diff --git a/cmd/tailscaled/depaware-min.txt b/cmd/tailscaled/depaware-min.txt
index f37dde001..bada798db 100644
--- a/cmd/tailscaled/depaware-min.txt
+++ b/cmd/tailscaled/depaware-min.txt
@@ -24,7 +24,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
      💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink+
      💣 github.com/safchain/ethtool                                  from tailscale.com/net/netkernelconf
-        github.com/tailscale/hujson                                  from tailscale.com/ipn/conffile
         github.com/tailscale/peercred                                from tailscale.com/ipn/ipnauth
      💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
      💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/net/tstun+
diff --git a/cmd/tailscaled/depaware-minbox.txt b/cmd/tailscaled/depaware-minbox.txt
index 7e12a9c36..ef0d2a8ee 100644
--- a/cmd/tailscaled/depaware-minbox.txt
+++ b/cmd/tailscaled/depaware-minbox.txt
@@ -36,7 +36,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         github.com/skip2/go-qrcode                                   from tailscale.com/cmd/tailscale/cli
         github.com/skip2/go-qrcode/bitset                            from github.com/skip2/go-qrcode+
         github.com/skip2/go-qrcode/reedsolomon                       from github.com/skip2/go-qrcode
-        github.com/tailscale/hujson                                  from tailscale.com/ipn/conffile
         github.com/tailscale/peercred                                from tailscale.com/ipn/ipnauth
      💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
      💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/net/tstun+
diff --git a/cmd/tailscaled/deps_test.go b/cmd/tailscaled/deps_test.go
index fd5d31836..a9f125e19 100644
--- a/cmd/tailscaled/deps_test.go
+++ b/cmd/tailscaled/deps_test.go
@@ -253,13 +253,19 @@ func TestMinTailscaledNoCLI(t *testing.T) {
 }
 
 func TestMinTailscaledWithCLI(t *testing.T) {
+	badSubstrs := []string{
+		"cbor",
+		"hujson",
+	}
 	deptest.DepChecker{
 		GOOS:   "linux",
 		GOARCH: "amd64",
 		Tags:   minTags() + ",ts_include_cli",
 		OnDep: func(dep string) {
-			if strings.Contains(dep, "cbor") {
-				t.Errorf("unexpected dep: %q", dep)
+			for _, bad := range badSubstrs {
+				if strings.Contains(dep, bad) {
+					t.Errorf("unexpected dep: %q", dep)
+				}
 			}
 		},
 	}.Check(t)
diff --git a/feature/buildfeatures/feature_hujsonconf_disabled.go b/feature/buildfeatures/feature_hujsonconf_disabled.go
new file mode 100644
index 000000000..cee076bc2
--- /dev/null
+++ b/feature/buildfeatures/feature_hujsonconf_disabled.go
@@ -0,0 +1,13 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Code generated by gen.go; DO NOT EDIT.
+
+//go:build ts_omit_hujsonconf
+
+package buildfeatures
+
+// HasHuJSONConf is whether the binary was built with support for modular feature "HuJSON config file support".
+// Specifically, it's whether the binary was NOT built with the "ts_omit_hujsonconf" build tag.
+// It's a const so it can be used for dead code elimination.
+const HasHuJSONConf = false
diff --git a/feature/buildfeatures/feature_hujsonconf_enabled.go b/feature/buildfeatures/feature_hujsonconf_enabled.go
new file mode 100644
index 000000000..aefeeace5
--- /dev/null
+++ b/feature/buildfeatures/feature_hujsonconf_enabled.go
@@ -0,0 +1,13 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Code generated by gen.go; DO NOT EDIT.
+
+//go:build !ts_omit_hujsonconf
+
+package buildfeatures
+
+// HasHuJSONConf is whether the binary was built with support for modular feature "HuJSON config file support".
+// Specifically, it's whether the binary was NOT built with the "ts_omit_hujsonconf" build tag.
+// It's a const so it can be used for dead code elimination.
+const HasHuJSONConf = true
diff --git a/feature/featuretags/featuretags.go b/feature/featuretags/featuretags.go
index daf4c71eb..347ccdec0 100644
--- a/feature/featuretags/featuretags.go
+++ b/feature/featuretags/featuretags.go
@@ -113,6 +113,7 @@ var Features = map[FeatureTag]FeatureMeta{
 		Desc: "Generic Receive Offload support (performance)",
 		Deps: []FeatureTag{"netstack"},
 	},
+	"hujsonconf":    {"HuJSONConf", "HuJSON config file support", nil},
 	"iptables":      {"IPTables", "Linux iptables support", nil},
 	"kube":          {"Kube", "Kubernetes integration", nil},
 	"linuxdnsfight": {"LinuxDNSFight", "Linux support for detecting DNS fights (inotify watching of /etc/resolv.conf)", nil},
diff --git a/ipn/conffile/cloudconf.go b/ipn/conffile/cloudconf.go
index 650611cf1..4475a2d7b 100644
--- a/ipn/conffile/cloudconf.go
+++ b/ipn/conffile/cloudconf.go
@@ -10,6 +10,8 @@ import (
 	"net/http"
 	"strings"
 
+	"tailscale.com/feature"
+	"tailscale.com/feature/buildfeatures"
 	"tailscale.com/omit"
 )
 
@@ -35,6 +37,9 @@ func getEC2MetadataToken() (string, error) {
 }
 
 func readVMUserData() ([]byte, error) {
+	if !buildfeatures.HasAWS {
+		return nil, feature.ErrUnavailable
+	}
 	// TODO(bradfitz): support GCP, Azure, Proxmox/cloud-init
 	// (NoCloud/ConfigDrive ISO), etc.
 
diff --git a/ipn/conffile/conffile.go b/ipn/conffile/conffile.go
index a2bafb8b7..3a2aeffb3 100644
--- a/ipn/conffile/conffile.go
+++ b/ipn/conffile/conffile.go
@@ -8,11 +8,11 @@ package conffile
 import (
 	"bytes"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"os"
 	"runtime"
 
+	"tailscale.com/feature/buildfeatures"
 	"tailscale.com/ipn"
 )
 
@@ -51,10 +51,6 @@ func Load(path string) (*Config, error) {
 		// compile-time for deadcode elimination
 		return nil, fmt.Errorf("config file loading not supported on %q", runtime.GOOS)
 	}
-	if hujsonStandardize == nil {
-		// Build tags are wrong in conffile_hujson.go
-		return nil, errors.New("[unexpected] config file loading not wired up")
-	}
 	var c Config
 	c.Path = path
 	var err error
@@ -68,14 +64,21 @@ func Load(path string) (*Config, error) {
 	if err != nil {
 		return nil, err
 	}
-	c.Std, err = hujsonStandardize(c.Raw)
-	if err != nil {
-		return nil, fmt.Errorf("error parsing config file %s HuJSON/JSON: %w", path, err)
+	if buildfeatures.HasHuJSONConf && hujsonStandardize != nil {
+		c.Std, err = hujsonStandardize(c.Raw)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing config file %s HuJSON/JSON: %w", path, err)
+		}
+	} else {
+		c.Std = c.Raw // config file must be valid JSON with ts_omit_hujsonconf
 	}
 	var ver struct {
 		Version string `json:"version"`
 	}
 	if err := json.Unmarshal(c.Std, &ver); err != nil {
+		if !buildfeatures.HasHuJSONConf {
+			return nil, fmt.Errorf("error parsing config file %s, which must be valid standard JSON: %w", path, err)
+		}
 		return nil, fmt.Errorf("error parsing config file %s: %w", path, err)
 	}
 	switch ver.Version {
diff --git a/ipn/conffile/conffile_hujson.go b/ipn/conffile/conffile_hujson.go
index 6825a0638..1e967f1bd 100644
--- a/ipn/conffile/conffile_hujson.go
+++ b/ipn/conffile/conffile_hujson.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !ios && !android
+//go:build !ios && !android && !ts_omit_hujsonconf
 
 package conffile