oidc: make email verification configurable

Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com>
capver: generate
2026-02-19 06:07:42 +01:00 · 2025-12-18 11:42:32 +00:00 · 2025-12-18 10:02:23 +01:00 · 2025-12-18 10:02:23 +01:00 · 2025-12-17 15:15:43 +01:00 · 2025-12-17 13:19:26 +01:00
442 changed files with 35607 additions and 14894 deletions
--- a/.claude/agents/headscale-integration-tester.md
+++ b/.claude/agents/headscale-integration-tester.md
@@ -52,7 +52,7 @@ go test ./integration -timeout 45m
 **Timeout Guidelines by Test Type**:
 - **Basic functionality tests**: `--timeout=900s` (15 minutes minimum)
 - **Route/ACL tests**: `--timeout=1200s` (20 minutes)
- **HA/failover tests**: `--timeout=1800s` (30 minutes)  
+- **HA/failover tests**: `--timeout=1800s` (30 minutes)
 - **Long-running tests**: `--timeout=2100s` (35 minutes)
 - **Full test suite**: `-timeout 45m` (45 minutes)

@@ -433,7 +433,7 @@ When you understand a test's purpose through debugging, always add comprehensive
 //
 // The test verifies:
 // - Route announcements are received and tracked
-// - ACL policies control route approval correctly  
+// - ACL policies control route approval correctly
 // - Only approved routes appear in peer network maps
 // - Route state persists correctly in the database
 func TestSubnetRoutes(t *testing.T) {
@@ -535,7 +535,7 @@ var nodeKey key.NodePublic
 assert.EventuallyWithT(t, func(c *assert.CollectT) {
    nodes, err := headscale.ListNodes()
    assert.NoError(c, err)
-    
+
    for _, node := range nodes {
        if node.GetName() == "router" {
            routeNode = node
@@ -550,7 +550,7 @@ assert.EventuallyWithT(t, func(c *assert.CollectT) {
 assert.EventuallyWithT(t, func(c *assert.CollectT) {
    status, err := client.Status()
    assert.NoError(c, err)
-    
+
    peerStatus, ok := status.Peer[nodeKey]
    assert.True(c, ok, "peer should exist in status")
    requirePeerSubnetRoutesWithCollect(c, peerStatus, expectedPrefixes)
@@ -566,7 +566,7 @@ assert.EventuallyWithT(t, func(c *assert.CollectT) {
    nodes, err := headscale.ListNodes()
    assert.NoError(c, err)
    assert.Len(c, nodes, 2)
-    
+
    // Second unrelated external call - WRONG!
    status, err := client.Status()
    assert.NoError(c, err)
@@ -577,7 +577,7 @@ assert.EventuallyWithT(t, func(c *assert.CollectT) {
 assert.EventuallyWithT(t, func(c *assert.CollectT) {
    nodes, err := headscale.ListNodes()
    assert.NoError(c, err)
-    
+
    // NEVER do this!
    assert.EventuallyWithT(t, func(c2 *assert.CollectT) {
        status, _ := client.Status()
@@ -666,11 +666,11 @@ When working within EventuallyWithT blocks where you need to prevent panics:
 assert.EventuallyWithT(t, func(c *assert.CollectT) {
    nodes, err := headscale.ListNodes()
    assert.NoError(c, err)
-    
+
    // For array bounds - use require with t to prevent panic
    assert.Len(c, nodes, 6)  // Test expectation
    require.GreaterOrEqual(t, len(nodes), 3, "need at least 3 nodes to avoid panic")
-    
+
    // For nil pointer access - use require with t before dereferencing
    assert.NotNil(c, srs1PeerStatus.PrimaryRoutes)  // Test expectation
    require.NotNil(t, srs1PeerStatus.PrimaryRoutes, "primary routes must be set to avoid panic")
@@ -681,7 +681,7 @@ assert.EventuallyWithT(t, func(c *assert.CollectT) {
 }, 5*time.Second, 200*time.Millisecond, "checking route state")
 ```

-**Key Principle**: 
+**Key Principle**:
 - Use `assert` with `c` (*assert.CollectT) for test expectations that can be retried
 - Use `require` with `t` (*testing.T) for MUST conditions that prevent panics
 - Within EventuallyWithT, both are available - choose based on whether failure would cause a panic
@@ -704,7 +704,7 @@ assert.EventuallyWithT(t, func(c *assert.CollectT) {
 assert.EventuallyWithT(t, func(c *assert.CollectT) {
    status, err := client.Status()
    assert.NoError(c, err)
-    
+
    // Check all peers have expected routes
    for _, peerKey := range status.Peers() {
        peerStatus := status.Peer[peerKey]
--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,16 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+max_line_length = 120
+
+[*.go]
+indent_style = tab
+
+[Makefile]
+indent_style = tab
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,8 +5,6 @@ on:
    branches:
      - main
  pull_request:
-    branches:
-      - main

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
@@ -17,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 2
      - name: Get changed files
@@ -31,13 +29,12 @@ jobs:
              - '**/*.go'
              - 'integration_test/'
              - 'config-example.yaml'
-      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+      - uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # v34
        if: steps.changed-files.outputs.files == 'true'
      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        if: steps.changed-files.outputs.files == 'true'
        with:
-          primary-key:
-            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+          primary-key: nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
            '**/flake.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

@@ -57,7 +54,7 @@ jobs:
          exit $BUILD_STATUS

      - name: Nix gosum diverging
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        if: failure() && steps.build.outcome == 'failure'
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
@@ -69,7 +66,7 @@ jobs:
              body: 'Nix build failed with wrong gosum, please update "vendorSha256" (${{ steps.build.outputs.OLD_HASH }}) for the "headscale" package in flake.nix with the new SHA: ${{ steps.build.outputs.NEW_HASH }}'
            })

-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: steps.changed-files.outputs.files == 'true'
        with:
          name: headscale-linux
@@ -84,20 +81,20 @@ jobs:
          - "GOARCH=arm64 GOOS=darwin"
          - "GOARCH=amd64 GOOS=darwin"
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # v34
      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        with:
-          primary-key:
-            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+          primary-key: nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
            '**/flake.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

      - name: Run go cross compile
-        run:
-          env ${{ matrix.env }} nix develop --command -- go build -o "headscale"
+        env:
+          CGO_ENABLED: 0
+        run: env ${{ matrix.env }} nix develop --command -- go build -o "headscale"
          ./cmd/headscale
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: "headscale-${{ matrix.env }}"
          path: "headscale"
--- a/.github/workflows/check-generated.yml
+++ b/.github/workflows/check-generated.yml
@@ -16,7 +16,7 @@ jobs:
  check-generated:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 2
      - name: Get changed files
@@ -31,7 +31,7 @@ jobs:
              - '**/*.proto'
              - 'buf.gen.yaml'
              - 'tools/**'
-      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+      - uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # v34
        if: steps.changed-files.outputs.files == 'true'
      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        if: steps.changed-files.outputs.files == 'true'
--- a/.github/workflows/check-tests.yaml
+++ b/.github/workflows/check-tests.yaml
@@ -10,7 +10,7 @@ jobs:
  check-tests:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 2
      - name: Get changed files
@@ -24,13 +24,12 @@ jobs:
              - '**/*.go'
              - 'integration_test/'
              - 'config-example.yaml'
-      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+      - uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # v34
        if: steps.changed-files.outputs.files == 'true'
      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        if: steps.changed-files.outputs.files == 'true'
        with:
-          primary-key:
-            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+          primary-key: nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
            '**/flake.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -21,15 +21,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
      - name: Install python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: 3.x
      - name: Setup cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
        with:
          key: ${{ github.ref }}
          path: .cache
--- a/.github/workflows/docs-test.yml
+++ b/.github/workflows/docs-test.yml
@@ -11,13 +11,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Install python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: 3.x
      - name: Setup cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0
        with:
          key: ${{ github.ref }}
          path: .cache
--- a/.github/workflows/gh-action-integration-generator.go
+++ b/.github/workflows/gh-action-integration-generator.go
@@ -10,6 +10,55 @@ import (
 	"strings"
 )

+// testsToSplit defines tests that should be split into multiple CI jobs.
+// Key is the test function name, value is a list of subtest prefixes.
+// Each prefix becomes a separate CI job as "TestName/prefix".
+//
+// Example: TestAutoApproveMultiNetwork has subtests like:
+//   - TestAutoApproveMultiNetwork/authkey-tag-advertiseduringup-false-pol-database
+//   - TestAutoApproveMultiNetwork/webauth-user-advertiseduringup-true-pol-file
+//
+// Splitting by approver type (tag, user, group) creates 6 CI jobs with 4 tests each:
+//   - TestAutoApproveMultiNetwork/authkey-tag.* (4 tests)
+//   - TestAutoApproveMultiNetwork/authkey-user.* (4 tests)
+//   - TestAutoApproveMultiNetwork/authkey-group.* (4 tests)
+//   - TestAutoApproveMultiNetwork/webauth-tag.* (4 tests)
+//   - TestAutoApproveMultiNetwork/webauth-user.* (4 tests)
+//   - TestAutoApproveMultiNetwork/webauth-group.* (4 tests)
+//
+// This reduces load per CI job (4 tests instead of 12) to avoid infrastructure
+// flakiness when running many sequential Docker-based integration tests.
+var testsToSplit = map[string][]string{
+	"TestAutoApproveMultiNetwork": {
+		"authkey-tag",
+		"authkey-user",
+		"authkey-group",
+		"webauth-tag",
+		"webauth-user",
+		"webauth-group",
+	},
+}
+
+// expandTests takes a list of test names and expands any that need splitting
+// into multiple subtest patterns.
+func expandTests(tests []string) []string {
+	var expanded []string
+	for _, test := range tests {
+		if prefixes, ok := testsToSplit[test]; ok {
+			// This test should be split into multiple jobs.
+			// We append ".*" to each prefix because the CI runner wraps patterns
+			// with ^...$ anchors. Without ".*", a pattern like "authkey$" wouldn't
+			// match "authkey-tag-advertiseduringup-false-pol-database".
+			for _, prefix := range prefixes {
+				expanded = append(expanded, fmt.Sprintf("%s/%s.*", test, prefix))
+			}
+		} else {
+			expanded = append(expanded, test)
+		}
+	}
+	return expanded
+}
+
 func findTests() []string {
 	rgBin, err := exec.LookPath("rg")
 	if err != nil {
@@ -66,8 +115,11 @@ func updateYAML(tests []string, jobName string, testPath string) {
 func main() {
 	tests := findTests()

-	quotedTests := make([]string, len(tests))
-	for i, test := range tests {
+	// Expand tests that should be split into multiple jobs
+	expandedTests := expandTests(tests)
+
+	quotedTests := make([]string, len(expandedTests))
+	for i, test := range expandedTests {
 		quotedTests[i] = fmt.Sprintf("\"%s\"", test)
 	}

--- a/.github/workflows/gh-actions-updater.yaml
+++ b/.github/workflows/gh-actions-updater.yaml
@@ -11,13 +11,13 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # [Required] Access token with `workflow` scope.
          token: ${{ secrets.WORKFLOW_SECRET }}

      - name: Run GitHub Actions Version Updater
-        uses: saadmk11/github-actions-version-updater@64be81ba69383f81f2be476703ea6570c4c8686e # v0.8.1
+        uses: saadmk11/github-actions-version-updater@d8781caf11d11168579c8e5e94f62b068038f442 # v0.9.0
        with:
          # [Required] Access token with `workflow` scope.
          token: ${{ secrets.WORKFLOW_SECRET }}
--- a/.github/workflows/integration-test-template.yml
+++ b/.github/workflows/integration-test-template.yml
@@ -28,23 +28,12 @@ jobs:
      # that triggered the build.
      HAS_TAILSCALE_SECRET: ${{ secrets.TS_OAUTH_CLIENT_ID }}
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 2
-      - name: Get changed files
-        id: changed-files
-        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
-        with:
-          filters: |
-            files:
-              - '*.nix'
-              - 'go.*'
-              - '**/*.go'
-              - 'integration_test/'
-              - 'config-example.yaml'
      - name: Tailscale
        if: ${{ env.HAS_TAILSCALE_SECRET }}
-        uses: tailscale/github-action@6986d2c82a91fbac2949fe01f5bab95cf21b5102 # v3.2.2
+        uses: tailscale/github-action@a392da0a182bba0e9613b6243ebd69529b1878aa # v4.1.0
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
@@ -52,30 +41,72 @@ jobs:
      - name: Setup SSH server for Actor
        if: ${{ env.HAS_TAILSCALE_SECRET }}
        uses: alexellis/setup-sshd-actor@master
-      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
-        if: steps.changed-files.outputs.files == 'true'
-      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
-        if: steps.changed-files.outputs.files == 'true'
+      - name: Download headscale image
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
-          primary-key:
-            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
-            '**/flake.lock') }}
-          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}
+          name: headscale-image
+          path: /tmp/artifacts
+      - name: Download tailscale HEAD image
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: tailscale-head-image
+          path: /tmp/artifacts
+      - name: Download hi binary
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: hi-binary
+          path: /tmp/artifacts
+      - name: Download Go cache
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: go-cache
+          path: /tmp/artifacts
+      - name: Download postgres image
+        if: ${{ inputs.postgres_flag == '--postgres=1' }}
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: postgres-image
+          path: /tmp/artifacts
+      - name: Load Docker images, Go cache, and prepare binary
+        run: |
+          gunzip -c /tmp/artifacts/headscale-image.tar.gz | docker load
+          gunzip -c /tmp/artifacts/tailscale-head-image.tar.gz | docker load
+          if [ -f /tmp/artifacts/postgres-image.tar.gz ]; then
+            gunzip -c /tmp/artifacts/postgres-image.tar.gz | docker load
+          fi
+          chmod +x /tmp/artifacts/hi
+          docker images
+          # Extract Go cache to host directories for bind mounting
+          mkdir -p /tmp/go-cache
+          tar -xzf /tmp/artifacts/go-cache.tar.gz -C /tmp/go-cache
+          ls -la /tmp/go-cache/ /tmp/go-cache/.cache/
      - name: Run Integration Test
-        run:
-          nix develop --command -- hi run --stats --ts-memory-limit=300 --hs-memory-limit=1500 "^${{ inputs.test }}$" \
+        env:
+          HEADSCALE_INTEGRATION_HEADSCALE_IMAGE: headscale:${{ github.sha }}
+          HEADSCALE_INTEGRATION_TAILSCALE_IMAGE: tailscale-head:${{ github.sha }}
+          HEADSCALE_INTEGRATION_POSTGRES_IMAGE: ${{ inputs.postgres_flag == '--postgres=1' && format('postgres:{0}', github.sha) || '' }}
+          HEADSCALE_INTEGRATION_GO_CACHE: /tmp/go-cache/go
+          HEADSCALE_INTEGRATION_GO_BUILD_CACHE: /tmp/go-cache/.cache/go-build
+        run: /tmp/artifacts/hi run --stats --ts-memory-limit=300 --hs-memory-limit=1500 "^${{ inputs.test }}$" \
          --timeout=120m \
          ${{ inputs.postgres_flag }}
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        if: always() && steps.changed-files.outputs.files == 'true'
+      # Sanitize test name for artifact upload (replace invalid characters: " : < > | * ? \ / with -)
+      - name: Sanitize test name for artifacts
+        if: always()
+        id: sanitize
+        run: echo "name=${TEST_NAME//[\":<>|*?\\\/]/-}" >> $GITHUB_OUTPUT
+        env:
+          TEST_NAME: ${{ inputs.test }}
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        if: always()
        with:
-          name: ${{ inputs.database_name }}-${{ inputs.test }}-logs
+          name: ${{ inputs.database_name }}-${{ steps.sanitize.outputs.name }}-logs
          path: "control_logs/*/*.log"
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        if: always() && steps.changed-files.outputs.files == 'true'
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        if: always()
        with:
-          name: ${{ inputs.database_name }}-${{ inputs.test }}-archives
-          path: "control_logs/*/*.tar"
+          name: ${{ inputs.database_name }}-${{ steps.sanitize.outputs.name }}-artifacts
+          path: control_logs/
      - name: Setup a blocking tmux session
        if: ${{ env.HAS_TAILSCALE_SECRET }}
        uses: alexellis/block-with-tmux-action@master
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -10,7 +10,7 @@ jobs:
  golangci-lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 2
      - name: Get changed files
@@ -24,13 +24,12 @@ jobs:
              - '**/*.go'
              - 'integration_test/'
              - 'config-example.yaml'
-      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+      - uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # v34
        if: steps.changed-files.outputs.files == 'true'
      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        if: steps.changed-files.outputs.files == 'true'
        with:
-          primary-key:
-            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+          primary-key: nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
            '**/flake.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

@@ -46,7 +45,7 @@ jobs:
  prettier-lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 2
      - name: Get changed files
@@ -65,13 +64,12 @@ jobs:
              - '**/*.css'
              - '**/*.scss'
              - '**/*.html'
-      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+      - uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # v34
        if: steps.changed-files.outputs.files == 'true'
      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        if: steps.changed-files.outputs.files == 'true'
        with:
-          primary-key:
-            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+          primary-key: nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
            '**/flake.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

@@ -83,12 +81,11 @@ jobs:
  proto-lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # v34
      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        with:
-          primary-key:
-            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+          primary-key: nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
            '**/flake.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

--- a/.github/workflows/nix-module-test.yml
+++ b/.github/workflows/nix-module-test.yml
@@ -0,0 +1,55 @@
+name: NixOS Module Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  nix-module-check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        with:
+          filters: |
+            nix:
+              - 'nix/**'
+              - 'flake.nix'
+              - 'flake.lock'
+            go:
+              - 'go.*'
+              - '**/*.go'
+              - 'cmd/**'
+              - 'hscontrol/**'
+
+      - uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # v34
+        if: steps.changed-files.outputs.nix == 'true' || steps.changed-files.outputs.go == 'true'
+
+      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
+        if: steps.changed-files.outputs.nix == 'true' || steps.changed-files.outputs.go == 'true'
+        with:
+          primary-key: nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+            '**/flake.lock') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}
+
+      - name: Run NixOS module tests
+        if: steps.changed-files.outputs.nix == 'true' || steps.changed-files.outputs.go == 'true'
+        run: |
+          echo "Running NixOS module integration test..."
+          nix build .#checks.x86_64-linux.headscale -L
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,28 +13,27 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GHCR
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+      - uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # v34
      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        with:
-          primary-key:
-            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+          primary-key: nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
            '**/flake.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -12,16 +12,14 @@ jobs:
      issues: write
      pull-requests: write
    steps:
-      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
        with:
          days-before-issue-stale: 90
          days-before-issue-close: 7
          stale-issue-label: "stale"
-          stale-issue-message:
-            "This issue is stale because it has been open for 90 days with no
+          stale-issue-message: "This issue is stale because it has been open for 90 days with no
            activity."
-          close-issue-message:
-            "This issue was closed because it has been inactive for 14 days
+          close-issue-message: "This issue was closed because it has been inactive for 14 days
            since being marked as stale."
          days-before-pr-stale: -1
          days-before-pr-close: -1
--- a/.github/workflows/test-integration.yaml
+++ b/.github/workflows/test-integration.yaml
@@ -7,7 +7,117 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
+  # build: Builds binaries and Docker images once, uploads as artifacts for reuse.
+  # build-postgres: Pulls postgres image separately to avoid Docker Hub rate limits.
+  # sqlite: Runs all integration tests with SQLite backend.
+  # postgres: Runs a subset of tests with PostgreSQL to verify database compatibility.
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      files-changed: ${{ steps.changed-files.outputs.files }}
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 2
+      - name: Get changed files
+        id: changed-files
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        with:
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - 'integration/**'
+              - 'config-example.yaml'
+              - '.github/workflows/test-integration.yaml'
+              - '.github/workflows/integration-test-template.yml'
+              - 'Dockerfile.*'
+      - uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # v34
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
+        if: steps.changed-files.outputs.files == 'true'
+        with:
+          primary-key: nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}
+      - name: Build binaries and warm Go cache
+        if: steps.changed-files.outputs.files == 'true'
+        run: |
+          # Build all Go binaries in one nix shell to maximize cache reuse
+          nix develop --command -- bash -c '
+            go build -o hi ./cmd/hi
+            CGO_ENABLED=0 GOOS=linux go build -o headscale ./cmd/headscale
+            # Build integration test binary to warm the cache with all dependencies
+            go test -c ./integration -o /dev/null 2>/dev/null || true
+          '
+      - name: Upload hi binary
+        if: steps.changed-files.outputs.files == 'true'
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: hi-binary
+          path: hi
+          retention-days: 10
+      - name: Package Go cache
+        if: steps.changed-files.outputs.files == 'true'
+        run: |
+          # Package Go module cache and build cache
+          tar -czf go-cache.tar.gz -C ~ go .cache/go-build
+      - name: Upload Go cache
+        if: steps.changed-files.outputs.files == 'true'
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: go-cache
+          path: go-cache.tar.gz
+          retention-days: 10
+      - name: Build headscale image
+        if: steps.changed-files.outputs.files == 'true'
+        run: |
+          docker build \
+            --file Dockerfile.integration-ci \
+            --tag headscale:${{ github.sha }} \
+            .
+          docker save headscale:${{ github.sha }} | gzip > headscale-image.tar.gz
+      - name: Build tailscale HEAD image
+        if: steps.changed-files.outputs.files == 'true'
+        run: |
+          docker build \
+            --file Dockerfile.tailscale-HEAD \
+            --tag tailscale-head:${{ github.sha }} \
+            .
+          docker save tailscale-head:${{ github.sha }} | gzip > tailscale-head-image.tar.gz
+      - name: Upload headscale image
+        if: steps.changed-files.outputs.files == 'true'
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: headscale-image
+          path: headscale-image.tar.gz
+          retention-days: 10
+      - name: Upload tailscale HEAD image
+        if: steps.changed-files.outputs.files == 'true'
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: tailscale-head-image
+          path: tailscale-head-image.tar.gz
+          retention-days: 10
+  build-postgres:
+    runs-on: ubuntu-latest
+    needs: build
+    if: needs.build.outputs.files-changed == 'true'
+    steps:
+      - name: Pull and save postgres image
+        run: |
+          docker pull postgres:latest
+          docker tag postgres:latest postgres:${{ github.sha }}
+          docker save postgres:${{ github.sha }} | gzip > postgres-image.tar.gz
+      - name: Upload postgres image
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: postgres-image
+          path: postgres-image.tar.gz
+          retention-days: 10
  sqlite:
+    needs: build
+    if: needs.build.outputs.files-changed == 'true'
    strategy:
      fail-fast: false
      matrix:
@@ -23,28 +133,42 @@ jobs:
          - TestPolicyUpdateWhileRunningWithCLIInDatabase
          - TestACLAutogroupMember
          - TestACLAutogroupTagged
+          - TestACLAutogroupSelf
+          - TestACLPolicyPropagationOverTime
+          - TestACLTagPropagation
+          - TestACLTagPropagationPortSpecific
+          - TestAPIAuthenticationBypass
+          - TestAPIAuthenticationBypassCurl
+          - TestGRPCAuthenticationBypass
+          - TestCLIWithConfigAuthenticationBypass
          - TestAuthKeyLogoutAndReloginSameUser
          - TestAuthKeyLogoutAndReloginNewUser
          - TestAuthKeyLogoutAndReloginSameUserExpiredKey
+          - TestAuthKeyDeleteKey
+          - TestAuthKeyLogoutAndReloginRoutesPreserved
          - TestOIDCAuthenticationPingAll
          - TestOIDCExpireNodesBasedOnTokenExpiry
          - TestOIDC024UserCreation
          - TestOIDCAuthenticationWithPKCE
          - TestOIDCReloginSameNodeNewUser
+          - TestOIDCFollowUpUrl
+          - TestOIDCMultipleOpenedLoginUrls
+          - TestOIDCReloginSameNodeSameUser
+          - TestOIDCExpiryAfterRestart
+          - TestOIDCACLPolicyOnJoin
+          - TestOIDCReloginSameUserRoutesPreserved
          - TestAuthWebFlowAuthenticationPingAll
-          - TestAuthWebFlowLogoutAndRelogin
+          - TestAuthWebFlowLogoutAndReloginSameUser
+          - TestAuthWebFlowLogoutAndReloginNewUser
          - TestUserCommand
          - TestPreAuthKeyCommand
          - TestPreAuthKeyCommandWithoutExpiry
          - TestPreAuthKeyCommandReusableEphemeral
          - TestPreAuthKeyCorrectUserLoggedInCommand
          - TestApiKeyCommand
-          - TestNodeTagCommand
-          - TestNodeAdvertiseTagCommand
          - TestNodeCommand
          - TestNodeExpireCommand
          - TestNodeRenameCommand
-          - TestNodeMoveCommand
          - TestPolicyCommand
          - TestPolicyBrokenConfigCommand
          - TestDERPVerifyEndpoint
@@ -61,6 +185,7 @@ jobs:
          - TestTaildrop
          - TestUpdateHostnameFromClient
          - TestExpireNode
+          - TestSetNodeExpiryInFuture
          - TestNodeOnlineStatus
          - TestPingAllByIPManyUpDown
          - Test2118DeletingOnlineNodePanics
@@ -70,7 +195,12 @@ jobs:
          - TestEnablingExitRoutes
          - TestSubnetRouterMultiNetwork
          - TestSubnetRouterMultiNetworkExitNode
-          - TestAutoApproveMultiNetwork
+          - TestAutoApproveMultiNetwork/authkey-tag.*
+          - TestAutoApproveMultiNetwork/authkey-user.*
+          - TestAutoApproveMultiNetwork/authkey-group.*
+          - TestAutoApproveMultiNetwork/webauth-tag.*
+          - TestAutoApproveMultiNetwork/webauth-user.*
+          - TestAutoApproveMultiNetwork/webauth-group.*
          - TestSubnetRouteACLFiltering
          - TestHeadscale
          - TestTailscaleNodesJoiningHeadcale
@@ -79,12 +209,43 @@ jobs:
          - TestSSHNoSSHConfigured
          - TestSSHIsBlockedInACL
          - TestSSHUserOnlyIsolation
+          - TestSSHAutogroupSelf
+          - TestTagsAuthKeyWithTagRequestDifferentTag
+          - TestTagsAuthKeyWithTagNoAdvertiseFlag
+          - TestTagsAuthKeyWithTagCannotAddViaCLI
+          - TestTagsAuthKeyWithTagCannotChangeViaCLI
+          - TestTagsAuthKeyWithTagAdminOverrideReauthPreserves
+          - TestTagsAuthKeyWithTagCLICannotModifyAdminTags
+          - TestTagsAuthKeyWithoutTagCannotRequestTags
+          - TestTagsAuthKeyWithoutTagRegisterNoTags
+          - TestTagsAuthKeyWithoutTagCannotAddViaCLI
+          - TestTagsAuthKeyWithoutTagCLINoOpAfterAdminWithReset
+          - TestTagsAuthKeyWithoutTagCLINoOpAfterAdminWithEmptyAdvertise
+          - TestTagsAuthKeyWithoutTagCLICannotReduceAdminMultiTag
+          - TestTagsUserLoginOwnedTagAtRegistration
+          - TestTagsUserLoginNonExistentTagAtRegistration
+          - TestTagsUserLoginUnownedTagAtRegistration
+          - TestTagsUserLoginAddTagViaCLIReauth
+          - TestTagsUserLoginRemoveTagViaCLIReauth
+          - TestTagsUserLoginCLINoOpAfterAdminAssignment
+          - TestTagsUserLoginCLICannotRemoveAdminTags
+          - TestTagsAuthKeyWithTagRequestNonExistentTag
+          - TestTagsAuthKeyWithTagRequestUnownedTag
+          - TestTagsAuthKeyWithoutTagRequestNonExistentTag
+          - TestTagsAuthKeyWithoutTagRequestUnownedTag
+          - TestTagsAdminAPICannotSetNonExistentTag
+          - TestTagsAdminAPICanSetUnownedTag
+          - TestTagsAdminAPICannotRemoveAllTags
+          - TestTagsAdminAPICannotSetInvalidFormat
    uses: ./.github/workflows/integration-test-template.yml
+    secrets: inherit
    with:
      test: ${{ matrix.test }}
      postgres_flag: "--postgres=0"
      database_name: "sqlite"
  postgres:
+    needs: [build, build-postgres]
+    if: needs.build.outputs.files-changed == 'true'
    strategy:
      fail-fast: false
      matrix:
@@ -95,6 +256,7 @@ jobs:
          - TestPingAllByIPManyUpDown
          - TestSubnetRouterMultiNetwork
    uses: ./.github/workflows/integration-test-template.yml
+    secrets: inherit
    with:
      test: ${{ matrix.test }}
      postgres_flag: "--postgres=1"
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 2

@@ -27,13 +27,12 @@ jobs:
              - 'integration_test/'
              - 'config-example.yaml'

-      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+      - uses: nixbuild/nix-quick-install-action@2c9db80fb984ceb1bcaa77cdda3fdf8cfba92035 # v34
        if: steps.changed-files.outputs.files == 'true'
      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        if: steps.changed-files.outputs.files == 'true'
        with:
-          primary-key:
-            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+          primary-key: nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
            '**/flake.lock') }}
          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@ ignored/
 tailscale/
 .vscode/
 .claude/
+logs/

 *.prof

--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -7,6 +7,7 @@ linters:
    - depguard
    - dupl
    - exhaustruct
+    - funcorder
    - funlen
    - gochecknoglobals
    - gochecknoinits
@@ -28,6 +29,15 @@ linters:
    - wrapcheck
    - wsl
  settings:
+    forbidigo:
+      forbid:
+        # Forbid time.Sleep everywhere with context-appropriate alternatives
+        - pattern: 'time\.Sleep'
+          msg: >-
+            time.Sleep is forbidden.
+            In tests: use assert.EventuallyWithT for polling/waiting patterns.
+            In production code: use a backoff strategy (e.g., cenkalti/backoff) or proper synchronization primitives.
+      analyze-types: true
    gocritic:
      disabled-checks:
        - appendAssign
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -2,12 +2,39 @@
 version: 2
 before:
  hooks:
-    - go mod tidy -compat=1.24
+    - go mod tidy -compat=1.25
    - go mod vendor

 release:
  prerelease: auto
  draft: true
+  header: |
+    ## Upgrade
+
+    Please follow the steps outlined in the [upgrade guide](https://headscale.net/stable/setup/upgrade/) to update your existing Headscale installation.
+
+    **It's best to update from one stable version to the next** (e.g., 0.24.0 → 0.25.1 → 0.26.1) in case you are multiple releases behind. You should always pick the latest available patch release.
+
+    Be sure to check the changelog above for version-specific upgrade instructions and breaking changes.
+
+    ### Backup Your Database
+
+    **Always backup your database before upgrading.** Here's how to backup a SQLite database:
+
+    ```bash
+    # Stop headscale
+    systemctl stop headscale
+
+    # Backup sqlite database
+    cp /var/lib/headscale/db.sqlite /var/lib/headscale/db.sqlite.backup
+
+    # Backup sqlite WAL/SHM files (if they exist)
+    cp /var/lib/headscale/db.sqlite-wal /var/lib/headscale/db.sqlite-wal.backup
+    cp /var/lib/headscale/db.sqlite-shm /var/lib/headscale/db.sqlite-shm.backup
+
+    # Start headscale (migration will run automatically)
+    systemctl start headscale
+    ```

 builds:
  - id: headscale
@@ -98,7 +125,7 @@ kos:
    # bare tells KO to only use the repository
    # for tagging and naming the container.
    bare: true
-    base_image: gcr.io/distroless/base-debian12
+    base_image: gcr.io/distroless/base-debian13
    build: headscale
    main: ./cmd/headscale
    env:
@@ -118,6 +145,8 @@ kos:
      - "{{ .Tag }}"
      - '{{ trimprefix .Tag "v" }}'
      - "sha-{{ .ShortCommit }}"
+    creation_time: "{{.CommitTimestamp}}"
+    ko_data_creation_time: "{{.CommitTimestamp}}"

  - id: ghcr-debug
    repositories:
@@ -125,7 +154,7 @@ kos:
      - headscale/headscale

    bare: true
-    base_image: gcr.io/distroless/base-debian12:debug
+    base_image: gcr.io/distroless/base-debian13:debug
    build: headscale
    main: ./cmd/headscale
    env:
--- a/.mcp.json
+++ b/.mcp.json
@@ -3,45 +3,31 @@
    "claude-code-mcp": {
      "type": "stdio",
      "command": "npx",
-      "args": [
-        "-y",
-        "@steipete/claude-code-mcp@latest"
-      ],
+      "args": ["-y", "@steipete/claude-code-mcp@latest"],
      "env": {}
    },
    "sequential-thinking": {
      "type": "stdio",
      "command": "npx",
-      "args": [
-        "-y",
-        "@modelcontextprotocol/server-sequential-thinking"
-      ],
+      "args": ["-y", "@modelcontextprotocol/server-sequential-thinking"],
      "env": {}
    },
    "nixos": {
      "type": "stdio",
      "command": "uvx",
-      "args": [
-        "mcp-nixos"
-      ],
+      "args": ["mcp-nixos"],
      "env": {}
    },
    "context7": {
      "type": "stdio",
      "command": "npx",
-      "args": [
-        "-y",
-        "@upstash/context7-mcp"
-      ],
+      "args": ["-y", "@upstash/context7-mcp"],
      "env": {}
    },
    "git": {
      "type": "stdio",
      "command": "npx",
-      "args": [
-        "-y",
-        "@cyanheads/git-mcp-server"
-      ],
+      "args": ["-y", "@cyanheads/git-mcp-server"],
      "env": {}
    }
  }
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,68 @@
+# prek/pre-commit configuration for headscale
+# See: https://prek.j178.dev/quickstart/
+# See: https://prek.j178.dev/builtin/
+
+# Global exclusions - ignore generated code
+exclude: ^gen/
+
+repos:
+  # Built-in hooks from pre-commit/pre-commit-hooks
+  # prek will use fast-path optimized versions automatically
+  # See: https://prek.j178.dev/builtin/
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-case-conflict
+      - id: check-executables-have-shebangs
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-symlinks
+      - id: check-toml
+      - id: check-xml
+      - id: check-yaml
+      - id: detect-private-key
+      - id: end-of-file-fixer
+      - id: fix-byte-order-marker
+      - id: mixed-line-ending
+      - id: trailing-whitespace
+
+  # Local hooks for project-specific tooling
+  - repo: local
+    hooks:
+      # nixpkgs-fmt for Nix files
+      - id: nixpkgs-fmt
+        name: nixpkgs-fmt
+        entry: nixpkgs-fmt
+        language: system
+        files: \.nix$
+
+      # Prettier for formatting
+      - id: prettier
+        name: prettier
+        entry: prettier --write --list-different
+        language: system
+        exclude: ^docs/
+        types_or:
+          [
+            javascript,
+            jsx,
+            ts,
+            tsx,
+            yaml,
+            json,
+            toml,
+            html,
+            css,
+            scss,
+            sass,
+            markdown,
+          ]
+
+      # golangci-lint for Go code quality
+      - id: golangci-lint
+        name: golangci-lint
+        entry: nix develop --command golangci-lint run --new-from-rev=HEAD~1 --timeout=5m --fix
+        language: system
+        types: [go]
+        pass_filenames: false
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,5 +1,5 @@
 .github/workflows/test-integration-v2*
 docs/about/features.md
+docs/ref/api.md
 docs/ref/configuration.md
 docs/ref/oidc.md
-docs/ref/remote-cli.md
--- a/AGENTS.md
+++ b/AGENTS.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,530 +1 @@
-# CLAUDE.md
-
-This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
-
-## Overview
-
-Headscale is an open-source implementation of the Tailscale control server written in Go. It provides self-hosted coordination for Tailscale networks (tailnets), managing node registration, IP allocation, policy enforcement, and DERP routing.
-
-## Development Commands
-
-### Quick Setup
-```bash
-# Recommended: Use Nix for dependency management
-nix develop
-
-# Full development workflow
-make dev  # runs fmt + lint + test + build
-```
-
-### Essential Commands
-```bash
-# Build headscale binary
-make build
-
-# Run tests
-make test
-go test ./...                    # All unit tests
-go test -race ./...              # With race detection
-
-# Run specific integration test
-go run ./cmd/hi run "TestName" --postgres
-
-# Code formatting and linting
-make fmt         # Format all code (Go, docs, proto)
-make lint        # Lint all code (Go, proto)
-make fmt-go      # Format Go code only
-make lint-go     # Lint Go code only
-
-# Protocol buffer generation (after modifying proto/)
-make generate
-
-# Clean build artifacts  
-make clean
-```
-
-### Integration Testing
-```bash
-# Use the hi (Headscale Integration) test runner
-go run ./cmd/hi doctor                    # Check system requirements
-go run ./cmd/hi run "TestPattern"         # Run specific test
-go run ./cmd/hi run "TestPattern" --postgres  # With PostgreSQL backend
-
-# Test artifacts are saved to control_logs/ with logs and debug data
-```
-
-## Project Structure & Architecture
-
-### Top-Level Organization
-
-```
-headscale/
-├── cmd/                    # Command-line applications
-│   ├── headscale/         # Main headscale server binary
-│   └── hi/               # Headscale Integration test runner
-├── hscontrol/            # Core control plane logic
-├── integration/          # End-to-end Docker-based tests
-├── proto/               # Protocol buffer definitions
-├── gen/                 # Generated code (protobuf)
-├── docs/                # Documentation
-└── packaging/           # Distribution packaging
-```
-
-### Core Packages (`hscontrol/`)
-
-**Main Server (`hscontrol/`)**
- `app.go`: Application setup, dependency injection, server lifecycle
- `handlers.go`: HTTP/gRPC API endpoints for management operations
- `grpcv1.go`: gRPC service implementation for headscale API
- `poll.go`: **Critical** - Handles Tailscale MapRequest/MapResponse protocol
- `noise.go`: Noise protocol implementation for secure client communication
- `auth.go`: Authentication flows (web, OIDC, command-line)
- `oidc.go`: OpenID Connect integration for user authentication
-
-**State Management (`hscontrol/state/`)**
- `state.go`: Central coordinator for all subsystems (database, policy, IP allocation, DERP)
- `node_store.go`: **Performance-critical** - In-memory cache with copy-on-write semantics
- Thread-safe operations with deadlock detection
- Coordinates between database persistence and real-time operations
-
-**Database Layer (`hscontrol/db/`)**
- `db.go`: Database abstraction, GORM setup, migration management
- `node.go`: Node lifecycle, registration, expiration, IP assignment
- `users.go`: User management, namespace isolation
- `api_key.go`: API authentication tokens
- `preauth_keys.go`: Pre-authentication keys for automated node registration
- `ip.go`: IP address allocation and management
- `policy.go`: Policy storage and retrieval
- Schema migrations in `schema.sql` with extensive test data coverage
-
-**Policy Engine (`hscontrol/policy/`)**
- `policy.go`: Core ACL evaluation logic, HuJSON parsing
- `v2/`: Next-generation policy system with improved filtering
- `matcher/`: ACL rule matching and evaluation engine
- Determines peer visibility, route approval, and network access rules
- Supports both file-based and database-stored policies
-
-**Network Management (`hscontrol/`)**
- `derp/`: DERP (Designated Encrypted Relay for Packets) server implementation
-  - NAT traversal when direct connections fail
-  - Fallback relay for firewall-restricted environments
- `mapper/`: Converts internal Headscale state to Tailscale's wire protocol format
-  - `tail.go`: Tailscale-specific data structure generation
- `routes/`: Subnet route management and primary route selection
- `dns/`: DNS record management and MagicDNS implementation
-
-**Utilities & Support (`hscontrol/`)**
- `types/`: Core data structures, configuration, validation
- `util/`: Helper functions for networking, DNS, key management
- `templates/`: Client configuration templates (Apple, Windows, etc.)
- `notifier/`: Event notification system for real-time updates
- `metrics.go`: Prometheus metrics collection
- `capver/`: Tailscale capability version management
-
-### Key Subsystem Interactions
-
-**Node Registration Flow**
-1. **Client Connection**: `noise.go` handles secure protocol handshake
-2. **Authentication**: `auth.go` validates credentials (web/OIDC/preauth)
-3. **State Creation**: `state.go` coordinates IP allocation via `db/ip.go`
-4. **Storage**: `db/node.go` persists node, `NodeStore` caches in memory
-5. **Network Setup**: `mapper/` generates initial Tailscale network map
-
-**Ongoing Operations**
-1. **Poll Requests**: `poll.go` receives periodic client updates
-2. **State Updates**: `NodeStore` maintains real-time node information
-3. **Policy Application**: `policy/` evaluates ACL rules for peer relationships
-4. **Map Distribution**: `mapper/` sends network topology to all affected clients
-
-**Route Management**
-1. **Advertisement**: Clients announce routes via `poll.go` Hostinfo updates
-2. **Storage**: `db/` persists routes, `NodeStore` caches for performance
-3. **Approval**: `policy/` auto-approves routes based on ACL rules
-4. **Distribution**: `routes/` selects primary routes, `mapper/` distributes to peers
-
-### Command-Line Tools (`cmd/`)
-
-**Main Server (`cmd/headscale/`)**
- `headscale.go`: CLI parsing, configuration loading, server startup
- Supports daemon mode, CLI operations (user/node management), database operations
-
-**Integration Test Runner (`cmd/hi/`)**
- `main.go`: Test execution framework with Docker orchestration
- `run.go`: Individual test execution with artifact collection
- `doctor.go`: System requirements validation
- `docker.go`: Container lifecycle management
- Essential for validating changes against real Tailscale clients
-
-### Generated & External Code
-
-**Protocol Buffers (`proto/` → `gen/`)**
- Defines gRPC API for headscale management operations
- Client libraries can generate from these definitions
- Run `make generate` after modifying `.proto` files
-
-**Integration Testing (`integration/`)**
- `scenario.go`: Docker test environment setup
- `tailscale.go`: Tailscale client container management
- Individual test files for specific functionality areas
- Real end-to-end validation with network isolation
-
-### Critical Performance Paths
-
-**High-Frequency Operations**
-1. **MapRequest Processing** (`poll.go`): Every 15-60 seconds per client
-2. **NodeStore Reads** (`node_store.go`): Every operation requiring node data
-3. **Policy Evaluation** (`policy/`): On every peer relationship calculation
-4. **Route Lookups** (`routes/`): During network map generation
-
-**Database Write Patterns**
- **Frequent**: Node heartbeats, endpoint updates, route changes
- **Moderate**: User operations, policy updates, API key management
- **Rare**: Schema migrations, bulk operations
-
-### Configuration & Deployment
-
-**Configuration** (`hscontrol/types/config.go`)**
- Database connection settings (SQLite/PostgreSQL)
- Network configuration (IP ranges, DNS settings)
- Policy mode (file vs database)
- DERP relay configuration
- OIDC provider settings
-
-**Key Dependencies**
- **GORM**: Database ORM with migration support
- **Tailscale Libraries**: Core networking and protocol code
- **Zerolog**: Structured logging throughout the application
- **Buf**: Protocol buffer toolchain for code generation
-
-### Development Workflow Integration
-
-The architecture supports incremental development:
- **Unit Tests**: Focus on individual packages (`*_test.go` files)
- **Integration Tests**: Validate cross-component interactions
- **Database Tests**: Extensive migration and data integrity validation
- **Policy Tests**: ACL rule evaluation and edge cases
- **Performance Tests**: NodeStore and high-frequency operation validation
-
-## Integration Testing System
-
-### Overview
-Headscale uses Docker-based integration tests with real Tailscale clients to validate end-to-end functionality. The integration test system is complex and requires specialized knowledge for effective execution and debugging.
-
-### **MANDATORY: Use the headscale-integration-tester Agent**
-
-**CRITICAL REQUIREMENT**: For ANY integration test execution, analysis, troubleshooting, or validation, you MUST use the `headscale-integration-tester` agent. This agent contains specialized knowledge about:
-
- Test execution strategies and timing requirements  
- Infrastructure vs code issue distinction (99% vs 1% failure patterns)
- Security-critical debugging rules and forbidden practices
- Comprehensive artifact analysis workflows
- Real-world failure patterns from HA debugging experiences
-
-### Quick Reference Commands
-
-```bash
-# Check system requirements (always run first)
-go run ./cmd/hi doctor
-
-# Run single test (recommended for development)  
-go run ./cmd/hi run "TestName"
-
-# Use PostgreSQL for database-heavy tests
-go run ./cmd/hi run "TestName" --postgres
-
-# Pattern matching for related tests
-go run ./cmd/hi run "TestPattern*"
-```
-
-**Critical Notes**:
- Only ONE test can run at a time (Docker port conflicts)
- Tests generate ~100MB of logs per run in `control_logs/`
- Clean environment before each test: `rm -rf control_logs/202507* && docker system prune -f`
-
-### Test Artifacts Location
-All test runs save comprehensive debugging artifacts to `control_logs/TIMESTAMP-ID/` including server logs, client logs, database dumps, MapResponse protocol data, and Prometheus metrics.
-
-**For all integration test work, use the headscale-integration-tester agent - it contains the complete knowledge needed for effective testing and debugging.**
-
-## NodeStore Implementation Details
-
-**Key Insight from Recent Work**: The NodeStore is a critical performance optimization that caches node data in memory while ensuring consistency with the database. When working with route advertisements or node state changes:
-
-1. **Timing Considerations**: Route advertisements need time to propagate from clients to server. Use `require.EventuallyWithT()` patterns in tests instead of immediate assertions.
-
-2. **Synchronization Points**: NodeStore updates happen at specific points like `poll.go:420` after Hostinfo changes. Ensure these are maintained when modifying the polling logic.
-
-3. **Peer Visibility**: The NodeStore's `peersFunc` determines which nodes are visible to each other. Policy-based filtering is separate from monitoring visibility - expired nodes should remain visible for debugging but marked as expired.
-
-## Testing Guidelines
-
-### Integration Test Patterns
-
-#### **CRITICAL: EventuallyWithT Pattern for External Calls**
-
-**All external calls in integration tests MUST be wrapped in EventuallyWithT blocks** to handle eventual consistency in distributed systems. External calls include:
- `client.Status()` - Getting Tailscale client status
- `client.Curl()` - Making HTTP requests through clients
- `client.Traceroute()` - Running network diagnostics
- `headscale.ListNodes()` - Querying headscale server state
- Any other calls that interact with external systems or network operations
-
-**Key Rules**:
-1. **Never use bare `require.NoError(t, err)` with external calls** - Always wrap in EventuallyWithT
-2. **Keep related assertions together** - If multiple assertions depend on the same external call, keep them in the same EventuallyWithT block
-3. **Split unrelated external calls** - Different external calls should be in separate EventuallyWithT blocks
-4. **Never nest EventuallyWithT calls** - Each EventuallyWithT should be at the same level
-5. **Declare shared variables at function scope** - Variables used across multiple EventuallyWithT blocks must be declared before first use
-
-**Examples**:
-
-```go
-// CORRECT: External call wrapped in EventuallyWithT
-assert.EventuallyWithT(t, func(c *assert.CollectT) {
-    status, err := client.Status()
-    assert.NoError(c, err)
-    
-    // Related assertions using the same status call
-    for _, peerKey := range status.Peers() {
-        peerStatus := status.Peer[peerKey]
-        assert.NotNil(c, peerStatus.PrimaryRoutes)
-        requirePeerSubnetRoutesWithCollect(c, peerStatus, expectedRoutes)
-    }
-}, 5*time.Second, 200*time.Millisecond, "Verifying client status and routes")
-
-// INCORRECT: Bare external call without EventuallyWithT
-status, err := client.Status()  // ❌ Will fail intermittently
-require.NoError(t, err)
-
-// CORRECT: Separate EventuallyWithT for different external calls
-// First external call - headscale.ListNodes()
-assert.EventuallyWithT(t, func(c *assert.CollectT) {
-    nodes, err := headscale.ListNodes()
-    assert.NoError(c, err)
-    assert.Len(c, nodes, 2)
-    requireNodeRouteCountWithCollect(c, nodes[0], 2, 2, 2)
-}, 10*time.Second, 500*time.Millisecond, "route state changes should propagate to nodes")
-
-// Second external call - client.Status() 
-assert.EventuallyWithT(t, func(c *assert.CollectT) {
-    status, err := client.Status()
-    assert.NoError(c, err)
-    
-    for _, peerKey := range status.Peers() {
-        peerStatus := status.Peer[peerKey]
-        requirePeerSubnetRoutesWithCollect(c, peerStatus, []netip.Prefix{tsaddr.AllIPv4(), tsaddr.AllIPv6()})
-    }
-}, 10*time.Second, 500*time.Millisecond, "routes should be visible to client")
-
-// INCORRECT: Multiple unrelated external calls in same EventuallyWithT
-assert.EventuallyWithT(t, func(c *assert.CollectT) {
-    nodes, err := headscale.ListNodes()  // ❌ First external call
-    assert.NoError(c, err)
-    
-    status, err := client.Status()  // ❌ Different external call - should be separate
-    assert.NoError(c, err)
-}, 10*time.Second, 500*time.Millisecond, "mixed calls")
-
-// CORRECT: Variable scoping for shared data
-var (
-    srs1, srs2, srs3       *ipnstate.Status
-    clientStatus           *ipnstate.Status
-    srs1PeerStatus         *ipnstate.PeerStatus
-)
-
-assert.EventuallyWithT(t, func(c *assert.CollectT) {
-    srs1 = subRouter1.MustStatus()  // = not :=
-    srs2 = subRouter2.MustStatus()
-    clientStatus = client.MustStatus()
-    
-    srs1PeerStatus = clientStatus.Peer[srs1.Self.PublicKey]
-    // assertions...
-}, 5*time.Second, 200*time.Millisecond, "checking router status")
-
-// CORRECT: Wrapping client operations
-assert.EventuallyWithT(t, func(c *assert.CollectT) {
-    result, err := client.Curl(weburl)
-    assert.NoError(c, err)
-    assert.Len(c, result, 13)
-}, 5*time.Second, 200*time.Millisecond, "Verifying HTTP connectivity")
-
-assert.EventuallyWithT(t, func(c *assert.CollectT) {
-    tr, err := client.Traceroute(webip)
-    assert.NoError(c, err)
-    assertTracerouteViaIPWithCollect(c, tr, expectedRouter.MustIPv4())
-}, 5*time.Second, 200*time.Millisecond, "Verifying network path")
-```
-
-**Helper Functions**:
- Use `requirePeerSubnetRoutesWithCollect` instead of `requirePeerSubnetRoutes` inside EventuallyWithT
- Use `requireNodeRouteCountWithCollect` instead of `requireNodeRouteCount` inside EventuallyWithT
- Use `assertTracerouteViaIPWithCollect` instead of `assertTracerouteViaIP` inside EventuallyWithT
-
-```go
-// Node route checking by actual node properties, not array position
-var routeNode *v1.Node
-for _, node := range nodes {
-    if nodeIDStr := fmt.Sprintf("%d", node.GetId()); expectedRoutes[nodeIDStr] != "" {
-        routeNode = node
-        break
-    }
-}
-```
-
-### Running Problematic Tests
- Some tests require significant time (e.g., `TestNodeOnlineStatus` runs for 12 minutes)
- Infrastructure issues like disk space can cause test failures unrelated to code changes  
- Use `--postgres` flag when testing database-heavy scenarios
-
-## Quality Assurance and Testing Requirements
-
-### **MANDATORY: Always Use Specialized Testing Agents**
-
-**CRITICAL REQUIREMENT**: For ANY task involving testing, quality assurance, review, or validation, you MUST use the appropriate specialized agent at the END of your task list. This ensures comprehensive quality validation and prevents regressions.
-
-**Required Agents for Different Task Types**:
-
-1. **Integration Testing**: Use `headscale-integration-tester` agent for:
-   - Running integration tests with `cmd/hi`
-   - Analyzing test failures and artifacts
-   - Troubleshooting Docker-based test infrastructure
-   - Validating end-to-end functionality changes
-
-2. **Quality Control**: Use `quality-control-enforcer` agent for:
-   - Code review and validation
-   - Ensuring best practices compliance  
-   - Preventing common pitfalls and anti-patterns
-   - Validating architectural decisions
-
-**Agent Usage Pattern**: Always add the appropriate agent as the FINAL step in any task list to ensure quality validation occurs after all work is complete.
-
-### Integration Test Debugging Reference
-
-Test artifacts are preserved in `control_logs/TIMESTAMP-ID/` including:
- Headscale server logs (stderr/stdout)
- Tailscale client logs and status  
- Database dumps and network captures
- MapResponse JSON files for protocol debugging
-
-**For integration test issues, ALWAYS use the headscale-integration-tester agent - do not attempt manual debugging.**
-
-## EventuallyWithT Pattern for Integration Tests
-
-### Overview
-EventuallyWithT is a testing pattern used to handle eventual consistency in distributed systems. In Headscale integration tests, many operations are asynchronous - clients advertise routes, the server processes them, updates propagate through the network. EventuallyWithT allows tests to wait for these operations to complete while making assertions.
-
-### External Calls That Must Be Wrapped
-The following operations are **external calls** that interact with the headscale server or tailscale clients and MUST be wrapped in EventuallyWithT:
- `headscale.ListNodes()` - Queries server state
- `client.Status()` - Gets client network status
- `client.Curl()` - Makes HTTP requests through the network
- `client.Traceroute()` - Performs network diagnostics
- `client.Execute()` when running commands that query state
- Any operation that reads from the headscale server or tailscale client
-
-### Operations That Must NOT Be Wrapped
-The following are **blocking operations** that modify state and should NOT be wrapped in EventuallyWithT:
- `tailscale set` commands (e.g., `--advertise-routes`, `--exit-node`)
- Any command that changes configuration or state
- Use `client.MustStatus()` instead of `client.Status()` when you just need the ID for a blocking operation
-
-### Five Key Rules for EventuallyWithT
-
-1. **One External Call Per EventuallyWithT Block**
-   - Each EventuallyWithT should make ONE external call (e.g., ListNodes OR Status)
-   - Related assertions based on that single call can be grouped together
-   - Unrelated external calls must be in separate EventuallyWithT blocks
-
-2. **Variable Scoping**
-   - Declare variables that need to be shared across EventuallyWithT blocks at function scope
-   - Use `=` for assignment inside EventuallyWithT, not `:=` (unless the variable is only used within that block)
-   - Variables declared with `:=` inside EventuallyWithT are not accessible outside
-
-3. **No Nested EventuallyWithT**
-   - NEVER put an EventuallyWithT inside another EventuallyWithT
-   - This is a critical anti-pattern that must be avoided
-
-4. **Use CollectT for Assertions**
-   - Inside EventuallyWithT, use `assert` methods with the CollectT parameter
-   - Helper functions called within EventuallyWithT must accept `*assert.CollectT`
-
-5. **Descriptive Messages**
-   - Always provide a descriptive message as the last parameter
-   - Message should explain what condition is being waited for
-
-### Correct Pattern Examples
-
-```go
-// CORRECT: Blocking operation NOT wrapped
-for _, client := range allClients {
-    status := client.MustStatus()
-    command := []string{
-        "tailscale",
-        "set",
-        "--advertise-routes=" + expectedRoutes[string(status.Self.ID)],
-    }
-    _, _, err = client.Execute(command)
-    require.NoErrorf(t, err, "failed to advertise route: %s", err)
-}
-
-// CORRECT: Single external call with related assertions
-var nodes []*v1.Node
-assert.EventuallyWithT(t, func(c *assert.CollectT) {
-    nodes, err = headscale.ListNodes()
-    assert.NoError(c, err)
-    assert.Len(c, nodes, 2)
-    requireNodeRouteCountWithCollect(c, nodes[0], 2, 2, 2)
-}, 10*time.Second, 500*time.Millisecond, "nodes should have expected route counts")
-
-// CORRECT: Separate EventuallyWithT for different external call
-assert.EventuallyWithT(t, func(c *assert.CollectT) {
-    status, err := client.Status()
-    assert.NoError(c, err)
-    for _, peerKey := range status.Peers() {
-        peerStatus := status.Peer[peerKey]
-        requirePeerSubnetRoutesWithCollect(c, peerStatus, expectedPrefixes)
-    }
-}, 10*time.Second, 500*time.Millisecond, "client should see expected routes")
-```
-
-### Incorrect Patterns to Avoid
-
-```go
-// INCORRECT: Blocking operation wrapped in EventuallyWithT
-assert.EventuallyWithT(t, func(c *assert.CollectT) {
-    status, err := client.Status()
-    assert.NoError(c, err)
-    
-    // This is a blocking operation - should NOT be in EventuallyWithT!
-    command := []string{
-        "tailscale",
-        "set",
-        "--advertise-routes=" + expectedRoutes[string(status.Self.ID)],
-    }
-    _, _, err = client.Execute(command)
-    assert.NoError(c, err)
-}, 5*time.Second, 200*time.Millisecond, "wrong pattern")
-
-// INCORRECT: Multiple unrelated external calls in same EventuallyWithT
-assert.EventuallyWithT(t, func(c *assert.CollectT) {
-    // First external call
-    nodes, err := headscale.ListNodes()
-    assert.NoError(c, err)
-    assert.Len(c, nodes, 2)
-    
-    // Second unrelated external call - WRONG!
-    status, err := client.Status()
-    assert.NoError(c, err)
-    assert.NotNil(c, status)
-}, 10*time.Second, 500*time.Millisecond, "mixed operations")
-```
-
-## Important Notes
-
- **Dependencies**: Use `nix develop` for consistent toolchain (Go, buf, protobuf tools, linting)
- **Protocol Buffers**: Changes to `proto/` require `make generate` and should be committed separately
- **Code Style**: Enforced via golangci-lint with golines (width 88) and gofumpt formatting
- **Database**: Supports both SQLite (development) and PostgreSQL (production/testing)
- **Integration Tests**: Require Docker and can consume significant disk space - use headscale-integration-tester agent
- **Performance**: NodeStore optimizations are critical for scale - be careful with changes to state management
- **Quality Assurance**: Always use appropriate specialized agents for testing and validation tasks
+@AGENTS.md
--- a/Dockerfile.derper
+++ b/Dockerfile.derper
@@ -12,7 +12,7 @@ WORKDIR /go/src/tailscale
 ARG TARGETARCH
 RUN GOARCH=$TARGETARCH go install -v ./cmd/derper

-FROM alpine:3.18
+FROM alpine:3.22
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables curl

 COPY --from=build-env /go/bin/* /usr/local/bin/
--- a/Dockerfile.integration
+++ b/Dockerfile.integration
@@ -2,29 +2,43 @@
 # and are in no way endorsed by Headscale's maintainers as an
 # official nor supported release or distribution.

-FROM docker.io/golang:1.24-bookworm
+FROM docker.io/golang:1.25-trixie AS builder
 ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale

-RUN apt-get update \
-  && apt-get install --no-install-recommends --yes less jq sqlite3 dnsutils \
-  && rm -rf /var/lib/apt/lists/* \
-  && apt-get clean
-RUN mkdir -p /var/run/headscale
-
-# Install delve debugger
+# Install delve debugger first - rarely changes, good cache candidate
 RUN go install github.com/go-delve/delve/cmd/dlv@latest

+# Download dependencies - only invalidated when go.mod/go.sum change
 COPY go.mod go.sum /go/src/headscale/
 RUN go mod download

+# Copy source and build - invalidated on any source change
 COPY . .

 # Build debug binary with debug symbols for delve
 RUN CGO_ENABLED=0 GOOS=linux go build -gcflags="all=-N -l" -o /go/bin/headscale ./cmd/headscale

+# Runtime stage
+FROM debian:trixie-slim
+
+RUN apt-get --update install --no-install-recommends --yes \
+    bash ca-certificates curl dnsutils findutils iproute2 jq less procps python3 sqlite3 \
+  && apt-get dist-clean
+
+RUN mkdir -p /var/run/headscale
+
+# Copy binaries from builder
+COPY --from=builder /go/bin/headscale /usr/local/bin/headscale
+COPY --from=builder /go/bin/dlv /usr/local/bin/dlv
+
+# Copy source code for delve source-level debugging
+COPY --from=builder /go/src/headscale /go/src/headscale
+
+WORKDIR /go/src/headscale
+
 # Need to reset the entrypoint or everything will run as a busybox script
 ENTRYPOINT []
 EXPOSE 8080/tcp 40000/tcp
-CMD ["/go/bin/dlv", "--listen=0.0.0.0:40000", "--headless=true", "--api-version=2", "--accept-multiclient", "exec", "/go/bin/headscale", "--"]
+CMD ["dlv", "--listen=0.0.0.0:40000", "--headless=true", "--api-version=2", "--accept-multiclient", "exec", "/usr/local/bin/headscale", "--"]
--- a/Dockerfile.integration-ci
+++ b/Dockerfile.integration-ci
@@ -0,0 +1,17 @@
+# Minimal CI image - expects pre-built headscale binary in build context
+# For local development with delve debugging, use Dockerfile.integration instead
+
+FROM debian:trixie-slim
+
+RUN apt-get --update install --no-install-recommends --yes \
+    bash ca-certificates curl dnsutils findutils iproute2 jq less procps python3 sqlite3 \
+  && apt-get dist-clean
+
+RUN mkdir -p /var/run/headscale
+
+# Copy pre-built headscale binary from build context
+COPY headscale /usr/local/bin/headscale
+
+ENTRYPOINT []
+EXPOSE 8080/tcp
+CMD ["/usr/local/bin/headscale"]
--- a/Dockerfile.tailscale-HEAD
+++ b/Dockerfile.tailscale-HEAD
@@ -36,8 +36,10 @@ RUN GOARCH=$TARGETARCH go install -tags="${BUILD_TAGS}" -ldflags="\
      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
      -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot

-FROM alpine:3.18
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables curl
+FROM alpine:3.22
+# Upstream: ca-certificates ip6tables iptables iproute2
+# Tests: curl python3 (traceroute via BusyBox)
+RUN apk add --no-cache ca-certificates curl ip6tables iptables iproute2 python3

 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be
--- a/5
+++ b/5
@@ -64,7 +64,6 @@ fmt-go: check-deps $(GO_SOURCES)
 fmt-prettier: check-deps $(DOC_SOURCES)
 	@echo "Formatting documentation and config files..."
 	prettier --write '**/*.{ts,js,md,yaml,yml,sass,css,scss,html}'
-	prettier --write --print-width 80 --prose-wrap always CHANGELOG.md

 .PHONY: fmt-proto
 fmt-proto: check-deps $(PROTO_SOURCES)
@@ -117,7 +116,7 @@ help:
 	@echo ""
 	@echo "Specific targets:"
 	@echo "  fmt-go       - Format Go code only"
-	@echo "  fmt-prettier - Format documentation only" 
+	@echo "  fmt-prettier - Format documentation only"
 	@echo "  fmt-proto    - Format Protocol Buffer files only"
 	@echo "  lint-go      - Lint Go code only"
 	@echo "  lint-proto   - Lint Protocol Buffer files only"
@@ -126,4 +125,4 @@ help:
 	@echo "  check-deps   - Verify required tools are available"
 	@echo ""
 	@echo "Note: If not running in a nix shell, ensure dependencies are available:"
-	@echo "  nix develop"
+	@echo "  nix develop"
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-![headscale logo](./docs/logo/headscale3_header_stacked_left.png)
+![headscale logo](./docs/assets/logo/headscale3_header_stacked_left.png)

 ![ci](https://github.com/juanfont/headscale/actions/workflows/test.yml/badge.svg)

@@ -63,6 +63,8 @@ and container to run Headscale.**

 Please have a look at the [`documentation`](https://headscale.net/stable/).

+For NixOS users, a module is available in [`nix/`](./nix/).
+
 ## Talks

 - Fosdem 2023 (video): [Headscale: How we are using integration testing to reimplement Tailscale](https://fosdem.org/2023/schedule/event/goheadscale/)
@@ -147,6 +149,7 @@ make build
 We recommend using Nix for dependency management to ensure you have all required tools. If you prefer to manage dependencies yourself, you can use Make directly:

 **With Nix (recommended):**
+
 ```shell
 nix develop
 make test
@@ -154,6 +157,7 @@ make build
 ```

 **With your own dependencies:**
+
 ```shell
 make test
 make build
--- a/cmd/headscale/cli/debug.go
+++ b/cmd/headscale/cli/debug.go
@@ -10,10 +10,6 @@ import (
 	"google.golang.org/grpc/status"
 )

-const (
-	errPreAuthKeyMalformed = Error("key is malformed. expected 64 hex characters with `nodekey` prefix")
-)
-
 // Error is used to compare errors as per https://dave.cheney.net/2016/04/07/constant-errors
 type Error string

--- a/cmd/headscale/cli/health.go
+++ b/cmd/headscale/cli/health.go
@@ -0,0 +1,29 @@
+package cli
+
+import (
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	rootCmd.AddCommand(healthCmd)
+}
+
+var healthCmd = &cobra.Command{
+	Use:   "health",
+	Short: "Check the health of the Headscale server",
+	Long:  "Check the health of the Headscale server. This command will return an exit code of 0 if the server is healthy, or 1 if it is not.",
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		response, err := client.Health(ctx, &v1.HealthRequest{})
+		if err != nil {
+			ErrorOutput(err, "Error checking health", output)
+		}
+
+		SuccessOutput(response, "", output)
+	},
+}
--- a/cmd/headscale/cli/nodes.go
+++ b/cmd/headscale/cli/nodes.go
@@ -15,6 +15,7 @@ import (
 	"github.com/samber/lo"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
 	"tailscale.com/types/key"
 )

@@ -51,6 +52,7 @@ func init() {
 	nodeCmd.AddCommand(registerNodeCmd)

 	expireNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+	expireNodeCmd.Flags().StringP("expiry", "e", "", "Set expire to (RFC3339 format, e.g. 2025-08-27T10:00:00Z), or leave empty to expire immediately.")
 	err = expireNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
 		log.Fatal(err.Error())
@@ -71,26 +73,6 @@ func init() {
 	}
 	nodeCmd.AddCommand(deleteNodeCmd)

-	moveNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
-
-	err = moveNodeCmd.MarkFlagRequired("identifier")
-	if err != nil {
-		log.Fatal(err.Error())
-	}
-
-	moveNodeCmd.Flags().Uint64P("user", "u", 0, "New user")
-
-	moveNodeCmd.Flags().StringP("namespace", "n", "", "User")
-	moveNodeNamespaceFlag := moveNodeCmd.Flags().Lookup("namespace")
-	moveNodeNamespaceFlag.Deprecated = deprecateNamespaceMessage
-	moveNodeNamespaceFlag.Hidden = true
-
-	err = moveNodeCmd.MarkFlagRequired("user")
-	if err != nil {
-		log.Fatal(err.Error())
-	}
-	nodeCmd.AddCommand(moveNodeCmd)
-
 	tagCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
 	tagCmd.MarkFlagRequired("identifier")
 	tagCmd.Flags().StringSliceP("tags", "t", []string{}, "List of tags to add to the node")
@@ -238,10 +220,6 @@ var listNodeRoutesCmd = &cobra.Command{
 			)
 		}

-		if output != "" {
-			SuccessOutput(response.GetNodes(), "", output)
-		}
-
 		nodes := response.GetNodes()
 		if identifier != 0 {
 			for _, node := range response.GetNodes() {
@@ -256,6 +234,11 @@ var listNodeRoutesCmd = &cobra.Command{
 			return (n.GetSubnetRoutes() != nil && len(n.GetSubnetRoutes()) > 0) || (n.GetApprovedRoutes() != nil && len(n.GetApprovedRoutes()) > 0) || (n.GetAvailableRoutes() != nil && len(n.GetAvailableRoutes()) > 0)
 		})

+		if output != "" {
+			SuccessOutput(nodes, "", output)
+			return
+		}
+
 		tableData, err := nodeRoutesToPtables(nodes)
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)
@@ -289,12 +272,37 @@ var expireNodeCmd = &cobra.Command{
 			)
 		}

+		expiry, err := cmd.Flags().GetString("expiry")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error converting expiry to string: %s", err),
+				output,
+			)
+
+			return
+		}
+		expiryTime := time.Now()
+		if expiry != "" {
+			expiryTime, err = time.Parse(time.RFC3339, expiry)
+			if err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf("Error converting expiry to string: %s", err),
+					output,
+				)
+
+				return
+			}
+		}
+
 		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

 		request := &v1.ExpireNodeRequest{
 			NodeId: identifier,
+			Expiry: timestamppb.New(expiryTime),
 		}

 		response, err := client.ExpireNode(ctx, request)
@@ -428,66 +436,6 @@ var deleteNodeCmd = &cobra.Command{
 	},
 }

-var moveNodeCmd = &cobra.Command{
-	Use:     "move",
-	Short:   "Move node to another user",
-	Aliases: []string{"mv"},
-	Run: func(cmd *cobra.Command, args []string) {
-		output, _ := cmd.Flags().GetString("output")
-
-		identifier, err := cmd.Flags().GetUint64("identifier")
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error converting ID to integer: %s", err),
-				output,
-			)
-		}
-
-		user, err := cmd.Flags().GetUint64("user")
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error getting user: %s", err),
-				output,
-			)
-		}
-
-		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
-		defer cancel()
-		defer conn.Close()
-
-		getRequest := &v1.GetNodeRequest{
-			NodeId: identifier,
-		}
-
-		_, err = client.GetNode(ctx, getRequest)
-		if err != nil {
-			ErrorOutput(
-				err,
-				"Error getting node: "+status.Convert(err).Message(),
-				output,
-			)
-		}
-
-		moveRequest := &v1.MoveNodeRequest{
-			NodeId: identifier,
-			User:   user,
-		}
-
-		moveResponse, err := client.MoveNode(ctx, moveRequest)
-		if err != nil {
-			ErrorOutput(
-				err,
-				"Error moving node: "+status.Convert(err).Message(),
-				output,
-			)
-		}
-
-		SuccessOutput(moveResponse.GetNode(), "Node moved to another user", output)
-	},
-}
-
 var backfillNodeIPsCmd = &cobra.Command{
 	Use:   "backfillips",
 	Short: "Backfill IPs missing from nodes",
@@ -614,23 +562,26 @@ func nodesToPtables(

 		var forcedTags string
 		for _, tag := range node.GetForcedTags() {
-			forcedTags += "," + tag
+			forcedTags += "\n" + tag
 		}
-		forcedTags = strings.TrimLeft(forcedTags, ",")
+
+		forcedTags = strings.TrimLeft(forcedTags, "\n")
 		var invalidTags string
 		for _, tag := range node.GetInvalidTags() {
 			if !slices.Contains(node.GetForcedTags(), tag) {
-				invalidTags += "," + pterm.LightRed(tag)
+				invalidTags += "\n" + pterm.LightRed(tag)
 			}
 		}
-		invalidTags = strings.TrimLeft(invalidTags, ",")
+
+		invalidTags = strings.TrimLeft(invalidTags, "\n")
 		var validTags string
 		for _, tag := range node.GetValidTags() {
 			if !slices.Contains(node.GetForcedTags(), tag) {
-				validTags += "," + pterm.LightGreen(tag)
+				validTags += "\n" + pterm.LightGreen(tag)
 			}
 		}
-		validTags = strings.TrimLeft(validTags, ",")
+
+		validTags = strings.TrimLeft(validTags, "\n")

 		var user string
 		if currentUser == "" || (currentUser == node.GetUser().GetName()) {
@@ -692,9 +643,9 @@ func nodeRoutesToPtables(
 		nodeData := []string{
 			strconv.FormatUint(node.GetId(), util.Base10),
 			node.GetGivenName(),
-			strings.Join(node.GetApprovedRoutes(), ", "),
-			strings.Join(node.GetAvailableRoutes(), ", "),
-			strings.Join(node.GetSubnetRoutes(), ", "),
+			strings.Join(node.GetApprovedRoutes(), "\n"),
+			strings.Join(node.GetAvailableRoutes(), "\n"),
+			strings.Join(node.GetSubnetRoutes(), "\n"),
 		}
 		tableData = append(
 			tableData,
--- a/cmd/headscale/cli/policy.go
+++ b/cmd/headscale/cli/policy.go
@@ -127,12 +127,6 @@ var setPolicy = &cobra.Command{
 			ErrorOutput(err, fmt.Sprintf("Error reading the policy file: %s", err), output)
 		}

-		_, err = policy.NewPolicyManager(policyBytes, nil, views.Slice[types.NodeView]{})
-		if err != nil {
-			ErrorOutput(err, fmt.Sprintf("Error parsing the policy file: %s", err), output)
-			return
-		}
-
 		if bypass, _ := cmd.Flags().GetBool(bypassFlag); bypass {
 			confirm := false
 			force, _ := cmd.Flags().GetBool("force")
@@ -159,6 +153,17 @@ var setPolicy = &cobra.Command{
 				ErrorOutput(err, fmt.Sprintf("Failed to open database: %s", err), output)
 			}

+			users, err := d.ListUsers()
+			if err != nil {
+				ErrorOutput(err, fmt.Sprintf("Failed to load users for policy validation: %s", err), output)
+			}
+
+			_, err = policy.NewPolicyManager(policyBytes, users, views.Slice[types.NodeView]{})
+			if err != nil {
+				ErrorOutput(err, fmt.Sprintf("Error parsing the policy file: %s", err), output)
+				return
+			}
+
 			_, err = d.SetPolicy(string(policyBytes))
 			if err != nil {
 				ErrorOutput(err, fmt.Sprintf("Failed to set ACL Policy: %s", err), output)
--- a/cmd/headscale/cli/preauthkeys.go
+++ b/cmd/headscale/cli/preauthkeys.go
@@ -34,6 +34,7 @@ func init() {
 	preauthkeysCmd.AddCommand(listPreAuthKeys)
 	preauthkeysCmd.AddCommand(createPreAuthKeyCmd)
 	preauthkeysCmd.AddCommand(expirePreAuthKeyCmd)
+	preauthkeysCmd.AddCommand(deletePreAuthKeyCmd)
 	createPreAuthKeyCmd.PersistentFlags().
 		Bool("reusable", false, "Make the preauthkey reusable")
 	createPreAuthKeyCmd.PersistentFlags().
@@ -88,7 +89,7 @@ var listPreAuthKeys = &cobra.Command{
 		tableData := pterm.TableData{
 			{
 				"ID",
-				"Key",
+				"Key/Prefix",
 				"Reusable",
 				"Ephemeral",
 				"Used",
@@ -106,10 +107,10 @@ var listPreAuthKeys = &cobra.Command{
 			aclTags := ""

 			for _, tag := range key.GetAclTags() {
-				aclTags += "," + tag
+				aclTags += "\n" + tag
 			}

-			aclTags = strings.TrimLeft(aclTags, ",")
+			aclTags = strings.TrimLeft(aclTags, "\n")

 			tableData = append(tableData, []string{
 				strconv.FormatUint(key.GetId(), 10),
@@ -232,3 +233,43 @@ var expirePreAuthKeyCmd = &cobra.Command{
 		SuccessOutput(response, "Key expired", output)
 	},
 }
+
+var deletePreAuthKeyCmd = &cobra.Command{
+	Use:     "delete KEY",
+	Short:   "Delete a preauthkey",
+	Aliases: []string{"del", "rm", "d"},
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 {
+			return errMissingParameter
+		}
+
+		return nil
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		user, err := cmd.Flags().GetUint64("user")
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
+		}
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.DeletePreAuthKeyRequest{
+			User: user,
+			Key:  args[0],
+		}
+
+		response, err := client.DeletePreAuthKey(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot delete Pre Auth Key: %s\n", err),
+				output,
+			)
+		}
+
+		SuccessOutput(response, "Key deleted", output)
+	},
+}
--- a/cmd/headscale/cli/root.go
+++ b/cmd/headscale/cli/root.go
@@ -5,6 +5,7 @@ import (
 	"os"
 	"runtime"
 	"slices"
+	"strings"

 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog"
@@ -75,8 +76,9 @@ func initConfig() {
 		if (runtime.GOOS == "linux" || runtime.GOOS == "darwin") &&
 			!versionInfo.Dirty {
 			githubTag := &latest.GithubTag{
-				Owner:      "juanfont",
-				Repository: "headscale",
+				Owner:         "juanfont",
+				Repository:    "headscale",
+				TagFilterFunc: filterPreReleasesIfStable(func() string { return versionInfo.Version }),
 			}
 			res, err := latest.Check(githubTag, versionInfo.Version)
 			if err == nil && res.Outdated {
@@ -91,6 +93,43 @@ func initConfig() {
 	}
 }

+var prereleases = []string{"alpha", "beta", "rc", "dev"}
+
+func isPreReleaseVersion(version string) bool {
+	for _, unstable := range prereleases {
+		if strings.Contains(version, unstable) {
+			return true
+		}
+	}
+	return false
+}
+
+// filterPreReleasesIfStable returns a function that filters out
+// pre-release tags if the current version is stable.
+// If the current version is a pre-release, it does not filter anything.
+// versionFunc is a function that returns the current version string, it is
+// a func for testability.
+func filterPreReleasesIfStable(versionFunc func() string) func(string) bool {
+	return func(tag string) bool {
+		version := versionFunc()
+
+		// If we are on a pre-release version, then we do not filter anything
+		// as we want to recommend the user the latest pre-release.
+		if isPreReleaseVersion(version) {
+			return false
+		}
+
+		// If we are on a stable release, filter out pre-releases.
+		for _, ignore := range prereleases {
+			if strings.Contains(tag, ignore) {
+				return true
+			}
+		}
+
+		return false
+	}
+}
+
 var rootCmd = &cobra.Command{
 	Use:   "headscale",
 	Short: "headscale - a Tailscale control server",
--- a/cmd/headscale/cli/root_test.go
+++ b/cmd/headscale/cli/root_test.go
@@ -0,0 +1,293 @@
+package cli
+
+import (
+	"testing"
+)
+
+func TestFilterPreReleasesIfStable(t *testing.T) {
+	tests := []struct {
+		name           string
+		currentVersion string
+		tag            string
+		expectedFilter bool
+		description    string
+	}{
+		{
+			name:           "stable version filters alpha tag",
+			currentVersion: "0.23.0",
+			tag:            "v0.24.0-alpha.1",
+			expectedFilter: true,
+			description:    "When on stable release, alpha tags should be filtered",
+		},
+		{
+			name:           "stable version filters beta tag",
+			currentVersion: "0.23.0",
+			tag:            "v0.24.0-beta.2",
+			expectedFilter: true,
+			description:    "When on stable release, beta tags should be filtered",
+		},
+		{
+			name:           "stable version filters rc tag",
+			currentVersion: "0.23.0",
+			tag:            "v0.24.0-rc.1",
+			expectedFilter: true,
+			description:    "When on stable release, rc tags should be filtered",
+		},
+		{
+			name:           "stable version allows stable tag",
+			currentVersion: "0.23.0",
+			tag:            "v0.24.0",
+			expectedFilter: false,
+			description:    "When on stable release, stable tags should not be filtered",
+		},
+		{
+			name:           "alpha version allows alpha tag",
+			currentVersion: "0.23.0-alpha.1",
+			tag:            "v0.24.0-alpha.2",
+			expectedFilter: false,
+			description:    "When on alpha release, alpha tags should not be filtered",
+		},
+		{
+			name:           "alpha version allows beta tag",
+			currentVersion: "0.23.0-alpha.1",
+			tag:            "v0.24.0-beta.1",
+			expectedFilter: false,
+			description:    "When on alpha release, beta tags should not be filtered",
+		},
+		{
+			name:           "alpha version allows rc tag",
+			currentVersion: "0.23.0-alpha.1",
+			tag:            "v0.24.0-rc.1",
+			expectedFilter: false,
+			description:    "When on alpha release, rc tags should not be filtered",
+		},
+		{
+			name:           "alpha version allows stable tag",
+			currentVersion: "0.23.0-alpha.1",
+			tag:            "v0.24.0",
+			expectedFilter: false,
+			description:    "When on alpha release, stable tags should not be filtered",
+		},
+		{
+			name:           "beta version allows alpha tag",
+			currentVersion: "0.23.0-beta.1",
+			tag:            "v0.24.0-alpha.1",
+			expectedFilter: false,
+			description:    "When on beta release, alpha tags should not be filtered",
+		},
+		{
+			name:           "beta version allows beta tag",
+			currentVersion: "0.23.0-beta.2",
+			tag:            "v0.24.0-beta.3",
+			expectedFilter: false,
+			description:    "When on beta release, beta tags should not be filtered",
+		},
+		{
+			name:           "beta version allows rc tag",
+			currentVersion: "0.23.0-beta.1",
+			tag:            "v0.24.0-rc.1",
+			expectedFilter: false,
+			description:    "When on beta release, rc tags should not be filtered",
+		},
+		{
+			name:           "beta version allows stable tag",
+			currentVersion: "0.23.0-beta.1",
+			tag:            "v0.24.0",
+			expectedFilter: false,
+			description:    "When on beta release, stable tags should not be filtered",
+		},
+		{
+			name:           "rc version allows alpha tag",
+			currentVersion: "0.23.0-rc.1",
+			tag:            "v0.24.0-alpha.1",
+			expectedFilter: false,
+			description:    "When on rc release, alpha tags should not be filtered",
+		},
+		{
+			name:           "rc version allows beta tag",
+			currentVersion: "0.23.0-rc.1",
+			tag:            "v0.24.0-beta.1",
+			expectedFilter: false,
+			description:    "When on rc release, beta tags should not be filtered",
+		},
+		{
+			name:           "rc version allows rc tag",
+			currentVersion: "0.23.0-rc.2",
+			tag:            "v0.24.0-rc.3",
+			expectedFilter: false,
+			description:    "When on rc release, rc tags should not be filtered",
+		},
+		{
+			name:           "rc version allows stable tag",
+			currentVersion: "0.23.0-rc.1",
+			tag:            "v0.24.0",
+			expectedFilter: false,
+			description:    "When on rc release, stable tags should not be filtered",
+		},
+		{
+			name:           "stable version with patch filters alpha",
+			currentVersion: "0.23.1",
+			tag:            "v0.24.0-alpha.1",
+			expectedFilter: true,
+			description:    "Stable version with patch number should filter alpha tags",
+		},
+		{
+			name:           "stable version with patch allows stable",
+			currentVersion: "0.23.1",
+			tag:            "v0.24.0",
+			expectedFilter: false,
+			description:    "Stable version with patch number should allow stable tags",
+		},
+		{
+			name:           "tag with alpha substring in version number",
+			currentVersion: "0.23.0",
+			tag:            "v1.0.0-alpha.1",
+			expectedFilter: true,
+			description:    "Tags with alpha in version string should be filtered on stable",
+		},
+		{
+			name:           "tag with beta substring in version number",
+			currentVersion: "0.23.0",
+			tag:            "v1.0.0-beta.1",
+			expectedFilter: true,
+			description:    "Tags with beta in version string should be filtered on stable",
+		},
+		{
+			name:           "tag with rc substring in version number",
+			currentVersion: "0.23.0",
+			tag:            "v1.0.0-rc.1",
+			expectedFilter: true,
+			description:    "Tags with rc in version string should be filtered on stable",
+		},
+		{
+			name:           "empty tag on stable version",
+			currentVersion: "0.23.0",
+			tag:            "",
+			expectedFilter: false,
+			description:    "Empty tags should not be filtered",
+		},
+		{
+			name:           "dev version allows all tags",
+			currentVersion: "0.23.0-dev",
+			tag:            "v0.24.0-alpha.1",
+			expectedFilter: false,
+			description:    "Dev versions should not filter any tags (pre-release allows all)",
+		},
+		{
+			name:           "stable version filters dev tag",
+			currentVersion: "0.23.0",
+			tag:            "v0.24.0-dev",
+			expectedFilter: true,
+			description:    "When on stable release, dev tags should be filtered",
+		},
+		{
+			name:           "dev version allows dev tag",
+			currentVersion: "0.23.0-dev",
+			tag:            "v0.24.0-dev.1",
+			expectedFilter: false,
+			description:    "When on dev release, dev tags should not be filtered",
+		},
+		{
+			name:           "dev version allows stable tag",
+			currentVersion: "0.23.0-dev",
+			tag:            "v0.24.0",
+			expectedFilter: false,
+			description:    "When on dev release, stable tags should not be filtered",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := filterPreReleasesIfStable(func() string { return tt.currentVersion })(tt.tag)
+			if result != tt.expectedFilter {
+				t.Errorf("%s: got %v, want %v\nDescription: %s\nCurrent version: %s, Tag: %s",
+					tt.name,
+					result,
+					tt.expectedFilter,
+					tt.description,
+					tt.currentVersion,
+					tt.tag,
+				)
+			}
+		})
+	}
+}
+
+func TestIsPreReleaseVersion(t *testing.T) {
+	tests := []struct {
+		name        string
+		version     string
+		expected    bool
+		description string
+	}{
+		{
+			name:        "stable version",
+			version:     "0.23.0",
+			expected:    false,
+			description: "Stable version should not be pre-release",
+		},
+		{
+			name:        "alpha version",
+			version:     "0.23.0-alpha.1",
+			expected:    true,
+			description: "Alpha version should be pre-release",
+		},
+		{
+			name:        "beta version",
+			version:     "0.23.0-beta.1",
+			expected:    true,
+			description: "Beta version should be pre-release",
+		},
+		{
+			name:        "rc version",
+			version:     "0.23.0-rc.1",
+			expected:    true,
+			description: "RC version should be pre-release",
+		},
+		{
+			name:        "version with alpha substring",
+			version:     "0.23.0-alphabetical",
+			expected:    true,
+			description: "Version containing 'alpha' should be pre-release",
+		},
+		{
+			name:        "version with beta substring",
+			version:     "0.23.0-betamax",
+			expected:    true,
+			description: "Version containing 'beta' should be pre-release",
+		},
+		{
+			name:        "dev version",
+			version:     "0.23.0-dev",
+			expected:    true,
+			description: "Dev version should be pre-release",
+		},
+		{
+			name:        "empty version",
+			version:     "",
+			expected:    false,
+			description: "Empty version should not be pre-release",
+		},
+		{
+			name:        "version with patch number",
+			version:     "0.23.1",
+			expected:    false,
+			description: "Stable version with patch should not be pre-release",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := isPreReleaseVersion(tt.version)
+			if result != tt.expected {
+				t.Errorf("%s: got %v, want %v\nDescription: %s\nVersion: %s",
+					tt.name,
+					result,
+					tt.expected,
+					tt.description,
+					tt.version,
+				)
+			}
+		})
+	}
+}
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@@ -130,7 +130,7 @@ func newHeadscaleCLIWithConfig() (context.Context, v1.HeadscaleServiceClient, *g
 	return ctx, client, conn, cancel
 }

-func output(result interface{}, override string, outputFormat string) string {
+func output(result any, override string, outputFormat string) string {
 	var jsonBytes []byte
 	var err error
 	switch outputFormat {
@@ -158,7 +158,7 @@ func output(result interface{}, override string, outputFormat string) string {
 }

 // SuccessOutput prints the result to stdout and exits with status code 0.
-func SuccessOutput(result interface{}, override string, outputFormat string) {
+func SuccessOutput(result any, override string, outputFormat string) {
 	fmt.Println(output(result, override, outputFormat))
 	os.Exit(0)
 }
--- a/cmd/hi/README.md
+++ b/cmd/hi/README.md
@@ -0,0 +1,6 @@
+# hi
+
+hi (headscale integration runner) is an entirely "vibe coded" wrapper around our
+[integration test suite](../integration). It essentially runs the docker
+commands for you with some added benefits of extracting resources like logs and
+databases.
--- a/cmd/hi/cleanup.go
+++ b/cmd/hi/cleanup.go
@@ -3,9 +3,13 @@ package main
 import (
 	"context"
 	"fmt"
+	"log"
+	"os"
+	"path/filepath"
 	"strings"
 	"time"

+	"github.com/cenkalti/backoff/v5"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/image"
@@ -83,30 +87,28 @@ func killTestContainers(ctx context.Context) error {
 	return nil
 }

+const (
+	containerRemoveInitialInterval = 100 * time.Millisecond
+	containerRemoveMaxElapsedTime  = 2 * time.Second
+)
+
 // removeContainerWithRetry attempts to remove a container with exponential backoff retry logic.
 func removeContainerWithRetry(ctx context.Context, cli *client.Client, containerID string) bool {
-	maxRetries := 3
-	baseDelay := 100 * time.Millisecond
+	expBackoff := backoff.NewExponentialBackOff()
+	expBackoff.InitialInterval = containerRemoveInitialInterval

-	for attempt := range maxRetries {
+	_, err := backoff.Retry(ctx, func() (struct{}, error) {
 		err := cli.ContainerRemove(ctx, containerID, container.RemoveOptions{
 			Force: true,
 		})
-		if err == nil {
-			return true
+		if err != nil {
+			return struct{}{}, err
 		}

-		// If this is the last attempt, don't wait
-		if attempt == maxRetries-1 {
-			break
-		}
+		return struct{}{}, nil
+	}, backoff.WithBackOff(expBackoff), backoff.WithMaxElapsedTime(containerRemoveMaxElapsedTime))

-		// Wait with exponential backoff
-		delay := baseDelay * time.Duration(1<<attempt)
-		time.Sleep(delay)
-	}
-
-	return false
+	return err == nil
 }

 // pruneDockerNetworks removes unused Docker networks.
@@ -205,3 +207,110 @@ func cleanCacheVolume(ctx context.Context) error {

 	return nil
 }
+
+// cleanupSuccessfulTestArtifacts removes artifacts from successful test runs to save disk space.
+// This function removes large artifacts that are mainly useful for debugging failures:
+// - Database dumps (.db files)
+// - Profile data (pprof directories)
+// - MapResponse data (mapresponses directories)
+// - Prometheus metrics files
+//
+// It preserves:
+// - Log files (.log) which are small and useful for verification.
+func cleanupSuccessfulTestArtifacts(logsDir string, verbose bool) error {
+	entries, err := os.ReadDir(logsDir)
+	if err != nil {
+		return fmt.Errorf("failed to read logs directory: %w", err)
+	}
+
+	var (
+		removedFiles, removedDirs int
+		totalSize                 int64
+	)
+
+	for _, entry := range entries {
+		name := entry.Name()
+		fullPath := filepath.Join(logsDir, name)
+
+		if entry.IsDir() {
+			// Remove pprof and mapresponses directories (typically large)
+			// These directories contain artifacts from all containers in the test run
+			if name == "pprof" || name == "mapresponses" {
+				size, sizeErr := getDirSize(fullPath)
+				if sizeErr == nil {
+					totalSize += size
+				}
+
+				err := os.RemoveAll(fullPath)
+				if err != nil {
+					if verbose {
+						log.Printf("Warning: failed to remove directory %s: %v", name, err)
+					}
+				} else {
+					removedDirs++
+
+					if verbose {
+						log.Printf("Removed directory: %s/", name)
+					}
+				}
+			}
+		} else {
+			// Only process test-related files (headscale and tailscale)
+			if !strings.HasPrefix(name, "hs-") && !strings.HasPrefix(name, "ts-") {
+				continue
+			}
+
+			// Remove database, metrics, and status files, but keep logs
+			shouldRemove := strings.HasSuffix(name, ".db") ||
+				strings.HasSuffix(name, "_metrics.txt") ||
+				strings.HasSuffix(name, "_status.json")
+
+			if shouldRemove {
+				info, infoErr := entry.Info()
+				if infoErr == nil {
+					totalSize += info.Size()
+				}
+
+				err := os.Remove(fullPath)
+				if err != nil {
+					if verbose {
+						log.Printf("Warning: failed to remove file %s: %v", name, err)
+					}
+				} else {
+					removedFiles++
+
+					if verbose {
+						log.Printf("Removed file: %s", name)
+					}
+				}
+			}
+		}
+	}
+
+	if removedFiles > 0 || removedDirs > 0 {
+		const bytesPerMB = 1024 * 1024
+		log.Printf("Cleaned up %d files and %d directories (freed ~%.2f MB)",
+			removedFiles, removedDirs, float64(totalSize)/bytesPerMB)
+	}
+
+	return nil
+}
+
+// getDirSize calculates the total size of a directory.
+func getDirSize(path string) (int64, error) {
+	var size int64
+
+	err := filepath.Walk(path, func(_ string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if !info.IsDir() {
+			size += info.Size()
+		}
+
+		return nil
+	})
+
+	return size, err
+}
--- a/cmd/hi/docker.go
+++ b/cmd/hi/docker.go
@@ -26,8 +26,93 @@ var (
 	ErrTestFailed              = errors.New("test failed")
 	ErrUnexpectedContainerWait = errors.New("unexpected end of container wait")
 	ErrNoDockerContext         = errors.New("no docker context found")
+	ErrAnotherRunInProgress    = errors.New("another integration test run is already in progress")
 )

+// RunningTestInfo contains information about a currently running integration test.
+type RunningTestInfo struct {
+	RunID         string
+	ContainerID   string
+	ContainerName string
+	StartTime     time.Time
+	Duration      time.Duration
+	TestPattern   string
+}
+
+// ErrNoRunningTests indicates that no integration test is currently running.
+var ErrNoRunningTests = errors.New("no running tests found")
+
+// checkForRunningTests checks if there's already an integration test running.
+// Returns ErrNoRunningTests if no test is running, or RunningTestInfo with details about the running test.
+func checkForRunningTests(ctx context.Context) (*RunningTestInfo, error) {
+	cli, err := createDockerClient()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create Docker client: %w", err)
+	}
+	defer cli.Close()
+
+	// List all running containers
+	containers, err := cli.ContainerList(ctx, container.ListOptions{
+		All: false, // Only running containers
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to list containers: %w", err)
+	}
+
+	// Look for containers with hi.test-type=test-runner label
+	for _, cont := range containers {
+		if cont.Labels != nil && cont.Labels["hi.test-type"] == "test-runner" {
+			// Found a running test runner container
+			runID := cont.Labels["hi.run-id"]
+
+			containerName := ""
+			for _, name := range cont.Names {
+				containerName = strings.TrimPrefix(name, "/")
+
+				break
+			}
+
+			// Get more details via inspection
+			inspect, err := cli.ContainerInspect(ctx, cont.ID)
+			if err != nil {
+				// Return basic info if inspection fails
+				return &RunningTestInfo{
+					RunID:         runID,
+					ContainerID:   cont.ID,
+					ContainerName: containerName,
+				}, nil
+			}
+
+			startTime, _ := time.Parse(time.RFC3339Nano, inspect.State.StartedAt)
+			duration := time.Since(startTime)
+
+			// Try to extract test pattern from command
+			testPattern := ""
+
+			if len(inspect.Config.Cmd) > 0 {
+				for i, arg := range inspect.Config.Cmd {
+					if arg == "-run" && i+1 < len(inspect.Config.Cmd) {
+						testPattern = inspect.Config.Cmd[i+1]
+
+						break
+					}
+				}
+			}
+
+			return &RunningTestInfo{
+				RunID:         runID,
+				ContainerID:   cont.ID,
+				ContainerName: containerName,
+				StartTime:     startTime,
+				Duration:      duration,
+				TestPattern:   testPattern,
+			}, nil
+		}
+	}
+
+	return nil, ErrNoRunningTests
+}
+
 // runTestContainer executes integration tests in a Docker container.
 func runTestContainer(ctx context.Context, config *RunConfig) error {
 	cli, err := createDockerClient()
@@ -154,6 +239,19 @@ func runTestContainer(ctx context.Context, config *RunConfig) error {
 		if cleanErr := cleanupAfterTest(ctx, cli, resp.ID); cleanErr != nil && config.Verbose {
 			log.Printf("Warning: post-test cleanup failed: %v", cleanErr)
 		}
+
+		// Clean up artifacts from successful tests to save disk space in CI
+		if exitCode == 0 {
+			if config.Verbose {
+				log.Printf("Test succeeded, cleaning up artifacts to save disk space...")
+			}
+
+			cleanErr := cleanupSuccessfulTestArtifacts(logsDir, config.Verbose)
+
+			if cleanErr != nil && config.Verbose {
+				log.Printf("Warning: artifact cleanup failed: %v", cleanErr)
+			}
+		}
 	}

 	if err != nil {
@@ -202,6 +300,28 @@ func createGoTestContainer(ctx context.Context, cli *client.Client, config *RunC
 		fmt.Sprintf("HEADSCALE_INTEGRATION_POSTGRES=%d", boolToInt(config.UsePostgres)),
 		"HEADSCALE_INTEGRATION_RUN_ID=" + runID,
 	}
+
+	// Pass through CI environment variable for CI detection
+	if ci := os.Getenv("CI"); ci != "" {
+		env = append(env, "CI="+ci)
+	}
+
+	// Pass through all HEADSCALE_INTEGRATION_* environment variables
+	for _, e := range os.Environ() {
+		if strings.HasPrefix(e, "HEADSCALE_INTEGRATION_") {
+			// Skip the ones we already set explicitly
+			if strings.HasPrefix(e, "HEADSCALE_INTEGRATION_POSTGRES=") ||
+				strings.HasPrefix(e, "HEADSCALE_INTEGRATION_RUN_ID=") {
+				continue
+			}
+
+			env = append(env, e)
+		}
+	}
+
+	// Set GOCACHE to a known location (used by both bind mount and volume cases)
+	env = append(env, "GOCACHE=/cache/go-build")
+
 	containerConfig := &container.Config{
 		Image:      "golang:" + config.GoVersion,
 		Cmd:        goTestCmd,
@@ -221,20 +341,43 @@ func createGoTestContainer(ctx context.Context, cli *client.Client, config *RunC
 		log.Printf("Using Docker socket: %s", dockerSocketPath)
 	}

+	binds := []string{
+		fmt.Sprintf("%s:%s", projectRoot, projectRoot),
+		dockerSocketPath + ":/var/run/docker.sock",
+		logsDir + ":/tmp/control",
+	}
+
+	// Use bind mounts for Go cache if provided via environment variables,
+	// otherwise fall back to Docker volumes for local development
+	var mounts []mount.Mount
+
+	goCache := os.Getenv("HEADSCALE_INTEGRATION_GO_CACHE")
+	goBuildCache := os.Getenv("HEADSCALE_INTEGRATION_GO_BUILD_CACHE")
+
+	if goCache != "" {
+		binds = append(binds, goCache+":/go")
+	} else {
+		mounts = append(mounts, mount.Mount{
+			Type:   mount.TypeVolume,
+			Source: "hs-integration-go-cache",
+			Target: "/go",
+		})
+	}
+
+	if goBuildCache != "" {
+		binds = append(binds, goBuildCache+":/cache/go-build")
+	} else {
+		mounts = append(mounts, mount.Mount{
+			Type:   mount.TypeVolume,
+			Source: "hs-integration-go-build-cache",
+			Target: "/cache/go-build",
+		})
+	}
+
 	hostConfig := &container.HostConfig{
 		AutoRemove: false, // We'll remove manually for better control
-		Binds: []string{
-			fmt.Sprintf("%s:%s", projectRoot, projectRoot),
-			dockerSocketPath + ":/var/run/docker.sock",
-			logsDir + ":/tmp/control",
-		},
-		Mounts: []mount.Mount{
-			{
-				Type:   mount.TypeVolume,
-				Source: "hs-integration-go-cache",
-				Target: "/go",
-			},
-		},
+		Binds:      binds,
+		Mounts:     mounts,
 	}

 	return cli.ContainerCreate(ctx, containerConfig, hostConfig, nil, nil, containerName)
@@ -357,10 +500,10 @@ func boolToInt(b bool) int {

 // DockerContext represents Docker context information.
 type DockerContext struct {
-	Name      string                 `json:"Name"`
-	Metadata  map[string]interface{} `json:"Metadata"`
-	Endpoints map[string]interface{} `json:"Endpoints"`
-	Current   bool                   `json:"Current"`
+	Name      string         `json:"Name"`
+	Metadata  map[string]any `json:"Metadata"`
+	Endpoints map[string]any `json:"Endpoints"`
+	Current   bool           `json:"Current"`
 }

 // createDockerClient creates a Docker client with context detection.
@@ -375,7 +518,7 @@ func createDockerClient() (*client.Client, error) {

 	if contextInfo != nil {
 		if endpoints, ok := contextInfo.Endpoints["docker"]; ok {
-			if endpointMap, ok := endpoints.(map[string]interface{}); ok {
+			if endpointMap, ok := endpoints.(map[string]any); ok {
 				if host, ok := endpointMap["Host"].(string); ok {
 					if runConfig.Verbose {
 						log.Printf("Using Docker host from context '%s': %s", contextInfo.Name, host)
@@ -701,63 +844,3 @@ func extractContainerFiles(ctx context.Context, cli *client.Client, containerID,
 	// This function is kept for potential future use or other file types
 	return nil
 }
-
-// logExtractionError logs extraction errors with appropriate level based on error type.
-func logExtractionError(artifactType, containerName string, err error, verbose bool) {
-	if errors.Is(err, ErrFileNotFoundInTar) {
-		// File not found is expected and only logged in verbose mode
-		if verbose {
-			log.Printf("No %s found in container %s", artifactType, containerName)
-		}
-	} else {
-		// Other errors are actual failures and should be logged as warnings
-		log.Printf("Warning: failed to extract %s from %s: %v", artifactType, containerName, err)
-	}
-}
-
-// extractSingleFile copies a single file from a container.
-func extractSingleFile(ctx context.Context, cli *client.Client, containerID, sourcePath, fileName, logsDir string, verbose bool) error {
-	tarReader, _, err := cli.CopyFromContainer(ctx, containerID, sourcePath)
-	if err != nil {
-		return fmt.Errorf("failed to copy %s from container: %w", sourcePath, err)
-	}
-	defer tarReader.Close()
-
-	// Extract the single file from the tar
-	filePath := filepath.Join(logsDir, fileName)
-	if err := extractFileFromTar(tarReader, filepath.Base(sourcePath), filePath); err != nil {
-		return fmt.Errorf("failed to extract file from tar: %w", err)
-	}
-
-	if verbose {
-		log.Printf("Extracted %s from %s", fileName, containerID[:12])
-	}
-
-	return nil
-}
-
-// extractDirectory copies a directory from a container and extracts its contents.
-func extractDirectory(ctx context.Context, cli *client.Client, containerID, sourcePath, dirName, logsDir string, verbose bool) error {
-	tarReader, _, err := cli.CopyFromContainer(ctx, containerID, sourcePath)
-	if err != nil {
-		return fmt.Errorf("failed to copy %s from container: %w", sourcePath, err)
-	}
-	defer tarReader.Close()
-
-	// Create target directory
-	targetDir := filepath.Join(logsDir, dirName)
-	if err := os.MkdirAll(targetDir, 0o755); err != nil {
-		return fmt.Errorf("failed to create directory %s: %w", targetDir, err)
-	}
-
-	// Extract the directory from the tar
-	if err := extractDirectoryFromTar(tarReader, targetDir); err != nil {
-		return fmt.Errorf("failed to extract directory from tar: %w", err)
-	}
-
-	if verbose {
-		log.Printf("Extracted %s/ from %s", dirName, containerID[:12])
-	}
-
-	return nil
-}
--- a/cmd/hi/run.go
+++ b/cmd/hi/run.go
@@ -6,6 +6,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"

 	"github.com/creachadair/command"
@@ -13,6 +14,58 @@ import (

 var ErrTestPatternRequired = errors.New("test pattern is required as first argument or use --test flag")

+// formatRunningTestError creates a detailed error message about a running test.
+func formatRunningTestError(info *RunningTestInfo) error {
+	var msg strings.Builder
+	msg.WriteString("\n")
+	msg.WriteString("╔══════════════════════════════════════════════════════════════════╗\n")
+	msg.WriteString("║  Another integration test run is already in progress!            ║\n")
+	msg.WriteString("╚══════════════════════════════════════════════════════════════════╝\n")
+	msg.WriteString("\n")
+	msg.WriteString("Running test details:\n")
+	msg.WriteString(fmt.Sprintf("  Run ID:      %s\n", info.RunID))
+	msg.WriteString(fmt.Sprintf("  Container:   %s\n", info.ContainerName))
+
+	if info.TestPattern != "" {
+		msg.WriteString(fmt.Sprintf("  Test:        %s\n", info.TestPattern))
+	}
+
+	if !info.StartTime.IsZero() {
+		msg.WriteString(fmt.Sprintf("  Started:     %s\n", info.StartTime.Format("2006-01-02 15:04:05")))
+		msg.WriteString(fmt.Sprintf("  Running for: %s\n", formatDuration(info.Duration)))
+	}
+
+	msg.WriteString("\n")
+	msg.WriteString("Please wait for the current test to complete, or stop it with:\n")
+	msg.WriteString("  go run ./cmd/hi clean containers\n")
+	msg.WriteString("\n")
+	msg.WriteString("To monitor the running test:\n")
+	msg.WriteString(fmt.Sprintf("  docker logs -f %s\n", info.ContainerName))
+
+	return fmt.Errorf("%w\n%s", ErrAnotherRunInProgress, msg.String())
+}
+
+const secondsPerMinute = 60
+
+// formatDuration formats a duration in a human-readable way.
+func formatDuration(d time.Duration) string {
+	if d < time.Minute {
+		return fmt.Sprintf("%d seconds", int(d.Seconds()))
+	}
+
+	if d < time.Hour {
+		minutes := int(d.Minutes())
+		seconds := int(d.Seconds()) % secondsPerMinute
+
+		return fmt.Sprintf("%d minutes, %d seconds", minutes, seconds)
+	}
+
+	hours := int(d.Hours())
+	minutes := int(d.Minutes()) % secondsPerMinute
+
+	return fmt.Sprintf("%d hours, %d minutes", hours, minutes)
+}
+
 type RunConfig struct {
 	TestPattern   string        `flag:"test,Test pattern to run"`
 	Timeout       time.Duration `flag:"timeout,default=120m,Test timeout"`
@@ -27,6 +80,7 @@ type RunConfig struct {
 	Stats         bool          `flag:"stats,default=false,Collect and display container resource usage statistics"`
 	HSMemoryLimit float64       `flag:"hs-memory-limit,default=0,Fail test if any Headscale container exceeds this memory limit in MB (0 = disabled)"`
 	TSMemoryLimit float64       `flag:"ts-memory-limit,default=0,Fail test if any Tailscale container exceeds this memory limit in MB (0 = disabled)"`
+	Force         bool          `flag:"force,default=false,Kill any running test and start a new one"`
 }

 // runIntegrationTest executes the integration test workflow.
@@ -44,6 +98,23 @@ func runIntegrationTest(env *command.Env) error {
 		runConfig.GoVersion = detectGoVersion()
 	}

+	// Check if another test run is already in progress
+	runningTest, err := checkForRunningTests(env.Context())
+	if err != nil && !errors.Is(err, ErrNoRunningTests) {
+		log.Printf("Warning: failed to check for running tests: %v", err)
+	} else if runningTest != nil {
+		if runConfig.Force {
+			log.Printf("Force flag set, killing existing test run: %s", runningTest.RunID)
+
+			err = killTestContainers(env.Context())
+			if err != nil {
+				return fmt.Errorf("failed to kill existing test containers: %w", err)
+			}
+		} else {
+			return formatRunningTestError(runningTest)
+		}
+	}
+
 	// Run pre-flight checks
 	if runConfig.Verbose {
 		log.Printf("Running pre-flight system checks...")
@@ -74,7 +145,7 @@ func detectGoVersion() string {

 	content, err := os.ReadFile(goModPath)
 	if err != nil {
-		return "1.24"
+		return "1.25"
 	}

 	lines := splitLines(string(content))
@@ -89,7 +160,7 @@ func detectGoVersion() string {
 		}
 	}

-	return "1.24"
+	return "1.25"
 }

 // splitLines splits a string into lines without using strings.Split.
--- a/cmd/hi/tar_utils.go
+++ b/cmd/hi/tar_utils.go
@@ -1,105 +0,0 @@
-package main
-
-import (
-	"archive/tar"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strings"
-)
-
-// ErrFileNotFoundInTar indicates a file was not found in the tar archive.
-var ErrFileNotFoundInTar = errors.New("file not found in tar")
-
-// extractFileFromTar extracts a single file from a tar reader.
-func extractFileFromTar(tarReader io.Reader, fileName, outputPath string) error {
-	tr := tar.NewReader(tarReader)
-
-	for {
-		header, err := tr.Next()
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return fmt.Errorf("failed to read tar header: %w", err)
-		}
-
-		// Check if this is the file we're looking for
-		if filepath.Base(header.Name) == fileName {
-			if header.Typeflag == tar.TypeReg {
-				// Create the output file
-				outFile, err := os.Create(outputPath)
-				if err != nil {
-					return fmt.Errorf("failed to create output file: %w", err)
-				}
-				defer outFile.Close()
-
-				// Copy file contents
-				if _, err := io.Copy(outFile, tr); err != nil {
-					return fmt.Errorf("failed to copy file contents: %w", err)
-				}
-
-				return nil
-			}
-		}
-	}
-
-	return fmt.Errorf("%w: %s", ErrFileNotFoundInTar, fileName)
-}
-
-// extractDirectoryFromTar extracts all files from a tar reader to a target directory.
-func extractDirectoryFromTar(tarReader io.Reader, targetDir string) error {
-	tr := tar.NewReader(tarReader)
-
-	for {
-		header, err := tr.Next()
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return fmt.Errorf("failed to read tar header: %w", err)
-		}
-
-		// Clean the path to prevent directory traversal
-		cleanName := filepath.Clean(header.Name)
-		if strings.Contains(cleanName, "..") {
-			continue // Skip potentially dangerous paths
-		}
-
-		targetPath := filepath.Join(targetDir, cleanName)
-
-		switch header.Typeflag {
-		case tar.TypeDir:
-			// Create directory
-			if err := os.MkdirAll(targetPath, os.FileMode(header.Mode)); err != nil {
-				return fmt.Errorf("failed to create directory %s: %w", targetPath, err)
-			}
-		case tar.TypeReg:
-			// Ensure parent directories exist
-			if err := os.MkdirAll(filepath.Dir(targetPath), 0o755); err != nil {
-				return fmt.Errorf("failed to create parent directories for %s: %w", targetPath, err)
-			}
-			
-			// Create file
-			outFile, err := os.Create(targetPath)
-			if err != nil {
-				return fmt.Errorf("failed to create file %s: %w", targetPath, err)
-			}
-
-			if _, err := io.Copy(outFile, tr); err != nil {
-				outFile.Close()
-				return fmt.Errorf("failed to copy file contents: %w", err)
-			}
-			outFile.Close()
-
-			// Set file permissions
-			if err := os.Chmod(targetPath, os.FileMode(header.Mode)); err != nil {
-				return fmt.Errorf("failed to set file permissions: %w", err)
-			}
-		}
-	}
-
-	return nil
-}
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -60,7 +60,9 @@ prefixes:
  v6: fd7a:115c:a1e0::/48

  # Strategy used for allocation of IPs to nodes, available options:
-  # - sequential (default): assigns the next free IP from the previous given IP.
+  # - sequential (default): assigns the next free IP from the previous given
+  #   IP. A best-effort approach is used and Headscale might leave holes in the
+  #   IP range or fill up existing holes in the IP range.
  # - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
  allocation: sequential

@@ -391,11 +393,13 @@ unix_socket_permission: "0770"
 #     method: S256

 # Logtail configuration
-# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
-# to instruct tailscale nodes to log their activity to a remote server.
+# Logtail is Tailscales logging and auditing infrastructure, it allows the
+# control panel to instruct tailscale nodes to log their activity to a remote
+# server. To disable logging on the client side, please refer to:
+# https://tailscale.com/kb/1011/log-mesh-traffic#opting-out-of-client-logging
 logtail:
-  # Enable logtail for this headscales clients.
-  # As there is currently no support for overriding the log server in headscale, this is
+  # Enable logtail for tailscale nodes of this Headscale instance.
+  # As there is currently no support for overriding the log server in Headscale, this is
  # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
  enabled: false

@@ -403,3 +407,23 @@ logtail:
 # default static port 41641. This option is intended as a workaround for some buggy
 # firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
 randomize_client_port: false
+
+# Taildrop configuration
+# Taildrop is the file sharing feature of Tailscale, allowing nodes to send files to each other.
+# https://tailscale.com/kb/1106/taildrop/
+taildrop:
+  # Enable or disable Taildrop for all nodes.
+  # When enabled, nodes can send files to other nodes owned by the same user.
+  # Tagged devices and cross-user transfers are not permitted by Tailscale clients.
+  enabled: true
+# Advanced performance tuning parameters.
+# The defaults are carefully chosen and should rarely need adjustment.
+# Only modify these if you have identified a specific performance issue.
+#
+# tuning:
+#   # NodeStore write batching configuration.
+#   # The NodeStore batches write operations before rebuilding peer relationships,
+#   # which is computationally expensive. Batching reduces rebuild frequency.
+#   #
+#   # node_store_batch_size: 100
+#   # node_store_batch_timeout: 500ms
--- a/derp-example.yaml
+++ b/derp-example.yaml
@@ -1,6 +1,6 @@
 # If you plan to somehow use headscale, please deploy your own DERP infra: https://tailscale.com/kb/1118/custom-derp-servers/
 regions:
-  1: null   # Disable DERP region with ID 1
+  1: null # Disable DERP region with ID 1
  900:
    regionid: 900
    regioncode: custom
--- a/docs/about/faq.md
+++ b/docs/about/faq.md
@@ -44,6 +44,15 @@ For convenience, we also [build container images with headscale](../setup/instal
 we don't officially support deploying headscale using Docker**. On our [Discord server](https://discord.gg/c84AZQhmpx)
 we have a "docker-issues" channel where you can ask for Docker-specific help to the community.

+## What is the recommended update path? Can I skip multiple versions while updating?
+
+Please follow the steps outlined in the [upgrade guide](../setup/upgrade.md) to update your existing Headscale
+installation. Its best to update from one stable version to the next (e.g. 0.24.0 &rarr; 0.25.1 &rarr; 0.26.1) in case
+you are multiple releases behind. You should always pick the latest available patch release.
+
+Be sure to check the [changelog](https://github.com/juanfont/headscale/blob/main/CHANGELOG.md) for version specific
+upgrade instructions and breaking changes.
+
 ## Scaling / How many clients does Headscale support?

 It depends. As often stated, Headscale is not enterprise software and our focus
@@ -134,3 +143,35 @@ in their output of `tailscale status`. Traffic is still filtered according to th
 ping` which is always allowed in either direction.

 See also <https://tailscale.com/kb/1087/device-visibility>.
+
+## My policy is stored in the database and Headscale refuses to start due to an invalid policy. How can I recover?
+
+Headscale checks if the policy is valid during startup and refuses to start if it detects an error. The error message
+indicates which part of the policy is invalid. Follow these steps to fix your policy:
+
+- Dump the policy to a file: `headscale policy get --bypass-grpc-and-access-database-directly > policy.json`
+- Edit and fixup `policy.json`. Use the command `headscale policy check --file policy.json` to validate the policy.
+- Load the modified policy: `headscale policy set --bypass-grpc-and-access-database-directly --file policy.json`
+- Start Headscale as usual.
+
+!!! warning "Full server configuration required"
+
+    The above commands to get/set the policy require a complete server configuration file including database settings. A
+    minimal config to [control Headscale via remote CLI](../ref/api.md#grpc) is not sufficient. You may use `headscale
+    -c /path/to/config.yaml` to specify the path to an alternative configuration file.
+
+## How can I avoid to send logs to Tailscale Inc?
+
+A Tailscale client [collects logs about its operation and connection attempts with other
+clients](https://tailscale.com/kb/1011/log-mesh-traffic#client-logs) and sends them to a central log service operated by
+Tailscale Inc.
+
+Headscale, by default, instructs clients to disable log submission to the central log service. This configuration is
+applied by a client once it successfully connected with Headscale. See the configuration option `logtail.enabled` in the
+[configuration file](../ref/configuration.md) for details.
+
+Alternatively, logging can also be disabled on the client side. This is independent of Headscale and opting out of
+client logging disables log submission early during client startup. The configuration is operating system specific and
+is usually achieved by setting the environment variable `TS_NO_LOGS_NO_SUPPORT=true` or by passing the flag
+`--no-logs-no-support` to `tailscaled`. See
+<https://tailscale.com/kb/1011/log-mesh-traffic#opting-out-of-client-logging> for details.
--- a/docs/about/features.md
+++ b/docs/about/features.md
@@ -23,7 +23,7 @@ provides on overview of Headscale's feature and compatibility with the Tailscale
 - [x] Access control lists ([GitHub label "policy"](https://github.com/juanfont/headscale/labels/policy%20%F0%9F%93%9D))
    - [x] ACL management via API
    - [x] Some [Autogroups](https://tailscale.com/kb/1396/targets#autogroups), currently: `autogroup:internet`,
-      `autogroup:nonroot`, `autogroup:member`, `autogroup:tagged`
+      `autogroup:nonroot`, `autogroup:member`, `autogroup:tagged`, `autogroup:self`
    - [x] [Auto approvers](https://tailscale.com/kb/1337/acl-syntax#auto-approvers) for [subnet
      routers](../ref/routes.md#automatically-approve-routes-of-a-subnet-router) and [exit
      nodes](../ref/routes.md#automatically-approve-an-exit-node-with-auto-approvers)
--- a/docs/assets/favicon.png
+++ b/docs/assets/favicon.png
--- a/docs/assets/images/headscale-acl-network.png
+++ b/docs/assets/images/headscale-acl-network.png
--- a/docs/assets/logo/headscale3-dots.pdf
+++ b/docs/assets/logo/headscale3-dots.pdf
--- a/docs/assets/logo/headscale3-dots.png
+++ b/docs/assets/logo/headscale3-dots.png
--- a/docs/assets/logo/headscale3-dots.svg
+++ b/docs/assets/logo/headscale3-dots.svg
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2" viewBox="0 0 1280 640"><circle cx="141.023" cy="338.36" r="117.472" style="fill:#f8b5cb" transform="matrix(.997276 0 0 1.00556 10.0024 -14.823)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 -3.15847 0)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 -3.15847 115.914)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 148.43 115.914)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 148.851 0)"/><circle cx="805.557" cy="336.915" r="118.199" style="fill:#8d8d8d" transform="matrix(.99196 0 0 1 3.36978 -10.2458)"/><circle cx="805.557" cy="336.915" r="118.199" style="fill:#8d8d8d" transform="matrix(.99196 0 0 1 255.633 -10.2458)"/><path d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z" style="fill:#303030"/><path d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z" style="fill:#303030" transform="matrix(-1 0 0 1 1857.19 0)"/></svg>
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2" viewBox="0 0 1280 640"><circle cx="141.023" cy="338.36" r="117.472" style="fill:#f8b5cb" transform="matrix(.997276 0 0 1.00556 10.0024 -14.823)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 -3.15847 0)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 -3.15847 115.914)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 148.43 115.914)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 148.851 0)"/><circle cx="805.557" cy="336.915" r="118.199" style="fill:#8d8d8d" transform="matrix(.99196 0 0 1 3.36978 -10.2458)"/><circle cx="805.557" cy="336.915" r="118.199" style="fill:#8d8d8d" transform="matrix(.99196 0 0 1 255.633 -10.2458)"/><path d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z" style="fill:#303030"/><path d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z" style="fill:#303030" transform="matrix(-1 0 0 1 1857.19 0)"/></svg>
--- a/docs/assets/logo/headscale3_header_stacked_left.pdf
+++ b/docs/assets/logo/headscale3_header_stacked_left.pdf
--- a/docs/assets/logo/headscale3_header_stacked_left.png
+++ b/docs/assets/logo/headscale3_header_stacked_left.png
--- a/docs/assets/logo/headscale3_header_stacked_left.svg
+++ b/docs/assets/logo/headscale3_header_stacked_left.svg
--- a/docs/ref/acls.md
+++ b/docs/ref/acls.md
@@ -65,7 +65,7 @@ servers.
 - billing.internal
 - router.internal

-![ACL implementation example](../images/headscale-acl-network.png)
+![ACL implementation example](../assets/images/headscale-acl-network.png)

 When [registering the servers](../usage/getting-started.md#register-a-node) we
 will need to add the flag `--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user
@@ -194,13 +194,94 @@ Here are the ACL's to implement the same permissions as above:
      "dst": ["tag:dev-app-servers:80,443"]
    },

-    // We still have to allow internal users communications since nothing guarantees that each user have
-    // their own users.
-    { "action": "accept", "src": ["boss@"], "dst": ["boss@:*"] },
-    { "action": "accept", "src": ["dev1@"], "dst": ["dev1@:*"] },
-    { "action": "accept", "src": ["dev2@"], "dst": ["dev2@:*"] },
-    { "action": "accept", "src": ["admin1@"], "dst": ["admin1@:*"] },
-    { "action": "accept", "src": ["intern1@"], "dst": ["intern1@:*"] }
+    // Allow users to access their own devices using autogroup:self (see below for more details about performance impact)
+    {
+      "action": "accept",
+      "src": ["autogroup:member"],
+      "dst": ["autogroup:self:*"]
+    }
  ]
 }
 ```
+
+## Autogroups
+
+Headscale supports several autogroups that automatically include users, destinations, or devices with specific properties. Autogroups provide a convenient way to write ACL rules without manually listing individual users or devices.
+
+### `autogroup:internet`
+
+Allows access to the internet through [exit nodes](routes.md#exit-node). Can only be used in ACL destinations.
+
+```json
+{
+  "action": "accept",
+  "src": ["group:users"],
+  "dst": ["autogroup:internet:*"]
+}
+```
+
+### `autogroup:member`
+
+Includes all users who are direct members of the tailnet. Does not include users from shared devices.
+
+```json
+{
+  "action": "accept",
+  "src": ["autogroup:member"],
+  "dst": ["tag:prod-app-servers:80,443"]
+}
+```
+
+### `autogroup:tagged`
+
+Includes all devices that have at least one tag.
+
+```json
+{
+  "action": "accept",
+  "src": ["autogroup:tagged"],
+  "dst": ["tag:monitoring:9090"]
+}
+```
+
+### `autogroup:self`
+**(EXPERIMENTAL)**
+
+!!! warning "The current implementation of `autogroup:self` is inefficient"
+
+Includes devices where the same user is authenticated on both the source and destination. Does not include tagged devices. Can only be used in ACL destinations.
+
+```json
+{
+  "action": "accept",
+  "src": ["autogroup:member"],
+  "dst": ["autogroup:self:*"]
+}
+```
+*Using `autogroup:self` may cause performance degradation on the Headscale coordinator server in large deployments, as filter rules must be compiled per-node rather than globally and the current implementation is not very efficient.*
+
+If you experience performance issues, consider using more specific ACL rules or limiting the use of `autogroup:self`.
+```json
+{
+  // The following rules allow internal users to communicate with their
+  // own nodes in case autogroup:self is causing performance issues.
+  { "action": "accept", "src": ["boss@"], "dst": ["boss@:*"] },
+  { "action": "accept", "src": ["dev1@"], "dst": ["dev1@:*"] },
+  { "action": "accept", "src": ["dev2@"], "dst": ["dev2@:*"] },
+  { "action": "accept", "src": ["admin1@"], "dst": ["admin1@:*"] },
+  { "action": "accept", "src": ["intern1@"], "dst": ["intern1@:*"] }
+}
+```
+
+### `autogroup:nonroot`
+
+Used in Tailscale SSH rules to allow access to any user except root. Can only be used in the `users` field of SSH rules.
+
+```json
+{
+  "action": "accept",
+  "src": ["autogroup:member"],
+  "dst": ["autogroup:self"],
+  "users": ["autogroup:nonroot"]
+}
+```
--- a/docs/ref/api.md
+++ b/docs/ref/api.md
@@ -0,0 +1,128 @@
+# API
+Headscale provides a [HTTP REST API](#rest-api) and a [gRPC interface](#grpc) which may be used to integrate a [web
+interface](integration/web-ui.md), [remote control Headscale](#setup-remote-control) or provide a base for custom
+integration and tooling.
+
+Both interfaces require a valid API key before use. To create an API key, log into your Headscale server and generate
+one with the default expiration of 90 days:
+
+```shell
+headscale apikeys create
+```
+
+Copy the output of the command and save it for later. Please note that you can not retrieve an API key again. If the API
+key is lost, expire the old one, and create a new one.
+
+To list the API keys currently associated with the server:
+
+```shell
+headscale apikeys list
+```
+
+and to expire an API key:
+
+```shell
+headscale apikeys expire --prefix <PREFIX>
+```
+
+## REST API
+
+- API endpoint: `/api/v1`, e.g. `https://headscale.example.com/api/v1`
+- Documentation: `/swagger`, e.g. `https://headscale.example.com/swagger`
+- Authenticate using HTTP Bearer authentication by sending the [API key](#api) with the HTTP `Authorization: Bearer
+  <API_KEY>` header.
+
+Start by [creating an API key](#api) and test it with the examples below. Read the API documentation provided by your
+Headscale server at `/swagger` for details.
+
+=== "Get details for all users"
+
+    ```console
+    curl -H "Authorization: Bearer <API_KEY>" \
+        https://headscale.example.com/api/v1/user
+    ```
+
+=== "Get details for user 'bob'"
+
+    ```console
+    curl -H "Authorization: Bearer <API_KEY>" \
+        https://headscale.example.com/api/v1/user?name=bob
+    ```
+
+=== "Register a node"
+
+    ```console
+    curl -H "Authorization: Bearer <API_KEY>" \
+        -d user=<USER> -d key=<KEY> \
+        https://headscale.example.com/api/v1/node/register
+    ```
+
+## gRPC
+
+The gRPC interface can be used to control a Headscale instance from a remote machine with the `headscale` binary.
+
+### Prerequisite
+
+- A workstation to run `headscale` (any supported platform, e.g. Linux).
+- A Headscale server with gRPC enabled.
+- Connections to the gRPC port (default: `50443`) are allowed.
+- Remote access requires an encrypted connection via TLS.
+- An [API key](#api) to authenticate with the Headscale server.
+
+### Setup remote control
+
+1.  Download the [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases). Make
+    sure to use the same version as on the server.
+
+1.  Put the binary somewhere in your `PATH`, e.g. `/usr/local/bin/headscale`
+
+1.  Make `headscale` executable: `chmod +x /usr/local/bin/headscale`
+
+1.  [Create an API key](#api) on the Headscale server.
+
+1.  Provide the connection parameters for the remote Headscale server either via a minimal YAML configuration file or
+    via environment variables:
+
+    === "Minimal YAML configuration file"
+
+        ```yaml title="config.yaml"
+        cli:
+            address: <HEADSCALE_ADDRESS>:<PORT>
+            api_key: <API_KEY>
+        ```
+
+    === "Environment variables"
+
+        ```shell
+        export HEADSCALE_CLI_ADDRESS="<HEADSCALE_ADDRESS>:<PORT>"
+        export HEADSCALE_CLI_API_KEY="<API_KEY>"
+        ```
+
+    This instructs the `headscale` binary to connect to a remote instance at `<HEADSCALE_ADDRESS>:<PORT>`, instead of
+    connecting to the local instance.
+
+1.  Test the connection by listing all nodes:
+
+    ```shell
+    headscale nodes list
+    ```
+
+    You should now be able to see a list of your nodes from your workstation, and you can
+    now control the Headscale server from your workstation.
+
+### Behind a proxy
+
+It's possible to run the gRPC remote endpoint behind a reverse proxy, like Nginx, and have it run on the _same_ port as Headscale.
+
+While this is _not a supported_ feature, an example on how this can be set up on
+[NixOS is shown here](https://github.com/kradalby/dotfiles/blob/4489cdbb19cddfbfae82cd70448a38fde5a76711/machines/headscale.oracldn/headscale.nix#L61-L91).
+
+### Troubleshooting
+
+- Make sure you have the _same_ Headscale version on your server and workstation.
+- Ensure that connections to the gRPC port are allowed.
+- Verify that your TLS certificate is valid and trusted.
+- If you don't have access to a trusted certificate (e.g. from Let's Encrypt), either:
+    - Add your self-signed certificate to the trust store of your OS _or_
+    - Disable certificate verification by either setting `cli.insecure: true` in the configuration file or by setting
+      `HEADSCALE_CLI_INSECURE=1` via an environment variable. We do **not** recommend to disable certificate validation.
--- a/docs/ref/dns.md
+++ b/docs/ref/dns.md
@@ -1,7 +1,7 @@
 # DNS

 Headscale supports [most DNS features](../about/features.md) from Tailscale. DNS related settings can be configured
-within `dns` section of the [configuration file](./configuration.md).
+within the `dns` section of the [configuration file](./configuration.md).

 ## Setting extra DNS records

--- a/docs/ref/integration/tools.md
+++ b/docs/ref/integration/tools.md
@@ -7,10 +7,15 @@

 This page collects third-party tools, client libraries, and scripts related to headscale.

-| Name                  | Repository Link                                                 | Description                                                          |
-| --------------------- | --------------------------------------------------------------- | -------------------------------------------------------------------- |
-| tailscale-manager     | [Github](https://github.com/singlestore-labs/tailscale-manager) | Dynamically manage Tailscale route advertisements                    |
-| headscalebacktosqlite | [Github](https://github.com/bigbozza/headscalebacktosqlite)     | Migrate headscale from PostgreSQL back to SQLite                     |
-| headscale-pf          | [Github](https://github.com/YouSysAdmin/headscale-pf)           | Populates user groups based on user groups in Jumpcloud or Authentik |
-| headscale-client-go   | [Github](https://github.com/hibare/headscale-client-go)         | A Go client implementation for the Headscale HTTP API.               |
-| headscale-zabbix      | [Github](https://github.com/dblanque/headscale-zabbix)          | A Zabbix Monitoring Template for the Headscale Service.              |
+- [tailscale-manager](https://github.com/singlestore-labs/tailscale-manager) - Dynamically manage Tailscale route
+  advertisements
+- [headscalebacktosqlite](https://github.com/bigbozza/headscalebacktosqlite) - Migrate headscale from PostgreSQL back to
+  SQLite
+- [headscale-pf](https://github.com/YouSysAdmin/headscale-pf) - Populates user groups based on user groups in Jumpcloud
+  or Authentik
+- [headscale-client-go](https://github.com/hibare/headscale-client-go) - A Go client implementation for the Headscale
+  HTTP API.
+- [headscale-zabbix](https://github.com/dblanque/headscale-zabbix) - A Zabbix Monitoring Template for the Headscale
+  Service.
+- [tailscale-exporter](https://github.com/adinhodovic/tailscale-exporter) - A Prometheus exporter for Headscale that
+  provides network-level metrics using the Headscale API.
--- a/docs/ref/integration/web-ui.md
+++ b/docs/ref/integration/web-ui.md
@@ -7,14 +7,17 @@

 Headscale doesn't provide a built-in web interface but users may pick one from the available options.

-| Name                   | Repository Link                                             | Description                                                                                  |
-| ---------------------- | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
-| headscale-ui           | [Github](https://github.com/gurucomputing/headscale-ui)     | A web frontend for the headscale Tailscale-compatible coordination server                    |
-| HeadscaleUi            | [GitHub](https://github.com/simcu/headscale-ui)             | A static headscale admin ui, no backend environment required                                 |
-| Headplane              | [GitHub](https://github.com/tale/headplane)                 | An advanced Tailscale inspired frontend for headscale                                        |
-| headscale-admin        | [Github](https://github.com/GoodiesHQ/headscale-admin)      | Headscale-Admin is meant to be a simple, modern web interface for headscale                  |
-| ouroboros              | [Github](https://github.com/yellowsink/ouroboros)           | Ouroboros is designed for users to manage their own devices, rather than for admins          |
-| unraid-headscale-admin | [Github](https://github.com/ich777/unraid-headscale-admin)  | A simple headscale admin UI for Unraid, it offers Local (`docker exec`) and API Mode         |
-| headscale-console      | [Github](https://github.com/rickli-cloud/headscale-console) | WebAssembly-based client supporting SSH, VNC and RDP with optional self-service capabilities |
+- [headscale-ui](https://github.com/gurucomputing/headscale-ui) - A web frontend for the headscale Tailscale-compatible
+  coordination server
+- [HeadscaleUi](https://github.com/simcu/headscale-ui) - A static headscale admin ui, no backend environment required
+- [Headplane](https://github.com/tale/headplane) - An advanced Tailscale inspired frontend for headscale
+- [headscale-admin](https://github.com/GoodiesHQ/headscale-admin) - Headscale-Admin is meant to be a simple, modern web
+  interface for headscale
+- [ouroboros](https://github.com/yellowsink/ouroboros) - Ouroboros is designed for users to manage their own devices,
+  rather than for admins
+- [unraid-headscale-admin](https://github.com/ich777/unraid-headscale-admin) - A simple headscale admin UI for Unraid,
+  it offers Local (`docker exec`) and API Mode
+- [headscale-console](https://github.com/rickli-cloud/headscale-console) - WebAssembly-based client supporting SSH, VNC
+  and RDP with optional self-service capabilities

 You can ask for support on our [Discord server](https://discord.gg/c84AZQhmpx) in the "web-interfaces" channel.
--- a/docs/ref/oidc.md
+++ b/docs/ref/oidc.md
@@ -305,5 +305,13 @@ Entra ID is: `https://login.microsoftonline.com/<tenant-UUID>/v2.0`. The followi
 - `domain_hint: example.com` to use your own domain
 - `prompt: select_account` to force an account picker during login

-Groups for the [allowed groups filter](#authorize-users-with-filters) need to be specified with their group ID instead
+When using Microsoft Entra ID together with the [allowed groups filter](#authorize-users-with-filters), configure the
+Headscale OIDC scope without the `groups` claim, for example:
+
+```yaml
+oidc:
+  scope: ["openid", "profile", "email"]
+```
+
+Groups for the [allowed groups filter](#authorize-users-with-filters) need to be specified with their group ID(UUID) instead
 of the group name.
--- a/docs/ref/remote-cli.md
+++ b/docs/ref/remote-cli.md
@@ -1,105 +0,0 @@
-# Controlling headscale with remote CLI
-
-This documentation has the goal of showing a user how-to control a headscale instance
-from a remote machine with the `headscale` command line binary.
-
-## Prerequisite
-
- A workstation to run `headscale` (any supported platform, e.g. Linux).
- A headscale server with gRPC enabled.
- Connections to the gRPC port (default: `50443`) are allowed.
- Remote access requires an encrypted connection via TLS.
- An API key to authenticate with the headscale server.
-
-## Create an API key
-
-We need to create an API key to authenticate with the remote headscale server when using it from our workstation.
-
-To create an API key, log into your headscale server and generate a key:
-
-```shell
-headscale apikeys create --expiration 90d
-```
-
-Copy the output of the command and save it for later. Please note that you can not retrieve a key again,
-if the key is lost, expire the old one, and create a new key.
-
-To list the keys currently associated with the server:
-
-```shell
-headscale apikeys list
-```
-
-and to expire a key:
-
-```shell
-headscale apikeys expire --prefix "<PREFIX>"
-```
-
-## Download and configure headscale
-
-1.  Download the [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases). Make
-    sure to use the same version as on the server.
-
-1.  Put the binary somewhere in your `PATH`, e.g. `/usr/local/bin/headscale`
-
-1.  Make `headscale` executable:
-
-    ```shell
-    chmod +x /usr/local/bin/headscale
-    ```
-
-1.  Provide the connection parameters for the remote headscale server either via a minimal YAML configuration file or via
-    environment variables:
-
-    === "Minimal YAML configuration file"
-
-        ```yaml title="config.yaml"
-        cli:
-            address: <HEADSCALE_ADDRESS>:<PORT>
-            api_key: <API_KEY_FROM_PREVIOUS_STEP>
-        ```
-
-    === "Environment variables"
-
-        ```shell
-        export HEADSCALE_CLI_ADDRESS="<HEADSCALE_ADDRESS>:<PORT>"
-        export HEADSCALE_CLI_API_KEY="<API_KEY_FROM_PREVIOUS_STEP>"
-        ```
-
-        !!! bug
-
-            Headscale currently requires at least an empty configuration file when environment variables are used to
-            specify connection details. See [issue 2193](https://github.com/juanfont/headscale/issues/2193) for more
-            information.
-
-    This instructs the `headscale` binary to connect to a remote instance at `<HEADSCALE_ADDRESS>:<PORT>`, instead of
-    connecting to the local instance.
-
-1.  Test the connection
-
-    Let us run the headscale command to verify that we can connect by listing our nodes:
-
-    ```shell
-    headscale nodes list
-    ```
-
-    You should now be able to see a list of your nodes from your workstation, and you can
-    now control the headscale server from your workstation.
-
-## Behind a proxy
-
-It is possible to run the gRPC remote endpoint behind a reverse proxy, like Nginx, and have it run on the _same_ port as headscale.
-
-While this is _not a supported_ feature, an example on how this can be set up on
-[NixOS is shown here](https://github.com/kradalby/dotfiles/blob/4489cdbb19cddfbfae82cd70448a38fde5a76711/machines/headscale.oracldn/headscale.nix#L61-L91).
-
-## Troubleshooting
-
- Make sure you have the _same_ headscale version on your server and workstation.
- Ensure that connections to the gRPC port are allowed.
- Verify that your TLS certificate is valid and trusted.
- If you don't have access to a trusted certificate (e.g. from Let's Encrypt), either:
-    - Add your self-signed certificate to the trust store of your OS _or_
-    - Disable certificate verification by either setting `cli.insecure: true` in the configuration file or by setting
-      `HEADSCALE_CLI_INSECURE=1` via an environment variable. We do **not** recommend to disable certificate validation.
--- a/docs/ref/routes.md
+++ b/docs/ref/routes.md
@@ -216,6 +216,39 @@ nodes.
 }
 ```

+### Restrict access to exit nodes per user or group
+
+A user can use _any_ of the available exit nodes with `autogroup:internet`. Alternatively, the ACL snippet below assigns
+each user a specific exit node while hiding all other exit nodes. The user `alice` can only use exit node `exit1` while
+user `bob` can only use exit node `exit2`.
+
+```json title="Assign each user a dedicated exit node"
+{
+  "hosts": {
+    "exit1": "100.64.0.1/32",
+    "exit2": "100.64.0.2/32"
+  },
+  "acls": [
+    {
+      "action": "accept",
+      "src": ["alice@"],
+      "dst": ["exit1:*"]
+    },
+    {
+      "action": "accept",
+      "src": ["bob@"],
+      "dst": ["exit2:*"]
+    }
+  ]
+}
+```
+
+!!! warning
+
+    - The above implementation is Headscale specific and will likely be removed once [support for
+      `via`](https://github.com/juanfont/headscale/issues/2409) is available.
+    - Beware that a user can also connect to any port of the exit node itself.
+
 ### Automatically approve an exit node with auto approvers

 The initial setup of an exit node usually requires manual approval on the control server before it can be used by a node
--- a/docs/setup/install/container.md
+++ b/docs/setup/install/container.md
@@ -18,10 +18,10 @@ Registry](https://github.com/juanfont/headscale/pkgs/container/headscale). The c

 ## Configure and run headscale

-1.  Create a directory on the Docker host to store headscale's [configuration](../../ref/configuration.md) and the [SQLite](https://www.sqlite.org/) database:
+1.  Create a directory on the container host to store headscale's [configuration](../../ref/configuration.md) and the [SQLite](https://www.sqlite.org/) database:

    ```shell
-    mkdir -p ./headscale/{config,lib,run}
+    mkdir -p ./headscale/{config,lib}
    cd ./headscale
    ```

@@ -34,11 +34,13 @@ Registry](https://github.com/juanfont/headscale/pkgs/container/headscale). The c
    docker run \
      --name headscale \
      --detach \
-      --volume "$(pwd)/config:/etc/headscale" \
+      --read-only \
+      --tmpfs /var/run/headscale \
+      --volume "$(pwd)/config:/etc/headscale:ro" \
      --volume "$(pwd)/lib:/var/lib/headscale" \
-      --volume "$(pwd)/run:/var/run/headscale" \
      --publish 127.0.0.1:8080:8080 \
      --publish 127.0.0.1:9090:9090 \
+      --health-cmd "CMD headscale health" \
      docker.io/headscale/headscale:<VERSION> \
      serve
    ```
@@ -56,16 +58,20 @@ Registry](https://github.com/juanfont/headscale/pkgs/container/headscale). The c
        image: docker.io/headscale/headscale:<VERSION>
        restart: unless-stopped
        container_name: headscale
+        read_only: true
+        tmpfs:
+          - /var/run/headscale
        ports:
          - "127.0.0.1:8080:8080"
          - "127.0.0.1:9090:9090"
        volumes:
          # Please set <HEADSCALE_PATH> to the absolute path
          # of the previously created headscale directory.
-          - <HEADSCALE_PATH>/config:/etc/headscale
+          - <HEADSCALE_PATH>/config:/etc/headscale:ro
          - <HEADSCALE_PATH>/lib:/var/lib/headscale
-          - <HEADSCALE_PATH>/run:/var/run/headscale
        command: serve
+        healthcheck:
+            test: ["CMD", "headscale", "health"]
    ```

 1.  Verify headscale is running:
@@ -85,45 +91,10 @@ Registry](https://github.com/juanfont/headscale/pkgs/container/headscale). The c
    Verify headscale is available:

    ```shell
-    curl http://127.0.0.1:9090/metrics
+    curl http://127.0.0.1:8080/health
    ```

-1.  Create a headscale user:
-
-    ```shell
-    docker exec -it headscale \
-      headscale users create myfirstuser
-    ```
-
-### Register a machine (normal login)
-
-On a client machine, execute the `tailscale up` command to login:
-
-```shell
-tailscale up --login-server YOUR_HEADSCALE_URL
-```
-
-To register a machine when running headscale in a container, take the headscale command and pass it to the container:
-
-```shell
-docker exec -it headscale \
-  headscale nodes register --user myfirstuser --key <YOUR_MACHINE_KEY>
-```
-
-### Register a machine using a pre authenticated key
-
-Generate a key using the command line for the user with ID 1:
-
-```shell
-docker exec -it headscale \
-  headscale preauthkeys create --user 1 --reusable --expiration 24h
-```
-
-This will return a pre-authenticated key that can be used to connect a node to headscale with the `tailscale up` command:
-
-```shell
-tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
-```
+Continue on the [getting started page](../../usage/getting-started.md) to register your first machine.

 ## Debugging headscale running in Docker

--- a/docs/setup/install/official.md
+++ b/docs/setup/install/official.md
@@ -7,7 +7,7 @@ Both are available on the [GitHub releases page](https://github.com/juanfont/hea

 It is recommended to use our DEB packages to install headscale on a Debian based system as those packages configure a
 local user to run headscale, provide a default configuration and ship with a systemd service file. Supported
-distributions are Ubuntu 22.04 or newer, Debian 11 or newer.
+distributions are Ubuntu 22.04 or newer, Debian 12 or newer.

 1.  Download the [latest headscale package](https://github.com/juanfont/headscale/releases/latest) for your platform (`.deb` for Ubuntu and Debian).

@@ -42,6 +42,8 @@ distributions are Ubuntu 22.04 or newer, Debian 11 or newer.
    sudo systemctl status headscale
    ```

+Continue on the [getting started page](../../usage/getting-started.md) to register your first machine.
+
 ## Using standalone binaries (advanced)

 !!! warning "Advanced"
@@ -57,14 +59,14 @@ managed by systemd.
 1.  Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):

    ```shell
-    sudo wget --output-document=/usr/local/bin/headscale \
+    sudo wget --output-document=/usr/bin/headscale \
    https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>
    ```

 1.  Make `headscale` executable:

    ```shell
-    sudo chmod +x /usr/local/bin/headscale
+    sudo chmod +x /usr/bin/headscale
    ```

 1.  Add a dedicated local user to run headscale:
@@ -115,3 +117,5 @@ managed by systemd.
    ```shell
    systemctl status headscale
    ```
+
+Continue on the [getting started page](../../usage/getting-started.md) to register your first machine.
--- a/docs/setup/requirements.md
+++ b/docs/setup/requirements.md
@@ -28,7 +28,7 @@ The ports in use vary with the intended scenario and enabled features. Some of t
    - STUN, required if the [embedded DERP server](../ref/derp.md) is enabled
 - tcp/50443
    - Expose publicly: yes
-    - Only required if the gRPC interface is used to [remote-control Headscale](../ref/remote-cli.md).
+    - Only required if the gRPC interface is used to [remote-control Headscale](../ref/api.md#grpc).
 - tcp/9090
    - Expose publicly: no
    - [Metrics and debug endpoint](../ref/debug.md#metrics-and-debug-endpoint)
--- a/docs/usage/getting-started.md
+++ b/docs/usage/getting-started.md
@@ -9,8 +9,8 @@ This page helps you get started with headscale and provides a few usage examples
      installation instructions.
    * The configuration file exists and is adjusted to suit your environment, see
      [Configuration](../ref/configuration.md) for details.
-    * Headscale is reachable from the Internet. Verify this by opening client specific setup instructions in your
-      browser, e.g. https://headscale.example.com/windows
+    * Headscale is reachable from the Internet. Verify this by visiting the health endpoint:
+      https://headscale.example.com/health
    * The Tailscale client is installed, see [Client and operating system support](../about/clients.md) for more
      information.

@@ -41,6 +41,23 @@ options, run:
      headscale <COMMAND> --help
    ```

+!!! note "Manage headscale from another local user"
+
+    By default only the user `headscale` or `root` will have the necessary permissions to access the unix socket
+    (`/var/run/headscale/headscale.sock`) that is used to communicate with the service. In order to be able to
+    communicate with the headscale service you have to make sure the unix socket is accessible by the user that runs
+    the commands. In general you can achieve this by any of the following methods:
+
+      * using `sudo`
+      * run the commands as user `headscale`
+      * add your user to the `headscale` group
+
+    To verify you can run the following command using your preferred method:
+
+    ```shell
+    headscale users list
+    ```
+
 ## Manage headscale users

 In headscale, a node (also known as machine or device) is always assigned to a
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1755829505,
-        "narHash": "sha256-4/Jd+LkQ2ssw8luQVkqVs9spDBVE6h/u/hC/tzngsPo=",
+        "lastModified": 1760533177,
+        "narHash": "sha256-OwM1sFustLHx+xmTymhucZuNhtq98fHIbfO8Swm5L8A=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "f937f8ecd1c70efd7e9f90ba13dfb400cf559de4",
+        "rev": "35f590344ff791e6b1d6d6b8f3523467c9217caf",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -6,238 +6,230 @@
    flake-utils.url = "github:numtide/flake-utils";
  };

-  outputs = {
-    self,
-    nixpkgs,
-    flake-utils,
-    ...
-  }: let
-    headscaleVersion = self.shortRev or self.dirtyShortRev;
-    commitHash = self.rev or self.dirtyRev;
-  in
+  outputs =
+    { self
+    , nixpkgs
+    , flake-utils
+    , ...
+    }:
+    let
+      headscaleVersion = self.shortRev or self.dirtyShortRev;
+      commitHash = self.rev or self.dirtyRev;
+    in
    {
-      overlay = _: prev: let
-        pkgs = nixpkgs.legacyPackages.${prev.system};
-        buildGo = pkgs.buildGo124Module;
-        vendorHash = "sha256-hIY6asY3rOIqf/5P6lFmnNCDWcqNPJaj+tqJuOvGJlo=";
-      in {
-        headscale = buildGo {
-          pname = "headscale";
-          version = headscaleVersion;
-          src = pkgs.lib.cleanSource self;
-
-          # Only run unit tests when testing a build
-          checkFlags = ["-short"];
-
-          # When updating go.mod or go.sum, a new sha will need to be calculated,
-          # update this if you have a mismatch after doing a change to those files.
-          inherit vendorHash;
-
-          subPackages = ["cmd/headscale"];
-
-          ldflags = [
-            "-s"
-            "-w"
-            "-X github.com/juanfont/headscale/hscontrol/types.Version=${headscaleVersion}"
-            "-X github.com/juanfont/headscale/hscontrol/types.GitCommitHash=${commitHash}"
-          ];
-        };
-
-        hi = buildGo {
-          pname = "hi";
-          version = headscaleVersion;
-          src = pkgs.lib.cleanSource self;
-
-          checkFlags = ["-short"];
-          inherit vendorHash;
-
-          subPackages = ["cmd/hi"];
-        };
-
-        protoc-gen-grpc-gateway = buildGo rec {
-          pname = "grpc-gateway";
-          version = "2.24.0";
-
-          src = pkgs.fetchFromGitHub {
-            owner = "grpc-ecosystem";
-            repo = "grpc-gateway";
-            rev = "v${version}";
-            sha256 = "sha256-lUEoqXJF1k4/il9bdDTinkUV5L869njZNYqObG/mHyA=";
-          };
-
-          vendorHash = "sha256-Ttt7bPKU+TMKRg5550BS6fsPwYp0QJqcZ7NLrhttSdw=";
-
-          nativeBuildInputs = [pkgs.installShellFiles];
-
-          subPackages = ["protoc-gen-grpc-gateway" "protoc-gen-openapiv2"];
-        };
-
-        protobuf-language-server = buildGo rec {
-          pname = "protobuf-language-server";
-          version = "2546944";
-
-          src = pkgs.fetchFromGitHub {
-            owner = "lasorda";
-            repo = "protobuf-language-server";
-            rev = "${version}";
-            sha256 = "sha256-Cbr3ktT86RnwUntOiDKRpNTClhdyrKLTQG2ZEd6fKDc=";
-          };
-
-          vendorHash = "sha256-PfT90dhfzJZabzLTb1D69JCO+kOh2khrlpF5mCDeypk=";
-
-          subPackages = ["."];
-        };
-
-        # Upstream does not override buildGoModule properly,
-        # importing a specific module, so comment out for now.
-        # golangci-lint = prev.golangci-lint.override {
-        #   buildGoModule = buildGo;
-        # };
-        # golangci-lint-langserver = prev.golangci-lint.override {
-        #   buildGoModule = buildGo;
-        # };
-
-        goreleaser = prev.goreleaser.override {
-          buildGoModule = buildGo;
-        };
-
-        gotestsum = prev.gotestsum.override {
-          buildGoModule = buildGo;
-        };
-
-        gotests = prev.gotests.override {
-          buildGoModule = buildGo;
-        };
-
-        gofumpt = prev.gofumpt.override {
-          buildGoModule = buildGo;
-        };
-
-        # gopls = prev.gopls.override {
-        #   buildGoModule = buildGo;
-        # };
+      # NixOS module
+      nixosModules = rec {
+        headscale = import ./nix/module.nix;
+        default = headscale;
      };
+
+      overlay = _: prev:
+        let
+          pkgs = nixpkgs.legacyPackages.${prev.system};
+          buildGo = pkgs.buildGo125Module;
+          vendorHash = "sha256-VOi4PGZ8I+2MiwtzxpKc/4smsL5KcH/pHVkjJfAFPJ0=";
+        in
+        {
+          headscale = buildGo {
+            pname = "headscale";
+            version = headscaleVersion;
+            src = pkgs.lib.cleanSource self;
+
+            # Only run unit tests when testing a build
+            checkFlags = [ "-short" ];
+
+            # When updating go.mod or go.sum, a new sha will need to be calculated,
+            # update this if you have a mismatch after doing a change to those files.
+            inherit vendorHash;
+
+            subPackages = [ "cmd/headscale" ];
+
+            meta = {
+              mainProgram = "headscale";
+            };
+          };
+
+          hi = buildGo {
+            pname = "hi";
+            version = headscaleVersion;
+            src = pkgs.lib.cleanSource self;
+
+            checkFlags = [ "-short" ];
+            inherit vendorHash;
+
+            subPackages = [ "cmd/hi" ];
+          };
+
+          protoc-gen-grpc-gateway = buildGo rec {
+            pname = "grpc-gateway";
+            version = "2.24.0";
+
+            src = pkgs.fetchFromGitHub {
+              owner = "grpc-ecosystem";
+              repo = "grpc-gateway";
+              rev = "v${version}";
+              sha256 = "sha256-lUEoqXJF1k4/il9bdDTinkUV5L869njZNYqObG/mHyA=";
+            };
+
+            vendorHash = "sha256-Ttt7bPKU+TMKRg5550BS6fsPwYp0QJqcZ7NLrhttSdw=";
+
+            nativeBuildInputs = [ pkgs.installShellFiles ];
+
+            subPackages = [ "protoc-gen-grpc-gateway" "protoc-gen-openapiv2" ];
+          };
+
+          protobuf-language-server = buildGo rec {
+            pname = "protobuf-language-server";
+            version = "2546944";
+
+            src = pkgs.fetchFromGitHub {
+              owner = "lasorda";
+              repo = "protobuf-language-server";
+              rev = "${version}";
+              sha256 = "sha256-Cbr3ktT86RnwUntOiDKRpNTClhdyrKLTQG2ZEd6fKDc=";
+            };
+
+            vendorHash = "sha256-PfT90dhfzJZabzLTb1D69JCO+kOh2khrlpF5mCDeypk=";
+
+            subPackages = [ "." ];
+          };
+
+          # Upstream does not override buildGoModule properly,
+          # importing a specific module, so comment out for now.
+          # golangci-lint = prev.golangci-lint.override {
+          #   buildGoModule = buildGo;
+          # };
+          # golangci-lint-langserver = prev.golangci-lint.override {
+          #   buildGoModule = buildGo;
+          # };
+
+          # The package uses buildGo125Module, not the convention.
+          # goreleaser = prev.goreleaser.override {
+          #   buildGoModule = buildGo;
+          # };
+
+          gotestsum = prev.gotestsum.override {
+            buildGoModule = buildGo;
+          };
+
+          gotests = prev.gotests.override {
+            buildGoModule = buildGo;
+          };
+
+          gofumpt = prev.gofumpt.override {
+            buildGoModule = buildGo;
+          };
+
+          # gopls = prev.gopls.override {
+          #   buildGoModule = buildGo;
+          # };
+        };
    }
    // flake-utils.lib.eachDefaultSystem
-    (system: let
-      pkgs = import nixpkgs {
-        overlays = [self.overlay];
-        inherit system;
-      };
-      buildDeps = with pkgs; [git go_1_24 gnumake];
-      devDeps = with pkgs;
-        buildDeps
-        ++ [
-          golangci-lint
-          golangci-lint-langserver
-          golines
-          nodePackages.prettier
-          goreleaser
-          nfpm
-          gotestsum
-          gotests
-          gofumpt
-          gopls
-          ksh
-          ko
-          yq-go
-          ripgrep
-          postgresql
-
-          # 'dot' is needed for pprof graphs
-          # go tool pprof -http=: <source>
-          graphviz
-
-          # Protobuf dependencies
-          protobuf
-          protoc-gen-go
-          protoc-gen-go-grpc
-          protoc-gen-grpc-gateway
-          buf
-          clang-tools # clang-format
-          protobuf-language-server
-
-          # Add hi to make it even easier to use ci runner.
-          hi
-        ]
-        ++ lib.optional pkgs.stdenv.isLinux [traceroute];
-
-      # Add entry to build a docker image with headscale
-      # caveat: only works on Linux
-      #
-      # Usage:
-      # nix build .#headscale-docker
-      # docker load < result
-      headscale-docker = pkgs.dockerTools.buildLayeredImage {
-        name = "headscale";
-        tag = headscaleVersion;
-        contents = [pkgs.headscale];
-        config.Entrypoint = [(pkgs.headscale + "/bin/headscale")];
-      };
-    in rec {
-      # `nix develop`
-      devShell = pkgs.mkShell {
-        buildInputs =
-          devDeps
+      (system:
+      let
+        pkgs = import nixpkgs {
+          overlays = [ self.overlay ];
+          inherit system;
+        };
+        buildDeps = with pkgs; [ git go_1_25 gnumake ];
+        devDeps = with pkgs;
+          buildDeps
          ++ [
-            (pkgs.writeShellScriptBin
-              "nix-vendor-sri"
-              ''
-                set -eu
+            golangci-lint
+            golangci-lint-langserver
+            golines
+            nodePackages.prettier
+            nixpkgs-fmt
+            goreleaser
+            nfpm
+            gotestsum
+            gotests
+            gofumpt
+            gopls
+            ksh
+            ko
+            yq-go
+            ripgrep
+            postgresql
+            prek

-                OUT=$(mktemp -d -t nar-hash-XXXXXX)
-                rm -rf "$OUT"
+            # 'dot' is needed for pprof graphs
+            # go tool pprof -http=: <source>
+            graphviz

-                go mod vendor -o "$OUT"
-                go run tailscale.com/cmd/nardump --sri "$OUT"
-                rm -rf "$OUT"
-              '')
+            # Protobuf dependencies
+            protobuf
+            protoc-gen-go
+            protoc-gen-go-grpc
+            protoc-gen-grpc-gateway
+            buf
+            clang-tools # clang-format
+            protobuf-language-server
+          ]
+          ++ lib.optional pkgs.stdenv.isLinux [ traceroute ];

-            (pkgs.writeShellScriptBin
-              "go-mod-update-all"
-              ''
-                cat go.mod | ${pkgs.silver-searcher}/bin/ag "\t" | ${pkgs.silver-searcher}/bin/ag -v indirect | ${pkgs.gawk}/bin/awk '{print $1}' | ${pkgs.findutils}/bin/xargs go get -u
-                go mod tidy
-              '')
-          ];
+        # Add entry to build a docker image with headscale
+        # caveat: only works on Linux
+        #
+        # Usage:
+        # nix build .#headscale-docker
+        # docker load < result
+        headscale-docker = pkgs.dockerTools.buildLayeredImage {
+          name = "headscale";
+          tag = headscaleVersion;
+          contents = [ pkgs.headscale ];
+          config.Entrypoint = [ (pkgs.headscale + "/bin/headscale") ];
+        };
+      in
+      rec {
+        # `nix develop`
+        devShell = pkgs.mkShell {
+          buildInputs =
+            devDeps
+            ++ [
+              (pkgs.writeShellScriptBin
+                "nix-vendor-sri"
+                ''
+                  set -eu

-        shellHook = ''
-          export PATH="$PWD/result/bin:$PATH"
-        '';
-      };
+                  OUT=$(mktemp -d -t nar-hash-XXXXXX)
+                  rm -rf "$OUT"

-      # `nix build`
-      packages = with pkgs; {
-        inherit headscale;
-        inherit headscale-docker;
-      };
-      defaultPackage = pkgs.headscale;
+                  go mod vendor -o "$OUT"
+                  go run tailscale.com/cmd/nardump --sri "$OUT"
+                  rm -rf "$OUT"
+                '')

-      # `nix run`
-      apps.headscale = flake-utils.lib.mkApp {
-        drv = packages.headscale;
-      };
-      apps.default = apps.headscale;
-
-      checks = {
-        format =
-          pkgs.runCommand "check-format"
-          {
-            buildInputs = with pkgs; [
-              gnumake
-              nixpkgs-fmt
-              golangci-lint
-              nodePackages.prettier
-              golines
-              clang-tools
+              (pkgs.writeShellScriptBin
+                "go-mod-update-all"
+                ''
+                  cat go.mod | ${pkgs.silver-searcher}/bin/ag "\t" | ${pkgs.silver-searcher}/bin/ag -v indirect | ${pkgs.gawk}/bin/awk '{print $1}' | ${pkgs.findutils}/bin/xargs go get -u
+                  go mod tidy
+                '')
            ];
-          } ''
-            ${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt ${./.}
-            ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
-            ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
-            ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
-            ${pkgs.clang-tools}/bin/clang-format -i ${./.}
+
+          shellHook = ''
+            export PATH="$PWD/result/bin:$PATH"
+            export CGO_ENABLED=0
          '';
-      };
-    });
+        };
+
+        # `nix build`
+        packages = with pkgs; {
+          inherit headscale;
+          inherit headscale-docker;
+        };
+        defaultPackage = pkgs.headscale;
+
+        # `nix run`
+        apps.headscale = flake-utils.lib.mkApp {
+          drv = packages.headscale;
+        };
+        apps.default = apps.headscale;
+
+        checks = {
+          headscale = pkgs.nixosTest (import ./nix/tests/headscale.nix);
+        };
+      });
 }
--- a/gen/go/headscale/v1/apikey.pb.go
+++ b/gen/go/headscale/v1/apikey.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.8
+// 	protoc-gen-go v1.36.10
 // 	protoc        (unknown)
 // source: headscale/v1/apikey.proto

--- a/gen/go/headscale/v1/device.pb.go
+++ b/gen/go/headscale/v1/device.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.8
+// 	protoc-gen-go v1.36.10
 // 	protoc        (unknown)
 // source: headscale/v1/device.proto

--- a/gen/go/headscale/v1/headscale.pb.go
+++ b/gen/go/headscale/v1/headscale.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.8
+// 	protoc-gen-go v1.36.10
 // 	protoc        (unknown)
 // source: headscale/v1/headscale.proto

@@ -11,6 +11,7 @@ import (
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
+	sync "sync"
 	unsafe "unsafe"
 )

@@ -21,11 +22,94 @@ const (
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )

+type HealthRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *HealthRequest) Reset() {
+	*x = HealthRequest{}
+	mi := &file_headscale_v1_headscale_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *HealthRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*HealthRequest) ProtoMessage() {}
+
+func (x *HealthRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_headscale_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use HealthRequest.ProtoReflect.Descriptor instead.
+func (*HealthRequest) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_headscale_proto_rawDescGZIP(), []int{0}
+}
+
+type HealthResponse struct {
+	state                protoimpl.MessageState `protogen:"open.v1"`
+	DatabaseConnectivity bool                   `protobuf:"varint,1,opt,name=database_connectivity,json=databaseConnectivity,proto3" json:"database_connectivity,omitempty"`
+	unknownFields        protoimpl.UnknownFields
+	sizeCache            protoimpl.SizeCache
+}
+
+func (x *HealthResponse) Reset() {
+	*x = HealthResponse{}
+	mi := &file_headscale_v1_headscale_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *HealthResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*HealthResponse) ProtoMessage() {}
+
+func (x *HealthResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_headscale_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use HealthResponse.ProtoReflect.Descriptor instead.
+func (*HealthResponse) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_headscale_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *HealthResponse) GetDatabaseConnectivity() bool {
+	if x != nil {
+		return x.DatabaseConnectivity
+	}
+	return false
+}
+
 var File_headscale_v1_headscale_proto protoreflect.FileDescriptor

 const file_headscale_v1_headscale_proto_rawDesc = "" +
 	"\n" +
-	"\x1cheadscale/v1/headscale.proto\x12\fheadscale.v1\x1a\x1cgoogle/api/annotations.proto\x1a\x17headscale/v1/user.proto\x1a\x1dheadscale/v1/preauthkey.proto\x1a\x17headscale/v1/node.proto\x1a\x19headscale/v1/apikey.proto\x1a\x19headscale/v1/policy.proto2\xa3\x16\n" +
+	"\x1cheadscale/v1/headscale.proto\x12\fheadscale.v1\x1a\x1cgoogle/api/annotations.proto\x1a\x17headscale/v1/user.proto\x1a\x1dheadscale/v1/preauthkey.proto\x1a\x17headscale/v1/node.proto\x1a\x19headscale/v1/apikey.proto\x1a\x19headscale/v1/policy.proto\"\x0f\n" +
+	"\rHealthRequest\"E\n" +
+	"\x0eHealthResponse\x123\n" +
+	"\x15database_connectivity\x18\x01 \x01(\bR\x14databaseConnectivity2\x8c\x17\n" +
 	"\x10HeadscaleService\x12h\n" +
 	"\n" +
 	"CreateUser\x12\x1f.headscale.v1.CreateUserRequest\x1a .headscale.v1.CreateUserResponse\"\x17\x82\xd3\xe4\x93\x02\x11:\x01*\"\f/api/v1/user\x12\x80\x01\n" +
@@ -35,7 +119,8 @@ const file_headscale_v1_headscale_proto_rawDesc = "" +
 	"DeleteUser\x12\x1f.headscale.v1.DeleteUserRequest\x1a .headscale.v1.DeleteUserResponse\"\x19\x82\xd3\xe4\x93\x02\x13*\x11/api/v1/user/{id}\x12b\n" +
 	"\tListUsers\x12\x1e.headscale.v1.ListUsersRequest\x1a\x1f.headscale.v1.ListUsersResponse\"\x14\x82\xd3\xe4\x93\x02\x0e\x12\f/api/v1/user\x12\x80\x01\n" +
 	"\x10CreatePreAuthKey\x12%.headscale.v1.CreatePreAuthKeyRequest\x1a&.headscale.v1.CreatePreAuthKeyResponse\"\x1d\x82\xd3\xe4\x93\x02\x17:\x01*\"\x12/api/v1/preauthkey\x12\x87\x01\n" +
-	"\x10ExpirePreAuthKey\x12%.headscale.v1.ExpirePreAuthKeyRequest\x1a&.headscale.v1.ExpirePreAuthKeyResponse\"$\x82\xd3\xe4\x93\x02\x1e:\x01*\"\x19/api/v1/preauthkey/expire\x12z\n" +
+	"\x10ExpirePreAuthKey\x12%.headscale.v1.ExpirePreAuthKeyRequest\x1a&.headscale.v1.ExpirePreAuthKeyResponse\"$\x82\xd3\xe4\x93\x02\x1e:\x01*\"\x19/api/v1/preauthkey/expire\x12}\n" +
+	"\x10DeletePreAuthKey\x12%.headscale.v1.DeletePreAuthKeyRequest\x1a&.headscale.v1.DeletePreAuthKeyResponse\"\x1a\x82\xd3\xe4\x93\x02\x14*\x12/api/v1/preauthkey\x12z\n" +
 	"\x0fListPreAuthKeys\x12$.headscale.v1.ListPreAuthKeysRequest\x1a%.headscale.v1.ListPreAuthKeysResponse\"\x1a\x82\xd3\xe4\x93\x02\x14\x12\x12/api/v1/preauthkey\x12}\n" +
 	"\x0fDebugCreateNode\x12$.headscale.v1.DebugCreateNodeRequest\x1a%.headscale.v1.DebugCreateNodeResponse\"\x1d\x82\xd3\xe4\x93\x02\x17:\x01*\"\x12/api/v1/debug/node\x12f\n" +
 	"\aGetNode\x12\x1c.headscale.v1.GetNodeRequest\x1a\x1d.headscale.v1.GetNodeResponse\"\x1e\x82\xd3\xe4\x93\x02\x18\x12\x16/api/v1/node/{node_id}\x12n\n" +
@@ -48,117 +133,134 @@ const file_headscale_v1_headscale_proto_rawDesc = "" +
 	"ExpireNode\x12\x1f.headscale.v1.ExpireNodeRequest\x1a .headscale.v1.ExpireNodeResponse\"%\x82\xd3\xe4\x93\x02\x1f\"\x1d/api/v1/node/{node_id}/expire\x12\x81\x01\n" +
 	"\n" +
 	"RenameNode\x12\x1f.headscale.v1.RenameNodeRequest\x1a .headscale.v1.RenameNodeResponse\"0\x82\xd3\xe4\x93\x02*\"(/api/v1/node/{node_id}/rename/{new_name}\x12b\n" +
-	"\tListNodes\x12\x1e.headscale.v1.ListNodesRequest\x1a\x1f.headscale.v1.ListNodesResponse\"\x14\x82\xd3\xe4\x93\x02\x0e\x12\f/api/v1/node\x12q\n" +
-	"\bMoveNode\x12\x1d.headscale.v1.MoveNodeRequest\x1a\x1e.headscale.v1.MoveNodeResponse\"&\x82\xd3\xe4\x93\x02 :\x01*\"\x1b/api/v1/node/{node_id}/user\x12\x80\x01\n" +
+	"\tListNodes\x12\x1e.headscale.v1.ListNodesRequest\x1a\x1f.headscale.v1.ListNodesResponse\"\x14\x82\xd3\xe4\x93\x02\x0e\x12\f/api/v1/node\x12\x80\x01\n" +
 	"\x0fBackfillNodeIPs\x12$.headscale.v1.BackfillNodeIPsRequest\x1a%.headscale.v1.BackfillNodeIPsResponse\" \x82\xd3\xe4\x93\x02\x1a\"\x18/api/v1/node/backfillips\x12p\n" +
 	"\fCreateApiKey\x12!.headscale.v1.CreateApiKeyRequest\x1a\".headscale.v1.CreateApiKeyResponse\"\x19\x82\xd3\xe4\x93\x02\x13:\x01*\"\x0e/api/v1/apikey\x12w\n" +
 	"\fExpireApiKey\x12!.headscale.v1.ExpireApiKeyRequest\x1a\".headscale.v1.ExpireApiKeyResponse\" \x82\xd3\xe4\x93\x02\x1a:\x01*\"\x15/api/v1/apikey/expire\x12j\n" +
 	"\vListApiKeys\x12 .headscale.v1.ListApiKeysRequest\x1a!.headscale.v1.ListApiKeysResponse\"\x16\x82\xd3\xe4\x93\x02\x10\x12\x0e/api/v1/apikey\x12v\n" +
 	"\fDeleteApiKey\x12!.headscale.v1.DeleteApiKeyRequest\x1a\".headscale.v1.DeleteApiKeyResponse\"\x1f\x82\xd3\xe4\x93\x02\x19*\x17/api/v1/apikey/{prefix}\x12d\n" +
 	"\tGetPolicy\x12\x1e.headscale.v1.GetPolicyRequest\x1a\x1f.headscale.v1.GetPolicyResponse\"\x16\x82\xd3\xe4\x93\x02\x10\x12\x0e/api/v1/policy\x12g\n" +
-	"\tSetPolicy\x12\x1e.headscale.v1.SetPolicyRequest\x1a\x1f.headscale.v1.SetPolicyResponse\"\x19\x82\xd3\xe4\x93\x02\x13:\x01*\x1a\x0e/api/v1/policyB)Z'github.com/juanfont/headscale/gen/go/v1b\x06proto3"
+	"\tSetPolicy\x12\x1e.headscale.v1.SetPolicyRequest\x1a\x1f.headscale.v1.SetPolicyResponse\"\x19\x82\xd3\xe4\x93\x02\x13:\x01*\x1a\x0e/api/v1/policy\x12[\n" +
+	"\x06Health\x12\x1b.headscale.v1.HealthRequest\x1a\x1c.headscale.v1.HealthResponse\"\x16\x82\xd3\xe4\x93\x02\x10\x12\x0e/api/v1/healthB)Z'github.com/juanfont/headscale/gen/go/v1b\x06proto3"

+var (
+	file_headscale_v1_headscale_proto_rawDescOnce sync.Once
+	file_headscale_v1_headscale_proto_rawDescData []byte
+)
+
+func file_headscale_v1_headscale_proto_rawDescGZIP() []byte {
+	file_headscale_v1_headscale_proto_rawDescOnce.Do(func() {
+		file_headscale_v1_headscale_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_headscale_v1_headscale_proto_rawDesc), len(file_headscale_v1_headscale_proto_rawDesc)))
+	})
+	return file_headscale_v1_headscale_proto_rawDescData
+}
+
+var file_headscale_v1_headscale_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
 var file_headscale_v1_headscale_proto_goTypes = []any{
-	(*CreateUserRequest)(nil),         // 0: headscale.v1.CreateUserRequest
-	(*RenameUserRequest)(nil),         // 1: headscale.v1.RenameUserRequest
-	(*DeleteUserRequest)(nil),         // 2: headscale.v1.DeleteUserRequest
-	(*ListUsersRequest)(nil),          // 3: headscale.v1.ListUsersRequest
-	(*CreatePreAuthKeyRequest)(nil),   // 4: headscale.v1.CreatePreAuthKeyRequest
-	(*ExpirePreAuthKeyRequest)(nil),   // 5: headscale.v1.ExpirePreAuthKeyRequest
-	(*ListPreAuthKeysRequest)(nil),    // 6: headscale.v1.ListPreAuthKeysRequest
-	(*DebugCreateNodeRequest)(nil),    // 7: headscale.v1.DebugCreateNodeRequest
-	(*GetNodeRequest)(nil),            // 8: headscale.v1.GetNodeRequest
-	(*SetTagsRequest)(nil),            // 9: headscale.v1.SetTagsRequest
-	(*SetApprovedRoutesRequest)(nil),  // 10: headscale.v1.SetApprovedRoutesRequest
-	(*RegisterNodeRequest)(nil),       // 11: headscale.v1.RegisterNodeRequest
-	(*DeleteNodeRequest)(nil),         // 12: headscale.v1.DeleteNodeRequest
-	(*ExpireNodeRequest)(nil),         // 13: headscale.v1.ExpireNodeRequest
-	(*RenameNodeRequest)(nil),         // 14: headscale.v1.RenameNodeRequest
-	(*ListNodesRequest)(nil),          // 15: headscale.v1.ListNodesRequest
-	(*MoveNodeRequest)(nil),           // 16: headscale.v1.MoveNodeRequest
-	(*BackfillNodeIPsRequest)(nil),    // 17: headscale.v1.BackfillNodeIPsRequest
-	(*CreateApiKeyRequest)(nil),       // 18: headscale.v1.CreateApiKeyRequest
-	(*ExpireApiKeyRequest)(nil),       // 19: headscale.v1.ExpireApiKeyRequest
-	(*ListApiKeysRequest)(nil),        // 20: headscale.v1.ListApiKeysRequest
-	(*DeleteApiKeyRequest)(nil),       // 21: headscale.v1.DeleteApiKeyRequest
-	(*GetPolicyRequest)(nil),          // 22: headscale.v1.GetPolicyRequest
-	(*SetPolicyRequest)(nil),          // 23: headscale.v1.SetPolicyRequest
-	(*CreateUserResponse)(nil),        // 24: headscale.v1.CreateUserResponse
-	(*RenameUserResponse)(nil),        // 25: headscale.v1.RenameUserResponse
-	(*DeleteUserResponse)(nil),        // 26: headscale.v1.DeleteUserResponse
-	(*ListUsersResponse)(nil),         // 27: headscale.v1.ListUsersResponse
-	(*CreatePreAuthKeyResponse)(nil),  // 28: headscale.v1.CreatePreAuthKeyResponse
-	(*ExpirePreAuthKeyResponse)(nil),  // 29: headscale.v1.ExpirePreAuthKeyResponse
-	(*ListPreAuthKeysResponse)(nil),   // 30: headscale.v1.ListPreAuthKeysResponse
-	(*DebugCreateNodeResponse)(nil),   // 31: headscale.v1.DebugCreateNodeResponse
-	(*GetNodeResponse)(nil),           // 32: headscale.v1.GetNodeResponse
-	(*SetTagsResponse)(nil),           // 33: headscale.v1.SetTagsResponse
-	(*SetApprovedRoutesResponse)(nil), // 34: headscale.v1.SetApprovedRoutesResponse
-	(*RegisterNodeResponse)(nil),      // 35: headscale.v1.RegisterNodeResponse
-	(*DeleteNodeResponse)(nil),        // 36: headscale.v1.DeleteNodeResponse
-	(*ExpireNodeResponse)(nil),        // 37: headscale.v1.ExpireNodeResponse
-	(*RenameNodeResponse)(nil),        // 38: headscale.v1.RenameNodeResponse
-	(*ListNodesResponse)(nil),         // 39: headscale.v1.ListNodesResponse
-	(*MoveNodeResponse)(nil),          // 40: headscale.v1.MoveNodeResponse
-	(*BackfillNodeIPsResponse)(nil),   // 41: headscale.v1.BackfillNodeIPsResponse
-	(*CreateApiKeyResponse)(nil),      // 42: headscale.v1.CreateApiKeyResponse
-	(*ExpireApiKeyResponse)(nil),      // 43: headscale.v1.ExpireApiKeyResponse
-	(*ListApiKeysResponse)(nil),       // 44: headscale.v1.ListApiKeysResponse
-	(*DeleteApiKeyResponse)(nil),      // 45: headscale.v1.DeleteApiKeyResponse
-	(*GetPolicyResponse)(nil),         // 46: headscale.v1.GetPolicyResponse
-	(*SetPolicyResponse)(nil),         // 47: headscale.v1.SetPolicyResponse
+	(*HealthRequest)(nil),             // 0: headscale.v1.HealthRequest
+	(*HealthResponse)(nil),            // 1: headscale.v1.HealthResponse
+	(*CreateUserRequest)(nil),         // 2: headscale.v1.CreateUserRequest
+	(*RenameUserRequest)(nil),         // 3: headscale.v1.RenameUserRequest
+	(*DeleteUserRequest)(nil),         // 4: headscale.v1.DeleteUserRequest
+	(*ListUsersRequest)(nil),          // 5: headscale.v1.ListUsersRequest
+	(*CreatePreAuthKeyRequest)(nil),   // 6: headscale.v1.CreatePreAuthKeyRequest
+	(*ExpirePreAuthKeyRequest)(nil),   // 7: headscale.v1.ExpirePreAuthKeyRequest
+	(*DeletePreAuthKeyRequest)(nil),   // 8: headscale.v1.DeletePreAuthKeyRequest
+	(*ListPreAuthKeysRequest)(nil),    // 9: headscale.v1.ListPreAuthKeysRequest
+	(*DebugCreateNodeRequest)(nil),    // 10: headscale.v1.DebugCreateNodeRequest
+	(*GetNodeRequest)(nil),            // 11: headscale.v1.GetNodeRequest
+	(*SetTagsRequest)(nil),            // 12: headscale.v1.SetTagsRequest
+	(*SetApprovedRoutesRequest)(nil),  // 13: headscale.v1.SetApprovedRoutesRequest
+	(*RegisterNodeRequest)(nil),       // 14: headscale.v1.RegisterNodeRequest
+	(*DeleteNodeRequest)(nil),         // 15: headscale.v1.DeleteNodeRequest
+	(*ExpireNodeRequest)(nil),         // 16: headscale.v1.ExpireNodeRequest
+	(*RenameNodeRequest)(nil),         // 17: headscale.v1.RenameNodeRequest
+	(*ListNodesRequest)(nil),          // 18: headscale.v1.ListNodesRequest
+	(*BackfillNodeIPsRequest)(nil),    // 19: headscale.v1.BackfillNodeIPsRequest
+	(*CreateApiKeyRequest)(nil),       // 20: headscale.v1.CreateApiKeyRequest
+	(*ExpireApiKeyRequest)(nil),       // 21: headscale.v1.ExpireApiKeyRequest
+	(*ListApiKeysRequest)(nil),        // 22: headscale.v1.ListApiKeysRequest
+	(*DeleteApiKeyRequest)(nil),       // 23: headscale.v1.DeleteApiKeyRequest
+	(*GetPolicyRequest)(nil),          // 24: headscale.v1.GetPolicyRequest
+	(*SetPolicyRequest)(nil),          // 25: headscale.v1.SetPolicyRequest
+	(*CreateUserResponse)(nil),        // 26: headscale.v1.CreateUserResponse
+	(*RenameUserResponse)(nil),        // 27: headscale.v1.RenameUserResponse
+	(*DeleteUserResponse)(nil),        // 28: headscale.v1.DeleteUserResponse
+	(*ListUsersResponse)(nil),         // 29: headscale.v1.ListUsersResponse
+	(*CreatePreAuthKeyResponse)(nil),  // 30: headscale.v1.CreatePreAuthKeyResponse
+	(*ExpirePreAuthKeyResponse)(nil),  // 31: headscale.v1.ExpirePreAuthKeyResponse
+	(*DeletePreAuthKeyResponse)(nil),  // 32: headscale.v1.DeletePreAuthKeyResponse
+	(*ListPreAuthKeysResponse)(nil),   // 33: headscale.v1.ListPreAuthKeysResponse
+	(*DebugCreateNodeResponse)(nil),   // 34: headscale.v1.DebugCreateNodeResponse
+	(*GetNodeResponse)(nil),           // 35: headscale.v1.GetNodeResponse
+	(*SetTagsResponse)(nil),           // 36: headscale.v1.SetTagsResponse
+	(*SetApprovedRoutesResponse)(nil), // 37: headscale.v1.SetApprovedRoutesResponse
+	(*RegisterNodeResponse)(nil),      // 38: headscale.v1.RegisterNodeResponse
+	(*DeleteNodeResponse)(nil),        // 39: headscale.v1.DeleteNodeResponse
+	(*ExpireNodeResponse)(nil),        // 40: headscale.v1.ExpireNodeResponse
+	(*RenameNodeResponse)(nil),        // 41: headscale.v1.RenameNodeResponse
+	(*ListNodesResponse)(nil),         // 42: headscale.v1.ListNodesResponse
+	(*BackfillNodeIPsResponse)(nil),   // 43: headscale.v1.BackfillNodeIPsResponse
+	(*CreateApiKeyResponse)(nil),      // 44: headscale.v1.CreateApiKeyResponse
+	(*ExpireApiKeyResponse)(nil),      // 45: headscale.v1.ExpireApiKeyResponse
+	(*ListApiKeysResponse)(nil),       // 46: headscale.v1.ListApiKeysResponse
+	(*DeleteApiKeyResponse)(nil),      // 47: headscale.v1.DeleteApiKeyResponse
+	(*GetPolicyResponse)(nil),         // 48: headscale.v1.GetPolicyResponse
+	(*SetPolicyResponse)(nil),         // 49: headscale.v1.SetPolicyResponse
 }
 var file_headscale_v1_headscale_proto_depIdxs = []int32{
-	0,  // 0: headscale.v1.HeadscaleService.CreateUser:input_type -> headscale.v1.CreateUserRequest
-	1,  // 1: headscale.v1.HeadscaleService.RenameUser:input_type -> headscale.v1.RenameUserRequest
-	2,  // 2: headscale.v1.HeadscaleService.DeleteUser:input_type -> headscale.v1.DeleteUserRequest
-	3,  // 3: headscale.v1.HeadscaleService.ListUsers:input_type -> headscale.v1.ListUsersRequest
-	4,  // 4: headscale.v1.HeadscaleService.CreatePreAuthKey:input_type -> headscale.v1.CreatePreAuthKeyRequest
-	5,  // 5: headscale.v1.HeadscaleService.ExpirePreAuthKey:input_type -> headscale.v1.ExpirePreAuthKeyRequest
-	6,  // 6: headscale.v1.HeadscaleService.ListPreAuthKeys:input_type -> headscale.v1.ListPreAuthKeysRequest
-	7,  // 7: headscale.v1.HeadscaleService.DebugCreateNode:input_type -> headscale.v1.DebugCreateNodeRequest
-	8,  // 8: headscale.v1.HeadscaleService.GetNode:input_type -> headscale.v1.GetNodeRequest
-	9,  // 9: headscale.v1.HeadscaleService.SetTags:input_type -> headscale.v1.SetTagsRequest
-	10, // 10: headscale.v1.HeadscaleService.SetApprovedRoutes:input_type -> headscale.v1.SetApprovedRoutesRequest
-	11, // 11: headscale.v1.HeadscaleService.RegisterNode:input_type -> headscale.v1.RegisterNodeRequest
-	12, // 12: headscale.v1.HeadscaleService.DeleteNode:input_type -> headscale.v1.DeleteNodeRequest
-	13, // 13: headscale.v1.HeadscaleService.ExpireNode:input_type -> headscale.v1.ExpireNodeRequest
-	14, // 14: headscale.v1.HeadscaleService.RenameNode:input_type -> headscale.v1.RenameNodeRequest
-	15, // 15: headscale.v1.HeadscaleService.ListNodes:input_type -> headscale.v1.ListNodesRequest
-	16, // 16: headscale.v1.HeadscaleService.MoveNode:input_type -> headscale.v1.MoveNodeRequest
-	17, // 17: headscale.v1.HeadscaleService.BackfillNodeIPs:input_type -> headscale.v1.BackfillNodeIPsRequest
-	18, // 18: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
-	19, // 19: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
-	20, // 20: headscale.v1.HeadscaleService.ListApiKeys:input_type -> headscale.v1.ListApiKeysRequest
-	21, // 21: headscale.v1.HeadscaleService.DeleteApiKey:input_type -> headscale.v1.DeleteApiKeyRequest
-	22, // 22: headscale.v1.HeadscaleService.GetPolicy:input_type -> headscale.v1.GetPolicyRequest
-	23, // 23: headscale.v1.HeadscaleService.SetPolicy:input_type -> headscale.v1.SetPolicyRequest
-	24, // 24: headscale.v1.HeadscaleService.CreateUser:output_type -> headscale.v1.CreateUserResponse
-	25, // 25: headscale.v1.HeadscaleService.RenameUser:output_type -> headscale.v1.RenameUserResponse
-	26, // 26: headscale.v1.HeadscaleService.DeleteUser:output_type -> headscale.v1.DeleteUserResponse
-	27, // 27: headscale.v1.HeadscaleService.ListUsers:output_type -> headscale.v1.ListUsersResponse
-	28, // 28: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
-	29, // 29: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
-	30, // 30: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
-	31, // 31: headscale.v1.HeadscaleService.DebugCreateNode:output_type -> headscale.v1.DebugCreateNodeResponse
-	32, // 32: headscale.v1.HeadscaleService.GetNode:output_type -> headscale.v1.GetNodeResponse
-	33, // 33: headscale.v1.HeadscaleService.SetTags:output_type -> headscale.v1.SetTagsResponse
-	34, // 34: headscale.v1.HeadscaleService.SetApprovedRoutes:output_type -> headscale.v1.SetApprovedRoutesResponse
-	35, // 35: headscale.v1.HeadscaleService.RegisterNode:output_type -> headscale.v1.RegisterNodeResponse
-	36, // 36: headscale.v1.HeadscaleService.DeleteNode:output_type -> headscale.v1.DeleteNodeResponse
-	37, // 37: headscale.v1.HeadscaleService.ExpireNode:output_type -> headscale.v1.ExpireNodeResponse
-	38, // 38: headscale.v1.HeadscaleService.RenameNode:output_type -> headscale.v1.RenameNodeResponse
-	39, // 39: headscale.v1.HeadscaleService.ListNodes:output_type -> headscale.v1.ListNodesResponse
-	40, // 40: headscale.v1.HeadscaleService.MoveNode:output_type -> headscale.v1.MoveNodeResponse
-	41, // 41: headscale.v1.HeadscaleService.BackfillNodeIPs:output_type -> headscale.v1.BackfillNodeIPsResponse
-	42, // 42: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
-	43, // 43: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
-	44, // 44: headscale.v1.HeadscaleService.ListApiKeys:output_type -> headscale.v1.ListApiKeysResponse
-	45, // 45: headscale.v1.HeadscaleService.DeleteApiKey:output_type -> headscale.v1.DeleteApiKeyResponse
-	46, // 46: headscale.v1.HeadscaleService.GetPolicy:output_type -> headscale.v1.GetPolicyResponse
-	47, // 47: headscale.v1.HeadscaleService.SetPolicy:output_type -> headscale.v1.SetPolicyResponse
-	24, // [24:48] is the sub-list for method output_type
-	0,  // [0:24] is the sub-list for method input_type
+	2,  // 0: headscale.v1.HeadscaleService.CreateUser:input_type -> headscale.v1.CreateUserRequest
+	3,  // 1: headscale.v1.HeadscaleService.RenameUser:input_type -> headscale.v1.RenameUserRequest
+	4,  // 2: headscale.v1.HeadscaleService.DeleteUser:input_type -> headscale.v1.DeleteUserRequest
+	5,  // 3: headscale.v1.HeadscaleService.ListUsers:input_type -> headscale.v1.ListUsersRequest
+	6,  // 4: headscale.v1.HeadscaleService.CreatePreAuthKey:input_type -> headscale.v1.CreatePreAuthKeyRequest
+	7,  // 5: headscale.v1.HeadscaleService.ExpirePreAuthKey:input_type -> headscale.v1.ExpirePreAuthKeyRequest
+	8,  // 6: headscale.v1.HeadscaleService.DeletePreAuthKey:input_type -> headscale.v1.DeletePreAuthKeyRequest
+	9,  // 7: headscale.v1.HeadscaleService.ListPreAuthKeys:input_type -> headscale.v1.ListPreAuthKeysRequest
+	10, // 8: headscale.v1.HeadscaleService.DebugCreateNode:input_type -> headscale.v1.DebugCreateNodeRequest
+	11, // 9: headscale.v1.HeadscaleService.GetNode:input_type -> headscale.v1.GetNodeRequest
+	12, // 10: headscale.v1.HeadscaleService.SetTags:input_type -> headscale.v1.SetTagsRequest
+	13, // 11: headscale.v1.HeadscaleService.SetApprovedRoutes:input_type -> headscale.v1.SetApprovedRoutesRequest
+	14, // 12: headscale.v1.HeadscaleService.RegisterNode:input_type -> headscale.v1.RegisterNodeRequest
+	15, // 13: headscale.v1.HeadscaleService.DeleteNode:input_type -> headscale.v1.DeleteNodeRequest
+	16, // 14: headscale.v1.HeadscaleService.ExpireNode:input_type -> headscale.v1.ExpireNodeRequest
+	17, // 15: headscale.v1.HeadscaleService.RenameNode:input_type -> headscale.v1.RenameNodeRequest
+	18, // 16: headscale.v1.HeadscaleService.ListNodes:input_type -> headscale.v1.ListNodesRequest
+	19, // 17: headscale.v1.HeadscaleService.BackfillNodeIPs:input_type -> headscale.v1.BackfillNodeIPsRequest
+	20, // 18: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
+	21, // 19: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
+	22, // 20: headscale.v1.HeadscaleService.ListApiKeys:input_type -> headscale.v1.ListApiKeysRequest
+	23, // 21: headscale.v1.HeadscaleService.DeleteApiKey:input_type -> headscale.v1.DeleteApiKeyRequest
+	24, // 22: headscale.v1.HeadscaleService.GetPolicy:input_type -> headscale.v1.GetPolicyRequest
+	25, // 23: headscale.v1.HeadscaleService.SetPolicy:input_type -> headscale.v1.SetPolicyRequest
+	0,  // 24: headscale.v1.HeadscaleService.Health:input_type -> headscale.v1.HealthRequest
+	26, // 25: headscale.v1.HeadscaleService.CreateUser:output_type -> headscale.v1.CreateUserResponse
+	27, // 26: headscale.v1.HeadscaleService.RenameUser:output_type -> headscale.v1.RenameUserResponse
+	28, // 27: headscale.v1.HeadscaleService.DeleteUser:output_type -> headscale.v1.DeleteUserResponse
+	29, // 28: headscale.v1.HeadscaleService.ListUsers:output_type -> headscale.v1.ListUsersResponse
+	30, // 29: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
+	31, // 30: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
+	32, // 31: headscale.v1.HeadscaleService.DeletePreAuthKey:output_type -> headscale.v1.DeletePreAuthKeyResponse
+	33, // 32: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
+	34, // 33: headscale.v1.HeadscaleService.DebugCreateNode:output_type -> headscale.v1.DebugCreateNodeResponse
+	35, // 34: headscale.v1.HeadscaleService.GetNode:output_type -> headscale.v1.GetNodeResponse
+	36, // 35: headscale.v1.HeadscaleService.SetTags:output_type -> headscale.v1.SetTagsResponse
+	37, // 36: headscale.v1.HeadscaleService.SetApprovedRoutes:output_type -> headscale.v1.SetApprovedRoutesResponse
+	38, // 37: headscale.v1.HeadscaleService.RegisterNode:output_type -> headscale.v1.RegisterNodeResponse
+	39, // 38: headscale.v1.HeadscaleService.DeleteNode:output_type -> headscale.v1.DeleteNodeResponse
+	40, // 39: headscale.v1.HeadscaleService.ExpireNode:output_type -> headscale.v1.ExpireNodeResponse
+	41, // 40: headscale.v1.HeadscaleService.RenameNode:output_type -> headscale.v1.RenameNodeResponse
+	42, // 41: headscale.v1.HeadscaleService.ListNodes:output_type -> headscale.v1.ListNodesResponse
+	43, // 42: headscale.v1.HeadscaleService.BackfillNodeIPs:output_type -> headscale.v1.BackfillNodeIPsResponse
+	44, // 43: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
+	45, // 44: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
+	46, // 45: headscale.v1.HeadscaleService.ListApiKeys:output_type -> headscale.v1.ListApiKeysResponse
+	47, // 46: headscale.v1.HeadscaleService.DeleteApiKey:output_type -> headscale.v1.DeleteApiKeyResponse
+	48, // 47: headscale.v1.HeadscaleService.GetPolicy:output_type -> headscale.v1.GetPolicyResponse
+	49, // 48: headscale.v1.HeadscaleService.SetPolicy:output_type -> headscale.v1.SetPolicyResponse
+	1,  // 49: headscale.v1.HeadscaleService.Health:output_type -> headscale.v1.HealthResponse
+	25, // [25:50] is the sub-list for method output_type
+	0,  // [0:25] is the sub-list for method input_type
 	0,  // [0:0] is the sub-list for extension type_name
 	0,  // [0:0] is the sub-list for extension extendee
 	0,  // [0:0] is the sub-list for field type_name
@@ -180,12 +282,13 @@ func file_headscale_v1_headscale_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_headscale_v1_headscale_proto_rawDesc), len(file_headscale_v1_headscale_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   0,
+			NumMessages:   2,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
 		GoTypes:           file_headscale_v1_headscale_proto_goTypes,
 		DependencyIndexes: file_headscale_v1_headscale_proto_depIdxs,
+		MessageInfos:      file_headscale_v1_headscale_proto_msgTypes,
 	}.Build()
 	File_headscale_v1_headscale_proto = out.File
 	file_headscale_v1_headscale_proto_goTypes = nil
--- a/gen/go/headscale/v1/headscale.pb.gw.go
+++ b/gen/go/headscale/v1/headscale.pb.gw.go
@@ -227,6 +227,38 @@ func local_request_HeadscaleService_ExpirePreAuthKey_0(ctx context.Context, mars
 	return msg, metadata, err
 }

+var filter_HeadscaleService_DeletePreAuthKey_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+
+func request_HeadscaleService_DeletePreAuthKey_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var (
+		protoReq DeletePreAuthKeyRequest
+		metadata runtime.ServerMetadata
+	)
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_HeadscaleService_DeletePreAuthKey_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	msg, err := client.DeletePreAuthKey(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+}
+
+func local_request_HeadscaleService_DeletePreAuthKey_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var (
+		protoReq DeletePreAuthKeyRequest
+		metadata runtime.ServerMetadata
+	)
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_HeadscaleService_DeletePreAuthKey_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	msg, err := server.DeletePreAuthKey(ctx, &protoReq)
+	return msg, metadata, err
+}
+
 var filter_HeadscaleService_ListPreAuthKeys_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}

 func request_HeadscaleService_ListPreAuthKeys_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -471,6 +503,8 @@ func local_request_HeadscaleService_DeleteNode_0(ctx context.Context, marshaler
 	return msg, metadata, err
 }

+var filter_HeadscaleService_ExpireNode_0 = &utilities.DoubleArray{Encoding: map[string]int{"node_id": 0}, Base: []int{1, 1, 0}, Check: []int{0, 1, 2}}
+
 func request_HeadscaleService_ExpireNode_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var (
 		protoReq ExpireNodeRequest
@@ -485,6 +519,12 @@ func request_HeadscaleService_ExpireNode_0(ctx context.Context, marshaler runtim
 	if err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "node_id", err)
 	}
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_HeadscaleService_ExpireNode_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
 	msg, err := client.ExpireNode(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
 }
@@ -503,6 +543,12 @@ func local_request_HeadscaleService_ExpireNode_0(ctx context.Context, marshaler
 	if err != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "node_id", err)
 	}
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_HeadscaleService_ExpireNode_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
 	msg, err := server.ExpireNode(ctx, &protoReq)
 	return msg, metadata, err
 }
@@ -591,48 +637,6 @@ func local_request_HeadscaleService_ListNodes_0(ctx context.Context, marshaler r
 	return msg, metadata, err
 }

-func request_HeadscaleService_MoveNode_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
-	var (
-		protoReq MoveNodeRequest
-		metadata runtime.ServerMetadata
-		err      error
-	)
-	if err := marshaler.NewDecoder(req.Body).Decode(&protoReq); err != nil && !errors.Is(err, io.EOF) {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	val, ok := pathParams["node_id"]
-	if !ok {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "node_id")
-	}
-	protoReq.NodeId, err = runtime.Uint64(val)
-	if err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "node_id", err)
-	}
-	msg, err := client.MoveNode(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
-	return msg, metadata, err
-}
-
-func local_request_HeadscaleService_MoveNode_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
-	var (
-		protoReq MoveNodeRequest
-		metadata runtime.ServerMetadata
-		err      error
-	)
-	if err := marshaler.NewDecoder(req.Body).Decode(&protoReq); err != nil && !errors.Is(err, io.EOF) {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
-	}
-	val, ok := pathParams["node_id"]
-	if !ok {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "node_id")
-	}
-	protoReq.NodeId, err = runtime.Uint64(val)
-	if err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "node_id", err)
-	}
-	msg, err := server.MoveNode(ctx, &protoReq)
-	return msg, metadata, err
-}
-
 var filter_HeadscaleService_BackfillNodeIPs_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}

 func request_HeadscaleService_BackfillNodeIPs_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -809,6 +813,24 @@ func local_request_HeadscaleService_SetPolicy_0(ctx context.Context, marshaler r
 	return msg, metadata, err
 }

+func request_HeadscaleService_Health_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var (
+		protoReq HealthRequest
+		metadata runtime.ServerMetadata
+	)
+	msg, err := client.Health(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+}
+
+func local_request_HeadscaleService_Health_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var (
+		protoReq HealthRequest
+		metadata runtime.ServerMetadata
+	)
+	msg, err := server.Health(ctx, &protoReq)
+	return msg, metadata, err
+}
+
 // RegisterHeadscaleServiceHandlerServer registers the http handlers for service HeadscaleService to "mux".
 // UnaryRPC     :call HeadscaleServiceServer directly.
 // StreamingRPC :currently unsupported pending https://github.com/grpc/grpc-go/issues/906.
@@ -935,6 +957,26 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 		forward_HeadscaleService_ExpirePreAuthKey_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
 	})
+	mux.Handle(http.MethodDelete, pattern_HeadscaleService_DeletePreAuthKey_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		annotatedContext, err := runtime.AnnotateIncomingContext(ctx, mux, req, "/headscale.v1.HeadscaleService/DeletePreAuthKey", runtime.WithHTTPPathPattern("/api/v1/preauthkey"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_HeadscaleService_DeletePreAuthKey_0(annotatedContext, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		forward_HeadscaleService_DeletePreAuthKey_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+	})
 	mux.Handle(http.MethodGet, pattern_HeadscaleService_ListPreAuthKeys_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1135,26 +1177,6 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 		forward_HeadscaleService_ListNodes_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
 	})
-	mux.Handle(http.MethodPost, pattern_HeadscaleService_MoveNode_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
-		ctx, cancel := context.WithCancel(req.Context())
-		defer cancel()
-		var stream runtime.ServerTransportStream
-		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
-		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
-		annotatedContext, err := runtime.AnnotateIncomingContext(ctx, mux, req, "/headscale.v1.HeadscaleService/MoveNode", runtime.WithHTTPPathPattern("/api/v1/node/{node_id}/user"))
-		if err != nil {
-			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
-			return
-		}
-		resp, md, err := local_request_HeadscaleService_MoveNode_0(annotatedContext, inboundMarshaler, server, req, pathParams)
-		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
-		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
-		if err != nil {
-			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
-			return
-		}
-		forward_HeadscaleService_MoveNode_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
-	})
 	mux.Handle(http.MethodPost, pattern_HeadscaleService_BackfillNodeIPs_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1295,6 +1317,26 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 		forward_HeadscaleService_SetPolicy_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
 	})
+	mux.Handle(http.MethodGet, pattern_HeadscaleService_Health_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		annotatedContext, err := runtime.AnnotateIncomingContext(ctx, mux, req, "/headscale.v1.HeadscaleService/Health", runtime.WithHTTPPathPattern("/api/v1/health"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_HeadscaleService_Health_0(annotatedContext, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		forward_HeadscaleService_Health_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+	})

 	return nil
 }
@@ -1437,6 +1479,23 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 		forward_HeadscaleService_ExpirePreAuthKey_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
 	})
+	mux.Handle(http.MethodDelete, pattern_HeadscaleService_DeletePreAuthKey_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		annotatedContext, err := runtime.AnnotateContext(ctx, mux, req, "/headscale.v1.HeadscaleService/DeletePreAuthKey", runtime.WithHTTPPathPattern("/api/v1/preauthkey"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_HeadscaleService_DeletePreAuthKey_0(annotatedContext, inboundMarshaler, client, req, pathParams)
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		forward_HeadscaleService_DeletePreAuthKey_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+	})
 	mux.Handle(http.MethodGet, pattern_HeadscaleService_ListPreAuthKeys_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1607,23 +1666,6 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 		forward_HeadscaleService_ListNodes_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
 	})
-	mux.Handle(http.MethodPost, pattern_HeadscaleService_MoveNode_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
-		ctx, cancel := context.WithCancel(req.Context())
-		defer cancel()
-		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
-		annotatedContext, err := runtime.AnnotateContext(ctx, mux, req, "/headscale.v1.HeadscaleService/MoveNode", runtime.WithHTTPPathPattern("/api/v1/node/{node_id}/user"))
-		if err != nil {
-			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
-			return
-		}
-		resp, md, err := request_HeadscaleService_MoveNode_0(annotatedContext, inboundMarshaler, client, req, pathParams)
-		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
-		if err != nil {
-			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
-			return
-		}
-		forward_HeadscaleService_MoveNode_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
-	})
 	mux.Handle(http.MethodPost, pattern_HeadscaleService_BackfillNodeIPs_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1743,6 +1785,23 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 		forward_HeadscaleService_SetPolicy_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
 	})
+	mux.Handle(http.MethodGet, pattern_HeadscaleService_Health_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		annotatedContext, err := runtime.AnnotateContext(ctx, mux, req, "/headscale.v1.HeadscaleService/Health", runtime.WithHTTPPathPattern("/api/v1/health"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_HeadscaleService_Health_0(annotatedContext, inboundMarshaler, client, req, pathParams)
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		forward_HeadscaleService_Health_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+	})
 	return nil
 }

@@ -1753,6 +1812,7 @@ var (
 	pattern_HeadscaleService_ListUsers_0         = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "user"}, ""))
 	pattern_HeadscaleService_CreatePreAuthKey_0  = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "preauthkey"}, ""))
 	pattern_HeadscaleService_ExpirePreAuthKey_0  = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"api", "v1", "preauthkey", "expire"}, ""))
+	pattern_HeadscaleService_DeletePreAuthKey_0  = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "preauthkey"}, ""))
 	pattern_HeadscaleService_ListPreAuthKeys_0   = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "preauthkey"}, ""))
 	pattern_HeadscaleService_DebugCreateNode_0   = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"api", "v1", "debug", "node"}, ""))
 	pattern_HeadscaleService_GetNode_0           = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "node", "node_id"}, ""))
@@ -1763,7 +1823,6 @@ var (
 	pattern_HeadscaleService_ExpireNode_0        = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "node", "node_id", "expire"}, ""))
 	pattern_HeadscaleService_RenameNode_0        = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4, 1, 0, 4, 1, 5, 5}, []string{"api", "v1", "node", "node_id", "rename", "new_name"}, ""))
 	pattern_HeadscaleService_ListNodes_0         = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "node"}, ""))
-	pattern_HeadscaleService_MoveNode_0          = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "node", "node_id", "user"}, ""))
 	pattern_HeadscaleService_BackfillNodeIPs_0   = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"api", "v1", "node", "backfillips"}, ""))
 	pattern_HeadscaleService_CreateApiKey_0      = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "apikey"}, ""))
 	pattern_HeadscaleService_ExpireApiKey_0      = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"api", "v1", "apikey", "expire"}, ""))
@@ -1771,6 +1830,7 @@ var (
 	pattern_HeadscaleService_DeleteApiKey_0      = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "apikey", "prefix"}, ""))
 	pattern_HeadscaleService_GetPolicy_0         = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "policy"}, ""))
 	pattern_HeadscaleService_SetPolicy_0         = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "policy"}, ""))
+	pattern_HeadscaleService_Health_0            = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "health"}, ""))
 )

 var (
@@ -1780,6 +1840,7 @@ var (
 	forward_HeadscaleService_ListUsers_0         = runtime.ForwardResponseMessage
 	forward_HeadscaleService_CreatePreAuthKey_0  = runtime.ForwardResponseMessage
 	forward_HeadscaleService_ExpirePreAuthKey_0  = runtime.ForwardResponseMessage
+	forward_HeadscaleService_DeletePreAuthKey_0  = runtime.ForwardResponseMessage
 	forward_HeadscaleService_ListPreAuthKeys_0   = runtime.ForwardResponseMessage
 	forward_HeadscaleService_DebugCreateNode_0   = runtime.ForwardResponseMessage
 	forward_HeadscaleService_GetNode_0           = runtime.ForwardResponseMessage
@@ -1790,7 +1851,6 @@ var (
 	forward_HeadscaleService_ExpireNode_0        = runtime.ForwardResponseMessage
 	forward_HeadscaleService_RenameNode_0        = runtime.ForwardResponseMessage
 	forward_HeadscaleService_ListNodes_0         = runtime.ForwardResponseMessage
-	forward_HeadscaleService_MoveNode_0          = runtime.ForwardResponseMessage
 	forward_HeadscaleService_BackfillNodeIPs_0   = runtime.ForwardResponseMessage
 	forward_HeadscaleService_CreateApiKey_0      = runtime.ForwardResponseMessage
 	forward_HeadscaleService_ExpireApiKey_0      = runtime.ForwardResponseMessage
@@ -1798,4 +1858,5 @@ var (
 	forward_HeadscaleService_DeleteApiKey_0      = runtime.ForwardResponseMessage
 	forward_HeadscaleService_GetPolicy_0         = runtime.ForwardResponseMessage
 	forward_HeadscaleService_SetPolicy_0         = runtime.ForwardResponseMessage
+	forward_HeadscaleService_Health_0            = runtime.ForwardResponseMessage
 )
--- a/gen/go/headscale/v1/headscale_grpc.pb.go
+++ b/gen/go/headscale/v1/headscale_grpc.pb.go
@@ -25,6 +25,7 @@ const (
 	HeadscaleService_ListUsers_FullMethodName         = "/headscale.v1.HeadscaleService/ListUsers"
 	HeadscaleService_CreatePreAuthKey_FullMethodName  = "/headscale.v1.HeadscaleService/CreatePreAuthKey"
 	HeadscaleService_ExpirePreAuthKey_FullMethodName  = "/headscale.v1.HeadscaleService/ExpirePreAuthKey"
+	HeadscaleService_DeletePreAuthKey_FullMethodName  = "/headscale.v1.HeadscaleService/DeletePreAuthKey"
 	HeadscaleService_ListPreAuthKeys_FullMethodName   = "/headscale.v1.HeadscaleService/ListPreAuthKeys"
 	HeadscaleService_DebugCreateNode_FullMethodName   = "/headscale.v1.HeadscaleService/DebugCreateNode"
 	HeadscaleService_GetNode_FullMethodName           = "/headscale.v1.HeadscaleService/GetNode"
@@ -35,7 +36,6 @@ const (
 	HeadscaleService_ExpireNode_FullMethodName        = "/headscale.v1.HeadscaleService/ExpireNode"
 	HeadscaleService_RenameNode_FullMethodName        = "/headscale.v1.HeadscaleService/RenameNode"
 	HeadscaleService_ListNodes_FullMethodName         = "/headscale.v1.HeadscaleService/ListNodes"
-	HeadscaleService_MoveNode_FullMethodName          = "/headscale.v1.HeadscaleService/MoveNode"
 	HeadscaleService_BackfillNodeIPs_FullMethodName   = "/headscale.v1.HeadscaleService/BackfillNodeIPs"
 	HeadscaleService_CreateApiKey_FullMethodName      = "/headscale.v1.HeadscaleService/CreateApiKey"
 	HeadscaleService_ExpireApiKey_FullMethodName      = "/headscale.v1.HeadscaleService/ExpireApiKey"
@@ -43,6 +43,7 @@ const (
 	HeadscaleService_DeleteApiKey_FullMethodName      = "/headscale.v1.HeadscaleService/DeleteApiKey"
 	HeadscaleService_GetPolicy_FullMethodName         = "/headscale.v1.HeadscaleService/GetPolicy"
 	HeadscaleService_SetPolicy_FullMethodName         = "/headscale.v1.HeadscaleService/SetPolicy"
+	HeadscaleService_Health_FullMethodName            = "/headscale.v1.HeadscaleService/Health"
 )

 // HeadscaleServiceClient is the client API for HeadscaleService service.
@@ -57,6 +58,7 @@ type HeadscaleServiceClient interface {
 	// --- PreAuthKeys start ---
 	CreatePreAuthKey(ctx context.Context, in *CreatePreAuthKeyRequest, opts ...grpc.CallOption) (*CreatePreAuthKeyResponse, error)
 	ExpirePreAuthKey(ctx context.Context, in *ExpirePreAuthKeyRequest, opts ...grpc.CallOption) (*ExpirePreAuthKeyResponse, error)
+	DeletePreAuthKey(ctx context.Context, in *DeletePreAuthKeyRequest, opts ...grpc.CallOption) (*DeletePreAuthKeyResponse, error)
 	ListPreAuthKeys(ctx context.Context, in *ListPreAuthKeysRequest, opts ...grpc.CallOption) (*ListPreAuthKeysResponse, error)
 	// --- Node start ---
 	DebugCreateNode(ctx context.Context, in *DebugCreateNodeRequest, opts ...grpc.CallOption) (*DebugCreateNodeResponse, error)
@@ -68,7 +70,6 @@ type HeadscaleServiceClient interface {
 	ExpireNode(ctx context.Context, in *ExpireNodeRequest, opts ...grpc.CallOption) (*ExpireNodeResponse, error)
 	RenameNode(ctx context.Context, in *RenameNodeRequest, opts ...grpc.CallOption) (*RenameNodeResponse, error)
 	ListNodes(ctx context.Context, in *ListNodesRequest, opts ...grpc.CallOption) (*ListNodesResponse, error)
-	MoveNode(ctx context.Context, in *MoveNodeRequest, opts ...grpc.CallOption) (*MoveNodeResponse, error)
 	BackfillNodeIPs(ctx context.Context, in *BackfillNodeIPsRequest, opts ...grpc.CallOption) (*BackfillNodeIPsResponse, error)
 	// --- ApiKeys start ---
 	CreateApiKey(ctx context.Context, in *CreateApiKeyRequest, opts ...grpc.CallOption) (*CreateApiKeyResponse, error)
@@ -78,6 +79,8 @@ type HeadscaleServiceClient interface {
 	// --- Policy start ---
 	GetPolicy(ctx context.Context, in *GetPolicyRequest, opts ...grpc.CallOption) (*GetPolicyResponse, error)
 	SetPolicy(ctx context.Context, in *SetPolicyRequest, opts ...grpc.CallOption) (*SetPolicyResponse, error)
+	// --- Health start ---
+	Health(ctx context.Context, in *HealthRequest, opts ...grpc.CallOption) (*HealthResponse, error)
 }

 type headscaleServiceClient struct {
@@ -148,6 +151,16 @@ func (c *headscaleServiceClient) ExpirePreAuthKey(ctx context.Context, in *Expir
 	return out, nil
 }

+func (c *headscaleServiceClient) DeletePreAuthKey(ctx context.Context, in *DeletePreAuthKeyRequest, opts ...grpc.CallOption) (*DeletePreAuthKeyResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(DeletePreAuthKeyResponse)
+	err := c.cc.Invoke(ctx, HeadscaleService_DeletePreAuthKey_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *headscaleServiceClient) ListPreAuthKeys(ctx context.Context, in *ListPreAuthKeysRequest, opts ...grpc.CallOption) (*ListPreAuthKeysResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(ListPreAuthKeysResponse)
@@ -248,16 +261,6 @@ func (c *headscaleServiceClient) ListNodes(ctx context.Context, in *ListNodesReq
 	return out, nil
 }

-func (c *headscaleServiceClient) MoveNode(ctx context.Context, in *MoveNodeRequest, opts ...grpc.CallOption) (*MoveNodeResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(MoveNodeResponse)
-	err := c.cc.Invoke(ctx, HeadscaleService_MoveNode_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *headscaleServiceClient) BackfillNodeIPs(ctx context.Context, in *BackfillNodeIPsRequest, opts ...grpc.CallOption) (*BackfillNodeIPsResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(BackfillNodeIPsResponse)
@@ -328,6 +331,16 @@ func (c *headscaleServiceClient) SetPolicy(ctx context.Context, in *SetPolicyReq
 	return out, nil
 }

+func (c *headscaleServiceClient) Health(ctx context.Context, in *HealthRequest, opts ...grpc.CallOption) (*HealthResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(HealthResponse)
+	err := c.cc.Invoke(ctx, HeadscaleService_Health_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // HeadscaleServiceServer is the server API for HeadscaleService service.
 // All implementations must embed UnimplementedHeadscaleServiceServer
 // for forward compatibility.
@@ -340,6 +353,7 @@ type HeadscaleServiceServer interface {
 	// --- PreAuthKeys start ---
 	CreatePreAuthKey(context.Context, *CreatePreAuthKeyRequest) (*CreatePreAuthKeyResponse, error)
 	ExpirePreAuthKey(context.Context, *ExpirePreAuthKeyRequest) (*ExpirePreAuthKeyResponse, error)
+	DeletePreAuthKey(context.Context, *DeletePreAuthKeyRequest) (*DeletePreAuthKeyResponse, error)
 	ListPreAuthKeys(context.Context, *ListPreAuthKeysRequest) (*ListPreAuthKeysResponse, error)
 	// --- Node start ---
 	DebugCreateNode(context.Context, *DebugCreateNodeRequest) (*DebugCreateNodeResponse, error)
@@ -351,7 +365,6 @@ type HeadscaleServiceServer interface {
 	ExpireNode(context.Context, *ExpireNodeRequest) (*ExpireNodeResponse, error)
 	RenameNode(context.Context, *RenameNodeRequest) (*RenameNodeResponse, error)
 	ListNodes(context.Context, *ListNodesRequest) (*ListNodesResponse, error)
-	MoveNode(context.Context, *MoveNodeRequest) (*MoveNodeResponse, error)
 	BackfillNodeIPs(context.Context, *BackfillNodeIPsRequest) (*BackfillNodeIPsResponse, error)
 	// --- ApiKeys start ---
 	CreateApiKey(context.Context, *CreateApiKeyRequest) (*CreateApiKeyResponse, error)
@@ -361,6 +374,8 @@ type HeadscaleServiceServer interface {
 	// --- Policy start ---
 	GetPolicy(context.Context, *GetPolicyRequest) (*GetPolicyResponse, error)
 	SetPolicy(context.Context, *SetPolicyRequest) (*SetPolicyResponse, error)
+	// --- Health start ---
+	Health(context.Context, *HealthRequest) (*HealthResponse, error)
 	mustEmbedUnimplementedHeadscaleServiceServer()
 }

@@ -389,6 +404,9 @@ func (UnimplementedHeadscaleServiceServer) CreatePreAuthKey(context.Context, *Cr
 func (UnimplementedHeadscaleServiceServer) ExpirePreAuthKey(context.Context, *ExpirePreAuthKeyRequest) (*ExpirePreAuthKeyResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ExpirePreAuthKey not implemented")
 }
+func (UnimplementedHeadscaleServiceServer) DeletePreAuthKey(context.Context, *DeletePreAuthKeyRequest) (*DeletePreAuthKeyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeletePreAuthKey not implemented")
+}
 func (UnimplementedHeadscaleServiceServer) ListPreAuthKeys(context.Context, *ListPreAuthKeysRequest) (*ListPreAuthKeysResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListPreAuthKeys not implemented")
 }
@@ -419,9 +437,6 @@ func (UnimplementedHeadscaleServiceServer) RenameNode(context.Context, *RenameNo
 func (UnimplementedHeadscaleServiceServer) ListNodes(context.Context, *ListNodesRequest) (*ListNodesResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListNodes not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) MoveNode(context.Context, *MoveNodeRequest) (*MoveNodeResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method MoveNode not implemented")
-}
 func (UnimplementedHeadscaleServiceServer) BackfillNodeIPs(context.Context, *BackfillNodeIPsRequest) (*BackfillNodeIPsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method BackfillNodeIPs not implemented")
 }
@@ -443,6 +458,9 @@ func (UnimplementedHeadscaleServiceServer) GetPolicy(context.Context, *GetPolicy
 func (UnimplementedHeadscaleServiceServer) SetPolicy(context.Context, *SetPolicyRequest) (*SetPolicyResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SetPolicy not implemented")
 }
+func (UnimplementedHeadscaleServiceServer) Health(context.Context, *HealthRequest) (*HealthResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Health not implemented")
+}
 func (UnimplementedHeadscaleServiceServer) mustEmbedUnimplementedHeadscaleServiceServer() {}
 func (UnimplementedHeadscaleServiceServer) testEmbeddedByValue()                          {}

@@ -572,6 +590,24 @@ func _HeadscaleService_ExpirePreAuthKey_Handler(srv interface{}, ctx context.Con
 	return interceptor(ctx, in, info, handler)
 }

+func _HeadscaleService_DeletePreAuthKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DeletePreAuthKeyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(HeadscaleServiceServer).DeletePreAuthKey(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: HeadscaleService_DeletePreAuthKey_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(HeadscaleServiceServer).DeletePreAuthKey(ctx, req.(*DeletePreAuthKeyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _HeadscaleService_ListPreAuthKeys_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(ListPreAuthKeysRequest)
 	if err := dec(in); err != nil {
@@ -752,24 +788,6 @@ func _HeadscaleService_ListNodes_Handler(srv interface{}, ctx context.Context, d
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_MoveNode_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(MoveNodeRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).MoveNode(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: HeadscaleService_MoveNode_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).MoveNode(ctx, req.(*MoveNodeRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _HeadscaleService_BackfillNodeIPs_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(BackfillNodeIPsRequest)
 	if err := dec(in); err != nil {
@@ -896,6 +914,24 @@ func _HeadscaleService_SetPolicy_Handler(srv interface{}, ctx context.Context, d
 	return interceptor(ctx, in, info, handler)
 }

+func _HeadscaleService_Health_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(HealthRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(HeadscaleServiceServer).Health(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: HeadscaleService_Health_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(HeadscaleServiceServer).Health(ctx, req.(*HealthRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // HeadscaleService_ServiceDesc is the grpc.ServiceDesc for HeadscaleService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -927,6 +963,10 @@ var HeadscaleService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "ExpirePreAuthKey",
 			Handler:    _HeadscaleService_ExpirePreAuthKey_Handler,
 		},
+		{
+			MethodName: "DeletePreAuthKey",
+			Handler:    _HeadscaleService_DeletePreAuthKey_Handler,
+		},
 		{
 			MethodName: "ListPreAuthKeys",
 			Handler:    _HeadscaleService_ListPreAuthKeys_Handler,
@@ -967,10 +1007,6 @@ var HeadscaleService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "ListNodes",
 			Handler:    _HeadscaleService_ListNodes_Handler,
 		},
-		{
-			MethodName: "MoveNode",
-			Handler:    _HeadscaleService_MoveNode_Handler,
-		},
 		{
 			MethodName: "BackfillNodeIPs",
 			Handler:    _HeadscaleService_BackfillNodeIPs_Handler,
@@ -999,6 +1035,10 @@ var HeadscaleService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "SetPolicy",
 			Handler:    _HeadscaleService_SetPolicy_Handler,
 		},
+		{
+			MethodName: "Health",
+			Handler:    _HeadscaleService_Health_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "headscale/v1/headscale.proto",
--- a/gen/go/headscale/v1/node.pb.go
+++ b/gen/go/headscale/v1/node.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.8
+// 	protoc-gen-go v1.36.10
 // 	protoc        (unknown)
 // source: headscale/v1/node.proto

@@ -729,6 +729,7 @@ func (*DeleteNodeResponse) Descriptor() ([]byte, []int) {
 type ExpireNodeRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	NodeId        uint64                 `protobuf:"varint,1,opt,name=node_id,json=nodeId,proto3" json:"node_id,omitempty"`
+	Expiry        *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=expiry,proto3" json:"expiry,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -770,6 +771,13 @@ func (x *ExpireNodeRequest) GetNodeId() uint64 {
 	return 0
 }

+func (x *ExpireNodeRequest) GetExpiry() *timestamppb.Timestamp {
+	if x != nil {
+		return x.Expiry
+	}
+	return nil
+}
+
 type ExpireNodeResponse struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Node          *Node                  `protobuf:"bytes,1,opt,name=node,proto3" json:"node,omitempty"`
@@ -998,102 +1006,6 @@ func (x *ListNodesResponse) GetNodes() []*Node {
 	return nil
 }

-type MoveNodeRequest struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	NodeId        uint64                 `protobuf:"varint,1,opt,name=node_id,json=nodeId,proto3" json:"node_id,omitempty"`
-	User          uint64                 `protobuf:"varint,2,opt,name=user,proto3" json:"user,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *MoveNodeRequest) Reset() {
-	*x = MoveNodeRequest{}
-	mi := &file_headscale_v1_node_proto_msgTypes[17]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *MoveNodeRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*MoveNodeRequest) ProtoMessage() {}
-
-func (x *MoveNodeRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_node_proto_msgTypes[17]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use MoveNodeRequest.ProtoReflect.Descriptor instead.
-func (*MoveNodeRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_node_proto_rawDescGZIP(), []int{17}
-}
-
-func (x *MoveNodeRequest) GetNodeId() uint64 {
-	if x != nil {
-		return x.NodeId
-	}
-	return 0
-}
-
-func (x *MoveNodeRequest) GetUser() uint64 {
-	if x != nil {
-		return x.User
-	}
-	return 0
-}
-
-type MoveNodeResponse struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Node          *Node                  `protobuf:"bytes,1,opt,name=node,proto3" json:"node,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *MoveNodeResponse) Reset() {
-	*x = MoveNodeResponse{}
-	mi := &file_headscale_v1_node_proto_msgTypes[18]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *MoveNodeResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*MoveNodeResponse) ProtoMessage() {}
-
-func (x *MoveNodeResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_node_proto_msgTypes[18]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use MoveNodeResponse.ProtoReflect.Descriptor instead.
-func (*MoveNodeResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_node_proto_rawDescGZIP(), []int{18}
-}
-
-func (x *MoveNodeResponse) GetNode() *Node {
-	if x != nil {
-		return x.Node
-	}
-	return nil
-}
-
 type DebugCreateNodeRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	User          string                 `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
@@ -1106,7 +1018,7 @@ type DebugCreateNodeRequest struct {

 func (x *DebugCreateNodeRequest) Reset() {
 	*x = DebugCreateNodeRequest{}
-	mi := &file_headscale_v1_node_proto_msgTypes[19]
+	mi := &file_headscale_v1_node_proto_msgTypes[17]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1118,7 +1030,7 @@ func (x *DebugCreateNodeRequest) String() string {
 func (*DebugCreateNodeRequest) ProtoMessage() {}

 func (x *DebugCreateNodeRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_node_proto_msgTypes[19]
+	mi := &file_headscale_v1_node_proto_msgTypes[17]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1131,7 +1043,7 @@ func (x *DebugCreateNodeRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DebugCreateNodeRequest.ProtoReflect.Descriptor instead.
 func (*DebugCreateNodeRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_node_proto_rawDescGZIP(), []int{19}
+	return file_headscale_v1_node_proto_rawDescGZIP(), []int{17}
 }

 func (x *DebugCreateNodeRequest) GetUser() string {
@@ -1171,7 +1083,7 @@ type DebugCreateNodeResponse struct {

 func (x *DebugCreateNodeResponse) Reset() {
 	*x = DebugCreateNodeResponse{}
-	mi := &file_headscale_v1_node_proto_msgTypes[20]
+	mi := &file_headscale_v1_node_proto_msgTypes[18]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1183,7 +1095,7 @@ func (x *DebugCreateNodeResponse) String() string {
 func (*DebugCreateNodeResponse) ProtoMessage() {}

 func (x *DebugCreateNodeResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_node_proto_msgTypes[20]
+	mi := &file_headscale_v1_node_proto_msgTypes[18]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1196,7 +1108,7 @@ func (x *DebugCreateNodeResponse) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DebugCreateNodeResponse.ProtoReflect.Descriptor instead.
 func (*DebugCreateNodeResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_node_proto_rawDescGZIP(), []int{20}
+	return file_headscale_v1_node_proto_rawDescGZIP(), []int{18}
 }

 func (x *DebugCreateNodeResponse) GetNode() *Node {
@@ -1215,7 +1127,7 @@ type BackfillNodeIPsRequest struct {

 func (x *BackfillNodeIPsRequest) Reset() {
 	*x = BackfillNodeIPsRequest{}
-	mi := &file_headscale_v1_node_proto_msgTypes[21]
+	mi := &file_headscale_v1_node_proto_msgTypes[19]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1227,7 +1139,7 @@ func (x *BackfillNodeIPsRequest) String() string {
 func (*BackfillNodeIPsRequest) ProtoMessage() {}

 func (x *BackfillNodeIPsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_node_proto_msgTypes[21]
+	mi := &file_headscale_v1_node_proto_msgTypes[19]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1240,7 +1152,7 @@ func (x *BackfillNodeIPsRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use BackfillNodeIPsRequest.ProtoReflect.Descriptor instead.
 func (*BackfillNodeIPsRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_node_proto_rawDescGZIP(), []int{21}
+	return file_headscale_v1_node_proto_rawDescGZIP(), []int{19}
 }

 func (x *BackfillNodeIPsRequest) GetConfirmed() bool {
@@ -1259,7 +1171,7 @@ type BackfillNodeIPsResponse struct {

 func (x *BackfillNodeIPsResponse) Reset() {
 	*x = BackfillNodeIPsResponse{}
-	mi := &file_headscale_v1_node_proto_msgTypes[22]
+	mi := &file_headscale_v1_node_proto_msgTypes[20]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -1271,7 +1183,7 @@ func (x *BackfillNodeIPsResponse) String() string {
 func (*BackfillNodeIPsResponse) ProtoMessage() {}

 func (x *BackfillNodeIPsResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_node_proto_msgTypes[22]
+	mi := &file_headscale_v1_node_proto_msgTypes[20]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1284,7 +1196,7 @@ func (x *BackfillNodeIPsResponse) ProtoReflect() protoreflect.Message {

 // Deprecated: Use BackfillNodeIPsResponse.ProtoReflect.Descriptor instead.
 func (*BackfillNodeIPsResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_node_proto_rawDescGZIP(), []int{22}
+	return file_headscale_v1_node_proto_rawDescGZIP(), []int{20}
 }

 func (x *BackfillNodeIPsResponse) GetChanges() []string {
@@ -1349,9 +1261,10 @@ const file_headscale_v1_node_proto_rawDesc = "" +
 	"\x04node\x18\x01 \x01(\v2\x12.headscale.v1.NodeR\x04node\",\n" +
 	"\x11DeleteNodeRequest\x12\x17\n" +
 	"\anode_id\x18\x01 \x01(\x04R\x06nodeId\"\x14\n" +
-	"\x12DeleteNodeResponse\",\n" +
+	"\x12DeleteNodeResponse\"`\n" +
 	"\x11ExpireNodeRequest\x12\x17\n" +
-	"\anode_id\x18\x01 \x01(\x04R\x06nodeId\"<\n" +
+	"\anode_id\x18\x01 \x01(\x04R\x06nodeId\x122\n" +
+	"\x06expiry\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampR\x06expiry\"<\n" +
 	"\x12ExpireNodeResponse\x12&\n" +
 	"\x04node\x18\x01 \x01(\v2\x12.headscale.v1.NodeR\x04node\"G\n" +
 	"\x11RenameNodeRequest\x12\x17\n" +
@@ -1362,12 +1275,7 @@ const file_headscale_v1_node_proto_rawDesc = "" +
 	"\x10ListNodesRequest\x12\x12\n" +
 	"\x04user\x18\x01 \x01(\tR\x04user\"=\n" +
 	"\x11ListNodesResponse\x12(\n" +
-	"\x05nodes\x18\x01 \x03(\v2\x12.headscale.v1.NodeR\x05nodes\">\n" +
-	"\x0fMoveNodeRequest\x12\x17\n" +
-	"\anode_id\x18\x01 \x01(\x04R\x06nodeId\x12\x12\n" +
-	"\x04user\x18\x02 \x01(\x04R\x04user\":\n" +
-	"\x10MoveNodeResponse\x12&\n" +
-	"\x04node\x18\x01 \x01(\v2\x12.headscale.v1.NodeR\x04node\"j\n" +
+	"\x05nodes\x18\x01 \x03(\v2\x12.headscale.v1.NodeR\x05nodes\"j\n" +
 	"\x16DebugCreateNodeRequest\x12\x12\n" +
 	"\x04user\x18\x01 \x01(\tR\x04user\x12\x10\n" +
 	"\x03key\x18\x02 \x01(\tR\x03key\x12\x12\n" +
@@ -1398,7 +1306,7 @@ func file_headscale_v1_node_proto_rawDescGZIP() []byte {
 }

 var file_headscale_v1_node_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_headscale_v1_node_proto_msgTypes = make([]protoimpl.MessageInfo, 23)
+var file_headscale_v1_node_proto_msgTypes = make([]protoimpl.MessageInfo, 21)
 var file_headscale_v1_node_proto_goTypes = []any{
 	(RegisterMethod)(0),               // 0: headscale.v1.RegisterMethod
 	(*Node)(nil),                      // 1: headscale.v1.Node
@@ -1418,31 +1326,29 @@ var file_headscale_v1_node_proto_goTypes = []any{
 	(*RenameNodeResponse)(nil),        // 15: headscale.v1.RenameNodeResponse
 	(*ListNodesRequest)(nil),          // 16: headscale.v1.ListNodesRequest
 	(*ListNodesResponse)(nil),         // 17: headscale.v1.ListNodesResponse
-	(*MoveNodeRequest)(nil),           // 18: headscale.v1.MoveNodeRequest
-	(*MoveNodeResponse)(nil),          // 19: headscale.v1.MoveNodeResponse
-	(*DebugCreateNodeRequest)(nil),    // 20: headscale.v1.DebugCreateNodeRequest
-	(*DebugCreateNodeResponse)(nil),   // 21: headscale.v1.DebugCreateNodeResponse
-	(*BackfillNodeIPsRequest)(nil),    // 22: headscale.v1.BackfillNodeIPsRequest
-	(*BackfillNodeIPsResponse)(nil),   // 23: headscale.v1.BackfillNodeIPsResponse
-	(*User)(nil),                      // 24: headscale.v1.User
-	(*timestamppb.Timestamp)(nil),     // 25: google.protobuf.Timestamp
-	(*PreAuthKey)(nil),                // 26: headscale.v1.PreAuthKey
+	(*DebugCreateNodeRequest)(nil),    // 18: headscale.v1.DebugCreateNodeRequest
+	(*DebugCreateNodeResponse)(nil),   // 19: headscale.v1.DebugCreateNodeResponse
+	(*BackfillNodeIPsRequest)(nil),    // 20: headscale.v1.BackfillNodeIPsRequest
+	(*BackfillNodeIPsResponse)(nil),   // 21: headscale.v1.BackfillNodeIPsResponse
+	(*User)(nil),                      // 22: headscale.v1.User
+	(*timestamppb.Timestamp)(nil),     // 23: google.protobuf.Timestamp
+	(*PreAuthKey)(nil),                // 24: headscale.v1.PreAuthKey
 }
 var file_headscale_v1_node_proto_depIdxs = []int32{
-	24, // 0: headscale.v1.Node.user:type_name -> headscale.v1.User
-	25, // 1: headscale.v1.Node.last_seen:type_name -> google.protobuf.Timestamp
-	25, // 2: headscale.v1.Node.expiry:type_name -> google.protobuf.Timestamp
-	26, // 3: headscale.v1.Node.pre_auth_key:type_name -> headscale.v1.PreAuthKey
-	25, // 4: headscale.v1.Node.created_at:type_name -> google.protobuf.Timestamp
+	22, // 0: headscale.v1.Node.user:type_name -> headscale.v1.User
+	23, // 1: headscale.v1.Node.last_seen:type_name -> google.protobuf.Timestamp
+	23, // 2: headscale.v1.Node.expiry:type_name -> google.protobuf.Timestamp
+	24, // 3: headscale.v1.Node.pre_auth_key:type_name -> headscale.v1.PreAuthKey
+	23, // 4: headscale.v1.Node.created_at:type_name -> google.protobuf.Timestamp
 	0,  // 5: headscale.v1.Node.register_method:type_name -> headscale.v1.RegisterMethod
 	1,  // 6: headscale.v1.RegisterNodeResponse.node:type_name -> headscale.v1.Node
 	1,  // 7: headscale.v1.GetNodeResponse.node:type_name -> headscale.v1.Node
 	1,  // 8: headscale.v1.SetTagsResponse.node:type_name -> headscale.v1.Node
 	1,  // 9: headscale.v1.SetApprovedRoutesResponse.node:type_name -> headscale.v1.Node
-	1,  // 10: headscale.v1.ExpireNodeResponse.node:type_name -> headscale.v1.Node
-	1,  // 11: headscale.v1.RenameNodeResponse.node:type_name -> headscale.v1.Node
-	1,  // 12: headscale.v1.ListNodesResponse.nodes:type_name -> headscale.v1.Node
-	1,  // 13: headscale.v1.MoveNodeResponse.node:type_name -> headscale.v1.Node
+	23, // 10: headscale.v1.ExpireNodeRequest.expiry:type_name -> google.protobuf.Timestamp
+	1,  // 11: headscale.v1.ExpireNodeResponse.node:type_name -> headscale.v1.Node
+	1,  // 12: headscale.v1.RenameNodeResponse.node:type_name -> headscale.v1.Node
+	1,  // 13: headscale.v1.ListNodesResponse.nodes:type_name -> headscale.v1.Node
 	1,  // 14: headscale.v1.DebugCreateNodeResponse.node:type_name -> headscale.v1.Node
 	15, // [15:15] is the sub-list for method output_type
 	15, // [15:15] is the sub-list for method input_type
@@ -1464,7 +1370,7 @@ func file_headscale_v1_node_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_headscale_v1_node_proto_rawDesc), len(file_headscale_v1_node_proto_rawDesc)),
 			NumEnums:      1,
-			NumMessages:   23,
+			NumMessages:   21,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
--- a/gen/go/headscale/v1/policy.pb.go
+++ b/gen/go/headscale/v1/policy.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.8
+// 	protoc-gen-go v1.36.10
 // 	protoc        (unknown)
 // source: headscale/v1/policy.proto

--- a/gen/go/headscale/v1/preauthkey.pb.go
+++ b/gen/go/headscale/v1/preauthkey.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.8
+// 	protoc-gen-go v1.36.10
 // 	protoc        (unknown)
 // source: headscale/v1/preauthkey.proto

@@ -338,6 +338,94 @@ func (*ExpirePreAuthKeyResponse) Descriptor() ([]byte, []int) {
 	return file_headscale_v1_preauthkey_proto_rawDescGZIP(), []int{4}
 }

+type DeletePreAuthKeyRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	User          uint64                 `protobuf:"varint,1,opt,name=user,proto3" json:"user,omitempty"`
+	Key           string                 `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *DeletePreAuthKeyRequest) Reset() {
+	*x = DeletePreAuthKeyRequest{}
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *DeletePreAuthKeyRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DeletePreAuthKeyRequest) ProtoMessage() {}
+
+func (x *DeletePreAuthKeyRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DeletePreAuthKeyRequest.ProtoReflect.Descriptor instead.
+func (*DeletePreAuthKeyRequest) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_preauthkey_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *DeletePreAuthKeyRequest) GetUser() uint64 {
+	if x != nil {
+		return x.User
+	}
+	return 0
+}
+
+func (x *DeletePreAuthKeyRequest) GetKey() string {
+	if x != nil {
+		return x.Key
+	}
+	return ""
+}
+
+type DeletePreAuthKeyResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *DeletePreAuthKeyResponse) Reset() {
+	*x = DeletePreAuthKeyResponse{}
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *DeletePreAuthKeyResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DeletePreAuthKeyResponse) ProtoMessage() {}
+
+func (x *DeletePreAuthKeyResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DeletePreAuthKeyResponse.ProtoReflect.Descriptor instead.
+func (*DeletePreAuthKeyResponse) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_preauthkey_proto_rawDescGZIP(), []int{6}
+}
+
 type ListPreAuthKeysRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	User          uint64                 `protobuf:"varint,1,opt,name=user,proto3" json:"user,omitempty"`
@@ -347,7 +435,7 @@ type ListPreAuthKeysRequest struct {

 func (x *ListPreAuthKeysRequest) Reset() {
 	*x = ListPreAuthKeysRequest{}
-	mi := &file_headscale_v1_preauthkey_proto_msgTypes[5]
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[7]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -359,7 +447,7 @@ func (x *ListPreAuthKeysRequest) String() string {
 func (*ListPreAuthKeysRequest) ProtoMessage() {}

 func (x *ListPreAuthKeysRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_preauthkey_proto_msgTypes[5]
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[7]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -372,7 +460,7 @@ func (x *ListPreAuthKeysRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ListPreAuthKeysRequest.ProtoReflect.Descriptor instead.
 func (*ListPreAuthKeysRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_preauthkey_proto_rawDescGZIP(), []int{5}
+	return file_headscale_v1_preauthkey_proto_rawDescGZIP(), []int{7}
 }

 func (x *ListPreAuthKeysRequest) GetUser() uint64 {
@@ -391,7 +479,7 @@ type ListPreAuthKeysResponse struct {

 func (x *ListPreAuthKeysResponse) Reset() {
 	*x = ListPreAuthKeysResponse{}
-	mi := &file_headscale_v1_preauthkey_proto_msgTypes[6]
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[8]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -403,7 +491,7 @@ func (x *ListPreAuthKeysResponse) String() string {
 func (*ListPreAuthKeysResponse) ProtoMessage() {}

 func (x *ListPreAuthKeysResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_preauthkey_proto_msgTypes[6]
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[8]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -416,7 +504,7 @@ func (x *ListPreAuthKeysResponse) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ListPreAuthKeysResponse.ProtoReflect.Descriptor instead.
 func (*ListPreAuthKeysResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_preauthkey_proto_rawDescGZIP(), []int{6}
+	return file_headscale_v1_preauthkey_proto_rawDescGZIP(), []int{8}
 }

 func (x *ListPreAuthKeysResponse) GetPreAuthKeys() []*PreAuthKey {
@@ -459,7 +547,11 @@ const file_headscale_v1_preauthkey_proto_rawDesc = "" +
 	"\x17ExpirePreAuthKeyRequest\x12\x12\n" +
 	"\x04user\x18\x01 \x01(\x04R\x04user\x12\x10\n" +
 	"\x03key\x18\x02 \x01(\tR\x03key\"\x1a\n" +
-	"\x18ExpirePreAuthKeyResponse\",\n" +
+	"\x18ExpirePreAuthKeyResponse\"?\n" +
+	"\x17DeletePreAuthKeyRequest\x12\x12\n" +
+	"\x04user\x18\x01 \x01(\x04R\x04user\x12\x10\n" +
+	"\x03key\x18\x02 \x01(\tR\x03key\"\x1a\n" +
+	"\x18DeletePreAuthKeyResponse\",\n" +
 	"\x16ListPreAuthKeysRequest\x12\x12\n" +
 	"\x04user\x18\x01 \x01(\x04R\x04user\"W\n" +
 	"\x17ListPreAuthKeysResponse\x12<\n" +
@@ -477,30 +569,32 @@ func file_headscale_v1_preauthkey_proto_rawDescGZIP() []byte {
 	return file_headscale_v1_preauthkey_proto_rawDescData
 }

-var file_headscale_v1_preauthkey_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_headscale_v1_preauthkey_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
 var file_headscale_v1_preauthkey_proto_goTypes = []any{
 	(*PreAuthKey)(nil),               // 0: headscale.v1.PreAuthKey
 	(*CreatePreAuthKeyRequest)(nil),  // 1: headscale.v1.CreatePreAuthKeyRequest
 	(*CreatePreAuthKeyResponse)(nil), // 2: headscale.v1.CreatePreAuthKeyResponse
 	(*ExpirePreAuthKeyRequest)(nil),  // 3: headscale.v1.ExpirePreAuthKeyRequest
 	(*ExpirePreAuthKeyResponse)(nil), // 4: headscale.v1.ExpirePreAuthKeyResponse
-	(*ListPreAuthKeysRequest)(nil),   // 5: headscale.v1.ListPreAuthKeysRequest
-	(*ListPreAuthKeysResponse)(nil),  // 6: headscale.v1.ListPreAuthKeysResponse
-	(*User)(nil),                     // 7: headscale.v1.User
-	(*timestamppb.Timestamp)(nil),    // 8: google.protobuf.Timestamp
+	(*DeletePreAuthKeyRequest)(nil),  // 5: headscale.v1.DeletePreAuthKeyRequest
+	(*DeletePreAuthKeyResponse)(nil), // 6: headscale.v1.DeletePreAuthKeyResponse
+	(*ListPreAuthKeysRequest)(nil),   // 7: headscale.v1.ListPreAuthKeysRequest
+	(*ListPreAuthKeysResponse)(nil),  // 8: headscale.v1.ListPreAuthKeysResponse
+	(*User)(nil),                     // 9: headscale.v1.User
+	(*timestamppb.Timestamp)(nil),    // 10: google.protobuf.Timestamp
 }
 var file_headscale_v1_preauthkey_proto_depIdxs = []int32{
-	7, // 0: headscale.v1.PreAuthKey.user:type_name -> headscale.v1.User
-	8, // 1: headscale.v1.PreAuthKey.expiration:type_name -> google.protobuf.Timestamp
-	8, // 2: headscale.v1.PreAuthKey.created_at:type_name -> google.protobuf.Timestamp
-	8, // 3: headscale.v1.CreatePreAuthKeyRequest.expiration:type_name -> google.protobuf.Timestamp
-	0, // 4: headscale.v1.CreatePreAuthKeyResponse.pre_auth_key:type_name -> headscale.v1.PreAuthKey
-	0, // 5: headscale.v1.ListPreAuthKeysResponse.pre_auth_keys:type_name -> headscale.v1.PreAuthKey
-	6, // [6:6] is the sub-list for method output_type
-	6, // [6:6] is the sub-list for method input_type
-	6, // [6:6] is the sub-list for extension type_name
-	6, // [6:6] is the sub-list for extension extendee
-	0, // [0:6] is the sub-list for field type_name
+	9,  // 0: headscale.v1.PreAuthKey.user:type_name -> headscale.v1.User
+	10, // 1: headscale.v1.PreAuthKey.expiration:type_name -> google.protobuf.Timestamp
+	10, // 2: headscale.v1.PreAuthKey.created_at:type_name -> google.protobuf.Timestamp
+	10, // 3: headscale.v1.CreatePreAuthKeyRequest.expiration:type_name -> google.protobuf.Timestamp
+	0,  // 4: headscale.v1.CreatePreAuthKeyResponse.pre_auth_key:type_name -> headscale.v1.PreAuthKey
+	0,  // 5: headscale.v1.ListPreAuthKeysResponse.pre_auth_keys:type_name -> headscale.v1.PreAuthKey
+	6,  // [6:6] is the sub-list for method output_type
+	6,  // [6:6] is the sub-list for method input_type
+	6,  // [6:6] is the sub-list for extension type_name
+	6,  // [6:6] is the sub-list for extension extendee
+	0,  // [0:6] is the sub-list for field type_name
 }

 func init() { file_headscale_v1_preauthkey_proto_init() }
@@ -515,7 +609,7 @@ func file_headscale_v1_preauthkey_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_headscale_v1_preauthkey_proto_rawDesc), len(file_headscale_v1_preauthkey_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   7,
+			NumMessages:   9,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
--- a/gen/go/headscale/v1/user.pb.go
+++ b/gen/go/headscale/v1/user.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.8
+// 	protoc-gen-go v1.36.10
 // 	protoc        (unknown)
 // source: headscale/v1/user.proto

--- a/gen/openapiv2/headscale/v1/headscale.swagger.json
+++ b/gen/openapiv2/headscale/v1/headscale.swagger.json
@@ -164,6 +164,29 @@
        ]
      }
    },
+    "/api/v1/health": {
+      "get": {
+        "summary": "--- Health start ---",
+        "operationId": "HeadscaleService_Health",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1HealthResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/rpcStatus"
+            }
+          }
+        },
+        "tags": [
+          "HeadscaleService"
+        ]
+      }
+    },
    "/api/v1/node": {
      "get": {
        "operationId": "HeadscaleService_ListNodes",
@@ -383,6 +406,13 @@
            "required": true,
            "type": "string",
            "format": "uint64"
+          },
+          {
+            "name": "expiry",
+            "in": "query",
+            "required": false,
+            "type": "string",
+            "format": "date-time"
          }
        ],
        "tags": [
@@ -466,45 +496,6 @@
        ]
      }
    },
-    "/api/v1/node/{nodeId}/user": {
-      "post": {
-        "operationId": "HeadscaleService_MoveNode",
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/v1MoveNodeResponse"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/rpcStatus"
-            }
-          }
-        },
-        "parameters": [
-          {
-            "name": "nodeId",
-            "in": "path",
-            "required": true,
-            "type": "string",
-            "format": "uint64"
-          },
-          {
-            "name": "body",
-            "in": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/HeadscaleServiceMoveNodeBody"
-            }
-          }
-        ],
-        "tags": [
-          "HeadscaleService"
-        ]
-      }
-    },
    "/api/v1/policy": {
      "get": {
        "summary": "--- Policy start ---",
@@ -588,6 +579,41 @@
          "HeadscaleService"
        ]
      },
+      "delete": {
+        "operationId": "HeadscaleService_DeletePreAuthKey",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1DeletePreAuthKeyResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/rpcStatus"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "user",
+            "in": "query",
+            "required": false,
+            "type": "string",
+            "format": "uint64"
+          },
+          {
+            "name": "key",
+            "in": "query",
+            "required": false,
+            "type": "string"
+          }
+        ],
+        "tags": [
+          "HeadscaleService"
+        ]
+      },
      "post": {
        "summary": "--- PreAuthKeys start ---",
        "operationId": "HeadscaleService_CreatePreAuthKey",
@@ -796,15 +822,6 @@
    }
  },
  "definitions": {
-    "HeadscaleServiceMoveNodeBody": {
-      "type": "object",
-      "properties": {
-        "user": {
-          "type": "string",
-          "format": "uint64"
-        }
-      }
-    },
    "HeadscaleServiceSetApprovedRoutesBody": {
      "type": "object",
      "properties": {
@@ -999,6 +1016,9 @@
    "v1DeleteNodeResponse": {
      "type": "object"
    },
+    "v1DeletePreAuthKeyResponse": {
+      "type": "object"
+    },
    "v1DeleteUserResponse": {
      "type": "object"
    },
@@ -1056,6 +1076,14 @@
        }
      }
    },
+    "v1HealthResponse": {
+      "type": "object",
+      "properties": {
+        "databaseConnectivity": {
+          "type": "boolean"
+        }
+      }
+    },
    "v1ListApiKeysResponse": {
      "type": "object",
      "properties": {
@@ -1104,14 +1132,6 @@
        }
      }
    },
-    "v1MoveNodeResponse": {
-      "type": "object",
-      "properties": {
-        "node": {
-          "$ref": "#/definitions/v1Node"
-        }
-      }
-    },
    "v1Node": {
      "type": "object",
      "properties": {
--- a/go.mod
+++ b/go.mod
@@ -1,61 +1,59 @@
 module github.com/juanfont/headscale

-go 1.24.4
-
-toolchain go1.24.6
+go 1.25

 require (
-	github.com/arl/statsviz v0.6.0
-	github.com/cenkalti/backoff/v5 v5.0.2
-	github.com/chasefleming/elem-go v0.30.0
-	github.com/coder/websocket v1.8.13
-	github.com/coreos/go-oidc/v3 v3.14.1
-	github.com/creachadair/command v0.1.22
+	github.com/arl/statsviz v0.7.2
+	github.com/cenkalti/backoff/v5 v5.0.3
+	github.com/chasefleming/elem-go v0.31.0
+	github.com/coder/websocket v1.8.14
+	github.com/coreos/go-oidc/v3 v3.16.0
+	github.com/creachadair/command v0.2.0
 	github.com/creachadair/flax v0.0.5
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
-	github.com/docker/docker v28.2.2+incompatible
+	github.com/docker/docker v28.5.1+incompatible
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/glebarez/sqlite v1.11.0
-	github.com/go-gormigrate/gormigrate/v2 v2.1.4
-	github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874
+	github.com/go-gormigrate/gormigrate/v2 v2.1.5
+	github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced
 	github.com/gofrs/uuid/v5 v5.3.2
 	github.com/google/go-cmp v0.7.0
 	github.com/gorilla/mux v1.8.1
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.0
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3
 	github.com/jagottsicher/termcolor v1.0.2
 	github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25
 	github.com/ory/dockertest/v3 v3.12.0
 	github.com/philip-bui/grpc-zerolog v1.0.1
 	github.com/pkg/profile v1.7.0
-	github.com/prometheus/client_golang v1.22.0
-	github.com/prometheus/common v0.65.0
-	github.com/pterm/pterm v0.12.81
-	github.com/puzpuzpuz/xsync/v4 v4.1.0
+	github.com/prometheus/client_golang v1.23.2
+	github.com/prometheus/common v0.66.1
+	github.com/pterm/pterm v0.12.82
+	github.com/puzpuzpuz/xsync/v4 v4.2.0
 	github.com/rs/zerolog v1.34.0
-	github.com/samber/lo v1.51.0
-	github.com/sasha-s/go-deadlock v0.3.5
-	github.com/spf13/cobra v1.9.1
-	github.com/spf13/viper v1.20.1
-	github.com/stretchr/testify v1.10.0
+	github.com/samber/lo v1.52.0
+	github.com/sasha-s/go-deadlock v0.3.6
+	github.com/spf13/cobra v1.10.1
+	github.com/spf13/viper v1.21.0
+	github.com/stretchr/testify v1.11.1
 	github.com/tailscale/hujson v0.0.0-20250226034555-ec1d1c113d33
-	github.com/tailscale/squibble v0.0.0-20250108170732-a4ca58afa694
+	github.com/tailscale/squibble v0.0.0-20251030164342-4d5df9caa993
 	github.com/tailscale/tailsql v0.0.0-20250421235516-02f85f087b97
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.40.0
-	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0
-	golang.org/x/net v0.42.0
-	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.16.0
-	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822
-	google.golang.org/grpc v1.73.0
-	google.golang.org/protobuf v1.36.6
+	golang.org/x/crypto v0.43.0
+	golang.org/x/exp v0.0.0-20251009144603-d2f985daa21b
+	golang.org/x/net v0.46.0
+	golang.org/x/oauth2 v0.32.0
+	golang.org/x/sync v0.17.0
+	google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4
+	google.golang.org/grpc v1.75.1
+	google.golang.org/protobuf v1.36.10
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/postgres v1.6.0
-	gorm.io/gorm v1.30.0
+	gorm.io/gorm v1.31.0
 	tailscale.com v1.86.5
-	zgo.at/zcache/v2 v2.2.0
+	zgo.at/zcache/v2 v2.4.1
 	zombiezen.com/go/postgrestest v1.0.1
 )

@@ -77,17 +75,17 @@ require (
 // together, e.g:
 // go get modernc.org/libc@v1.55.3 modernc.org/sqlite@v1.33.1
 require (
-	modernc.org/libc v1.62.1 // indirect
+	modernc.org/libc v1.66.10 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
-	modernc.org/memory v1.10.0 // indirect
-	modernc.org/sqlite v1.37.0
+	modernc.org/memory v1.11.0 // indirect
+	modernc.org/sqlite v1.39.1
 )

 require (
 	atomicgo.dev/cursor v0.2.0 // indirect
 	atomicgo.dev/keyboard v0.2.9 // indirect
 	atomicgo.dev/schedule v0.1.0 // indirect
-	dario.cat/mergo v1.0.1 // indirect
+	dario.cat/mergo v1.0.2 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
@@ -111,17 +109,18 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/clipperhouse/uax29/v2 v2.2.0 // indirect
 	github.com/containerd/console v1.0.5 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
 	github.com/containerd/errdefs v0.3.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
-	github.com/creachadair/mds v0.24.3 // indirect
+	github.com/creachadair/mds v0.25.10 // indirect
 	github.com/dblohm7/wingoes v0.0.0-20240123200102-b75a8a7d7eb0 // indirect
 	github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v28.1.1+incompatible // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/cli v28.5.1+incompatible // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/fgprof v0.9.5 // indirect
@@ -130,13 +129,12 @@ require (
 	github.com/gaissmai/bart v0.18.0 // indirect
 	github.com/glebarez/go-sqlite v1.22.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
@@ -144,10 +142,10 @@ require (
 	github.com/google/go-github v17.0.0+incompatible // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 // indirect
-	github.com/google/pprof v0.0.0-20250501235452-c0086092b71a // indirect
+	github.com/google/pprof v0.0.0-20251007162407-5df77e3f7d1d // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/gookit/color v1.5.4 // indirect
+	github.com/gookit/color v1.6.0 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
@@ -155,20 +153,20 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.7.4 // indirect
+	github.com/jackc/pgx/v5 v5.7.6 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jsimonetti/rtnetlink v1.4.1 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/compress v1.18.1 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mattn/go-runewidth v0.0.19 // indirect
 	github.com/mdlayher/genetlink v1.3.2 // indirect
 	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mdlayher/sdnotify v1.0.0 // indirect
@@ -181,27 +179,25 @@ require (
 	github.com/moby/term v0.5.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/opencontainers/runc v1.3.0 // indirect
+	github.com/opencontainers/runc v1.3.2 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/petermattis/goid v0.0.0-20250319124200-ccd6737f222a // indirect
+	github.com/petermattis/goid v0.0.0-20250904145737-900bdf8bb490 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/sagikazarmark/locafero v0.9.0 // indirect
+	github.com/sagikazarmark/locafero v0.12.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.14.0 // indirect
-	github.com/spf13/cast v1.8.0 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e // indirect
 	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
@@ -211,7 +207,7 @@ require (
 	github.com/tailscale/setec v0.0.0-20250305161714-445cadbbca3d // indirect
 	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 // indirect
 	github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da // indirect
-	github.com/vishvananda/netns v0.0.4 // indirect
+	github.com/vishvananda/netns v0.0.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@@ -219,22 +215,22 @@ require (
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.36.0 // indirect
-	go.opentelemetry.io/otel/metric v1.36.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
-	go.opentelemetry.io/otel/trace v1.36.0 // indirect
-	go.uber.org/multierr v1.11.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
-	golang.org/x/mod v0.26.0 // indirect
-	golang.org/x/sys v0.34.0 // indirect
-	golang.org/x/term v0.33.0 // indirect
-	golang.org/x/text v0.27.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/term v0.36.0 // indirect
+	golang.org/x/text v0.30.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.35.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 // indirect
 	gvisor.dev/gvisor v0.0.0-20250205023644-9414b50a5633 // indirect
 )

--- a/go.sum
+++ b/go.sum
@@ -8,8 +8,8 @@ atomicgo.dev/keyboard v0.2.9 h1:tOsIid3nlPLZ3lwgG8KZMp/SFmr7P0ssEN5JUsm78K8=
 atomicgo.dev/keyboard v0.2.9/go.mod h1:BC4w9g00XkxH/f1HXhW2sXmJFOCWbKn9xrOunSFtExQ=
 atomicgo.dev/schedule v0.1.0 h1:nTthAbhZS5YZmgYbb2+DH8uQIZcTlIrd4eYr3UQxEjs=
 atomicgo.dev/schedule v0.1.0/go.mod h1:xeUa3oAkiuHYh8bKiQBRojqAMq3PXXbJujjb0hw8pEU=
-dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
-dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
+dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 filippo.io/mkcert v1.4.4 h1:8eVbbwfVlaqUM7OwuftKc2nuYOoTDQWqsoXmzoXZdbc=
@@ -37,8 +37,8 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
-github.com/arl/statsviz v0.6.0 h1:jbW1QJkEYQkufd//4NDYRSNBpwJNrdzPahF7ZmoGdyE=
-github.com/arl/statsviz v0.6.0/go.mod h1:0toboo+YGSUXDaS4g1D5TVS4dXs7S7YYT5J/qnW2h8s=
+github.com/arl/statsviz v0.7.2 h1:xnuIfRiXE4kvxEcfGL+IE3mKH1BXNHuE+eJELIh7oOA=
+github.com/arl/statsviz v0.7.2/go.mod h1:XlrbiT7xYT03xaW9JMMfD8KFUhBOESJwfyNJu83PbB0=
 github.com/atomicgo/cursor v0.0.1/go.mod h1:cBON2QmmrysudxNBFthvMtN32r3jxVRIvzkUiF/RuIk=
 github.com/aws/aws-sdk-go-v2 v1.36.0 h1:b1wM5CcE65Ujwn565qcwgtOTT1aT4ADOHHgglKjG7fk=
 github.com/aws/aws-sdk-go-v2 v1.36.0/go.mod h1:5PMILGVKiW32oDzjj6RU52yrNrDPUHcbZQYr1sM7qmM=
@@ -82,12 +82,12 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8=
-github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chasefleming/elem-go v0.30.0 h1:BlhV1ekv1RbFiM8XZUQeln1Ikb4D+bu2eDO4agREvok=
-github.com/chasefleming/elem-go v0.30.0/go.mod h1:hz73qILBIKnTgOujnSMtEj20/epI+f6vg71RUilJAA4=
+github.com/chasefleming/elem-go v0.31.0 h1:vZsuKmKdv6idnUbu3awMruxTiFqZ/ertFJFAyBCkVhI=
+github.com/chasefleming/elem-go v0.31.0/go.mod h1:UBmmZfso2LkXA0HZInbcwsmhE/LXFClEcBPNCGeARtA=
 github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs=
 github.com/chromedp/chromedp v0.9.2/go.mod h1:LkSXJKONWTCHAfQasKFUZI+mxqS4tZqhmtGzzhLsnLs=
 github.com/chromedp/sysutil v1.0.0/go.mod h1:kgWmDdq8fTzXYcKIBqIYvRRTnYb9aNS9moAV0xufSww=
@@ -99,8 +99,10 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
 github.com/cilium/ebpf v0.17.3 h1:FnP4r16PWYSE4ux6zN+//jMcW4nMVRvuTLVTvCjyyjg=
 github.com/cilium/ebpf v0.17.3/go.mod h1:G5EDHij8yiLzaqn0WjyfJHvRa+3aDlReIaLVRMvOyJk=
-github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
-github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
+github.com/clipperhouse/uax29/v2 v2.2.0 h1:ChwIKnQN3kcZteTXMgb1wztSgaU+ZemkgWdohwgs8tY=
+github.com/clipperhouse/uax29/v2 v2.2.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
+github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
+github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
 github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
 github.com/containerd/console v1.0.5 h1:R0ymNeydRqH2DmakFNdmjR2k0t7UPuiOV/N/27/qqsc=
 github.com/containerd/console v1.0.5/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
@@ -114,16 +116,16 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 h1:8h5+bWd7R6AYUslN6c6iuZWTKsKxUFDlpnmilO6R2n0=
 github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
-github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
-github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
+github.com/coreos/go-oidc/v3 v3.16.0 h1:qRQUCFstKpXwmEjDQTIbyY/5jF00+asXzSkmkoa/mow=
+github.com/coreos/go-oidc/v3 v3.16.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
-github.com/creachadair/command v0.1.22 h1:WmdrURwZdmPD1jm13SjKooaMoqo7mW1qI2BPCShs154=
-github.com/creachadair/command v0.1.22/go.mod h1:YFc+OMGucqTpxwQg/iJnNg8BMNmRPDK60rYy8ckgKwE=
+github.com/creachadair/command v0.2.0 h1:qTA9cMMhZePAxFoNdnk6F6nn94s1qPndIg9hJbqI9cA=
+github.com/creachadair/command v0.2.0/go.mod h1:j+Ar+uYnFsHpkMeV9kGj6lJ45y9u2xqtg8FYy6cm+0o=
 github.com/creachadair/flax v0.0.5 h1:zt+CRuXQASxwQ68e9GHAOnEgAU29nF0zYMHOCrL5wzE=
 github.com/creachadair/flax v0.0.5/go.mod h1:F1PML0JZLXSNDMNiRGK2yjm5f+L9QCHchyHBldFymj8=
-github.com/creachadair/mds v0.24.3 h1:X7cM2ymZSyl4IVWnfyXLxRXMJ6awhbcWvtLPhfnTaqI=
-github.com/creachadair/mds v0.24.3/go.mod h1:0oeHt9QWu8VfnmskOL4zi2CumjEvB29ScmtOmdrhFeU=
+github.com/creachadair/mds v0.25.10 h1:9k9JB35D1xhOCFl0liBhagBBp8fWWkKZrA7UXsfoHtA=
+github.com/creachadair/mds v0.25.10/go.mod h1:4hatI3hRM+qhzuAmqPRFvaBM8mONkS7nsLxkcuTYUIs=
 github.com/creachadair/taskgroup v0.13.2 h1:3KyqakBuFsm3KkXi/9XIb0QcA8tEzLHLgaoidf0MdVc=
 github.com/creachadair/taskgroup v0.13.2/go.mod h1:i3V1Zx7H8RjwljUEeUWYT30Lmb9poewSb2XI1yTwD0g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -141,12 +143,12 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v28.1.1+incompatible h1:eyUemzeI45DY7eDPuwUcmDyDj1pM98oD5MdSpiItp8k=
-github.com/docker/cli v28.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v28.2.2+incompatible h1:CjwRSksz8Yo4+RmQ339Dp/D2tGO5JxwYeqtMOEe0LDw=
-github.com/docker/docker v28.2.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/cli v28.5.1+incompatible h1:ESutzBALAD6qyCLqbQSEf1a/U8Ybms5agw59yGVc+yY=
+github.com/docker/cli v28.5.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM=
+github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
@@ -170,17 +172,17 @@ github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec
 github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
 github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
 github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
-github.com/go-gormigrate/gormigrate/v2 v2.1.4 h1:KOPEt27qy1cNzHfMZbp9YTmEuzkY4F4wrdsJW9WFk1U=
-github.com/go-gormigrate/gormigrate/v2 v2.1.4/go.mod h1:y/6gPAH6QGAgP1UfHMiXcqGeJ88/GRQbfCReE1JJD5Y=
+github.com/go-gormigrate/gormigrate/v2 v2.1.5 h1:1OyorA5LtdQw12cyJDEHuTrEV3GiXiIhS4/QTTa/SM8=
+github.com/go-gormigrate/gormigrate/v2 v2.1.5/go.mod h1:mj9ekk/7CPF3VjopaFvWKN2v7fN3D9d3eEOAXRhi/+M=
 github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
 github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
-github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY=
-github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw=
-github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874 h1:F8d1AJ6M9UQCavhwmO6ZsrYLfG8zVFWfEfMS2MXPkSY=
-github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced h1:Q311OHjMh/u5E2TITc++WlTP5We0xNseRMkHDyvhW7I=
+github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
@@ -199,8 +201,6 @@ github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/gofrs/uuid/v5 v5.3.2 h1:2jfO8j3XgSwlz/wHqemAEugfnTlikAYHhnqQ8Xh4fE0=
 github.com/gofrs/uuid/v5 v5.3.2/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
 github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -223,22 +223,24 @@ github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 h1:wG8RYIyctLhdF
 github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806/go.mod h1:Beg6V6zZ3oEn0JuiUQ4wqwuyqqzasOltcoXPtgLbFp4=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
-github.com/google/pprof v0.0.0-20250501235452-c0086092b71a h1:rDA3FfmxwXR+BVKKdz55WwMJ1pD2hJQNW31d+l3mPk4=
-github.com/google/pprof v0.0.0-20250501235452-c0086092b71a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
+github.com/google/pprof v0.0.0-20251007162407-5df77e3f7d1d h1:KJIErDwbSHjnp/SGzE5ed8Aol7JsKiI5X7yWKAtzhM0=
+github.com/google/pprof v0.0.0-20251007162407-5df77e3f7d1d/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gookit/assert v0.1.1 h1:lh3GcawXe/p+cU7ESTZ5Ui3Sm/x8JWpIis4/1aF0mY0=
+github.com/gookit/assert v0.1.1/go.mod h1:jS5bmIVQZTIwk42uXl4lyj4iaaxx32tqH16CFj0VX2E=
 github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQHCoQ=
 github.com/gookit/color v1.5.0/go.mod h1:43aQb+Zerm/BWh2GnrgOQm7ffz7tvQXEKV6BFMl7wAo=
-github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0=
-github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w=
+github.com/gookit/color v1.6.0 h1:JjJXBTk1ETNyqyilJhkTXJYYigHG24TM9Xa2M1xAhRA=
+github.com/gookit/color v1.6.0/go.mod h1:9ACFc7/1IpHGBW8RwuDm/0YEnhg3dwwXpoMsmtyHfjs=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.0 h1:+epNPbD5EqgpEMm5wrl4Hqts3jZt8+kYaqUisuuIGTk=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.0/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4=
 github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU=
@@ -255,8 +257,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.7.4 h1:9wKznZrhWa2QiHL+NjTSPP6yjl3451BX3imWDnokYlg=
-github.com/jackc/pgx/v5 v5.7.4/go.mod h1:ncY89UGWxg82EykZUwSpUKEfccBGGYq1xjrOpsbsfGQ=
+github.com/jackc/pgx/v5 v5.7.6 h1:rWQc5FwZSPX58r1OQmkuaNicxdmExaEz5A2DO2hUuTk=
+github.com/jackc/pgx/v5 v5.7.6/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jagottsicher/termcolor v1.0.2 h1:fo0c51pQSuLBN1+yVX2ZE+hE+P7ULb/TY8eRowJnrsM=
@@ -274,10 +276,8 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfC
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jsimonetti/rtnetlink v1.4.1 h1:JfD4jthWBqZMEffc5RjgmlzpYttAVw1sdnmiNaPO3hE=
 github.com/jsimonetti/rtnetlink v1.4.1/go.mod h1:xJjT7t59UIZ62GLZbv6PLLo8VFrostJMPBAheR6OM8w=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
+github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.10/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
@@ -312,8 +312,8 @@ github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
-github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
+github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
 github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
 github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
@@ -340,8 +340,8 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
-github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
+github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
 github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25 h1:9bCMuD3TcnjeqjPT2gSlha4asp8NvgcFRYExCaikCxk=
@@ -350,16 +350,16 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/opencontainers/runc v1.3.0 h1:cvP7xbEvD0QQAs0nZKLzkVog2OPZhI/V2w3WmTmUSXI=
-github.com/opencontainers/runc v1.3.0/go.mod h1:9wbWt42gV+KRxKRVVugNP6D5+PQciRbenB4fLVsqGPs=
+github.com/opencontainers/runc v1.3.2 h1:GUwgo0Fx9M/pl2utaSYlJfdBcXAB/CZXDxe322lvJ3Y=
+github.com/opencontainers/runc v1.3.2/go.mod h1:F7UQQEsxcjUNnFpT1qPLHZBKYP7yWwk6hq8suLy9cl0=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
 github.com/ory/dockertest/v3 v3.12.0 h1:3oV9d0sDzlSQfHtIaB5k6ghUCVMVLpAY8hwrqoCyRCw=
 github.com/ory/dockertest/v3 v3.12.0/go.mod h1:aKNDTva3cp8dwOWwb9cWuX84aH5akkxXRvO7KCwWVjE=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
-github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
-github.com/petermattis/goid v0.0.0-20250319124200-ccd6737f222a h1:S+AGcmAESQ0pXCUNnRH7V+bOUIgkSX5qVt2cNKCrm0Q=
-github.com/petermattis/goid v0.0.0-20250319124200-ccd6737f222a/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
+github.com/petermattis/goid v0.0.0-20250813065127-a731cc31b4fe/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
+github.com/petermattis/goid v0.0.0-20250904145737-900bdf8bb490 h1:QTvNkZ5ylY0PGgA+Lih+GdboMLY/G9SEGLMEGVjTVA4=
+github.com/petermattis/goid v0.0.0-20250904145737-900bdf8bb490/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
 github.com/philip-bui/grpc-zerolog v1.0.1 h1:EMacvLRUd2O1K0eWod27ZP5CY1iTNkhBDLSN+Q4JEvA=
 github.com/philip-bui/grpc-zerolog v1.0.1/go.mod h1:qXbiq/2X4ZUMMshsqlWyTHOcw7ns+GZmlqZZN05ZHcQ=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
@@ -376,14 +376,14 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus-community/pro-bing v0.4.0 h1:YMbv+i08gQz97OZZBwLyvmmQEEzyfyrrjEaAchdy3R4=
 github.com/prometheus-community/pro-bing v0.4.0/go.mod h1:b7wRYZtCcPmt4Sz319BykUU241rWLe1VFXyiyWK/dH4=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
-github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/pterm/pterm v0.12.27/go.mod h1:PhQ89w4i95rhgE+xedAoqous6K9X+r6aSOI2eFF7DZI=
 github.com/pterm/pterm v0.12.29/go.mod h1:WI3qxgvoQFFGKGjGnJR849gU0TsEOvKn5Q8LlY1U7lg=
 github.com/pterm/pterm v0.12.30/go.mod h1:MOqLIyMOgmTDz9yorcYbcw+HsgoZo3BQfg2wtl3HEFE=
@@ -391,15 +391,13 @@ github.com/pterm/pterm v0.12.31/go.mod h1:32ZAWZVXD7ZfG0s8qqHXePte42kdz8ECtRyEej
 github.com/pterm/pterm v0.12.33/go.mod h1:x+h2uL+n7CP/rel9+bImHD5lF3nM9vJj80k9ybiiTTE=
 github.com/pterm/pterm v0.12.36/go.mod h1:NjiL09hFhT/vWjQHSj1athJpx6H8cjpHXNAK5bUw8T8=
 github.com/pterm/pterm v0.12.40/go.mod h1:ffwPLwlbXxP+rxT0GsgDTzS3y3rmpAO1NMjUkGTYf8s=
-github.com/pterm/pterm v0.12.81 h1:ju+j5I2++FO1jBKMmscgh5h5DPFDFMB7epEjSoKehKA=
-github.com/pterm/pterm v0.12.81/go.mod h1:TyuyrPjnxfwP+ccJdBTeWHtd/e0ybQHkOS/TakajZCw=
-github.com/puzpuzpuz/xsync/v4 v4.1.0 h1:x9eHRl4QhZFIPJ17yl4KKW9xLyVWbb3/Yq4SXpjF71U=
-github.com/puzpuzpuz/xsync/v4 v4.1.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
+github.com/pterm/pterm v0.12.82 h1:+D9wYhCaeaK0FIQoZtqbNQuNpe2lB2tajKKsTd5paVQ=
+github.com/pterm/pterm v0.12.82/go.mod h1:TyuyrPjnxfwP+ccJdBTeWHtd/e0ybQHkOS/TakajZCw=
+github.com/puzpuzpuz/xsync/v4 v4.2.0 h1:dlxm77dZj2c3rxq0/XNvvUKISAmovoXF4a4qM6Wvkr0=
+github.com/puzpuzpuz/xsync/v4 v4.2.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
-github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
@@ -409,29 +407,28 @@ github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/safchain/ethtool v0.3.0 h1:gimQJpsI6sc1yIqP/y8GYgiXn/NjgvpM0RNoWLVVmP0=
 github.com/safchain/ethtool v0.3.0/go.mod h1:SA9BwrgyAqNo7M+uaL6IYbxpm5wk3L7Mm6ocLW+CJUs=
-github.com/sagikazarmark/locafero v0.9.0 h1:GbgQGNtTrEmddYDSAH9QLRyfAHY12md+8YFTqyMTC9k=
-github.com/sagikazarmark/locafero v0.9.0/go.mod h1:UBUyz37V+EdMS3hDF3QWIiVr/2dPrx49OMO0Bn0hJqk=
-github.com/samber/lo v1.51.0 h1:kysRYLbHy/MB7kQZf5DSN50JHmMsNEdeY24VzJFu7wI=
-github.com/samber/lo v1.51.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
-github.com/sasha-s/go-deadlock v0.3.5 h1:tNCOEEDG6tBqrNDOX35j/7hL5FcFViG6awUGROb2NsU=
-github.com/sasha-s/go-deadlock v0.3.5/go.mod h1:bugP6EGbdGYObIlx7pUZtWqlvo8k9H6vCBBsiChJQ5U=
+github.com/sagikazarmark/locafero v0.12.0 h1:/NQhBAkUb4+fH1jivKHWusDYFjMOOKU88eegjfxfHb4=
+github.com/sagikazarmark/locafero v0.12.0/go.mod h1:sZh36u/YSZ918v0Io+U9ogLYQJ9tLLBmM4eneO6WwsI=
+github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
+github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/sasha-s/go-deadlock v0.3.6 h1:TR7sfOnZ7x00tWPfD397Peodt57KzMDo+9Ae9rMiUmw=
+github.com/sasha-s/go-deadlock v0.3.6/go.mod h1:CUqNyyvMxTyjFqDT7MRg9mb4Dv/btmGTqSR+rky/UXo=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
-github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
-github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
-github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
-github.com/spf13/cast v1.8.0 h1:gEN9K4b8Xws4EX0+a0reLmhq8moKn7ntRlQYgjPeCDk=
-github.com/spf13/cast v1.8.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
-github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
+github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
+github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
+github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
@@ -442,8 +439,8 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
@@ -462,8 +459,8 @@ github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+y
 github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc/go.mod h1:f93CXfllFsO9ZQVq+Zocb1Gp4G5Fz0b0rXHLOzt/Djc=
 github.com/tailscale/setec v0.0.0-20250305161714-445cadbbca3d h1:mnqtPWYyvNiPU9l9tzO2YbHXU/xV664XthZYA26lOiE=
 github.com/tailscale/setec v0.0.0-20250305161714-445cadbbca3d/go.mod h1:9BzmlFc3OLqLzLTF/5AY+BMs+clxMqyhSGzgXIm8mNI=
-github.com/tailscale/squibble v0.0.0-20250108170732-a4ca58afa694 h1:95eIP97c88cqAFU/8nURjgI9xxPbD+Ci6mY/a79BI/w=
-github.com/tailscale/squibble v0.0.0-20250108170732-a4ca58afa694/go.mod h1:veguaG8tVg1H/JG5RfpoUW41I+O8ClPElo/fTYr8mMk=
+github.com/tailscale/squibble v0.0.0-20251030164342-4d5df9caa993 h1:FyiiAvDAxpB0DrW2GW3KOVfi3YFOtsQUEeFWbf55JJU=
+github.com/tailscale/squibble v0.0.0-20251030164342-4d5df9caa993/go.mod h1:xJkMmR3t+thnUQhA3Q4m2VSlS5pcOq+CIjmU/xfKKx4=
 github.com/tailscale/tailsql v0.0.0-20250421235516-02f85f087b97 h1:JJkDnrAhHvOCttk8z9xeZzcDlzzkRA7+Duxj9cwOyxk=
 github.com/tailscale/tailsql v0.0.0-20250421235516-02f85f087b97/go.mod h1:9jS8HxwsP2fU4ESZ7DZL+fpH/U66EVlVMzdgznH12RM=
 github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:UBPHPtv8+nEAy2PD8RyAhOYvau1ek0HDJqLS/Pysi14=
@@ -485,8 +482,8 @@ github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
-github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
+github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@@ -499,79 +496,70 @@ github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQ
 github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
-go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
+go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
+go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 h1:dNzwXjZKpMpE2JhmO+9HsPl42NIXFIFSUSSs0fiqra0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0/go.mod h1:90PoxvaEB5n6AOdZvi+yWJQoE95U8Dhhw2bSyRqnTD0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.36.0 h1:nRVXXvf78e00EwY6Wp0YII8ww2JVWshZ20HfTlE11AM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.36.0/go.mod h1:r49hO7CgrxY9Voaj3Xe8pANWtr0Oq916d0XAmOoCZAQ=
-go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
-go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
-go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
-go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
-go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
-go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
-go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
-go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
+go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
+go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
+go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
+go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
+go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
+go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
+go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
 go.opentelemetry.io/proto/otlp v1.6.0 h1:jQjP+AQyTf+Fe7OKj/MfkDrmK4MNVtw2NpXsf9fefDI=
 go.opentelemetry.io/proto/otlp v1.6.0/go.mod h1:cicgGehlFuNdgZkcALOCh3VE6K/u2tAjzlRhDwmVpZc=
-go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
-go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 go4.org/mem v0.0.0-20240501181205-ae6ca9944745 h1:Tl++JLUCe4sxGu8cTpDzRLd3tN7US4hOxG5YpKCzkek=
 go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
-golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
-golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
-golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
+golang.org/x/exp v0.0.0-20251009144603-d2f985daa21b h1:18qgiDvlvH7kk8Ioa8Ov+K6xCi0GMvmGfGW0sgd/SYA=
+golang.org/x/exp v0.0.0-20251009144603-d2f985daa21b/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
 golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
-golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -592,8 +580,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
-golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -601,42 +589,40 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
-golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
+golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
+golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
-golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
-golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
-google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 h1:8XJ4pajGwOlasW+L13MnEGA8W4115jJySQtVfS2/IBU=
+google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4/go.mod h1:NnuHhy+bxcg30o7FnVAZbXsPHUDQ9qKWAQKCD7VxFtk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4 h1:i8QOKZfYg6AbGVZzUAY3LrNWCKF8O6zFisU9Wl9RER4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250929231259-57b25ae835d4/go.mod h1:HSkG/KdJWusxU1F6CNrwNDjBMgisKxGnc5dAZfT0mjQ=
+google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI=
+google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -652,8 +638,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
 gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
-gorm.io/gorm v1.30.0 h1:qbT5aPv1UH8gI99OsRlvDToLxW5zR7FzS9acZDOZcgs=
-gorm.io/gorm v1.30.0/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
+gorm.io/gorm v1.31.0 h1:0VlycGreVhK7RF/Bwt51Fk8v0xLiiiFdbGDPIZQ7mJY=
+gorm.io/gorm v1.31.0/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 gvisor.dev/gvisor v0.0.0-20250205023644-9414b50a5633 h1:2gap+Kh/3F47cO6hAu3idFvsJ0ue6TRcEi2IUkv/F8k=
@@ -662,26 +648,28 @@ honnef.co/go/tools v0.6.1 h1:R094WgE8K4JirYjBaOpz/AvTyUu/3wbmAoskKN/pxTI=
 honnef.co/go/tools v0.6.1/go.mod h1:3puzxxljPCe8RGJX7BIy1plGbxEOZni5mR2aXe3/uk4=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
-modernc.org/cc/v4 v4.25.2 h1:T2oH7sZdGvTaie0BRNFbIYsabzCxUQg8nLqCdQ2i0ic=
-modernc.org/cc/v4 v4.25.2/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
-modernc.org/ccgo/v4 v4.25.1 h1:TFSzPrAGmDsdnhT9X2UrcPMI3N/mJ9/X9ykKXwLhDsU=
-modernc.org/ccgo/v4 v4.25.1/go.mod h1:njjuAYiPflywOOrm3B7kCB444ONP5pAVr8PIEoE0uDw=
-modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE=
-modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ=
+modernc.org/cc/v4 v4.26.5 h1:xM3bX7Mve6G8K8b+T11ReenJOT+BmVqQj0FY5T4+5Y4=
+modernc.org/cc/v4 v4.26.5/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/ccgo/v4 v4.28.1 h1:wPKYn5EC/mYTqBO373jKjvX2n+3+aK7+sICCv4Fjy1A=
+modernc.org/ccgo/v4 v4.28.1/go.mod h1:uD+4RnfrVgE6ec9NGguUNdhqzNIeeomeXf6CL0GTE5Q=
+modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
+modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
 modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
-modernc.org/libc v1.62.1 h1:s0+fv5E3FymN8eJVmnk0llBe6rOxCu/DEU+XygRbS8s=
-modernc.org/libc v1.62.1/go.mod h1:iXhATfJQLjG3NWy56a6WVU73lWOcdYVxsvwCgoPljuo=
+modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
+modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
+modernc.org/libc v1.66.10 h1:yZkb3YeLx4oynyR+iUsXsybsX4Ubx7MQlSYEw4yj59A=
+modernc.org/libc v1.66.10/go.mod h1:8vGSEwvoUoltr4dlywvHqjtAqHBaw0j1jI7iFBTAr2I=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
-modernc.org/memory v1.10.0 h1:fzumd51yQ1DxcOxSO+S6X7+QTuVU+n8/Aj7swYjFfC4=
-modernc.org/memory v1.10.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
+modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
+modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
 modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.37.0 h1:s1TMe7T3Q3ovQiK2Ouz4Jwh7dw4ZDqbebSDTlSJdfjI=
-modernc.org/sqlite v1.37.0/go.mod h1:5YiWv+YviqGMuGw4V+PNplcyaJ5v+vQd7TQOgkACoJM=
+modernc.org/sqlite v1.39.1 h1:H+/wGFzuSCIEVCvXYVHX5RQglwhMOvtHSv+VtidL2r4=
+modernc.org/sqlite v1.39.1/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
@@ -690,7 +678,7 @@ software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB
 software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
 tailscale.com v1.86.5 h1:yBtWFjuLYDmxVnfnvPbZNZcKADCYgNfMd0rUAOA9XCs=
 tailscale.com v1.86.5/go.mod h1:Lm8dnzU2i/Emw15r6sl3FRNp/liSQ/nYw6ZSQvIdZ1M=
-zgo.at/zcache/v2 v2.2.0 h1:K29/IPjMniZfveYE+IRXfrl11tMzHkIPuyGrfVZ2fGo=
-zgo.at/zcache/v2 v2.2.0/go.mod h1:gyCeoLVo01QjDZynjime8xUGHHMbsLiPyUTBpDGd4Gk=
+zgo.at/zcache/v2 v2.4.1 h1:Dfjoi8yI0Uq7NCc4lo2kaQJJmp9Mijo21gef+oJstbY=
+zgo.at/zcache/v2 v2.4.1/go.mod h1:gyCeoLVo01QjDZynjime8xUGHHMbsLiPyUTBpDGd4Gk=
 zombiezen.com/go/postgrestest v1.0.1 h1:aXoADQAJmZDU3+xilYVut0pHhgc0sF8ZspPW9gFNwP4=
 zombiezen.com/go/postgrestest v1.0.1/go.mod h1:marlZezr+k2oSJrvXHnZUs1olHqpE9czlz8ZYkVxliQ=
--- a/hscontrol/app.go
+++ b/hscontrol/app.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
+	"io"
 	"net"
 	"net/http"
 	_ "net/http/pprof" // nolint
@@ -270,7 +271,7 @@ func (h *Headscale) scheduledTasks(ctx context.Context) {
 			return

 		case <-expireTicker.C:
-			var expiredNodeChanges []change.ChangeSet
+			var expiredNodeChanges []change.Change
 			var changed bool

 			lastExpiryCheck, expiredNodeChanges, changed = h.state.ExpireExpiredNodes(lastExpiryCheck)
@@ -304,7 +305,7 @@ func (h *Headscale) scheduledTasks(ctx context.Context) {
 			}
 			h.state.SetDERPMap(derpMap)

-			h.Change(change.DERPSet)
+			h.Change(change.DERPMap())

 		case records, ok := <-extraRecordsUpdate:
 			if !ok {
@@ -312,7 +313,7 @@ func (h *Headscale) scheduledTasks(ctx context.Context) {
 			}
 			h.cfg.TailcfgDNSConfig.ExtraRecords = records

-			h.Change(change.ExtraRecordsSet)
+			h.Change(change.ExtraRecords())
 		}
 	}
 }
@@ -380,53 +381,45 @@ func (h *Headscale) httpAuthenticationMiddleware(next http.Handler) http.Handler
 		writer http.ResponseWriter,
 		req *http.Request,
 	) {
-		if err := func() error {
-			log.Trace().
-				Caller().
-				Str("client_address", req.RemoteAddr).
-				Msg("HTTP authentication invoked")
+		log.Trace().
+			Caller().
+			Str("client_address", req.RemoteAddr).
+			Msg("HTTP authentication invoked")

-			authHeader := req.Header.Get("Authorization")
+		authHeader := req.Header.Get("Authorization")

-			if !strings.HasPrefix(authHeader, AuthPrefix) {
-				log.Error().
-					Caller().
-					Str("client_address", req.RemoteAddr).
-					Msg(`missing "Bearer " prefix in "Authorization" header`)
-				writer.WriteHeader(http.StatusUnauthorized)
-				_, err := writer.Write([]byte("Unauthorized"))
-				return err
+		writeUnauthorized := func(statusCode int) {
+			writer.WriteHeader(statusCode)
+			if _, err := writer.Write([]byte("Unauthorized")); err != nil {
+				log.Error().Err(err).Msg("writing HTTP response failed")
 			}
+		}

-			valid, err := h.state.ValidateAPIKey(strings.TrimPrefix(authHeader, AuthPrefix))
-			if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Str("client_address", req.RemoteAddr).
-					Msg("failed to validate token")
-
-				writer.WriteHeader(http.StatusInternalServerError)
-				_, err := writer.Write([]byte("Unauthorized"))
-				return err
-			}
-
-			if !valid {
-				log.Info().
-					Str("client_address", req.RemoteAddr).
-					Msg("invalid token")
-
-				writer.WriteHeader(http.StatusUnauthorized)
-				_, err := writer.Write([]byte("Unauthorized"))
-				return err
-			}
-
-			return nil
-		}(); err != nil {
+		if !strings.HasPrefix(authHeader, AuthPrefix) {
 			log.Error().
+				Caller().
+				Str("client_address", req.RemoteAddr).
+				Msg(`missing "Bearer " prefix in "Authorization" header`)
+			writeUnauthorized(http.StatusUnauthorized)
+			return
+		}
+
+		valid, err := h.state.ValidateAPIKey(strings.TrimPrefix(authHeader, AuthPrefix))
+		if err != nil {
+			log.Info().
 				Caller().
 				Err(err).
-				Msg("Failed to write HTTP response")
+				Str("client_address", req.RemoteAddr).
+				Msg("failed to validate token")
+			writeUnauthorized(http.StatusUnauthorized)
+			return
+		}
+
+		if !valid {
+			log.Info().
+				Str("client_address", req.RemoteAddr).
+				Msg("invalid token")
+			writeUnauthorized(http.StatusUnauthorized)
 			return
 		}

@@ -454,6 +447,7 @@ func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {

 	router.HandleFunc("/robots.txt", h.RobotsHandler).Methods(http.MethodGet)
 	router.HandleFunc("/health", h.HealthHandler).Methods(http.MethodGet)
+	router.HandleFunc("/version", h.VersionHandler).Methods(http.MethodGet)
 	router.HandleFunc("/key", h.KeyHandler).Methods(http.MethodGet)
 	router.HandleFunc("/register/{registration_id}", h.authProvider.RegisterHandler).
 		Methods(http.MethodGet)
@@ -483,8 +477,8 @@ func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
 	apiRouter := router.PathPrefix("/api").Subrouter()
 	apiRouter.Use(h.httpAuthenticationMiddleware)
 	apiRouter.PathPrefix("/v1/").HandlerFunc(grpcMux.ServeHTTP)
-
-	router.PathPrefix("/").HandlerFunc(notFoundHandler)
+	router.HandleFunc("/favicon.ico", FaviconHandler)
+	router.PathPrefix("/").HandlerFunc(BlankHandler)

 	return router
 }
@@ -736,16 +730,27 @@ func (h *Headscale) Serve() error {
 	log.Info().
 		Msgf("listening and serving HTTP on: %s", h.cfg.Addr)

-	debugHTTPListener, err := net.Listen("tcp", h.cfg.MetricsAddr)
-	if err != nil {
-		return fmt.Errorf("failed to bind to TCP address: %w", err)
+	// Only start debug/metrics server if address is configured
+	var debugHTTPServer *http.Server
+
+	var debugHTTPListener net.Listener
+
+	if h.cfg.MetricsAddr != "" {
+		debugHTTPListener, err = (&net.ListenConfig{}).Listen(ctx, "tcp", h.cfg.MetricsAddr)
+		if err != nil {
+			return fmt.Errorf("failed to bind to TCP address: %w", err)
+		}
+
+		debugHTTPServer = h.debugHTTPServer()
+
+		errorGroup.Go(func() error { return debugHTTPServer.Serve(debugHTTPListener) })
+
+		log.Info().
+			Msgf("listening and serving debug and metrics on: %s", h.cfg.MetricsAddr)
+	} else {
+		log.Info().Msg("metrics server disabled (metrics_listen_addr is empty)")
 	}

-	debugHTTPServer := h.debugHTTPServer()
-	errorGroup.Go(func() error { return debugHTTPServer.Serve(debugHTTPListener) })
-
-	log.Info().
-		Msgf("listening and serving debug and metrics on: %s", h.cfg.MetricsAddr)

 	var tailsqlContext context.Context
 	if tailsqlEnabled {
@@ -801,16 +806,25 @@ func (h *Headscale) Serve() error {
 				h.ephemeralGC.Close()

 				// Gracefully shut down servers
-				ctx, cancel := context.WithTimeout(
-					context.Background(),
+				shutdownCtx, cancel := context.WithTimeout(
+					context.WithoutCancel(ctx),
 					types.HTTPShutdownTimeout,
 				)
-				info("shutting down debug http server")
-				if err := debugHTTPServer.Shutdown(ctx); err != nil {
-					log.Error().Err(err).Msg("failed to shutdown prometheus http")
+				defer cancel()
+
+				if debugHTTPServer != nil {
+					info("shutting down debug http server")
+
+					err := debugHTTPServer.Shutdown(shutdownCtx)
+					if err != nil {
+						log.Error().Err(err).Msg("failed to shutdown prometheus http")
+					}
 				}
+
 				info("shutting down main http server")
-				if err := httpServer.Shutdown(ctx); err != nil {
+
+				err := httpServer.Shutdown(shutdownCtx)
+				if err != nil {
 					log.Error().Err(err).Msg("failed to shutdown http")
 				}

@@ -836,7 +850,10 @@ func (h *Headscale) Serve() error {

 				// Close network listeners
 				info("closing network listeners")
-				debugHTTPListener.Close()
+
+				if debugHTTPListener != nil {
+					debugHTTPListener.Close()
+				}
 				httpListener.Close()
 				grpcGatewayConn.Close()

@@ -854,9 +871,6 @@ func (h *Headscale) Serve() error {
 				log.Info().
 					Msg("Headscale stopped")

-				// And we're done:
-				cancel()
-
 				return
 			}
 		}
@@ -884,6 +898,11 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 			Cache:      autocert.DirCache(h.cfg.TLS.LetsEncrypt.CacheDir),
 			Client: &acme.Client{
 				DirectoryURL: h.cfg.ACMEURL,
+				HTTPClient: &http.Client{
+					Transport: &acmeLogger{
+						rt: http.DefaultTransport,
+					},
+				},
 			},
 			Email: h.cfg.ACMEEmail,
 		}
@@ -942,18 +961,6 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 	}
 }

-func notFoundHandler(
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
-	log.Trace().
-		Interface("header", req.Header).
-		Interface("proto", req.Proto).
-		Interface("url", req.URL).
-		Msg("Request did not match")
-	writer.WriteHeader(http.StatusNotFound)
-}
-
 func readOrCreatePrivateKey(path string) (*key.MachinePrivate, error) {
 	dir := filepath.Dir(path)
 	err := util.EnsureDir(dir)
@@ -1001,6 +1008,31 @@ func readOrCreatePrivateKey(path string) (*key.MachinePrivate, error) {
 // Change is used to send changes to nodes.
 // All change should be enqueued here and empty will be automatically
 // ignored.
-func (h *Headscale) Change(cs ...change.ChangeSet) {
+func (h *Headscale) Change(cs ...change.Change) {
 	h.mapBatcher.AddWork(cs...)
 }
+
+// Provide some middleware that can inspect the ACME/autocert https calls
+// and log when things are failing.
+type acmeLogger struct {
+	rt http.RoundTripper
+}
+
+// RoundTrip will log when ACME/autocert failures happen either when err != nil OR
+// when http status codes indicate a failure has occurred.
+func (l *acmeLogger) RoundTrip(req *http.Request) (*http.Response, error) {
+	resp, err := l.rt.RoundTrip(req)
+	if err != nil {
+		log.Error().Err(err).Str("url", req.URL.String()).Msg("ACME request failed")
+		return nil, err
+	}
+
+	if resp.StatusCode >= http.StatusBadRequest {
+		defer resp.Body.Close()
+
+		body, _ := io.ReadAll(resp.Body)
+		log.Error().Int("status_code", resp.StatusCode).Str("url", req.URL.String()).Bytes("body", body).Msg("ACME request returned error")
+	}
+
+	return resp, nil
+}
--- a/hscontrol/assets/assets.go
+++ b/hscontrol/assets/assets.go
@@ -0,0 +1,24 @@
+// Package assets provides embedded static assets for Headscale.
+// All static files (favicon, CSS, SVG) are embedded here for
+// centralized asset management.
+package assets
+
+import (
+	_ "embed"
+)
+
+// Favicon is the embedded favicon.png file served at /favicon.ico
+//
+//go:embed favicon.png
+var Favicon []byte
+
+// CSS is the embedded style.css stylesheet used in HTML templates.
+// Contains Material for MkDocs design system styles.
+//
+//go:embed style.css
+var CSS string
+
+// SVG is the embedded headscale.svg logo used in HTML templates.
+//
+//go:embed headscale.svg
+var SVG string
--- a/hscontrol/assets/favicon.png
+++ b/hscontrol/assets/favicon.png
--- a/hscontrol/assets/headscale.svg
+++ b/hscontrol/assets/headscale.svg
--- a/hscontrol/assets/oidc_callback_template.html
+++ b/hscontrol/assets/oidc_callback_template.html
@@ -1,307 +0,0 @@
-<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="UTF-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <title>Headscale Authentication Succeeded</title>
-    <style>
-      body {
-        font-size: 14px;
-        font-family:
-          system-ui,
-          -apple-system,
-          BlinkMacSystemFont,
-          "Segoe UI",
-          "Roboto",
-          "Oxygen",
-          "Ubuntu",
-          "Cantarell",
-          "Fira Sans",
-          "Droid Sans",
-          "Helvetica Neue",
-          sans-serif;
-      }
-
-      hr {
-        border-color: #fdfdfe;
-        margin: 24px 0;
-      }
-
-      .container {
-        display: flex;
-        justify-content: center;
-        align-items: center;
-        height: 70vh;
-      }
-
-      #logo {
-        display: block;
-        margin-left: -20px;
-        margin-bottom: 16px;
-      }
-
-      .message {
-        display: flex;
-        min-width: 40vw;
-        background: #fafdfa;
-        border: 1px solid #c6e9c9;
-        margin-bottom: 12px;
-        padding: 12px 16px 16px 12px;
-        position: relative;
-        border-radius: 2px;
-        font-size: 14px;
-      }
-
-      .message-content {
-        margin-left: 4px;
-      }
-
-      .message #checkbox {
-        fill: #2eb039;
-      }
-
-      .message .message-title {
-        color: #1e7125;
-        font-size: 16px;
-        font-weight: 700;
-        line-height: 1.25;
-      }
-
-      .message .message-body {
-        border: 0;
-        margin-top: 4px;
-      }
-
-      .message p {
-        font-size: 12px;
-        margin: 0;
-        padding: 0;
-        color: #17421b;
-      }
-
-      a {
-        display: block;
-        margin: 8px 0;
-        color: #1563ff;
-        text-decoration: none;
-        font-weight: 600;
-      }
-
-      a:hover {
-        color: black;
-      }
-
-      a svg {
-        fill: currentcolor;
-      }
-
-      .icon {
-        align-items: center;
-        display: inline-flex;
-        justify-content: center;
-        height: 21px;
-        width: 21px;
-        vertical-align: middle;
-      }
-
-      h1 {
-        font-size: 17.5px;
-        font-weight: 700;
-        margin-bottom: 0;
-      }
-
-      h1 + p {
-        margin: 8px 0 16px 0;
-      }
-    </style>
-  </head>
-  <body translate="no">
-    <div class="container">
-      <div>
-        <svg
-          id="logo"
-          width="146"
-          height="51"
-          xmlns="http://www.w3.org/2000/svg"
-          xml:space="preserve"
-          style="
-            fill-rule: evenodd;
-            clip-rule: evenodd;
-            stroke-linejoin: round;
-            stroke-miterlimit: 2;
-          "
-          viewBox="0 0 1280 640"
-        >
-          <path
-            d="M.08 0v-.736h.068v.3C.203-.509.27-.545.347-.545c.029 0 .055.005.079.015.024.01.045.025.062.045.017.02.031.045.041.075.009.03.014.065.014.105V0H.475v-.289C.475-.352.464-.4.443-.433.422-.466.385-.483.334-.483c-.027 0-.052.006-.075.017C.236-.455.216-.439.2-.419c-.017.02-.029.044-.038.072-.009.028-.014.059-.014.093V0H.08Z"
-            style="fill: #f8b5cb; fill-rule: nonzero"
-            transform="translate(32.92220721 521.8022953) scale(235.3092)"
-          />
-          <path
-            d="M.051-.264c0-.036.007-.071.02-.105.013-.034.031-.064.055-.09.023-.026.052-.047.086-.063.033-.015.071-.023.112-.023.039 0 .076.007.109.021.033.014.062.033.087.058.025.025.044.054.058.088.014.035.021.072.021.113v.005H.121c.001.031.007.059.018.084.01.025.024.047.042.065.018.019.04.033.065.043.025.01.052.015.082.015.026 0 .049-.003.069-.01.02-.007.038-.016.054-.028C.466-.102.48-.115.492-.13c.011-.015.022-.03.032-.046l.057.03C.556-.097.522-.058.48-.03.437-.001.387.013.328.013.284.013.245.006.21-.01.175-.024.146-.045.123-.07.1-.095.082-.125.07-.159.057-.192.051-.227.051-.264ZM.128-.32h.396C.51-.375.485-.416.449-.441.412-.466.371-.479.325-.479c-.048 0-.089.013-.123.039-.034.026-.059.066-.074.12Z"
-            style="fill: #8d8d8d; fill-rule: nonzero"
-            transform="translate(177.16674681 521.8022953) scale(235.3092)"
-          />
-          <path
-            d="M.051-.267c0-.038.007-.074.021-.108.014-.033.033-.063.058-.088.025-.025.054-.045.087-.06.033-.015.069-.022.108-.022.043 0 .083.009.119.027.035.019.066.047.093.084v-.097h.067V0H.537v-.091C.508-.056.475-.029.44-.013.404.005.365.013.323.013.284.013.248.006.215-.01.182-.024.153-.045.129-.071.104-.096.085-.126.072-.16.058-.193.051-.229.051-.267Zm.279.218c.027 0 .054-.005.079-.015.025-.01.048-.024.068-.043.019-.018.035-.04.047-.067.012-.027.018-.056.018-.089 0-.031-.005-.059-.016-.086C.515-.375.501-.398.482-.417.462-.436.44-.452.415-.463.389-.474.361-.479.331-.479c-.031 0-.059.006-.084.017C.221-.45.199-.434.18-.415c-.019.02-.033.043-.043.068-.011.026-.016.053-.016.082 0 .029.005.056.016.082.011.026.025.049.044.069.019.02.041.036.066.047.025.012.053.018.083.018Z"
-            style="fill: #8d8d8d; fill-rule: nonzero"
-            transform="translate(327.76463481 521.8022953) scale(235.3092)"
-          />
-          <path
-            d="M.051-.267c0-.038.007-.074.021-.108.014-.033.033-.063.058-.088.025-.025.054-.045.087-.06.033-.015.069-.022.108-.022.043 0 .083.009.119.027.035.019.066.047.093.084v-.302h.068V0H.537v-.091C.508-.056.475-.029.44-.013.404.005.365.013.323.013.284.013.248.006.215-.01.182-.024.153-.045.129-.071.104-.096.085-.126.072-.16.058-.193.051-.229.051-.267Zm.279.218c.027 0 .054-.005.079-.015.025-.01.048-.024.068-.043.019-.018.035-.04.047-.067.011-.027.017-.056.017-.089 0-.031-.005-.059-.016-.086C.514-.375.5-.398.481-.417.462-.436.439-.452.414-.463.389-.474.361-.479.331-.479c-.031 0-.059.006-.084.017C.221-.45.199-.434.18-.415c-.019.02-.033.043-.043.068-.011.026-.016.053-.016.082 0 .029.005.056.016.082.011.026.025.049.044.069.019.02.041.036.066.047.025.012.053.018.083.018Z"
-            style="fill: #8d8d8d; fill-rule: nonzero"
-            transform="translate(488.71612761 521.8022953) scale(235.3092)"
-          />
-          <path
-            d="m.034-.062.043-.049c.017.019.035.034.054.044.018.01.037.015.057.015.013 0 .026-.002.038-.007.011-.004.021-.01.031-.018.009-.008.016-.017.021-.028.005-.011.008-.022.008-.035 0-.019-.005-.034-.014-.047C.263-.199.248-.21.229-.221.205-.234.183-.247.162-.259.14-.271.122-.284.107-.298.092-.311.08-.327.071-.344.062-.361.058-.381.058-.404c0-.021.004-.04.012-.058.007-.016.018-.031.031-.044.013-.013.028-.022.046-.029.018-.007.037-.01.057-.01.029 0 .056.006.079.019s.045.031.068.053l-.044.045C.291-.443.275-.456.258-.465.241-.474.221-.479.2-.479c-.022 0-.041.007-.056.02C.128-.445.12-.428.12-.408c0 .019.006.035.017.048.011.013.027.026.048.037.027.015.05.028.071.04.021.013.038.026.052.039.014.013.025.028.032.044.007.016.011.035.011.057 0 .021-.004.041-.011.059-.008.019-.019.036-.033.05-.014.015-.031.026-.05.035C.237.01.215.014.191.014c-.03 0-.059-.006-.086-.02C.077-.019.053-.037.034-.062Z"
-            style="fill: #8d8d8d; fill-rule: nonzero"
-            transform="translate(649.90292961 521.8022953) scale(235.3092)"
-          />
-          <path
-            d="M.051-.266c0-.04.007-.077.022-.111.014-.034.034-.063.059-.089.025-.025.054-.044.089-.058.035-.014.072-.021.113-.021.051 0 .098.01.139.03.041.021.075.049.1.085l-.05.043C.498-.418.47-.441.439-.456.408-.471.372-.479.331-.479c-.03 0-.058.005-.083.016C.222-.452.2-.436.181-.418.162-.399.148-.376.137-.35c-.011.026-.016.054-.016.084 0 .031.005.06.016.086.011.027.025.049.044.068.019.019.041.034.067.044.025.011.053.016.084.016.077 0 .141-.03.191-.09l.051.04c-.028.036-.062.064-.103.085C.43.004.384.014.332.014.291.014.254.007.219-.008.184-.022.155-.042.13-.067.105-.092.086-.121.072-.156.058-.19.051-.227.051-.266Z"
-            style="fill: #8d8d8d; fill-rule: nonzero"
-            transform="translate(741.20289921 521.8022953) scale(235.3092)"
-          />
-          <path
-            d="M.051-.267c0-.038.007-.074.021-.108.014-.033.033-.063.058-.088.025-.025.054-.045.087-.06.033-.015.069-.022.108-.022.043 0 .083.009.119.027.035.019.066.047.093.084v-.097h.067V0H.537v-.091C.508-.056.475-.029.44-.013.404.005.365.013.323.013.284.013.248.006.215-.01.182-.024.153-.045.129-.071.104-.096.085-.126.072-.16.058-.193.051-.229.051-.267Zm.279.218c.027 0 .054-.005.079-.015.025-.01.048-.024.068-.043.019-.018.035-.04.047-.067.012-.027.018-.056.018-.089 0-.031-.005-.059-.016-.086C.515-.375.501-.398.482-.417.462-.436.44-.452.415-.463.389-.474.361-.479.331-.479c-.031 0-.059.006-.084.017C.221-.45.199-.434.18-.415c-.019.02-.033.043-.043.068-.011.026-.016.053-.016.082 0 .029.005.056.016.082.011.026.025.049.044.069.019.02.041.036.066.047.025.012.053.018.083.018Z"
-            style="fill: #8d8d8d; fill-rule: nonzero"
-            transform="translate(884.27089281 521.8022953) scale(235.3092)"
-          />
-          <path
-            d="M.066-.736h.068V0H.066z"
-            style="fill: #8d8d8d; fill-rule: nonzero"
-            transform="translate(1045.22238561 521.8022953) scale(235.3092)"
-          />
-          <path
-            d="M.051-.264c0-.036.007-.071.02-.105.013-.034.031-.064.055-.09.023-.026.052-.047.086-.063.033-.015.071-.023.112-.023.039 0 .076.007.109.021.033.014.062.033.087.058.025.025.044.054.058.088.014.035.021.072.021.113v.005H.121c.001.031.007.059.018.084.01.025.024.047.042.065.018.019.04.033.065.043.025.01.052.015.082.015.026 0 .049-.003.069-.01.02-.007.038-.016.054-.028C.466-.102.48-.115.492-.13c.011-.015.022-.03.032-.046l.057.03C.556-.097.522-.058.48-.03.437-.001.387.013.328.013.284.013.245.006.21-.01.175-.024.146-.045.123-.07.1-.095.082-.125.07-.159.057-.192.051-.227.051-.264ZM.128-.32h.396C.51-.375.485-.416.449-.441.412-.466.371-.479.325-.479c-.048 0-.089.013-.123.039-.034.026-.059.066-.074.12Z"
-            style="fill: #8d8d8d; fill-rule: nonzero"
-            transform="translate(1092.28422561 521.8022953) scale(235.3092)"
-          />
-          <circle
-            cx="141.023"
-            cy="338.36"
-            r="117.472"
-            style="fill: #f8b5cb"
-            transform="matrix(.581302 0 0 .58613 40.06479894 12.59842153)"
-          />
-          <circle
-            cx="352.014"
-            cy="268.302"
-            r="33.095"
-            style="fill: #a2a2a2"
-            transform="matrix(.59308 0 0 .58289 32.39345942 21.2386)"
-          />
-          <circle
-            cx="352.014"
-            cy="268.302"
-            r="33.095"
-            style="fill: #a2a2a2"
-            transform="matrix(.59308 0 0 .58289 32.39345942 88.80371146)"
-          />
-          <circle
-            cx="352.014"
-            cy="268.302"
-            r="33.095"
-            style="fill: #a2a2a2"
-            transform="matrix(.59308 0 0 .58289 120.7528627 88.80371146)"
-          />
-          <circle
-            cx="352.014"
-            cy="268.302"
-            r="33.095"
-            style="fill: #a2a2a2"
-            transform="matrix(.59308 0 0 .58289 120.99825939 21.2386)"
-          />
-          <circle
-            cx="805.557"
-            cy="336.915"
-            r="118.199"
-            style="fill: #8d8d8d"
-            transform="matrix(.5782 0 0 .58289 36.19871106 15.26642564)"
-          />
-          <circle
-            cx="805.557"
-            cy="336.915"
-            r="118.199"
-            style="fill: #8d8d8d"
-            transform="matrix(.5782 0 0 .58289 183.24041937 15.26642564)"
-          />
-          <path
-            d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z"
-            style="fill: #303030"
-            transform="translate(34.2345 21.2386) scale(.58289)"
-          />
-          <path
-            d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z"
-            style="fill: #303030"
-            transform="matrix(-.58289 0 0 .58289 1116.7719791 21.2386)"
-          />
-        </svg>
-        <div class="message is-success">
-          <svg
-            id="checkbox"
-            aria-hidden="true"
-            xmlns="http://www.w3.org/2000/svg"
-            width="20"
-            height="20"
-            viewBox="0 0 512 512"
-          >
-            <path
-              d="M256 32C132.3 32 32 132.3 32 256s100.3 224 224 224 224-100.3 224-224S379.7 32 256 32zm114.9 149.1L231.8 359.6c-1.1 1.1-2.9 3.5-5.1 3.5-2.3 0-3.8-1.6-5.1-2.9-1.3-1.3-78.9-75.9-78.9-75.9l-1.5-1.5c-.6-.9-1.1-2-1.1-3.2 0-1.2.5-2.3 1.1-3.2.4-.4.7-.7 1.1-1.2 7.7-8.1 23.3-24.5 24.3-25.5 1.3-1.3 2.4-3 4.8-3 2.5 0 4.1 2.1 5.3 3.3 1.2 1.2 45 43.3 45 43.3l111.3-143c1-.8 2.2-1.4 3.5-1.4 1.3 0 2.5.5 3.5 1.3l30.6 24.1c.8 1 1.3 2.2 1.3 3.5.1 1.3-.4 2.4-1 3.3z"
-            ></path>
-          </svg>
-          <div class="message-content">
-            <div class="message-title">Signed in via your OIDC provider</div>
-            <p class="message-body">
-              {{.Verb}} as {{.User}}, you can now close this window.
-            </p>
-          </div>
-        </div>
-        <hr />
-        <h1>Not sure how to get started?</h1>
-        <p class="learn">
-          Check out beginner and advanced guides on, or read more in the
-          documentation.
-        </p>
-        <a
-          href="https://github.com/juanfont/headscale/tree/main/docs"
-          rel="noreferrer noopener"
-          target="_blank"
-        >
-          <span class="icon">
-            <svg
-              width="16"
-              height="16"
-              viewBox="0 0 16 16"
-              xmlns="http://www.w3.org/2000/svg"
-            >
-              <path
-                d="M13.307 1H11.5a.5.5 0 1 1 0-1h3a.499.499 0 0 1 .5.65V3.5a.5.5 0 1 1-1 0V1.72l-1.793 1.774a.5.5 0 0 1-.713-.701L13.307 1zM12 14V8a.5.5 0 1 1 1 0v6.5a.5.5 0 0 1-.5.5H.563a.5.5 0 0 1-.5-.5v-13a.5.5 0 0 1 .5-.5H8a.5.5 0 0 1 0 1H1v12h11zM4 6a.5.5 0 0 1 0-1h3a.5.5 0 0 1 0 1H4zm0 2.5a.5.5 0 0 1 0-1h5a.5.5 0 0 1 0 1H4zM4 11a.5.5 0 1 1 0-1h5a.5.5 0 1 1 0 1H4z"
-              />
-            </svg>
-          </span>
-          View the headscale documentation
-        </a>
-        <a
-          href="https://tailscale.com/kb/"
-          rel="noreferrer noopener"
-          target="_blank"
-        >
-          <span class="icon">
-            <svg
-              width="16"
-              height="16"
-              viewBox="0 0 16 16"
-              xmlns="http://www.w3.org/2000/svg"
-            >
-              <path
-                d="M13.307 1H11.5a.5.5 0 1 1 0-1h3a.499.499 0 0 1 .5.65V3.5a.5.5 0 1 1-1 0V1.72l-1.793 1.774a.5.5 0 0 1-.713-.701L13.307 1zM12 14V8a.5.5 0 1 1 1 0v6.5a.5.5 0 0 1-.5.5H.563a.5.5 0 0 1-.5-.5v-13a.5.5 0 0 1 .5-.5H8a.5.5 0 0 1 0 1H1v12h11zM4 6a.5.5 0 0 1 0-1h3a.5.5 0 0 1 0 1H4zm0 2.5a.5.5 0 0 1 0-1h5a.5.5 0 0 1 0 1H4zM4 11a.5.5 0 1 1 0-1h5a.5.5 0 1 1 0 1H4z"
-              />
-            </svg>
-          </span>
-          View the tailscale documentation
-        </a>
-      </div>
-    </div>
-  </body>
-</html>
--- a/hscontrol/assets/style.css
+++ b/hscontrol/assets/style.css
@@ -0,0 +1,143 @@
+/* CSS Variables from Material for MkDocs */
+:root {
+  --md-default-fg-color: rgba(0, 0, 0, 0.87);
+  --md-default-fg-color--light: rgba(0, 0, 0, 0.54);
+  --md-default-fg-color--lighter: rgba(0, 0, 0, 0.32);
+  --md-default-fg-color--lightest: rgba(0, 0, 0, 0.07);
+  --md-code-fg-color: #36464e;
+  --md-code-bg-color: #f5f5f5;
+  --md-primary-fg-color: #4051b5;
+  --md-accent-fg-color: #526cfe;
+  --md-typeset-a-color: var(--md-primary-fg-color);
+  --md-text-font: "Roboto", -apple-system, BlinkMacSystemFont, "Segoe UI", "Helvetica Neue", Arial, sans-serif;
+  --md-code-font: "Roboto Mono", "SF Mono", Monaco, "Cascadia Code", Consolas, "Courier New", monospace;
+}
+
+/* Base Typography */
+.md-typeset {
+  font-size: 0.8rem;
+  line-height: 1.6;
+  color: var(--md-default-fg-color);
+  font-family: var(--md-text-font);
+  overflow-wrap: break-word;
+  text-align: left;
+}
+
+/* Headings */
+.md-typeset h1 {
+  color: var(--md-default-fg-color--light);
+  font-size: 2em;
+  line-height: 1.3;
+  margin: 0 0 1.25em;
+  font-weight: 300;
+  letter-spacing: -0.01em;
+}
+
+.md-typeset h1:not(:first-child) {
+  margin-top: 2em;
+}
+
+.md-typeset h2 {
+  font-size: 1.5625em;
+  line-height: 1.4;
+  margin: 2.4em 0 0.64em;
+  font-weight: 300;
+  letter-spacing: -0.01em;
+  color: var(--md-default-fg-color--light);
+}
+
+.md-typeset h3 {
+  font-size: 1.25em;
+  line-height: 1.5;
+  margin: 2em 0 0.8em;
+  font-weight: 400;
+  letter-spacing: -0.01em;
+  color: var(--md-default-fg-color--light);
+}
+
+/* Paragraphs and block elements */
+.md-typeset p {
+  margin: 1em 0;
+}
+
+.md-typeset blockquote,
+.md-typeset dl,
+.md-typeset figure,
+.md-typeset ol,
+.md-typeset pre,
+.md-typeset ul {
+  margin-bottom: 1em;
+  margin-top: 1em;
+}
+
+/* Lists */
+.md-typeset ol,
+.md-typeset ul {
+  padding-left: 2em;
+}
+
+/* Links */
+.md-typeset a {
+  color: var(--md-typeset-a-color);
+  text-decoration: none;
+  word-break: break-word;
+}
+
+.md-typeset a:hover,
+.md-typeset a:focus {
+  color: var(--md-accent-fg-color);
+}
+
+/* Code (inline) */
+.md-typeset code {
+  background-color: var(--md-code-bg-color);
+  color: var(--md-code-fg-color);
+  border-radius: 0.1rem;
+  font-size: 0.85em;
+  font-family: var(--md-code-font);
+  padding: 0 0.2941176471em;
+  word-break: break-word;
+}
+
+/* Code blocks (pre) */
+.md-typeset pre {
+  display: block;
+  line-height: 1.4;
+  margin: 1em 0;
+  overflow-x: auto;
+}
+
+.md-typeset pre > code {
+  background-color: var(--md-code-bg-color);
+  color: var(--md-code-fg-color);
+  display: block;
+  padding: 0.7720588235em 1.1764705882em;
+  font-family: var(--md-code-font);
+  font-size: 0.85em;
+  line-height: 1.4;
+  overflow-wrap: break-word;
+  word-wrap: break-word;
+  white-space: pre-wrap;
+}
+
+/* Links in code */
+.md-typeset a code {
+  color: currentcolor;
+}
+
+/* Logo */
+.headscale-logo {
+  display: block;
+  width: 400px;
+  max-width: 100%;
+  height: auto;
+  margin: 0 0 3rem 0;
+  padding: 0;
+}
+
+@media (max-width: 768px) {
+  .headscale-logo {
+    width: 200px;
+    margin-left: 0;
+  }
+}
--- a/hscontrol/auth.go
+++ b/hscontrol/auth.go
@@ -1,6 +1,7 @@
 package hscontrol

 import (
+	"cmp"
 	"context"
 	"errors"
 	"fmt"
@@ -10,7 +11,7 @@ import (
 	"time"

 	"github.com/juanfont/headscale/hscontrol/types"
-	"github.com/juanfont/headscale/hscontrol/types/change"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
@@ -25,26 +26,91 @@ type AuthProvider interface {

 func (h *Headscale) handleRegister(
 	ctx context.Context,
-	regReq tailcfg.RegisterRequest,
+	req tailcfg.RegisterRequest,
 	machineKey key.MachinePublic,
 ) (*tailcfg.RegisterResponse, error) {
-	node, ok := h.state.GetNodeByNodeKey(regReq.NodeKey)
+	// Check for logout/expiry FIRST, before checking auth key.
+	// Tailscale clients may send logout requests with BOTH a past expiry AND an auth key.
+	// A past expiry takes precedence - it's a logout regardless of other fields.
+	if !req.Expiry.IsZero() && req.Expiry.Before(time.Now()) {
+		log.Debug().
+			Str("node.key", req.NodeKey.ShortString()).
+			Time("expiry", req.Expiry).
+			Bool("has_auth", req.Auth != nil).
+			Msg("Detected logout attempt with past expiry")

-	if ok {
-		resp, err := h.handleExistingNode(node.AsStruct(), regReq, machineKey)
-		if err != nil {
-			return nil, fmt.Errorf("handling existing node: %w", err)
+		// This is a logout attempt (expiry in the past)
+		if node, ok := h.state.GetNodeByNodeKey(req.NodeKey); ok {
+			log.Debug().
+				Uint64("node.id", node.ID().Uint64()).
+				Str("node.name", node.Hostname()).
+				Bool("is_ephemeral", node.IsEphemeral()).
+				Bool("has_authkey", node.AuthKey().Valid()).
+				Msg("Found existing node for logout, calling handleLogout")
+
+			resp, err := h.handleLogout(node, req, machineKey)
+			if err != nil {
+				return nil, fmt.Errorf("handling logout: %w", err)
+			}
+			if resp != nil {
+				return resp, nil
+			}
+		} else {
+			log.Warn().
+				Str("node.key", req.NodeKey.ShortString()).
+				Msg("Logout attempt but node not found in NodeStore")
 		}
-
-		return resp, nil
 	}

-	if regReq.Followup != "" {
-		return h.waitForFollowup(ctx, regReq)
+	// If the register request does not contain a Auth struct, it means we are logging
+	// out an existing node (legacy logout path for clients that send Auth=nil).
+	if req.Auth == nil {
+		// If the register request present a NodeKey that is currently in use, we will
+		// check if the node needs to be sent to re-auth, or if the node is logging out.
+		// We do not look up nodes by [key.MachinePublic] as it might belong to multiple
+		// nodes, separated by users and this path is handling expiring/logout paths.
+		if node, ok := h.state.GetNodeByNodeKey(req.NodeKey); ok {
+			// When tailscaled restarts, it sends RegisterRequest with Auth=nil and Expiry=zero.
+			// Return the current node state without modification.
+			// See: https://github.com/juanfont/headscale/issues/2862
+			if req.Expiry.IsZero() && node.Expiry().Valid() && !node.IsExpired() {
+				return nodeToRegisterResponse(node), nil
+			}
+
+			resp, err := h.handleLogout(node, req, machineKey)
+			if err != nil {
+				return nil, fmt.Errorf("handling existing node: %w", err)
+			}
+
+			// If resp is not nil, we have a response to return to the node.
+			// If resp is nil, we should proceed and see if the node is trying to re-auth.
+			if resp != nil {
+				return resp, nil
+			}
+		} else {
+			// If the register request is not attempting to register a node, and
+			// we cannot match it with an existing node, we consider that unexpected
+			// as only register nodes should attempt to log out.
+			log.Debug().
+				Str("node.key", req.NodeKey.ShortString()).
+				Str("machine.key", machineKey.ShortString()).
+				Bool("unexpected", true).
+				Msg("received register request with no auth, and no existing node")
+		}
 	}

-	if regReq.Auth != nil && regReq.Auth.AuthKey != "" {
-		resp, err := h.handleRegisterWithAuthKey(regReq, machineKey)
+	// If the [tailcfg.RegisterRequest] has a Followup URL, it means that the
+	// node has already started the registration process and we should wait for
+	// it to finish the original registration.
+	if req.Followup != "" {
+		return h.waitForFollowup(ctx, req, machineKey)
+	}
+
+	// Pre authenticated keys are handled slightly different than interactive
+	// logins as they can be done fully sync and we can respond to the node with
+	// the result as it is waiting.
+	if isAuthKey(req) {
+		resp, err := h.handleRegisterWithAuthKey(req, machineKey)
 		if err != nil {
 			// Preserve HTTPError types so they can be handled properly by the HTTP layer
 			var httpErr HTTPError
@@ -58,7 +124,7 @@ func (h *Headscale) handleRegister(
 		return resp, nil
 	}

-	resp, err := h.handleRegisterInteractive(regReq, machineKey)
+	resp, err := h.handleRegisterInteractive(req, machineKey)
 	if err != nil {
 		return nil, fmt.Errorf("handling register interactive: %w", err)
 	}
@@ -66,20 +132,34 @@ func (h *Headscale) handleRegister(
 	return resp, nil
 }

-func (h *Headscale) handleExistingNode(
-	node *types.Node,
-	regReq tailcfg.RegisterRequest,
+// handleLogout checks if the [tailcfg.RegisterRequest] is a
+// logout attempt from a node. If the node is not attempting to
+func (h *Headscale) handleLogout(
+	node types.NodeView,
+	req tailcfg.RegisterRequest,
 	machineKey key.MachinePublic,
 ) (*tailcfg.RegisterResponse, error) {
-	if node.MachineKey != machineKey {
+	// Fail closed if it looks like this is an attempt to modify a node where
+	// the node key and the machine key the noise session was started with does
+	// not align.
+	if node.MachineKey() != machineKey {
 		return nil, NewHTTPError(http.StatusUnauthorized, "node exist with different machine key", nil)
 	}

-	expired := node.IsExpired()
+	// Note: We do NOT return early if req.Auth is set, because Tailscale clients
+	// may send logout requests with BOTH a past expiry AND an auth key.
+	// A past expiry indicates logout, regardless of whether Auth is present.
+	// The expiry check below will handle the logout logic.

 	// If the node is expired and this is not a re-authentication attempt,
-	// force the client to re-authenticate
-	if expired && regReq.Auth == nil {
+	// force the client to re-authenticate.
+	// TODO(kradalby): I wonder if this is a path we ever hit?
+	if node.IsExpired() {
+		log.Trace().Str("node.name", node.Hostname()).
+			Uint64("node.id", node.ID().Uint64()).
+			Interface("reg.req", req).
+			Bool("unexpected", true).
+			Msg("Node key expired, forcing re-authentication")
 		return &tailcfg.RegisterResponse{
 			NodeKeyExpired:    true,
 			MachineAuthorized: false,
@@ -87,49 +167,73 @@ func (h *Headscale) handleExistingNode(
 		}, nil
 	}

-	if !expired && !regReq.Expiry.IsZero() {
-		requestExpiry := regReq.Expiry
+	// If we get here, the node is not currently expired, and not trying to
+	// do an auth.
+	// The node is likely logging out, but before we run that logic, we will validate
+	// that the node is not attempting to tamper/extend their expiry.
+	// If it is not, we will expire the node or in the case of an ephemeral node, delete it.

-		// The client is trying to extend their key, this is not allowed.
-		if requestExpiry.After(time.Now()) {
-			return nil, NewHTTPError(http.StatusBadRequest, "extending key is not allowed", nil)
-		}
-
-		// If the request expiry is in the past, we consider it a logout.
-		if requestExpiry.Before(time.Now()) {
-			if node.IsEphemeral() {
-				c, err := h.state.DeleteNode(node.View())
-				if err != nil {
-					return nil, fmt.Errorf("deleting ephemeral node: %w", err)
-				}
-
-				h.Change(c)
-
-				return nil, nil
-			}
-		}
-
-		updatedNode, c, err := h.state.SetNodeExpiry(node.ID, requestExpiry)
-		if err != nil {
-			return nil, fmt.Errorf("setting node expiry: %w", err)
-		}
-
-		h.Change(c)
-
-		// CRITICAL: Use the updated node view for the response
-		// The original node object has stale expiry information
-		node = updatedNode.AsStruct()
+	// The client is trying to extend their key, this is not allowed.
+	if req.Expiry.After(time.Now()) {
+		return nil, NewHTTPError(http.StatusBadRequest, "extending key is not allowed", nil)
 	}

-	return nodeToRegisterResponse(node), nil
+	// If the request expiry is in the past, we consider it a logout.
+	// Zero expiry is handled in handleRegister() before calling this function.
+	if req.Expiry.Before(time.Now()) {
+		log.Debug().
+			Uint64("node.id", node.ID().Uint64()).
+			Str("node.name", node.Hostname()).
+			Bool("is_ephemeral", node.IsEphemeral()).
+			Bool("has_authkey", node.AuthKey().Valid()).
+			Time("req.expiry", req.Expiry).
+			Msg("Processing logout request with past expiry")
+
+		if node.IsEphemeral() {
+			log.Info().
+				Uint64("node.id", node.ID().Uint64()).
+				Str("node.name", node.Hostname()).
+				Msg("Deleting ephemeral node during logout")
+
+			c, err := h.state.DeleteNode(node)
+			if err != nil {
+				return nil, fmt.Errorf("deleting ephemeral node: %w", err)
+			}
+
+			h.Change(c)
+
+			return &tailcfg.RegisterResponse{
+				NodeKeyExpired:    true,
+				MachineAuthorized: false,
+			}, nil
+		}
+
+		log.Debug().
+			Uint64("node.id", node.ID().Uint64()).
+			Str("node.name", node.Hostname()).
+			Msg("Node is not ephemeral, setting expiry instead of deleting")
+	}
+
+	// Update the internal state with the nodes new expiry, meaning it is
+	// logged out.
+	updatedNode, c, err := h.state.SetNodeExpiry(node.ID(), req.Expiry)
+	if err != nil {
+		return nil, fmt.Errorf("setting node expiry: %w", err)
+	}
+
+	h.Change(c)
+
+	return nodeToRegisterResponse(updatedNode), nil
 }

-func nodeToRegisterResponse(node *types.Node) *tailcfg.RegisterResponse {
-	return &tailcfg.RegisterResponse{
-		// TODO(kradalby): Only send for user-owned nodes
-		// and not tagged nodes when tags is working.
-		User:           *node.User.TailscaleUser(),
-		Login:          *node.User.TailscaleLogin(),
+// isAuthKey reports if the register request is a registration request
+// using an pre auth key.
+func isAuthKey(req tailcfg.RegisterRequest) bool {
+	return req.Auth != nil && req.Auth.AuthKey != ""
+}
+
+func nodeToRegisterResponse(node types.NodeView) *tailcfg.RegisterResponse {
+	resp := &tailcfg.RegisterResponse{
 		NodeKeyExpired: node.IsExpired(),

 		// Headscale does not implement the concept of machine authorization
@@ -137,13 +241,26 @@ func nodeToRegisterResponse(node *types.Node) *tailcfg.RegisterResponse {
 		// Revisit this if #2176 gets implemented.
 		MachineAuthorized: true,
 	}
+
+	// For tagged nodes, use the TaggedDevices special user
+	// For user-owned nodes, include User and Login information from the actual user
+	if node.IsTagged() {
+		resp.User = types.TaggedDevices.View().TailscaleUser()
+		resp.Login = types.TaggedDevices.View().TailscaleLogin()
+	} else if node.UserView().Valid() {
+		resp.User = node.UserView().TailscaleUser()
+		resp.Login = node.UserView().TailscaleLogin()
+	}
+
+	return resp
 }

 func (h *Headscale) waitForFollowup(
 	ctx context.Context,
-	regReq tailcfg.RegisterRequest,
+	req tailcfg.RegisterRequest,
+	machineKey key.MachinePublic,
 ) (*tailcfg.RegisterResponse, error) {
-	fu, err := url.Parse(regReq.Followup)
+	fu, err := url.Parse(req.Followup)
 	if err != nil {
 		return nil, NewHTTPError(http.StatusUnauthorized, "invalid followup URL", err)
 	}
@@ -159,21 +276,68 @@ func (h *Headscale) waitForFollowup(
 			return nil, NewHTTPError(http.StatusUnauthorized, "registration timed out", err)
 		case node := <-reg.Registered:
 			if node == nil {
-				return nil, NewHTTPError(http.StatusUnauthorized, "node not found", nil)
+				// registration is expired in the cache, instruct the client to try a new registration
+				return h.reqToNewRegisterResponse(req, machineKey)
 			}
-			return nodeToRegisterResponse(node), nil
+			return nodeToRegisterResponse(node.View()), nil
 		}
 	}

-	return nil, NewHTTPError(http.StatusNotFound, "followup registration not found", nil)
+	// if the follow-up registration isn't found anymore, instruct the client to try a new registration
+	return h.reqToNewRegisterResponse(req, machineKey)
+}
+
+// reqToNewRegisterResponse refreshes the registration flow by creating a new
+// registration ID and returning the corresponding AuthURL so the client can
+// restart the authentication process.
+func (h *Headscale) reqToNewRegisterResponse(
+	req tailcfg.RegisterRequest,
+	machineKey key.MachinePublic,
+) (*tailcfg.RegisterResponse, error) {
+	newRegID, err := types.NewRegistrationID()
+	if err != nil {
+		return nil, NewHTTPError(http.StatusInternalServerError, "failed to generate registration ID", err)
+	}
+
+	// Ensure we have a valid hostname
+	hostname := util.EnsureHostname(
+		req.Hostinfo,
+		machineKey.String(),
+		req.NodeKey.String(),
+	)
+
+	// Ensure we have valid hostinfo
+	hostinfo := cmp.Or(req.Hostinfo, &tailcfg.Hostinfo{})
+	hostinfo.Hostname = hostname
+
+	nodeToRegister := types.NewRegisterNode(
+		types.Node{
+			Hostname:   hostname,
+			MachineKey: machineKey,
+			NodeKey:    req.NodeKey,
+			Hostinfo:   hostinfo,
+			LastSeen:   ptr.To(time.Now()),
+		},
+	)
+
+	if !req.Expiry.IsZero() {
+		nodeToRegister.Node.Expiry = &req.Expiry
+	}
+
+	log.Info().Msgf("New followup node registration using key: %s", newRegID)
+	h.state.SetRegistrationCacheEntry(newRegID, nodeToRegister)
+
+	return &tailcfg.RegisterResponse{
+		AuthURL: h.authProvider.AuthURL(newRegID),
+	}, nil
 }

 func (h *Headscale) handleRegisterWithAuthKey(
-	regReq tailcfg.RegisterRequest,
+	req tailcfg.RegisterRequest,
 	machineKey key.MachinePublic,
 ) (*tailcfg.RegisterResponse, error) {
 	node, changed, err := h.state.HandleNodeFromPreAuthKey(
-		regReq,
+		req,
 		machineKey,
 	)
 	if err != nil {
@@ -207,16 +371,13 @@ func (h *Headscale) handleRegisterWithAuthKey(
 	// eventbus.
 	// TODO(kradalby): This needs to be ran as part of the batcher maybe?
 	// now since we dont update the node/pol here anymore
-	routeChange := h.state.AutoApproveRoutes(node)
-
-	if _, _, err := h.state.SaveNode(node); err != nil {
-		return nil, fmt.Errorf("saving auto approved routes to node: %w", err)
+	routesChange, err := h.state.AutoApproveRoutes(node)
+	if err != nil {
+		return nil, fmt.Errorf("auto approving routes: %w", err)
 	}

-	if routeChange && changed.Empty() {
-		changed = change.NodeAdded(node.ID())
-	}
-	h.Change(changed)
+	// Send both changes. Empty changes are ignored by Change().
+	h.Change(changed, routesChange)

 	// TODO(kradalby): I think this is covered above, but we need to validate that.
 	// // If policy changed due to node registration, send a separate policy change
@@ -225,18 +386,26 @@ func (h *Headscale) handleRegisterWithAuthKey(
 	// 	h.Change(policyChange)
 	// }

-	user := node.User()
-
-	return &tailcfg.RegisterResponse{
+	resp := &tailcfg.RegisterResponse{
 		MachineAuthorized: true,
 		NodeKeyExpired:    node.IsExpired(),
-		User:              *user.TailscaleUser(),
-		Login:             *user.TailscaleLogin(),
-	}, nil
+		User:              node.UserView().TailscaleUser(),
+		Login:             node.UserView().TailscaleLogin(),
+	}
+
+	log.Trace().
+		Caller().
+		Interface("reg.resp", resp).
+		Interface("reg.req", req).
+		Str("node.name", node.Hostname()).
+		Uint64("node.id", node.ID().Uint64()).
+		Msg("RegisterResponse")
+
+	return resp, nil
 }

 func (h *Headscale) handleRegisterInteractive(
-	regReq tailcfg.RegisterRequest,
+	req tailcfg.RegisterRequest,
 	machineKey key.MachinePublic,
 ) (*tailcfg.RegisterResponse, error) {
 	registrationId, err := types.NewRegistrationID()
@@ -244,19 +413,42 @@ func (h *Headscale) handleRegisterInteractive(
 		return nil, fmt.Errorf("generating registration ID: %w", err)
 	}

-	nodeToRegister := types.RegisterNode{
-		Node: types.Node{
-			Hostname:   regReq.Hostinfo.Hostname,
+	// Ensure we have a valid hostname
+	hostname := util.EnsureHostname(
+		req.Hostinfo,
+		machineKey.String(),
+		req.NodeKey.String(),
+	)
+
+	// Ensure we have valid hostinfo
+	hostinfo := cmp.Or(req.Hostinfo, &tailcfg.Hostinfo{})
+	if req.Hostinfo == nil {
+		log.Warn().
+			Str("machine.key", machineKey.ShortString()).
+			Str("node.key", req.NodeKey.ShortString()).
+			Str("generated.hostname", hostname).
+			Msg("Received registration request with nil hostinfo, generated default hostname")
+	} else if req.Hostinfo.Hostname == "" {
+		log.Warn().
+			Str("machine.key", machineKey.ShortString()).
+			Str("node.key", req.NodeKey.ShortString()).
+			Str("generated.hostname", hostname).
+			Msg("Received registration request with empty hostname, generated default")
+	}
+	hostinfo.Hostname = hostname
+
+	nodeToRegister := types.NewRegisterNode(
+		types.Node{
+			Hostname:   hostname,
 			MachineKey: machineKey,
-			NodeKey:    regReq.NodeKey,
-			Hostinfo:   regReq.Hostinfo,
+			NodeKey:    req.NodeKey,
+			Hostinfo:   hostinfo,
 			LastSeen:   ptr.To(time.Now()),
 		},
-		Registered: make(chan *types.Node),
-	}
+	)

-	if !regReq.Expiry.IsZero() {
-		nodeToRegister.Node.Expiry = &regReq.Expiry
+	if !req.Expiry.IsZero() {
+		nodeToRegister.Node.Expiry = &req.Expiry
 	}

 	h.state.SetRegistrationCacheEntry(
--- a/hscontrol/auth_tags_test.go
+++ b/hscontrol/auth_tags_test.go
@@ -0,0 +1,535 @@
+package hscontrol
+
+import (
+	"testing"
+	"time"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+)
+
+// TestTaggedPreAuthKeyCreatesTaggedNode tests that a PreAuthKey with tags creates
+// a tagged node with:
+// - Tags from the PreAuthKey
+// - UserID tracking who created the key (informational "created by")
+// - IsTagged() returns true.
+func TestTaggedPreAuthKeyCreatesTaggedNode(t *testing.T) {
+	app := createTestApp(t)
+
+	user := app.state.CreateUserForTest("tag-creator")
+	tags := []string{"tag:server", "tag:prod"}
+
+	// Create a tagged PreAuthKey
+	pak, err := app.state.CreatePreAuthKey(user.TypedID(), true, false, nil, tags)
+	require.NoError(t, err)
+	require.NotEmpty(t, pak.Tags, "PreAuthKey should have tags")
+	require.ElementsMatch(t, tags, pak.Tags, "PreAuthKey should have specified tags")
+
+	// Register a node using the tagged key
+	machineKey := key.NewMachine()
+	nodeKey := key.NewNode()
+
+	regReq := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak.Key,
+		},
+		NodeKey: nodeKey.Public(),
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "tagged-node",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	resp, err := app.handleRegisterWithAuthKey(regReq, machineKey.Public())
+	require.NoError(t, err)
+	require.True(t, resp.MachineAuthorized)
+
+	// Verify the node was created with tags
+	node, found := app.state.GetNodeByNodeKey(nodeKey.Public())
+	require.True(t, found)
+
+	// Critical assertions for tags-as-identity model
+	assert.True(t, node.IsTagged(), "Node should be tagged")
+	assert.ElementsMatch(t, tags, node.Tags().AsSlice(), "Node should have tags from PreAuthKey")
+	assert.True(t, node.UserID().Valid(), "Node should have UserID tracking creator")
+	assert.Equal(t, user.ID, node.UserID().Get(), "UserID should track PreAuthKey creator")
+
+	// Verify node is identified correctly
+	assert.True(t, node.IsTagged(), "Tagged node is not user-owned")
+	assert.True(t, node.HasTag("tag:server"), "Node should have tag:server")
+	assert.True(t, node.HasTag("tag:prod"), "Node should have tag:prod")
+	assert.False(t, node.HasTag("tag:other"), "Node should not have tag:other")
+}
+
+// TestReAuthDoesNotReapplyTags tests that when a node re-authenticates using the
+// same PreAuthKey, the tags are NOT re-applied. Tags are only set during initial
+// authentication. This is critical for the container restart scenario (#2830).
+//
+// NOTE: This test verifies that re-authentication preserves the node's current tags
+// without testing tag modification via SetNodeTags (which requires ACL policy setup).
+func TestReAuthDoesNotReapplyTags(t *testing.T) {
+	app := createTestApp(t)
+
+	user := app.state.CreateUserForTest("tag-creator")
+	initialTags := []string{"tag:server", "tag:dev"}
+
+	// Create a tagged PreAuthKey with reusable=true for re-auth
+	pak, err := app.state.CreatePreAuthKey(user.TypedID(), true, false, nil, initialTags)
+	require.NoError(t, err)
+
+	// Initial registration
+	machineKey := key.NewMachine()
+	nodeKey := key.NewNode()
+
+	regReq := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak.Key,
+		},
+		NodeKey: nodeKey.Public(),
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "reauth-test-node",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	resp, err := app.handleRegisterWithAuthKey(regReq, machineKey.Public())
+	require.NoError(t, err)
+	require.True(t, resp.MachineAuthorized)
+
+	// Verify initial tags
+	node, found := app.state.GetNodeByNodeKey(nodeKey.Public())
+	require.True(t, found)
+	require.True(t, node.IsTagged())
+	require.ElementsMatch(t, initialTags, node.Tags().AsSlice())
+
+	// Re-authenticate with the SAME PreAuthKey (container restart scenario)
+	// Key behavior: Tags should NOT be re-applied during re-auth
+	reAuthReq := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak.Key, // Same key
+		},
+		NodeKey: nodeKey.Public(), // Same node key
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "reauth-test-node",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	reAuthResp, err := app.handleRegisterWithAuthKey(reAuthReq, machineKey.Public())
+	require.NoError(t, err)
+	require.True(t, reAuthResp.MachineAuthorized)
+
+	// CRITICAL: Tags should remain unchanged after re-auth
+	// They should match the original tags, proving they weren't re-applied
+	nodeAfterReauth, found := app.state.GetNodeByNodeKey(nodeKey.Public())
+	require.True(t, found)
+	assert.True(t, nodeAfterReauth.IsTagged(), "Node should still be tagged")
+	assert.ElementsMatch(t, initialTags, nodeAfterReauth.Tags().AsSlice(), "Tags should remain unchanged on re-auth")
+
+	// Verify only one node was created (no duplicates)
+	nodes := app.state.ListNodesByUser(types.UserID(user.ID))
+	assert.Equal(t, 1, nodes.Len(), "Should have exactly one node")
+}
+
+// NOTE: TestSetTagsOnUserOwnedNode functionality is covered by gRPC tests in grpcv1_test.go
+// which properly handle ACL policy setup. The test verifies that SetTags can convert
+// user-owned nodes to tagged nodes while preserving UserID.
+
+// TestCannotRemoveAllTags tests that attempting to remove all tags from a
+// tagged node fails with ErrCannotRemoveAllTags. Once a node is tagged,
+// it must always have at least one tag (Tailscale requirement).
+func TestCannotRemoveAllTags(t *testing.T) {
+	app := createTestApp(t)
+
+	user := app.state.CreateUserForTest("tag-creator")
+	tags := []string{"tag:server"}
+
+	// Create a tagged node
+	pak, err := app.state.CreatePreAuthKey(user.TypedID(), true, false, nil, tags)
+	require.NoError(t, err)
+
+	machineKey := key.NewMachine()
+	nodeKey := key.NewNode()
+
+	regReq := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak.Key,
+		},
+		NodeKey: nodeKey.Public(),
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "tagged-node",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	resp, err := app.handleRegisterWithAuthKey(regReq, machineKey.Public())
+	require.NoError(t, err)
+	require.True(t, resp.MachineAuthorized)
+
+	// Verify node is tagged
+	node, found := app.state.GetNodeByNodeKey(nodeKey.Public())
+	require.True(t, found)
+	require.True(t, node.IsTagged())
+
+	// Attempt to remove all tags by setting empty array
+	_, _, err = app.state.SetNodeTags(node.ID(), []string{})
+	require.Error(t, err, "Should not be able to remove all tags")
+	require.ErrorIs(t, err, types.ErrCannotRemoveAllTags, "Error should be ErrCannotRemoveAllTags")
+
+	// Verify node still has original tags
+	nodeAfter, found := app.state.GetNodeByNodeKey(nodeKey.Public())
+	require.True(t, found)
+	assert.True(t, nodeAfter.IsTagged(), "Node should still be tagged")
+	assert.ElementsMatch(t, tags, nodeAfter.Tags().AsSlice(), "Tags should be unchanged")
+}
+
+// TestUserOwnedNodeCreatedWithUntaggedPreAuthKey tests that using a PreAuthKey
+// without tags creates a user-owned node (no tags, UserID is the owner).
+func TestUserOwnedNodeCreatedWithUntaggedPreAuthKey(t *testing.T) {
+	app := createTestApp(t)
+
+	user := app.state.CreateUserForTest("node-owner")
+
+	// Create an untagged PreAuthKey
+	pak, err := app.state.CreatePreAuthKey(user.TypedID(), true, false, nil, nil)
+	require.NoError(t, err)
+	require.Empty(t, pak.Tags, "PreAuthKey should not be tagged")
+	require.Empty(t, pak.Tags, "PreAuthKey should have no tags")
+
+	// Register a node
+	machineKey := key.NewMachine()
+	nodeKey := key.NewNode()
+
+	regReq := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak.Key,
+		},
+		NodeKey: nodeKey.Public(),
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "user-owned-node",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	resp, err := app.handleRegisterWithAuthKey(regReq, machineKey.Public())
+	require.NoError(t, err)
+	require.True(t, resp.MachineAuthorized)
+
+	// Verify node is user-owned
+	node, found := app.state.GetNodeByNodeKey(nodeKey.Public())
+	require.True(t, found)
+
+	// Critical assertions for user-owned node
+	assert.False(t, node.IsTagged(), "Node should not be tagged")
+	assert.False(t, node.IsTagged(), "Node should be user-owned (not tagged)")
+	assert.Empty(t, node.Tags().AsSlice(), "Node should have no tags")
+	assert.True(t, node.UserID().Valid(), "Node should have UserID")
+	assert.Equal(t, user.ID, node.UserID().Get(), "UserID should be the PreAuthKey owner")
+}
+
+// TestMultipleNodesWithSameReusableTaggedPreAuthKey tests that a reusable
+// PreAuthKey with tags can be used to register multiple nodes, and all nodes
+// receive the same tags from the key.
+func TestMultipleNodesWithSameReusableTaggedPreAuthKey(t *testing.T) {
+	app := createTestApp(t)
+
+	user := app.state.CreateUserForTest("tag-creator")
+	tags := []string{"tag:server", "tag:prod"}
+
+	// Create a REUSABLE tagged PreAuthKey
+	pak, err := app.state.CreatePreAuthKey(user.TypedID(), true, false, nil, tags)
+	require.NoError(t, err)
+	require.ElementsMatch(t, tags, pak.Tags)
+
+	// Register first node
+	machineKey1 := key.NewMachine()
+	nodeKey1 := key.NewNode()
+
+	regReq1 := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak.Key,
+		},
+		NodeKey: nodeKey1.Public(),
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "tagged-node-1",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	resp1, err := app.handleRegisterWithAuthKey(regReq1, machineKey1.Public())
+	require.NoError(t, err)
+	require.True(t, resp1.MachineAuthorized)
+
+	// Register second node with SAME PreAuthKey
+	machineKey2 := key.NewMachine()
+	nodeKey2 := key.NewNode()
+
+	regReq2 := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak.Key, // Same key
+		},
+		NodeKey: nodeKey2.Public(),
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "tagged-node-2",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	resp2, err := app.handleRegisterWithAuthKey(regReq2, machineKey2.Public())
+	require.NoError(t, err)
+	require.True(t, resp2.MachineAuthorized)
+
+	// Verify both nodes exist and have the same tags
+	node1, found := app.state.GetNodeByNodeKey(nodeKey1.Public())
+	require.True(t, found)
+	node2, found := app.state.GetNodeByNodeKey(nodeKey2.Public())
+	require.True(t, found)
+
+	// Both nodes should be tagged with the same tags
+	assert.True(t, node1.IsTagged(), "First node should be tagged")
+	assert.True(t, node2.IsTagged(), "Second node should be tagged")
+	assert.ElementsMatch(t, tags, node1.Tags().AsSlice(), "First node should have PreAuthKey tags")
+	assert.ElementsMatch(t, tags, node2.Tags().AsSlice(), "Second node should have PreAuthKey tags")
+
+	// Both nodes should track the same creator
+	assert.Equal(t, user.ID, node1.UserID().Get(), "First node should track creator")
+	assert.Equal(t, user.ID, node2.UserID().Get(), "Second node should track creator")
+
+	// Verify we have exactly 2 nodes
+	nodes := app.state.ListNodesByUser(types.UserID(user.ID))
+	assert.Equal(t, 2, nodes.Len(), "Should have exactly two nodes")
+}
+
+// TestNonReusableTaggedPreAuthKey tests that a non-reusable PreAuthKey with tags
+// can only be used once. The second attempt should fail.
+func TestNonReusableTaggedPreAuthKey(t *testing.T) {
+	app := createTestApp(t)
+
+	user := app.state.CreateUserForTest("tag-creator")
+	tags := []string{"tag:server"}
+
+	// Create a NON-REUSABLE tagged PreAuthKey
+	pak, err := app.state.CreatePreAuthKey(user.TypedID(), false, false, nil, tags)
+	require.NoError(t, err)
+	require.ElementsMatch(t, tags, pak.Tags)
+
+	// Register first node - should succeed
+	machineKey1 := key.NewMachine()
+	nodeKey1 := key.NewNode()
+
+	regReq1 := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak.Key,
+		},
+		NodeKey: nodeKey1.Public(),
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "tagged-node-1",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	resp1, err := app.handleRegisterWithAuthKey(regReq1, machineKey1.Public())
+	require.NoError(t, err)
+	require.True(t, resp1.MachineAuthorized)
+
+	// Verify first node was created with tags
+	node1, found := app.state.GetNodeByNodeKey(nodeKey1.Public())
+	require.True(t, found)
+	assert.True(t, node1.IsTagged())
+	assert.ElementsMatch(t, tags, node1.Tags().AsSlice())
+
+	// Attempt to register second node with SAME non-reusable key - should fail
+	machineKey2 := key.NewMachine()
+	nodeKey2 := key.NewNode()
+
+	regReq2 := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak.Key, // Same non-reusable key
+		},
+		NodeKey: nodeKey2.Public(),
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "tagged-node-2",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	_, err = app.handleRegisterWithAuthKey(regReq2, machineKey2.Public())
+	require.Error(t, err, "Should not be able to reuse non-reusable PreAuthKey")
+
+	// Verify only one node was created
+	nodes := app.state.ListNodesByUser(types.UserID(user.ID))
+	assert.Equal(t, 1, nodes.Len(), "Should have exactly one node")
+}
+
+// TestExpiredTaggedPreAuthKey tests that an expired PreAuthKey with tags
+// cannot be used to register a node.
+func TestExpiredTaggedPreAuthKey(t *testing.T) {
+	app := createTestApp(t)
+
+	user := app.state.CreateUserForTest("tag-creator")
+	tags := []string{"tag:server"}
+
+	// Create a PreAuthKey that expires immediately
+	expiration := time.Now().Add(-1 * time.Hour) // Already expired
+	pak, err := app.state.CreatePreAuthKey(user.TypedID(), false, false, &expiration, tags)
+	require.NoError(t, err)
+	require.ElementsMatch(t, tags, pak.Tags)
+
+	// Attempt to register with expired key
+	machineKey := key.NewMachine()
+	nodeKey := key.NewNode()
+
+	regReq := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak.Key,
+		},
+		NodeKey: nodeKey.Public(),
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "tagged-node",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	_, err = app.handleRegisterWithAuthKey(regReq, machineKey.Public())
+	require.Error(t, err, "Should not be able to use expired PreAuthKey")
+
+	// Verify no node was created
+	_, found := app.state.GetNodeByNodeKey(nodeKey.Public())
+	assert.False(t, found, "No node should be created with expired key")
+}
+
+// TestSingleVsMultipleTags tests that PreAuthKeys work correctly with both
+// a single tag and multiple tags.
+func TestSingleVsMultipleTags(t *testing.T) {
+	app := createTestApp(t)
+
+	user := app.state.CreateUserForTest("tag-creator")
+
+	// Test with single tag
+	singleTag := []string{"tag:server"}
+	pak1, err := app.state.CreatePreAuthKey(user.TypedID(), true, false, nil, singleTag)
+	require.NoError(t, err)
+
+	machineKey1 := key.NewMachine()
+	nodeKey1 := key.NewNode()
+
+	regReq1 := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak1.Key,
+		},
+		NodeKey: nodeKey1.Public(),
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "single-tag-node",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	resp1, err := app.handleRegisterWithAuthKey(regReq1, machineKey1.Public())
+	require.NoError(t, err)
+	require.True(t, resp1.MachineAuthorized)
+
+	node1, found := app.state.GetNodeByNodeKey(nodeKey1.Public())
+	require.True(t, found)
+	assert.True(t, node1.IsTagged())
+	assert.ElementsMatch(t, singleTag, node1.Tags().AsSlice())
+
+	// Test with multiple tags
+	multipleTags := []string{"tag:server", "tag:prod", "tag:database"}
+	pak2, err := app.state.CreatePreAuthKey(user.TypedID(), true, false, nil, multipleTags)
+	require.NoError(t, err)
+
+	machineKey2 := key.NewMachine()
+	nodeKey2 := key.NewNode()
+
+	regReq2 := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak2.Key,
+		},
+		NodeKey: nodeKey2.Public(),
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "multi-tag-node",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	resp2, err := app.handleRegisterWithAuthKey(regReq2, machineKey2.Public())
+	require.NoError(t, err)
+	require.True(t, resp2.MachineAuthorized)
+
+	node2, found := app.state.GetNodeByNodeKey(nodeKey2.Public())
+	require.True(t, found)
+	assert.True(t, node2.IsTagged())
+	assert.ElementsMatch(t, multipleTags, node2.Tags().AsSlice())
+
+	// Verify HasTag works for all tags
+	assert.True(t, node2.HasTag("tag:server"))
+	assert.True(t, node2.HasTag("tag:prod"))
+	assert.True(t, node2.HasTag("tag:database"))
+	assert.False(t, node2.HasTag("tag:other"))
+}
+
+// TestReAuthWithDifferentMachineKey tests the edge case where a node attempts
+// to re-authenticate with the same NodeKey but a DIFFERENT MachineKey.
+// This scenario should be handled gracefully (currently creates a new node).
+func TestReAuthWithDifferentMachineKey(t *testing.T) {
+	app := createTestApp(t)
+
+	user := app.state.CreateUserForTest("tag-creator")
+	tags := []string{"tag:server"}
+
+	// Create a reusable tagged PreAuthKey
+	pak, err := app.state.CreatePreAuthKey(user.TypedID(), true, false, nil, tags)
+	require.NoError(t, err)
+
+	// Initial registration
+	machineKey1 := key.NewMachine()
+	nodeKey := key.NewNode() // Same NodeKey for both attempts
+
+	regReq1 := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak.Key,
+		},
+		NodeKey: nodeKey.Public(),
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "test-node",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	resp1, err := app.handleRegisterWithAuthKey(regReq1, machineKey1.Public())
+	require.NoError(t, err)
+	require.True(t, resp1.MachineAuthorized)
+
+	// Verify initial node
+	node1, found := app.state.GetNodeByNodeKey(nodeKey.Public())
+	require.True(t, found)
+	assert.True(t, node1.IsTagged())
+
+	// Re-authenticate with DIFFERENT MachineKey but SAME NodeKey
+	machineKey2 := key.NewMachine() // Different machine key
+
+	regReq2 := tailcfg.RegisterRequest{
+		Auth: &tailcfg.RegisterResponseAuth{
+			AuthKey: pak.Key,
+		},
+		NodeKey: nodeKey.Public(), // Same NodeKey
+		Hostinfo: &tailcfg.Hostinfo{
+			Hostname: "test-node",
+		},
+		Expiry: time.Now().Add(24 * time.Hour),
+	}
+
+	resp2, err := app.handleRegisterWithAuthKey(regReq2, machineKey2.Public())
+	require.NoError(t, err)
+	require.True(t, resp2.MachineAuthorized)
+
+	// Verify the node still exists and has tags
+	// Note: Depending on implementation, this might be the same node or a new node
+	node2, found := app.state.GetNodeByNodeKey(nodeKey.Public())
+	require.True(t, found)
+	assert.True(t, node2.IsTagged())
+	assert.ElementsMatch(t, tags, node2.Tags().AsSlice())
+}
--- a/hscontrol/auth_test.go
+++ b/hscontrol/auth_test.go
--- a/hscontrol/capver/capver.go
+++ b/hscontrol/capver/capver.go
@@ -12,7 +12,13 @@ import (
 	"tailscale.com/util/set"
 )

-const MinSupportedCapabilityVersion tailcfg.CapabilityVersion = 90
+const (
+	// minVersionParts is the minimum number of version parts needed for major.minor.
+	minVersionParts = 2
+
+	// legacyDERPCapVer is the capability version when LegacyDERP can be cleaned up.
+	legacyDERPCapVer = 111
+)

 // CanOldCodeBeCleanedUp is intended to be called on startup to see if
 // there are old code that can ble cleaned up, entries should contain
@@ -21,7 +27,7 @@ const MinSupportedCapabilityVersion tailcfg.CapabilityVersion = 90
 //
 // All uses of Capability version checks should be listed here.
 func CanOldCodeBeCleanedUp() {
-	if MinSupportedCapabilityVersion >= 111 {
+	if MinSupportedCapabilityVersion >= legacyDERPCapVer {
 		panic("LegacyDERP can be cleaned up in tail.go")
 	}
 }
@@ -29,12 +35,14 @@ func CanOldCodeBeCleanedUp() {
 func tailscaleVersSorted() []string {
 	vers := xmaps.Keys(tailscaleToCapVer)
 	sort.Strings(vers)
+
 	return vers
 }

 func capVersSorted() []tailcfg.CapabilityVersion {
 	capVers := xmaps.Keys(capVerToTailscaleVer)
 	slices.Sort(capVers)
+
 	return capVers
 }

@@ -44,11 +52,25 @@ func TailscaleVersion(ver tailcfg.CapabilityVersion) string {
 }

 // CapabilityVersion returns the CapabilityVersion for the given Tailscale version.
+// It accepts both full versions (v1.90.1) and minor versions (v1.90).
 func CapabilityVersion(ver string) tailcfg.CapabilityVersion {
 	if !strings.HasPrefix(ver, "v") {
 		ver = "v" + ver
 	}
-	return tailscaleToCapVer[ver]
+
+	// Try direct lookup first (works for minor versions like v1.90)
+	if cv, ok := tailscaleToCapVer[ver]; ok {
+		return cv
+	}
+
+	// Try extracting minor version from full version (v1.90.1 -> v1.90)
+	parts := strings.Split(strings.TrimPrefix(ver, "v"), ".")
+	if len(parts) >= minVersionParts {
+		minor := "v" + parts[0] + "." + parts[1]
+		return tailscaleToCapVer[minor]
+	}
+
+	return 0
 }

 // TailscaleLatest returns the n latest Tailscale versions.
@@ -73,10 +95,12 @@ func TailscaleLatestMajorMinor(n int, stripV bool) []string {
 	}

 	majors := set.Set[string]{}
+
 	for _, vers := range tailscaleVersSorted() {
 		if stripV {
 			vers = strings.TrimPrefix(vers, "v")
 		}
+
 		v := strings.Split(vers, ".")
 		majors.Add(v[0] + "." + v[1])
 	}
--- a/hscontrol/capver/capver_generated.go
+++ b/hscontrol/capver/capver_generated.go
@@ -1,52 +1,84 @@
 package capver

-//Generated DO NOT EDIT
+// Generated DO NOT EDIT

 import "tailscale.com/tailcfg"

 var tailscaleToCapVer = map[string]tailcfg.CapabilityVersion{
-	"v1.64.0": 90,
-	"v1.64.1": 90,
-	"v1.64.2": 90,
-	"v1.66.0": 95,
-	"v1.66.1": 95,
-	"v1.66.2": 95,
-	"v1.66.3": 95,
-	"v1.66.4": 95,
-	"v1.68.0": 97,
-	"v1.68.1": 97,
-	"v1.68.2": 97,
-	"v1.70.0": 102,
-	"v1.72.0": 104,
-	"v1.72.1": 104,
-	"v1.74.0": 106,
-	"v1.74.1": 106,
-	"v1.76.0": 106,
-	"v1.76.1": 106,
-	"v1.76.6": 106,
-	"v1.78.0": 109,
-	"v1.78.1": 109,
-	"v1.80.0": 113,
-	"v1.80.1": 113,
-	"v1.80.2": 113,
-	"v1.80.3": 113,
-	"v1.82.0": 115,
-	"v1.82.5": 115,
-	"v1.84.0": 116,
-	"v1.84.1": 116,
-	"v1.84.2": 116,
+	"v1.24": 32,
+	"v1.26": 32,
+	"v1.28": 32,
+	"v1.30": 41,
+	"v1.32": 46,
+	"v1.34": 51,
+	"v1.36": 56,
+	"v1.38": 58,
+	"v1.40": 61,
+	"v1.42": 62,
+	"v1.44": 63,
+	"v1.46": 65,
+	"v1.48": 68,
+	"v1.50": 74,
+	"v1.52": 79,
+	"v1.54": 79,
+	"v1.56": 82,
+	"v1.58": 85,
+	"v1.60": 87,
+	"v1.62": 88,
+	"v1.64": 90,
+	"v1.66": 95,
+	"v1.68": 97,
+	"v1.70": 102,
+	"v1.72": 104,
+	"v1.74": 106,
+	"v1.76": 106,
+	"v1.78": 109,
+	"v1.80": 113,
+	"v1.82": 115,
+	"v1.84": 116,
+	"v1.86": 123,
+	"v1.88": 125,
+	"v1.90": 130,
+	"v1.92": 131,
 }

-
 var capVerToTailscaleVer = map[tailcfg.CapabilityVersion]string{
-	90:		"v1.64.0",
-	95:		"v1.66.0",
-	97:		"v1.68.0",
-	102:		"v1.70.0",
-	104:		"v1.72.0",
-	106:		"v1.74.0",
-	109:		"v1.78.0",
-	113:		"v1.80.0",
-	115:		"v1.82.0",
-	116:		"v1.84.0",
+	32:  "v1.24",
+	41:  "v1.30",
+	46:  "v1.32",
+	51:  "v1.34",
+	56:  "v1.36",
+	58:  "v1.38",
+	61:  "v1.40",
+	62:  "v1.42",
+	63:  "v1.44",
+	65:  "v1.46",
+	68:  "v1.48",
+	74:  "v1.50",
+	79:  "v1.52",
+	82:  "v1.56",
+	85:  "v1.58",
+	87:  "v1.60",
+	88:  "v1.62",
+	90:  "v1.64",
+	95:  "v1.66",
+	97:  "v1.68",
+	102: "v1.70",
+	104: "v1.72",
+	106: "v1.74",
+	109: "v1.78",
+	113: "v1.80",
+	115: "v1.82",
+	116: "v1.84",
+	123: "v1.86",
+	125: "v1.88",
+	130: "v1.90",
+	131: "v1.92",
 }
+
+// SupportedMajorMinorVersions is the number of major.minor Tailscale versions supported.
+const SupportedMajorMinorVersions = 10
+
+// MinSupportedCapabilityVersion represents the minimum capability version
+// supported by this Headscale instance (latest 10 minor versions)
+const MinSupportedCapabilityVersion tailcfg.CapabilityVersion = 106
--- a/hscontrol/capver/capver_test.go
+++ b/hscontrol/capver/capver_test.go
@@ -4,34 +4,10 @@ import (
 	"testing"

 	"github.com/google/go-cmp/cmp"
-	"tailscale.com/tailcfg"
 )

 func TestTailscaleLatestMajorMinor(t *testing.T) {
-	tests := []struct {
-		n        int
-		stripV   bool
-		expected []string
-	}{
-		{3, false, []string{"v1.80", "v1.82", "v1.84"}},
-		{2, true, []string{"1.82", "1.84"}},
-		// Lazy way to see all supported versions
-		{10, true, []string{
-			"1.66",
-			"1.68",
-			"1.70",
-			"1.72",
-			"1.74",
-			"1.76",
-			"1.78",
-			"1.80",
-			"1.82",
-			"1.84",
-		}},
-		{0, false, nil},
-	}
-
-	for _, test := range tests {
+	for _, test := range tailscaleLatestMajorMinorTests {
 		t.Run("", func(t *testing.T) {
 			output := TailscaleLatestMajorMinor(test.n, test.stripV)
 			if diff := cmp.Diff(output, test.expected); diff != "" {
@@ -42,19 +18,7 @@ func TestTailscaleLatestMajorMinor(t *testing.T) {
 }

 func TestCapVerMinimumTailscaleVersion(t *testing.T) {
-	tests := []struct {
-		input    tailcfg.CapabilityVersion
-		expected string
-	}{
-		{90, "v1.64.0"},
-		{95, "v1.66.0"},
-		{106, "v1.74.0"},
-		{109, "v1.78.0"},
-		{9001, ""}, // Test case for a version higher than any in the map
-		{60, ""},   // Test case for a version lower than any in the map
-	}
-
-	for _, test := range tests {
+	for _, test := range capVerMinimumTailscaleVersionTests {
 		t.Run("", func(t *testing.T) {
 			output := TailscaleVersion(test.input)
 			if output != test.expected {
--- a/hscontrol/capver/capver_test_data.go
+++ b/hscontrol/capver/capver_test_data.go
@@ -0,0 +1,40 @@
+package capver
+
+// Generated DO NOT EDIT
+
+import "tailscale.com/tailcfg"
+
+var tailscaleLatestMajorMinorTests = []struct {
+	n        int
+	stripV   bool
+	expected []string
+}{
+	{3, false, []string{"v1.88", "v1.90", "v1.92"}},
+	{2, true, []string{"1.90", "1.92"}},
+	{10, true, []string{
+		"1.74",
+		"1.76",
+		"1.78",
+		"1.80",
+		"1.82",
+		"1.84",
+		"1.86",
+		"1.88",
+		"1.90",
+		"1.92",
+	}},
+	{0, false, nil},
+}
+
+var capVerMinimumTailscaleVersionTests = []struct {
+	input    tailcfg.CapabilityVersion
+	expected string
+}{
+	{106, "v1.74"},
+	{32, "v1.24"},
+	{41, "v1.30"},
+	{46, "v1.32"},
+	{51, "v1.34"},
+	{9001, ""}, // Test case for a version higher than any in the map
+	{60, ""},   // Test case for a version lower than any in the map
+}
--- a/hscontrol/db/api_key.go
+++ b/hscontrol/db/api_key.go
@@ -9,33 +9,64 @@ import (
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
 	"golang.org/x/crypto/bcrypt"
+	"gorm.io/gorm"
 )

 const (
-	apiPrefixLength = 7
-	apiKeyLength    = 32
+	apiKeyPrefix       = "hskey-api-" //nolint:gosec // This is a prefix, not a credential
+	apiKeyPrefixLength = 12
+	apiKeyHashLength   = 64
+
+	// Legacy format constants.
+	legacyAPIPrefixLength = 7
+	legacyAPIKeyLength    = 32
 )

-var ErrAPIKeyFailedToParse = errors.New("failed to parse ApiKey")
+var (
+	ErrAPIKeyFailedToParse     = errors.New("failed to parse ApiKey")
+	ErrAPIKeyGenerationFailed  = errors.New("failed to generate API key")
+	ErrAPIKeyInvalidGeneration = errors.New("generated API key failed validation")
+)

 // CreateAPIKey creates a new ApiKey in a user, and returns it.
 func (hsdb *HSDatabase) CreateAPIKey(
 	expiration *time.Time,
 ) (string, *types.APIKey, error) {
-	prefix, err := util.GenerateRandomStringURLSafe(apiPrefixLength)
+	// Generate public prefix (12 chars)
+	prefix, err := util.GenerateRandomStringURLSafe(apiKeyPrefixLength)
 	if err != nil {
 		return "", nil, err
 	}

-	toBeHashed, err := util.GenerateRandomStringURLSafe(apiKeyLength)
+	// Validate prefix
+	if len(prefix) != apiKeyPrefixLength {
+		return "", nil, fmt.Errorf("%w: generated prefix has invalid length: expected %d, got %d", ErrAPIKeyInvalidGeneration, apiKeyPrefixLength, len(prefix))
+	}
+
+	if !isValidBase64URLSafe(prefix) {
+		return "", nil, fmt.Errorf("%w: generated prefix contains invalid characters", ErrAPIKeyInvalidGeneration)
+	}
+
+	// Generate secret (64 chars)
+	secret, err := util.GenerateRandomStringURLSafe(apiKeyHashLength)
 	if err != nil {
 		return "", nil, err
 	}

-	// Key to return to user, this will only be visible _once_
-	keyStr := prefix + "." + toBeHashed
+	// Validate secret
+	if len(secret) != apiKeyHashLength {
+		return "", nil, fmt.Errorf("%w: generated secret has invalid length: expected %d, got %d", ErrAPIKeyInvalidGeneration, apiKeyHashLength, len(secret))
+	}

-	hash, err := bcrypt.GenerateFromPassword([]byte(toBeHashed), bcrypt.DefaultCost)
+	if !isValidBase64URLSafe(secret) {
+		return "", nil, fmt.Errorf("%w: generated secret contains invalid characters", ErrAPIKeyInvalidGeneration)
+	}
+
+	// Full key string (shown ONCE to user)
+	keyStr := apiKeyPrefix + prefix + "-" + secret
+
+	// bcrypt hash of secret
+	hash, err := bcrypt.GenerateFromPassword([]byte(secret), bcrypt.DefaultCost)
 	if err != nil {
 		return "", nil, err
 	}
@@ -103,23 +134,164 @@ func (hsdb *HSDatabase) ExpireAPIKey(key *types.APIKey) error {
 }

 func (hsdb *HSDatabase) ValidateAPIKey(keyStr string) (bool, error) {
-	prefix, hash, found := strings.Cut(keyStr, ".")
-	if !found {
-		return false, ErrAPIKeyFailedToParse
-	}
-
-	key, err := hsdb.GetAPIKey(prefix)
+	key, err := validateAPIKey(hsdb.DB, keyStr)
 	if err != nil {
-		return false, fmt.Errorf("failed to validate api key: %w", err)
-	}
-
-	if key.Expiration.Before(time.Now()) {
-		return false, nil
-	}
-
-	if err := bcrypt.CompareHashAndPassword(key.Hash, []byte(hash)); err != nil {
 		return false, err
 	}

+	if key.Expiration != nil && key.Expiration.Before(time.Now()) {
+		return false, nil
+	}
+
 	return true, nil
 }
+
+// ParseAPIKeyPrefix extracts the database prefix from a display prefix.
+// Handles formats: "hskey-api-{12chars}-***", "hskey-api-{12chars}", or just "{12chars}".
+// Returns the 12-character prefix suitable for database lookup.
+func ParseAPIKeyPrefix(displayPrefix string) (string, error) {
+	// If it's already just the 12-character prefix, return it
+	if len(displayPrefix) == apiKeyPrefixLength && isValidBase64URLSafe(displayPrefix) {
+		return displayPrefix, nil
+	}
+
+	// If it starts with the API key prefix, parse it
+	if strings.HasPrefix(displayPrefix, apiKeyPrefix) {
+		// Remove the "hskey-api-" prefix
+		_, remainder, found := strings.Cut(displayPrefix, apiKeyPrefix)
+		if !found {
+			return "", fmt.Errorf("%w: invalid display prefix format", ErrAPIKeyFailedToParse)
+		}
+
+		// Extract just the first 12 characters (the actual prefix)
+		if len(remainder) < apiKeyPrefixLength {
+			return "", fmt.Errorf("%w: prefix too short", ErrAPIKeyFailedToParse)
+		}
+
+		prefix := remainder[:apiKeyPrefixLength]
+
+		// Validate it's base64 URL-safe
+		if !isValidBase64URLSafe(prefix) {
+			return "", fmt.Errorf("%w: prefix contains invalid characters", ErrAPIKeyFailedToParse)
+		}
+
+		return prefix, nil
+	}
+
+	// For legacy 7-character prefixes or other formats, return as-is
+	return displayPrefix, nil
+}
+
+// validateAPIKey validates an API key and returns the key if valid.
+// Handles both new (hskey-api-{prefix}-{secret}) and legacy (prefix.secret) formats.
+func validateAPIKey(db *gorm.DB, keyStr string) (*types.APIKey, error) {
+	// Validate input is not empty
+	if keyStr == "" {
+		return nil, ErrAPIKeyFailedToParse
+	}
+
+	// Check for new format: hskey-api-{prefix}-{secret}
+	_, prefixAndSecret, found := strings.Cut(keyStr, apiKeyPrefix)
+
+	if !found {
+		// Legacy format: prefix.secret
+		return validateLegacyAPIKey(db, keyStr)
+	}
+
+	// New format: parse and verify
+	const expectedMinLength = apiKeyPrefixLength + 1 + apiKeyHashLength
+	if len(prefixAndSecret) < expectedMinLength {
+		return nil, fmt.Errorf(
+			"%w: key too short, expected at least %d chars after prefix, got %d",
+			ErrAPIKeyFailedToParse,
+			expectedMinLength,
+			len(prefixAndSecret),
+		)
+	}
+
+	// Use fixed-length parsing
+	prefix := prefixAndSecret[:apiKeyPrefixLength]
+
+	// Validate separator at expected position
+	if prefixAndSecret[apiKeyPrefixLength] != '-' {
+		return nil, fmt.Errorf(
+			"%w: expected separator '-' at position %d, got '%c'",
+			ErrAPIKeyFailedToParse,
+			apiKeyPrefixLength,
+			prefixAndSecret[apiKeyPrefixLength],
+		)
+	}
+
+	secret := prefixAndSecret[apiKeyPrefixLength+1:]
+
+	// Validate secret length
+	if len(secret) != apiKeyHashLength {
+		return nil, fmt.Errorf(
+			"%w: secret length mismatch, expected %d chars, got %d",
+			ErrAPIKeyFailedToParse,
+			apiKeyHashLength,
+			len(secret),
+		)
+	}
+
+	// Validate prefix contains only base64 URL-safe characters
+	if !isValidBase64URLSafe(prefix) {
+		return nil, fmt.Errorf(
+			"%w: prefix contains invalid characters (expected base64 URL-safe: A-Za-z0-9_-)",
+			ErrAPIKeyFailedToParse,
+		)
+	}
+
+	// Validate secret contains only base64 URL-safe characters
+	if !isValidBase64URLSafe(secret) {
+		return nil, fmt.Errorf(
+			"%w: secret contains invalid characters (expected base64 URL-safe: A-Za-z0-9_-)",
+			ErrAPIKeyFailedToParse,
+		)
+	}
+
+	// Look up by prefix (indexed)
+	var key types.APIKey
+
+	err := db.First(&key, "prefix = ?", prefix).Error
+	if err != nil {
+		return nil, fmt.Errorf("API key not found: %w", err)
+	}
+
+	// Verify bcrypt hash
+	err = bcrypt.CompareHashAndPassword(key.Hash, []byte(secret))
+	if err != nil {
+		return nil, fmt.Errorf("invalid API key: %w", err)
+	}
+
+	return &key, nil
+}
+
+// validateLegacyAPIKey validates a legacy format API key (prefix.secret).
+func validateLegacyAPIKey(db *gorm.DB, keyStr string) (*types.APIKey, error) {
+	// Legacy format uses "." as separator
+	prefix, secret, found := strings.Cut(keyStr, ".")
+	if !found {
+		return nil, ErrAPIKeyFailedToParse
+	}
+
+	// Legacy prefix is 7 chars
+	if len(prefix) != legacyAPIPrefixLength {
+		return nil, fmt.Errorf("%w: legacy prefix length mismatch", ErrAPIKeyFailedToParse)
+	}
+
+	var key types.APIKey
+
+	err := db.First(&key, "prefix = ?", prefix).Error
+	if err != nil {
+		return nil, fmt.Errorf("API key not found: %w", err)
+	}
+
+	// Verify bcrypt (key.Hash stores bcrypt of full secret)
+	err = bcrypt.CompareHashAndPassword(key.Hash, []byte(secret))
+	if err != nil {
+		return nil, fmt.Errorf("invalid API key: %w", err)
+	}
+
+	return &key, nil
+}
--- a/hscontrol/db/api_key_test.go
+++ b/hscontrol/db/api_key_test.go
@@ -1,8 +1,14 @@
 package db

 import (
+	"strings"
+	"testing"
 	"time"

+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/bcrypt"
 	"gopkg.in/check.v1"
 )

@@ -87,3 +93,142 @@ func (*Suite) TestExpireAPIKey(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(notValid, check.Equals, false)
 }
+
+func TestAPIKeyWithPrefix(t *testing.T) {
+	tests := []struct {
+		name string
+		test func(*testing.T, *HSDatabase)
+	}{
+		{
+			name: "new_key_with_prefix",
+			test: func(t *testing.T, db *HSDatabase) {
+				t.Helper()
+
+				keyStr, apiKey, err := db.CreateAPIKey(nil)
+				require.NoError(t, err)
+
+				// Verify format: hskey-api-{12-char-prefix}-{64-char-secret}
+				assert.True(t, strings.HasPrefix(keyStr, "hskey-api-"))
+
+				_, prefixAndSecret, found := strings.Cut(keyStr, "hskey-api-")
+				assert.True(t, found)
+				assert.GreaterOrEqual(t, len(prefixAndSecret), 12+1+64)
+
+				prefix := prefixAndSecret[:12]
+				assert.Len(t, prefix, 12)
+				assert.Equal(t, byte('-'), prefixAndSecret[12])
+				secret := prefixAndSecret[13:]
+				assert.Len(t, secret, 64)
+
+				// Verify stored fields
+				assert.Len(t, apiKey.Prefix, types.NewAPIKeyPrefixLength)
+				assert.NotNil(t, apiKey.Hash)
+			},
+		},
+		{
+			name: "new_key_can_be_retrieved",
+			test: func(t *testing.T, db *HSDatabase) {
+				t.Helper()
+
+				keyStr, createdKey, err := db.CreateAPIKey(nil)
+				require.NoError(t, err)
+
+				// Validate the created key
+				valid, err := db.ValidateAPIKey(keyStr)
+				require.NoError(t, err)
+				assert.True(t, valid)
+
+				// Verify prefix is correct length
+				assert.Len(t, createdKey.Prefix, types.NewAPIKeyPrefixLength)
+			},
+		},
+		{
+			name: "invalid_key_format_rejected",
+			test: func(t *testing.T, db *HSDatabase) {
+				t.Helper()
+
+				invalidKeys := []string{
+					"",
+					"hskey-api-short",
+					"hskey-api-ABCDEFGHIJKL-tooshort",
+					"hskey-api-ABC$EFGHIJKL-" + strings.Repeat("a", 64),
+					"hskey-api-ABCDEFGHIJKL" + strings.Repeat("a", 64), // missing separator
+				}
+
+				for _, invalidKey := range invalidKeys {
+					valid, err := db.ValidateAPIKey(invalidKey)
+					require.Error(t, err, "key should be rejected: %s", invalidKey)
+					assert.False(t, valid)
+				}
+			},
+		},
+		{
+			name: "legacy_key_still_works",
+			test: func(t *testing.T, db *HSDatabase) {
+				t.Helper()
+
+				// Insert legacy API key directly (7-char prefix + 32-char secret)
+				legacyPrefix := "abcdefg"
+				legacySecret := strings.Repeat("x", 32)
+				legacyKey := legacyPrefix + "." + legacySecret
+				hash, err := bcrypt.GenerateFromPassword([]byte(legacySecret), bcrypt.DefaultCost)
+				require.NoError(t, err)
+
+				now := time.Now()
+				err = db.DB.Exec(`
+					INSERT INTO api_keys (prefix, hash, created_at)
+					VALUES (?, ?, ?)
+				`, legacyPrefix, hash, now).Error
+				require.NoError(t, err)
+
+				// Validate legacy key
+				valid, err := db.ValidateAPIKey(legacyKey)
+				require.NoError(t, err)
+				assert.True(t, valid)
+			},
+		},
+		{
+			name: "wrong_secret_rejected",
+			test: func(t *testing.T, db *HSDatabase) {
+				t.Helper()
+
+				keyStr, _, err := db.CreateAPIKey(nil)
+				require.NoError(t, err)
+
+				// Tamper with the secret
+				_, prefixAndSecret, _ := strings.Cut(keyStr, "hskey-api-")
+				prefix := prefixAndSecret[:12]
+				tamperedKey := "hskey-api-" + prefix + "-" + strings.Repeat("x", 64)
+
+				valid, err := db.ValidateAPIKey(tamperedKey)
+				require.Error(t, err)
+				assert.False(t, valid)
+			},
+		},
+		{
+			name: "expired_key_rejected",
+			test: func(t *testing.T, db *HSDatabase) {
+				t.Helper()
+
+				// Create expired key
+				expired := time.Now().Add(-1 * time.Hour)
+				keyStr, _, err := db.CreateAPIKey(&expired)
+				require.NoError(t, err)
+
+				// Should fail validation
+				valid, err := db.ValidateAPIKey(keyStr)
+				require.NoError(t, err)
+				assert.False(t, valid)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			db, err := newSQLiteTestDB()
+			require.NoError(t, err)
+
+			tt.test(t, db)
+		})
+	}
+}
--- a/hscontrol/db/db.go
+++ b/hscontrol/db/db.go
@@ -2,7 +2,6 @@ package db

 import (
 	"context"
-	"database/sql"
 	_ "embed"
 	"encoding/json"
 	"errors"
@@ -11,7 +10,6 @@ import (
 	"path/filepath"
 	"slices"
 	"strconv"
-	"strings"
 	"time"

 	"github.com/glebarez/sqlite"
@@ -26,7 +24,6 @@ import (
 	"gorm.io/gorm/logger"
 	"gorm.io/gorm/schema"
 	"tailscale.com/net/tsaddr"
-	"tailscale.com/util/set"
 	"zgo.at/zcache/v2"
 )

@@ -79,497 +76,10 @@ func NewHeadscaleDatabase(
 		gormigrate.DefaultOptions,
 		[]*gormigrate.Migration{
 			// New migrations must be added as transactions at the end of this list.
-			// The initial migration here is quite messy, completely out of order and
-			// has no versioning and is the tech debt of not having versioned migrations
-			// prior to this point. This first migration is all DB changes to bring a DB
-			// up to 0.23.0.
-			{
-				ID: "202312101416",
-				Migrate: func(tx *gorm.DB) error {
-					if cfg.Type == types.DatabasePostgres {
-						tx.Exec(`create extension if not exists "uuid-ossp";`)
-					}
+			// Migrations start from v0.25.0. If upgrading from v0.24.x or earlier,
+			// you must first upgrade to v0.25.1 before upgrading to this version.

-					_ = tx.Migrator().RenameTable("namespaces", "users")
-
-					// the big rename from Machine to Node
-					_ = tx.Migrator().RenameTable("machines", "nodes")
-					_ = tx.Migrator().
-						RenameColumn(&types.Route{}, "machine_id", "node_id")
-
-					err = tx.AutoMigrate(types.User{})
-					if err != nil {
-						return err
-					}
-
-					_ = tx.Migrator().
-						RenameColumn(&types.Node{}, "namespace_id", "user_id")
-					_ = tx.Migrator().
-						RenameColumn(&types.PreAuthKey{}, "namespace_id", "user_id")
-
-					_ = tx.Migrator().
-						RenameColumn(&types.Node{}, "ip_address", "ip_addresses")
-					_ = tx.Migrator().RenameColumn(&types.Node{}, "name", "hostname")
-
-					// GivenName is used as the primary source of DNS names, make sure
-					// the field is populated and normalized if it was not when the
-					// node was registered.
-					_ = tx.Migrator().
-						RenameColumn(&types.Node{}, "nickname", "given_name")
-
-					dbConn.Model(&types.Node{}).Where("auth_key_id = ?", 0).Update("auth_key_id", nil)
-					// If the Node table has a column for registered,
-					// find all occurrences of "false" and drop them. Then
-					// remove the column.
-					if tx.Migrator().HasColumn(&types.Node{}, "registered") {
-						log.Info().
-							Msg(`Database has legacy "registered" column in node, removing...`)
-
-						nodes := types.Nodes{}
-						if err := tx.Not("registered").Find(&nodes).Error; err != nil {
-							log.Error().Err(err).Msg("Error accessing db")
-						}
-
-						for _, node := range nodes {
-							log.Info().
-								Str("node", node.Hostname).
-								Str("machine_key", node.MachineKey.ShortString()).
-								Msg("Deleting unregistered node")
-							if err := tx.Delete(&types.Node{}, node.ID).Error; err != nil {
-								log.Error().
-									Err(err).
-									Str("node", node.Hostname).
-									Str("machine_key", node.MachineKey.ShortString()).
-									Msg("Error deleting unregistered node")
-							}
-						}
-
-						err := tx.Migrator().DropColumn(&types.Node{}, "registered")
-						if err != nil {
-							log.Error().Err(err).Msg("Error dropping registered column")
-						}
-					}
-
-					// Remove any invalid routes associated with a node that does not exist.
-					if tx.Migrator().HasTable(&types.Route{}) && tx.Migrator().HasTable(&types.Node{}) {
-						err := tx.Exec("delete from routes where node_id not in (select id from nodes)").Error
-						if err != nil {
-							return err
-						}
-					}
-					err = tx.AutoMigrate(&types.Route{})
-					if err != nil {
-						return err
-					}
-
-					err = tx.AutoMigrate(&types.Node{})
-					if err != nil {
-						return err
-					}
-
-					// Ensure all keys have correct prefixes
-					// https://github.com/tailscale/tailscale/blob/main/types/key/node.go#L35
-					type result struct {
-						ID         uint64
-						MachineKey string
-						NodeKey    string
-						DiscoKey   string
-					}
-					var results []result
-					err = tx.Raw("SELECT id, node_key, machine_key, disco_key FROM nodes").
-						Find(&results).
-						Error
-					if err != nil {
-						return err
-					}
-
-					for _, node := range results {
-						mKey := node.MachineKey
-						if !strings.HasPrefix(node.MachineKey, "mkey:") {
-							mKey = "mkey:" + node.MachineKey
-						}
-						nKey := node.NodeKey
-						if !strings.HasPrefix(node.NodeKey, "nodekey:") {
-							nKey = "nodekey:" + node.NodeKey
-						}
-
-						dKey := node.DiscoKey
-						if !strings.HasPrefix(node.DiscoKey, "discokey:") {
-							dKey = "discokey:" + node.DiscoKey
-						}
-
-						err := tx.Exec(
-							"UPDATE nodes SET machine_key = @mKey, node_key = @nKey, disco_key = @dKey WHERE ID = @id",
-							sql.Named("mKey", mKey),
-							sql.Named("nKey", nKey),
-							sql.Named("dKey", dKey),
-							sql.Named("id", node.ID),
-						).Error
-						if err != nil {
-							return err
-						}
-					}
-
-					if tx.Migrator().HasColumn(&types.Node{}, "enabled_routes") {
-						log.Info().
-							Msgf("Database has legacy enabled_routes column in node, migrating...")
-
-						type NodeAux struct {
-							ID            uint64
-							EnabledRoutes []netip.Prefix `gorm:"serializer:json"`
-						}
-
-						nodesAux := []NodeAux{}
-						err := tx.Table("nodes").
-							Select("id, enabled_routes").
-							Scan(&nodesAux).
-							Error
-						if err != nil {
-							log.Fatal().Err(err).Msg("Error accessing db")
-						}
-						for _, node := range nodesAux {
-							for _, prefix := range node.EnabledRoutes {
-								if err != nil {
-									log.Error().
-										Err(err).
-										Str("enabled_route", prefix.String()).
-										Msg("Error parsing enabled_route")
-
-									continue
-								}
-
-								err = tx.Preload("Node").
-									Where("node_id = ? AND prefix = ?", node.ID, prefix).
-									First(&types.Route{}).
-									Error
-								if err == nil {
-									log.Info().
-										Str("enabled_route", prefix.String()).
-										Msg("Route already migrated to new table, skipping")
-
-									continue
-								}
-
-								route := types.Route{
-									NodeID:     node.ID,
-									Advertised: true,
-									Enabled:    true,
-									Prefix:     prefix,
-								}
-								if err := tx.Create(&route).Error; err != nil {
-									log.Error().Err(err).Msg("Error creating route")
-								} else {
-									log.Info().
-										Uint64("node.id", route.NodeID).
-										Str("prefix", prefix.String()).
-										Msg("Route migrated")
-								}
-							}
-						}
-
-						err = tx.Migrator().DropColumn(&types.Node{}, "enabled_routes")
-						if err != nil {
-							log.Error().
-								Err(err).
-								Msg("Error dropping enabled_routes column")
-						}
-					}
-
-					if tx.Migrator().HasColumn(&types.Node{}, "given_name") {
-						nodes := types.Nodes{}
-						if err := tx.Find(&nodes).Error; err != nil {
-							log.Error().Err(err).Msg("Error accessing db")
-						}
-
-						for item, node := range nodes {
-							if node.GivenName == "" {
-								if err != nil {
-									log.Error().
-										Caller().
-										Str("hostname", node.Hostname).
-										Err(err).
-										Msg("Failed to normalize node hostname in DB migration")
-								}
-
-								err = tx.Model(nodes[item]).Updates(types.Node{
-									GivenName: node.Hostname,
-								}).Error
-								if err != nil {
-									log.Error().
-										Caller().
-										Str("hostname", node.Hostname).
-										Err(err).
-										Msg("Failed to save normalized node name in DB migration")
-								}
-							}
-						}
-					}
-
-					err = tx.AutoMigrate(&KV{})
-					if err != nil {
-						return err
-					}
-
-					err = tx.AutoMigrate(&types.PreAuthKey{})
-					if err != nil {
-						return err
-					}
-
-					type preAuthKeyACLTag struct {
-						ID           uint64 `gorm:"primary_key"`
-						PreAuthKeyID uint64
-						Tag          string
-					}
-					err = tx.AutoMigrate(&preAuthKeyACLTag{})
-					if err != nil {
-						return err
-					}
-
-					_ = tx.Migrator().DropTable("shared_machines")
-
-					err = tx.AutoMigrate(&types.APIKey{})
-					if err != nil {
-						return err
-					}
-
-					return nil
-				},
-				Rollback: func(tx *gorm.DB) error {
-					return nil
-				},
-			},
-			{
-				// drop key-value table, it is not used, and has not contained
-				// useful data for a long time or ever.
-				ID: "202312101430",
-				Migrate: func(tx *gorm.DB) error {
-					return tx.Migrator().DropTable("kvs")
-				},
-				Rollback: func(tx *gorm.DB) error {
-					return nil
-				},
-			},
-			{
-				// remove last_successful_update from node table,
-				// no longer used.
-				ID: "202402151347",
-				Migrate: func(tx *gorm.DB) error {
-					_ = tx.Migrator().DropColumn(&types.Node{}, "last_successful_update")
-					return nil
-				},
-				Rollback: func(tx *gorm.DB) error {
-					return nil
-				},
-			},
-			{
-				// Replace column with IP address list with dedicated
-				// IP v4 and v6 column.
-				// Note that previously, the list _could_ contain more
-				// than two addresses, which should not really happen.
-				// In that case, the first occurrence of each type will
-				// be kept.
-				ID: "2024041121742",
-				Migrate: func(tx *gorm.DB) error {
-					_ = tx.Migrator().AddColumn(&types.Node{}, "ipv4")
-					_ = tx.Migrator().AddColumn(&types.Node{}, "ipv6")
-
-					type node struct {
-						ID        uint64 `gorm:"column:id"`
-						Addresses string `gorm:"column:ip_addresses"`
-					}
-
-					var nodes []node
-
-					_ = tx.Raw("SELECT id, ip_addresses FROM nodes").Scan(&nodes).Error
-
-					for _, node := range nodes {
-						addrs := strings.Split(node.Addresses, ",")
-
-						if len(addrs) == 0 {
-							return fmt.Errorf("no addresses found for node(%d)", node.ID)
-						}
-
-						var v4 *netip.Addr
-						var v6 *netip.Addr
-
-						for _, addrStr := range addrs {
-							addr, err := netip.ParseAddr(addrStr)
-							if err != nil {
-								return fmt.Errorf("parsing IP for node(%d) from database: %w", node.ID, err)
-							}
-
-							if addr.Is4() && v4 == nil {
-								v4 = &addr
-							}
-
-							if addr.Is6() && v6 == nil {
-								v6 = &addr
-							}
-						}
-
-						if v4 != nil {
-							err = tx.Model(&types.Node{}).Where("id = ?", node.ID).Update("ipv4", v4.String()).Error
-							if err != nil {
-								return fmt.Errorf("saving ip addresses to new columns: %w", err)
-							}
-						}
-
-						if v6 != nil {
-							err = tx.Model(&types.Node{}).Where("id = ?", node.ID).Update("ipv6", v6.String()).Error
-							if err != nil {
-								return fmt.Errorf("saving ip addresses to new columns: %w", err)
-							}
-						}
-					}
-
-					_ = tx.Migrator().DropColumn(&types.Node{}, "ip_addresses")
-
-					return nil
-				},
-				Rollback: func(tx *gorm.DB) error {
-					return nil
-				},
-			},
-			{
-				ID: "202406021630",
-				Migrate: func(tx *gorm.DB) error {
-					err := tx.AutoMigrate(&types.Policy{})
-					if err != nil {
-						return err
-					}
-
-					return nil
-				},
-				Rollback: func(db *gorm.DB) error { return nil },
-			},
-			// denormalise the ACL tags for preauth keys back onto
-			// the preauth key table. We dont normalise or reuse and
-			// it is just a bunch of work for extra work.
-			{
-				ID: "202409271400",
-				Migrate: func(tx *gorm.DB) error {
-					preauthkeyTags := map[uint64]set.Set[string]{}
-
-					type preAuthKeyACLTag struct {
-						ID           uint64 `gorm:"primary_key"`
-						PreAuthKeyID uint64
-						Tag          string
-					}
-
-					var aclTags []preAuthKeyACLTag
-					if err := tx.Find(&aclTags).Error; err != nil {
-						return err
-					}
-
-					// Store the current tags.
-					for _, tag := range aclTags {
-						if preauthkeyTags[tag.PreAuthKeyID] == nil {
-							preauthkeyTags[tag.PreAuthKeyID] = set.SetOf([]string{tag.Tag})
-						} else {
-							preauthkeyTags[tag.PreAuthKeyID].Add(tag.Tag)
-						}
-					}
-
-					// Add tags column and restore the tags.
-					_ = tx.Migrator().AddColumn(&types.PreAuthKey{}, "tags")
-					for keyID, tags := range preauthkeyTags {
-						s := tags.Slice()
-						j, err := json.Marshal(s)
-						if err != nil {
-							return err
-						}
-						if err := tx.Model(&types.PreAuthKey{}).Where("id = ?", keyID).Update("tags", string(j)).Error; err != nil {
-							return err
-						}
-					}
-
-					// Drop the old table.
-					_ = tx.Migrator().DropTable(&preAuthKeyACLTag{})
-
-					return nil
-				},
-				Rollback: func(db *gorm.DB) error { return nil },
-			},
-			{
-				// Pick up new user fields used for OIDC and to
-				// populate the user with more interesting information.
-				ID: "202407191627",
-				Migrate: func(tx *gorm.DB) error {
-					// Fix an issue where the automigration in GORM expected a constraint to
-					// exists that didn't, and add the one it wanted.
-					// Fixes https://github.com/juanfont/headscale/issues/2351
-					if cfg.Type == types.DatabasePostgres {
-						err := tx.Exec(`
-BEGIN;
-DO $$
-BEGIN
-    IF NOT EXISTS (
-        SELECT 1 FROM pg_constraint
-        WHERE conname = 'uni_users_name'
-    ) THEN
-        ALTER TABLE users ADD CONSTRAINT uni_users_name UNIQUE (name);
-    END IF;
-END $$;
-
-DO $$
-BEGIN
-    IF EXISTS (
-        SELECT 1 FROM pg_constraint
-        WHERE conname = 'users_name_key'
-    ) THEN
-        ALTER TABLE users DROP CONSTRAINT users_name_key;
-    END IF;
-END $$;
-COMMIT;
-`).Error
-						if err != nil {
-							return fmt.Errorf("failed to rename constraint: %w", err)
-						}
-					}
-
-					err := tx.AutoMigrate(&types.User{})
-					if err != nil {
-						return fmt.Errorf("automigrating types.User: %w", err)
-					}
-
-					return nil
-				},
-				Rollback: func(db *gorm.DB) error { return nil },
-			},
-			{
-				// The unique constraint of Name has been dropped
-				// in favour of a unique together of name and
-				// provider identity.
-				ID: "202408181235",
-				Migrate: func(tx *gorm.DB) error {
-					err := tx.AutoMigrate(&types.User{})
-					if err != nil {
-						return fmt.Errorf("automigrating types.User: %w", err)
-					}
-
-					// Set up indexes and unique constraints outside of GORM, it does not support
-					// conditional unique constraints.
-					// This ensures the following:
-					// - A user name and provider_identifier is unique
-					// - A provider_identifier is unique
-					// - A user name is unique if there is no provider_identifier is not set
-					for _, idx := range []string{
-						"DROP INDEX IF EXISTS idx_provider_identifier",
-						"DROP INDEX IF EXISTS idx_name_provider_identifier",
-						"CREATE UNIQUE INDEX IF NOT EXISTS idx_provider_identifier ON users (provider_identifier) WHERE provider_identifier IS NOT NULL;",
-						"CREATE UNIQUE INDEX IF NOT EXISTS idx_name_provider_identifier ON users (name,provider_identifier);",
-						"CREATE UNIQUE INDEX IF NOT EXISTS idx_name_no_provider_identifier ON users (name) WHERE provider_identifier IS NULL;",
-					} {
-						err = tx.Exec(idx).Error
-						if err != nil {
-							return fmt.Errorf("creating username index: %w", err)
-						}
-					}
-
-					return nil
-				},
-				Rollback: func(db *gorm.DB) error { return nil },
-			},
+			// v0.25.0
 			{
 				// Add a constraint to routes ensuring they cannot exist without a node.
 				ID: "202501221827",
@@ -639,6 +149,7 @@ AND auth_key_id NOT IN (
 				},
 				Rollback: func(db *gorm.DB) error { return nil },
 			},
+			// v0.26.0
 			// Migrate all routes from the Route table to the new field ApprovedRoutes
 			// in the Node table. Then drop the Route table.
 			{
@@ -733,6 +244,7 @@ AND auth_key_id NOT IN (
 				},
 				Rollback: func(db *gorm.DB) error { return nil },
 			},
+			// v0.27.0
 			// Schema migration to ensure all tables match the expected schema.
 			// This migration recreates all tables to match the exact structure in schema.sql,
 			// preserving all data during the process.
@@ -932,15 +444,212 @@ AND auth_key_id NOT IN (
 				},
 				Rollback: func(db *gorm.DB) error { return nil },
 			},
+			// v0.27.1
+			{
+				// Drop all tables that are no longer in use and has existed.
+				// They potentially still present from broken migrations in the past.
+				ID: "202510311551",
+				Migrate: func(tx *gorm.DB) error {
+					for _, oldTable := range []string{"namespaces", "machines", "shared_machines", "kvs", "pre_auth_key_acl_tags", "routes"} {
+						err := tx.Migrator().DropTable(oldTable)
+						if err != nil {
+							log.Trace().Str("table", oldTable).
+								Err(err).
+								Msg("Error dropping old table, continuing...")
+						}
+					}
+
+					return nil
+				},
+				Rollback: func(tx *gorm.DB) error {
+					return nil
+				},
+			},
+			{
+				// Drop all indices that are no longer in use and has existed.
+				// They potentially still present from broken migrations in the past.
+				// They should all be cleaned up by the db engine, but we are a bit
+				// conservative to ensure all our previous mess is cleaned up.
+				ID: "202511101554-drop-old-idx",
+				Migrate: func(tx *gorm.DB) error {
+					for _, oldIdx := range []struct{ name, table string }{
+						{"idx_namespaces_deleted_at", "namespaces"},
+						{"idx_routes_deleted_at", "routes"},
+						{"idx_shared_machines_deleted_at", "shared_machines"},
+					} {
+						err := tx.Migrator().DropIndex(oldIdx.table, oldIdx.name)
+						if err != nil {
+							log.Trace().
+								Str("index", oldIdx.name).
+								Str("table", oldIdx.table).
+								Err(err).
+								Msg("Error dropping old index, continuing...")
+						}
+					}
+
+					return nil
+				},
+				Rollback: func(tx *gorm.DB) error {
+					return nil
+				},
+			},
+
+			// Migrations **above** this points will be REMOVED in version **0.29.0**
+			// This is to clean up a lot of old migrations that is seldom used
+			// and carries a lot of technical debt.
+			// Any new migrations should be added after the comment below and follow
+			// the rules it sets out.
+
 			// From this point, the following rules must be followed:
 			// - NEVER use gorm.AutoMigrate, write the exact migration steps needed
 			// - AutoMigrate depends on the struct staying exactly the same, which it won't over time.
 			// - Never write migrations that requires foreign keys to be disabled.
+			// - ALL errors in migrations must be handled properly.
+
+			{
+				// Add columns for prefix and hash for pre auth keys, implementing
+				// them with the same security model as api keys.
+				ID: "202511011637-preauthkey-bcrypt",
+				Migrate: func(tx *gorm.DB) error {
+					// Check and add prefix column if it doesn't exist
+					if !tx.Migrator().HasColumn(&types.PreAuthKey{}, "prefix") {
+						err := tx.Migrator().AddColumn(&types.PreAuthKey{}, "prefix")
+						if err != nil {
+							return fmt.Errorf("adding prefix column: %w", err)
+						}
+					}
+
+					// Check and add hash column if it doesn't exist
+					if !tx.Migrator().HasColumn(&types.PreAuthKey{}, "hash") {
+						err := tx.Migrator().AddColumn(&types.PreAuthKey{}, "hash")
+						if err != nil {
+							return fmt.Errorf("adding hash column: %w", err)
+						}
+					}
+
+					// Create partial unique index to allow multiple legacy keys (NULL/empty prefix)
+					// while enforcing uniqueness for new bcrypt-based keys
+					err := tx.Exec("CREATE UNIQUE INDEX IF NOT EXISTS idx_pre_auth_keys_prefix ON pre_auth_keys(prefix) WHERE prefix IS NOT NULL AND prefix != ''").Error
+					if err != nil {
+						return fmt.Errorf("creating prefix index: %w", err)
+					}
+
+					return nil
+				},
+				Rollback: func(db *gorm.DB) error { return nil },
+			},
+			{
+				ID: "202511122344-remove-newline-index",
+				Migrate: func(tx *gorm.DB) error {
+					// Reformat multi-line indexes to single-line for consistency
+					// This migration drops and recreates the three user identity indexes
+					// to match the single-line format expected by schema validation
+
+					// Drop existing multi-line indexes
+					dropIndexes := []string{
+						`DROP INDEX IF EXISTS idx_provider_identifier`,
+						`DROP INDEX IF EXISTS idx_name_provider_identifier`,
+						`DROP INDEX IF EXISTS idx_name_no_provider_identifier`,
+					}
+
+					for _, dropSQL := range dropIndexes {
+						err := tx.Exec(dropSQL).Error
+						if err != nil {
+							return fmt.Errorf("dropping index: %w", err)
+						}
+					}
+
+					// Recreate indexes in single-line format
+					createIndexes := []string{
+						`CREATE UNIQUE INDEX idx_provider_identifier ON users(provider_identifier) WHERE provider_identifier IS NOT NULL`,
+						`CREATE UNIQUE INDEX idx_name_provider_identifier ON users(name, provider_identifier)`,
+						`CREATE UNIQUE INDEX idx_name_no_provider_identifier ON users(name) WHERE provider_identifier IS NULL`,
+					}
+
+					for _, createSQL := range createIndexes {
+						err := tx.Exec(createSQL).Error
+						if err != nil {
+							return fmt.Errorf("creating index: %w", err)
+						}
+					}
+
+					return nil
+				},
+				Rollback: func(db *gorm.DB) error { return nil },
+			},
+			{
+				// Rename forced_tags column to tags in nodes table.
+				// This must run after migration 202505141324 which creates tables with forced_tags.
+				ID: "202511131445-node-forced-tags-to-tags",
+				Migrate: func(tx *gorm.DB) error {
+					// Rename the column from forced_tags to tags
+					err := tx.Migrator().RenameColumn(&types.Node{}, "forced_tags", "tags")
+					if err != nil {
+						return fmt.Errorf("renaming forced_tags to tags: %w", err)
+					}
+
+					return nil
+				},
+				Rollback: func(db *gorm.DB) error { return nil },
+			},
 		},
 	)

+	migrations.InitSchema(func(tx *gorm.DB) error {
+		// Create all tables using AutoMigrate
+		err := tx.AutoMigrate(
+			&types.User{},
+			&types.PreAuthKey{},
+			&types.APIKey{},
+			&types.Node{},
+			&types.Policy{},
+		)
+		if err != nil {
+			return err
+		}
+
+		// Drop all indexes (both GORM-created and potentially pre-existing ones)
+		// to ensure we can recreate them in the correct format
+		dropIndexes := []string{
+			`DROP INDEX IF EXISTS "idx_users_deleted_at"`,
+			`DROP INDEX IF EXISTS "idx_api_keys_prefix"`,
+			`DROP INDEX IF EXISTS "idx_policies_deleted_at"`,
+			`DROP INDEX IF EXISTS "idx_provider_identifier"`,
+			`DROP INDEX IF EXISTS "idx_name_provider_identifier"`,
+			`DROP INDEX IF EXISTS "idx_name_no_provider_identifier"`,
+			`DROP INDEX IF EXISTS "idx_pre_auth_keys_prefix"`,
+		}
+
+		for _, dropSQL := range dropIndexes {
+			err := tx.Exec(dropSQL).Error
+			if err != nil {
+				return err
+			}
+		}
+
+		// Recreate indexes without backticks to match schema.sql format
+		indexes := []string{
+			`CREATE INDEX idx_users_deleted_at ON users(deleted_at)`,
+			`CREATE UNIQUE INDEX idx_api_keys_prefix ON api_keys(prefix)`,
+			`CREATE INDEX idx_policies_deleted_at ON policies(deleted_at)`,
+			`CREATE UNIQUE INDEX idx_provider_identifier ON users(provider_identifier) WHERE provider_identifier IS NOT NULL`,
+			`CREATE UNIQUE INDEX idx_name_provider_identifier ON users(name, provider_identifier)`,
+			`CREATE UNIQUE INDEX idx_name_no_provider_identifier ON users(name) WHERE provider_identifier IS NULL`,
+			`CREATE UNIQUE INDEX idx_pre_auth_keys_prefix ON pre_auth_keys(prefix) WHERE prefix IS NOT NULL AND prefix != ''`,
+		}
+
+		for _, indexSQL := range indexes {
+			err := tx.Exec(indexSQL).Error
+			if err != nil {
+				return err
+			}
+		}
+
+		return nil
+	})
+
 	if err := runMigrations(cfg, dbConn, migrations); err != nil {
-		log.Fatal().Err(err).Msgf("Migration failed: %v", err)
+		return nil, fmt.Errorf("migration failed: %w", err)
 	}

 	// Validate that the schema ends up in the expected state.
@@ -962,7 +671,17 @@ AND auth_key_id NOT IN (
 		ctx, cancel := context.WithTimeout(context.Background(), contextTimeoutSecs*time.Second)
 		defer cancel()

-		if err := squibble.Validate(ctx, sqlConn, dbSchema); err != nil {
+		opts := squibble.DigestOptions{
+			IgnoreTables: []string{
+				// Litestream tables, these are inserted by
+				// litestream and not part of our schema
+				// https://litestream.io/how-it-works
+				"_litestream_lock",
+				"_litestream_seq",
+			},
+		}
+
+		if err := squibble.Validate(ctx, sqlConn, dbSchema, &opts); err != nil {
 			return nil, fmt.Errorf("validating schema: %w", err)
 		}
 	}
@@ -1091,13 +810,8 @@ func runMigrations(cfg types.DatabaseConfig, dbConn *gorm.DB, migrations *gormig
 		// These are migrations that perform complex schema changes that GORM cannot handle safely with FK enabled
 		// NO NEW MIGRATIONS SHOULD BE ADDED HERE. ALL NEW MIGRATIONS MUST RUN WITH FOREIGN KEYS ENABLED.
 		migrationsRequiringFKDisabled := map[string]bool{
-			"202312101416":  true, // Initial migration with complex table/column renames
-			"202402151347":  true, // Migration that removes last_successful_update column
-			"2024041121742": true, // Migration that changes IP address storage format
-			"202407191627":  true, // User table automigration with FK constraint issues
-			"202408181235":  true, // User table automigration with FK constraint issues
-			"202501221827":  true, // Route table automigration with FK constraint issues
-			"202501311657":  true, // PreAuthKey table automigration with FK constraint issues
+			"202501221827": true, // Route table automigration with FK constraint issues
+			"202501311657": true, // PreAuthKey table automigration with FK constraint issues
 			// Add other migration IDs here as they are identified to need FK disabled
 		}

@@ -1111,21 +825,17 @@ func runMigrations(cfg types.DatabaseConfig, dbConn *gorm.DB, migrations *gormig
 		// Only IDs that are in the migrationsRequiringFKDisabled map will be processed with FK disabled
 		// any other new migrations are ran after.
 		migrationIDs := []string{
-			"202312101416",
-			"202312101430",
-			"202402151347",
-			"2024041121742",
-			"202406021630",
-			"202407191627",
-			"202408181235",
-			"202409271400",
+			// v0.25.0
 			"202501221827",
 			"202501311657",
 			"202502070949",
+
+			// v0.26.0
 			"202502131714",
 			"202502171819",
 			"202505091439",
 			"202505141324",
+
 			// As of 2025-07-02, no new IDs should be added here.
 			// They will be ran by the migrations.Migrate() call below.
 		}
--- a/hscontrol/db/db_test.go
+++ b/hscontrol/db/db_test.go
@@ -2,19 +2,14 @@ package db

 import (
 	"database/sql"
-	"net/netip"
 	"os"
 	"os/exec"
 	"path/filepath"
-	"slices"
 	"strings"
 	"testing"
 	"time"

-	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/juanfont/headscale/hscontrol/types"
-	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"gorm.io/gorm"
@@ -25,400 +20,14 @@ import (
 // and validates data integrity after migration. All migrations that require data validation
 // should be added here.
 func TestSQLiteMigrationAndDataValidation(t *testing.T) {
-	ipp := func(p string) netip.Prefix {
-		return netip.MustParsePrefix(p)
-	}
-	r := func(id uint64, p string, a, e, i bool) types.Route {
-		return types.Route{
-			NodeID:     id,
-			Prefix:     ipp(p),
-			Advertised: a,
-			Enabled:    e,
-			IsPrimary:  i,
-		}
-	}
 	tests := []struct {
 		dbPath   string
 		wantFunc func(*testing.T, *HSDatabase)
 	}{
-		{
-			dbPath: "testdata/sqlite/0-22-3-to-0-23-0-routes-are-dropped-2063_dump.sql",
-			wantFunc: func(t *testing.T, hsdb *HSDatabase) {
-				t.Helper()
-				// Comprehensive data preservation validation for 0.22.3->0.23.0 migration
-				// Expected data from dump: 4 users, 17 pre_auth_keys, 14 machines/nodes, 12 routes
-
-				// Verify users data preservation - should have 4 users
-				users, err := Read(hsdb.DB, func(rx *gorm.DB) ([]types.User, error) {
-					return ListUsers(rx)
-				})
-				require.NoError(t, err)
-				assert.Len(t, users, 4, "should preserve all 4 users from original schema")
-
-				// Verify pre_auth_keys data preservation - should have 17 keys
-				preAuthKeys, err := Read(hsdb.DB, func(rx *gorm.DB) ([]types.PreAuthKey, error) {
-					var keys []types.PreAuthKey
-					err := rx.Find(&keys).Error
-					return keys, err
-				})
-				require.NoError(t, err)
-				assert.Len(t, preAuthKeys, 17, "should preserve all 17 pre_auth_keys from original schema")
-
-				// Verify all nodes data preservation - should have 14 nodes
-				allNodes, err := Read(hsdb.DB, func(rx *gorm.DB) (types.Nodes, error) {
-					return ListNodes(rx)
-				})
-				require.NoError(t, err)
-				assert.Len(t, allNodes, 14, "should preserve all 14 machines/nodes from original schema")
-
-				// Verify specific nodes and their route migration with detailed validation
-				nodes, err := Read(hsdb.DB, func(rx *gorm.DB) (types.Nodes, error) {
-					n1, err := GetNodeByID(rx, 1)
-					n26, err := GetNodeByID(rx, 26)
-					n31, err := GetNodeByID(rx, 31)
-					n32, err := GetNodeByID(rx, 32)
-					if err != nil {
-						return nil, err
-					}
-
-					return types.Nodes{n1, n26, n31, n32}, nil
-				})
-				require.NoError(t, err)
-				assert.Len(t, nodes, 4, "should have retrieved 4 specific nodes")
-
-				// Validate specific node data from dump file
-				nodesByID := make(map[uint64]*types.Node)
-				for i := range nodes {
-					nodesByID[nodes[i].ID.Uint64()] = nodes[i]
-				}
-
-				node1 := nodesByID[1]
-				node26 := nodesByID[26]
-				node31 := nodesByID[31]
-				node32 := nodesByID[32]
-
-				require.NotNil(t, node1, "node 1 should exist")
-				require.NotNil(t, node26, "node 26 should exist")
-				require.NotNil(t, node31, "node 31 should exist")
-				require.NotNil(t, node32, "node 32 should exist")
-
-				// Validate node data using cmp.Diff
-				expectedNodes := map[uint64]struct {
-					Hostname  string
-					GivenName string
-					IPv4      string
-				}{
-					1:  {Hostname: "test_hostname", GivenName: "test_given_name", IPv4: "100.64.0.1"},
-					26: {Hostname: "test_hostname", GivenName: "test_given_name", IPv4: "100.64.0.19"},
-					31: {Hostname: "test_hostname", GivenName: "test_given_name", IPv4: "100.64.0.7"},
-					32: {Hostname: "test_hostname", GivenName: "test_given_name", IPv4: "100.64.0.11"},
-				}
-
-				for nodeID, expected := range expectedNodes {
-					node := nodesByID[nodeID]
-					require.NotNil(t, node, "node %d should exist", nodeID)
-
-					actual := struct {
-						Hostname  string
-						GivenName string
-						IPv4      string
-					}{
-						Hostname:  node.Hostname,
-						GivenName: node.GivenName,
-						IPv4:      node.IPv4.String(),
-					}
-
-					if diff := cmp.Diff(expected, actual); diff != "" {
-						t.Errorf("TestSQLiteMigrationAndDataValidation() node %d mismatch (-want +got):\n%s", nodeID, diff)
-					}
-				}
-
-				// Validate that routes were properly migrated from routes table to approved_routes
-				// Based on the dump file routes data:
-				// Node 1 (machine_id 1): routes 1,2,3 (0.0.0.0/0 enabled, ::/0 enabled, 10.9.110.0/24 enabled+primary)
-				// Node 26 (machine_id 26): route 6 (172.100.100.0/24 enabled+primary), route 7 (172.100.100.0/24 disabled)
-				// Node 31 (machine_id 31): routes 8,10 (0.0.0.0/0 enabled, ::/0 enabled), routes 9,11 (duplicates disabled)
-				// Node 32 (machine_id 32): route 12 (192.168.0.24/32 enabled+primary)
-				want := [][]netip.Prefix{
-					{ipp("0.0.0.0/0"), ipp("10.9.110.0/24"), ipp("::/0")}, // node 1: 3 enabled routes
-					{ipp("172.100.100.0/24")},                             // node 26: 1 enabled route
-					{ipp("0.0.0.0/0"), ipp("::/0")},                       // node 31: 2 enabled routes
-					{ipp("192.168.0.24/32")},                              // node 32: 1 enabled route
-				}
-				var got [][]netip.Prefix
-				for _, node := range nodes {
-					got = append(got, node.ApprovedRoutes)
-				}
-
-				if diff := cmp.Diff(want, got, util.PrefixComparer); diff != "" {
-					t.Errorf("TestSQLiteMigrationAndDataValidation() route migration mismatch (-want +got):\n%s", diff)
-				}
-
-				// Verify routes table was dropped after migration
-				var routesTableExists bool
-				err = hsdb.DB.Raw("SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='routes'").Row().Scan(&routesTableExists)
-				require.NoError(t, err)
-				assert.False(t, routesTableExists, "routes table should have been dropped after migration")
-			},
-		},
-		{
-			dbPath: "testdata/sqlite/0-22-3-to-0-23-0-routes-fail-foreign-key-2076_dump.sql",
-			wantFunc: func(t *testing.T, hsdb *HSDatabase) {
-				t.Helper()
-				// Comprehensive data preservation validation for foreign key constraint issue case
-				// Expected data from dump: 4 users, 2 pre_auth_keys, 8 nodes
-
-				// Verify users data preservation
-				users, err := Read(hsdb.DB, func(rx *gorm.DB) ([]types.User, error) {
-					return ListUsers(rx)
-				})
-				require.NoError(t, err)
-				assert.Len(t, users, 4, "should preserve all 4 users from original schema")
-
-				// Verify pre_auth_keys data preservation
-				preAuthKeys, err := Read(hsdb.DB, func(rx *gorm.DB) ([]types.PreAuthKey, error) {
-					var keys []types.PreAuthKey
-					err := rx.Find(&keys).Error
-					return keys, err
-				})
-				require.NoError(t, err)
-				assert.Len(t, preAuthKeys, 2, "should preserve all 2 pre_auth_keys from original schema")
-
-				// Verify all nodes data preservation
-				allNodes, err := Read(hsdb.DB, func(rx *gorm.DB) (types.Nodes, error) {
-					return ListNodes(rx)
-				})
-				require.NoError(t, err)
-				assert.Len(t, allNodes, 8, "should preserve all 8 nodes from original schema")
-
-				// Verify specific node route migration
-				node, err := Read(hsdb.DB, func(rx *gorm.DB) (*types.Node, error) {
-					return GetNodeByID(rx, 13)
-				})
-				require.NoError(t, err)
-
-				assert.Len(t, node.ApprovedRoutes, 3)
-				_ = types.Routes{
-					// These routes exists, but have no nodes associated with them
-					// when the migration starts.
-					// r(1, "0.0.0.0/0", true, false),
-					// r(1, "::/0", true, false),
-					// r(3, "0.0.0.0/0", true, false),
-					// r(3, "::/0", true, false),
-					// r(5, "0.0.0.0/0", true, false),
-					// r(5, "::/0", true, false),
-					// r(6, "0.0.0.0/0", true, false),
-					// r(6, "::/0", true, false),
-					// r(6, "10.0.0.0/8", true, false, false),
-					// r(7, "0.0.0.0/0", true, false),
-					// r(7, "::/0", true, false),
-					// r(7, "10.0.0.0/8", true, false, false),
-					// r(9, "0.0.0.0/0", true, false),
-					// r(9, "::/0", true, false),
-					// r(9, "10.0.0.0/8", true, false),
-					// r(11, "0.0.0.0/0", true, false),
-					// r(11, "::/0", true, false),
-					// r(11, "10.0.0.0/8", true, true),
-					// r(12, "0.0.0.0/0", true, false),
-					// r(12, "::/0", true, false),
-					// r(12, "10.0.0.0/8", true, false, false),
-					//
-					// These nodes exists, so routes should be kept.
-					r(13, "10.0.0.0/8", true, false, false),
-					r(13, "0.0.0.0/0", true, true, false),
-					r(13, "::/0", true, true, false),
-					r(13, "10.18.80.2/32", true, true, true),
-				}
-				want := []netip.Prefix{ipp("0.0.0.0/0"), ipp("10.18.80.2/32"), ipp("::/0")}
-				if diff := cmp.Diff(want, node.ApprovedRoutes, util.PrefixComparer); diff != "" {
-					t.Errorf("TestSQLiteMigrationAndDataValidation() route migration mismatch (-want +got):\n%s", diff)
-				}
-
-				// Verify routes table was dropped after migration
-				var routesTableExists bool
-				err = hsdb.DB.Raw("SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='routes'").Row().Scan(&routesTableExists)
-				require.NoError(t, err)
-				assert.False(t, routesTableExists, "routes table should have been dropped after migration")
-			},
-		},
 		// at 14:15:06 ❯ go run ./cmd/headscale preauthkeys list
 		// ID | Key      | Reusable | Ephemeral | Used  | Expiration | Created    | Tags
 		// 1  | 09b28f.. | false    | false     | false | 2024-09-27 | 2024-09-27 | tag:derp
 		// 2  | 3112b9.. | false    | false     | false | 2024-09-27 | 2024-09-27 | tag:derp
-		// 3  | 7c23b9.. | false    | false     | false | 2024-09-27 | 2024-09-27 | tag:derp,tag:merp
-		// 4  | f20155.. | false    | false     | false | 2024-09-27 | 2024-09-27 | tag:test
-		// 5  | b212b9.. | false    | false     | false | 2024-09-27 | 2024-09-27 | tag:test,tag:woop,tag:dedu
-		{
-			dbPath: "testdata/sqlite/0-23-0-to-0-24-0-preauthkey-tags-table_dump.sql",
-			wantFunc: func(t *testing.T, hsdb *HSDatabase) {
-				t.Helper()
-				// Comprehensive data preservation validation for pre-auth key tags migration
-				// Expected data from dump: 2 users (kratest, testkra), 5 pre_auth_keys with specific tags
-
-				// Verify users data preservation with specific user data
-				users, err := Read(hsdb.DB, func(rx *gorm.DB) ([]types.User, error) {
-					return ListUsers(rx)
-				})
-				require.NoError(t, err)
-				assert.Len(t, users, 2, "should preserve all 2 users from original schema")
-
-				// Validate specific user data from dump file using cmp.Diff
-				expectedUsers := []types.User{
-					{Model: gorm.Model{ID: 1}, Name: "kratest"},
-					{Model: gorm.Model{ID: 2}, Name: "testkra"},
-				}
-
-				if diff := cmp.Diff(expectedUsers, users,
-					cmpopts.IgnoreFields(types.User{}, "CreatedAt", "UpdatedAt", "DeletedAt", "DisplayName", "Email", "ProviderIdentifier", "Provider", "ProfilePicURL")); diff != "" {
-					t.Errorf("TestSQLiteMigrationAndDataValidation() users mismatch (-want +got):\n%s", diff)
-				}
-
-				// Create maps for easier access in later validations
-				usersByName := make(map[string]*types.User)
-				for i := range users {
-					usersByName[users[i].Name] = &users[i]
-				}
-				kratest := usersByName["kratest"]
-				testkra := usersByName["testkra"]
-
-				// Verify all pre_auth_keys data preservation
-				allKeys, err := Read(hsdb.DB, func(rx *gorm.DB) ([]types.PreAuthKey, error) {
-					var keys []types.PreAuthKey
-					err := rx.Find(&keys).Error
-					return keys, err
-				})
-				require.NoError(t, err)
-				assert.Len(t, allKeys, 5, "should preserve all 5 pre_auth_keys from original schema")
-
-				// Verify specific pre-auth keys and their tag migration with exact data validation
-				keys, err := Read(hsdb.DB, func(rx *gorm.DB) ([]types.PreAuthKey, error) {
-					kratest, err := ListPreAuthKeysByUser(rx, 1) // kratest
-					if err != nil {
-						return nil, err
-					}
-
-					testkra, err := ListPreAuthKeysByUser(rx, 2) // testkra
-					if err != nil {
-						return nil, err
-					}
-
-					return append(kratest, testkra...), nil
-				})
-				require.NoError(t, err)
-				assert.Len(t, keys, 5)
-
-				// Create map for easier validation by ID
-				keysByID := make(map[uint64]*types.PreAuthKey)
-				for i := range keys {
-					keysByID[keys[i].ID] = &keys[i]
-				}
-
-				// Validate specific pre-auth key data and tag migration from pre_auth_key_acl_tags table
-				key1 := keysByID[1]
-				key2 := keysByID[2]
-				key3 := keysByID[3]
-				key4 := keysByID[4]
-				key5 := keysByID[5]
-
-				require.NotNil(t, key1, "pre_auth_key 1 should exist")
-				require.NotNil(t, key2, "pre_auth_key 2 should exist")
-				require.NotNil(t, key3, "pre_auth_key 3 should exist")
-				require.NotNil(t, key4, "pre_auth_key 4 should exist")
-				require.NotNil(t, key5, "pre_auth_key 5 should exist")
-
-				// Validate specific pre-auth key data and tag migration using cmp.Diff
-				expectedKeys := []types.PreAuthKey{
-					{
-						ID:     1,
-						Key:    "09b28f8c3351984874d46dace0a70177a8721933a950b663",
-						UserID: kratest.ID,
-						Tags:   []string{"tag:derp"},
-					},
-					{
-						ID:     2,
-						Key:    "3112b953cb344191b2d5aec1b891250125bf7b437eac5d26",
-						UserID: kratest.ID,
-						Tags:   []string{"tag:derp"},
-					},
-					{
-						ID:     3,
-						Key:    "7c23b9f215961e7609527aef78bf82fb19064b002d78c36f",
-						UserID: kratest.ID,
-						Tags:   []string{"tag:derp", "tag:merp"},
-					},
-					{
-						ID:     4,
-						Key:    "f2015583852b725220cc4b107fb288a4cf7ac259bd458a32",
-						UserID: testkra.ID,
-						Tags:   []string{"tag:test"},
-					},
-					{
-						ID:     5,
-						Key:    "b212b990165e897944dd3772786544402729fb349da50f57",
-						UserID: testkra.ID,
-						Tags:   []string{"tag:test", "tag:woop", "tag:dedu"},
-					},
-				}
-
-				if diff := cmp.Diff(expectedKeys, keys, cmp.Comparer(func(a, b []string) bool {
-					slices.Sort(a)
-					slices.Sort(b)
-					return slices.Equal(a, b)
-				}), cmpopts.IgnoreFields(types.PreAuthKey{}, "User", "CreatedAt", "Reusable", "Ephemeral", "Used", "Expiration")); diff != "" {
-					t.Errorf("TestSQLiteMigrationAndDataValidation() pre-auth key tags migration mismatch (-want +got):\n%s", diff)
-				}
-
-				// Verify pre_auth_key_acl_tags table was dropped after migration
-				if hsdb.DB.Migrator().HasTable("pre_auth_key_acl_tags") {
-					t.Errorf("TestSQLiteMigrationAndDataValidation() table pre_auth_key_acl_tags should not exist after migration")
-				}
-			},
-		},
-		{
-			dbPath: "testdata/sqlite/0-23-0-to-0-24-0-no-more-special-types_dump.sql",
-			wantFunc: func(t *testing.T, hsdb *HSDatabase) {
-				t.Helper()
-				// Comprehensive data preservation validation for special types removal migration
-				// Expected data from dump: 2 users, 2 pre_auth_keys, 12 nodes
-
-				// Verify users data preservation
-				users, err := Read(hsdb.DB, func(rx *gorm.DB) ([]types.User, error) {
-					return ListUsers(rx)
-				})
-				require.NoError(t, err)
-				assert.Len(t, users, 2, "should preserve all 2 users from original schema")
-
-				// Verify pre_auth_keys data preservation
-				preAuthKeys, err := Read(hsdb.DB, func(rx *gorm.DB) ([]types.PreAuthKey, error) {
-					var keys []types.PreAuthKey
-					err := rx.Find(&keys).Error
-					return keys, err
-				})
-				require.NoError(t, err)
-				assert.Len(t, preAuthKeys, 2, "should preserve all 2 pre_auth_keys from original schema")
-
-				// Verify nodes data preservation and field validation
-				nodes, err := Read(hsdb.DB, func(rx *gorm.DB) (types.Nodes, error) {
-					return ListNodes(rx)
-				})
-				require.NoError(t, err)
-				assert.Len(t, nodes, 12, "should preserve all 12 nodes from original schema")
-
-				for _, node := range nodes {
-					assert.Falsef(t, node.MachineKey.IsZero(), "expected non zero machinekey")
-					assert.Contains(t, node.MachineKey.String(), "mkey:")
-					assert.Falsef(t, node.NodeKey.IsZero(), "expected non zero nodekey")
-					assert.Contains(t, node.NodeKey.String(), "nodekey:")
-					assert.Falsef(t, node.DiscoKey.IsZero(), "expected non zero discokey")
-					assert.Contains(t, node.DiscoKey.String(), "discokey:")
-					assert.NotNil(t, node.IPv4)
-					assert.NotNil(t, node.IPv6)
-					assert.Len(t, node.Endpoints, 1)
-					assert.NotNil(t, node.Hostinfo)
-					assert.NotNil(t, node.MachineKey)
-				}
-			},
-		},
 		{
 			dbPath: "testdata/sqlite/failing-node-preauth-constraint_dump.sql",
 			wantFunc: func(t *testing.T, hsdb *HSDatabase) {
@@ -458,253 +67,6 @@ func TestSQLiteMigrationAndDataValidation(t *testing.T) {
 				}
 			},
 		},
-		{
-			dbPath: "testdata/sqlite/wrongly-migrated-schema-0.25.1_dump.sql",
-			wantFunc: func(t *testing.T, hsdb *HSDatabase) {
-				t.Helper()
-				// Test migration of a database that was wrongly migrated in 0.25.1
-				// This database has several issues:
-				// 1. Missing proper user unique constraints (idx_provider_identifier, idx_name_provider_identifier, idx_name_no_provider_identifier)
-				// 2. Still has routes table that should have been migrated to node.approved_routes
-				// 3. Wrong FOREIGN KEY constraint on pre_auth_keys (CASCADE instead of SET NULL)
-				// 4. Missing some required indexes
-
-				// Verify users table data is preserved with specific user data
-				users, err := Read(hsdb.DB, func(rx *gorm.DB) ([]types.User, error) {
-					return ListUsers(rx)
-				})
-				require.NoError(t, err)
-				assert.Len(t, users, 2, "should preserve existing users")
-
-				// Validate specific user data from dump file using cmp.Diff
-				expectedUsers := []types.User{
-					{Model: gorm.Model{ID: 1}, Name: "user2"},
-					{Model: gorm.Model{ID: 2}, Name: "user1"},
-				}
-
-				if diff := cmp.Diff(expectedUsers, users,
-					cmpopts.IgnoreFields(types.User{}, "CreatedAt", "UpdatedAt", "DeletedAt", "DisplayName", "Email", "ProviderIdentifier", "Provider", "ProfilePicURL")); diff != "" {
-					t.Errorf("TestSQLiteMigrationAndDataValidation() users mismatch (-want +got):\n%s", diff)
-				}
-
-				// Create maps for easier access in later validations
-				usersByName := make(map[string]*types.User)
-				for i := range users {
-					usersByName[users[i].Name] = &users[i]
-				}
-				user1 := usersByName["user1"]
-				user2 := usersByName["user2"]
-
-				// Verify nodes table data is preserved and routes migrated to approved_routes
-				nodes, err := Read(hsdb.DB, func(rx *gorm.DB) (types.Nodes, error) {
-					return ListNodes(rx)
-				})
-				require.NoError(t, err)
-				assert.Len(t, nodes, 3, "should preserve existing nodes")
-
-				// Validate specific node data from dump file
-				nodesByID := make(map[uint64]*types.Node)
-				for i := range nodes {
-					nodesByID[nodes[i].ID.Uint64()] = nodes[i]
-				}
-
-				node1 := nodesByID[1]
-				node2 := nodesByID[2]
-				node3 := nodesByID[3]
-				require.NotNil(t, node1, "node 1 should exist")
-				require.NotNil(t, node2, "node 2 should exist")
-				require.NotNil(t, node3, "node 3 should exist")
-
-				// Validate specific node field data using cmp.Diff
-				expectedNodes := map[uint64]struct {
-					Hostname  string
-					GivenName string
-					IPv4      string
-					IPv6      string
-					UserID    uint
-				}{
-					1: {Hostname: "node1", GivenName: "node1", IPv4: "100.64.0.1", IPv6: "fd7a:115c:a1e0::1", UserID: user2.ID},
-					2: {Hostname: "node2", GivenName: "node2", IPv4: "100.64.0.2", IPv6: "fd7a:115c:a1e0::2", UserID: user2.ID},
-					3: {Hostname: "node3", GivenName: "node3", IPv4: "100.64.0.3", IPv6: "fd7a:115c:a1e0::3", UserID: user1.ID},
-				}
-
-				for nodeID, expected := range expectedNodes {
-					node := nodesByID[nodeID]
-					require.NotNil(t, node, "node %d should exist", nodeID)
-
-					actual := struct {
-						Hostname  string
-						GivenName string
-						IPv4      string
-						IPv6      string
-						UserID    uint
-					}{
-						Hostname:  node.Hostname,
-						GivenName: node.GivenName,
-						IPv4:      node.IPv4.String(),
-						IPv6: func() string {
-							if node.IPv6 != nil {
-								return node.IPv6.String()
-							} else {
-								return ""
-							}
-						}(),
-						UserID: node.UserID,
-					}
-
-					if diff := cmp.Diff(expected, actual); diff != "" {
-						t.Errorf("TestSQLiteMigrationAndDataValidation() node %d basic fields mismatch (-want +got):\n%s", nodeID, diff)
-					}
-
-					// Special validation for MachineKey content for node 1 only
-					if nodeID == 1 {
-						assert.Contains(t, node.MachineKey.String(), "mkey:1efe4388236c1c83fe0a19d3ce7c321ab81e138a4da57917c231ce4c01944409")
-					}
-				}
-
-				// Check that routes were migrated from routes table to node.approved_routes using cmp.Diff
-				// Original routes table had 4 routes for nodes 1, 2, 3:
-				// Node 1: 0.0.0.0/0 (enabled), ::/0 (enabled) -> should have 2 approved routes
-				// Node 2: 192.168.100.0/24 (enabled) -> should have 1 approved route
-				// Node 3: 10.0.0.0/8 (disabled) -> should have 0 approved routes
-				expectedRoutes := map[uint64][]netip.Prefix{
-					1: {netip.MustParsePrefix("0.0.0.0/0"), netip.MustParsePrefix("::/0")},
-					2: {netip.MustParsePrefix("192.168.100.0/24")},
-					3: nil,
-				}
-
-				actualRoutes := map[uint64][]netip.Prefix{
-					1: node1.ApprovedRoutes,
-					2: node2.ApprovedRoutes,
-					3: node3.ApprovedRoutes,
-				}
-
-				if diff := cmp.Diff(expectedRoutes, actualRoutes, util.PrefixComparer); diff != "" {
-					t.Errorf("TestSQLiteMigrationAndDataValidation() routes migration mismatch (-want +got):\n%s", diff)
-				}
-
-				// Verify pre_auth_keys data is preserved with specific key data
-				preAuthKeys, err := Read(hsdb.DB, func(rx *gorm.DB) ([]types.PreAuthKey, error) {
-					var keys []types.PreAuthKey
-					err := rx.Find(&keys).Error
-					return keys, err
-				})
-				require.NoError(t, err)
-				assert.Len(t, preAuthKeys, 2, "should preserve existing pre_auth_keys")
-
-				// Validate specific pre_auth_key data from dump file using cmp.Diff
-				expectedKeys := []types.PreAuthKey{
-					{
-						ID:       1,
-						Key:      "3d133ec953e31fd41edbd935371234f762b4bae300cea618",
-						UserID:   user2.ID,
-						Reusable: true,
-						Used:     true,
-					},
-					{
-						ID:       2,
-						Key:      "9813cc1df1832259fb6322dad788bb9bec89d8a01eef683a",
-						UserID:   user1.ID,
-						Reusable: true,
-						Used:     true,
-					},
-				}
-
-				if diff := cmp.Diff(expectedKeys, preAuthKeys,
-					cmpopts.IgnoreFields(types.PreAuthKey{}, "User", "CreatedAt", "Expiration", "Ephemeral", "Tags")); diff != "" {
-					t.Errorf("TestSQLiteMigrationAndDataValidation() pre_auth_keys mismatch (-want +got):\n%s", diff)
-				}
-
-				// Verify api_keys data is preserved with specific key data
-				var apiKeys []struct {
-					ID         uint64
-					Prefix     string
-					Hash       []byte
-					CreatedAt  string
-					Expiration string
-					LastSeen   string
-				}
-				err = hsdb.DB.Raw("SELECT id, prefix, hash, created_at, expiration, last_seen FROM api_keys").Scan(&apiKeys).Error
-				require.NoError(t, err)
-				assert.Len(t, apiKeys, 1, "should preserve existing api_keys")
-
-				// Validate specific api_key data from dump file using cmp.Diff
-				expectedAPIKey := struct {
-					ID     uint64
-					Prefix string
-					Hash   []byte
-				}{
-					ID:     1,
-					Prefix: "ak_test",
-					Hash:   []byte{0xde, 0xad, 0xbe, 0xef},
-				}
-
-				actualAPIKey := struct {
-					ID     uint64
-					Prefix string
-					Hash   []byte
-				}{
-					ID:     apiKeys[0].ID,
-					Prefix: apiKeys[0].Prefix,
-					Hash:   apiKeys[0].Hash,
-				}
-
-				if diff := cmp.Diff(expectedAPIKey, actualAPIKey); diff != "" {
-					t.Errorf("TestSQLiteMigrationAndDataValidation() api_key mismatch (-want +got):\n%s", diff)
-				}
-
-				// Validate date fields separately since they need Contains check
-				assert.Contains(t, apiKeys[0].CreatedAt, "2025-12-31", "created_at should be preserved")
-				assert.Contains(t, apiKeys[0].Expiration, "2025-06-18", "expiration should be preserved")
-
-				// Verify that routes table no longer exists (should have been dropped)
-				var routesTableExists bool
-				err = hsdb.DB.Raw("SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='routes'").Row().Scan(&routesTableExists)
-				require.NoError(t, err)
-				assert.False(t, routesTableExists, "routes table should have been dropped")
-
-				// Verify all required indexes exist with correct structure using cmp.Diff
-				expectedIndexes := []string{
-					"idx_users_deleted_at",
-					"idx_provider_identifier",
-					"idx_name_provider_identifier",
-					"idx_name_no_provider_identifier",
-					"idx_api_keys_prefix",
-					"idx_policies_deleted_at",
-				}
-
-				expectedIndexMap := make(map[string]bool)
-				for _, index := range expectedIndexes {
-					expectedIndexMap[index] = true
-				}
-
-				actualIndexMap := make(map[string]bool)
-				for _, indexName := range expectedIndexes {
-					var indexExists bool
-					err = hsdb.DB.Raw("SELECT COUNT(*) FROM sqlite_master WHERE type='index' AND name=?", indexName).Row().Scan(&indexExists)
-					require.NoError(t, err)
-					actualIndexMap[indexName] = indexExists
-				}
-
-				if diff := cmp.Diff(expectedIndexMap, actualIndexMap); diff != "" {
-					t.Errorf("TestSQLiteMigrationAndDataValidation() indexes existence mismatch (-want +got):\n%s", diff)
-				}
-
-				// Verify proper foreign key constraints are set
-				// Check that pre_auth_keys has correct FK constraint (SET NULL, not CASCADE)
-				var preAuthKeyConstraint string
-				err = hsdb.DB.Raw("SELECT sql FROM sqlite_master WHERE type='table' AND name='pre_auth_keys'").Row().Scan(&preAuthKeyConstraint)
-				require.NoError(t, err)
-				assert.Contains(t, preAuthKeyConstraint, "ON DELETE SET NULL", "pre_auth_keys should have SET NULL constraint")
-				assert.NotContains(t, preAuthKeyConstraint, "ON DELETE CASCADE", "pre_auth_keys should not have CASCADE constraint")
-
-				// Verify that user unique constraints work properly
-				// Try to create duplicate local user (should fail)
-				err = hsdb.DB.Create(&types.User{Name: users[0].Name}).Error
-				require.Error(t, err, "should not allow duplicate local usernames")
-				assert.Contains(t, err.Error(), "UNIQUE constraint", "should fail with unique constraint error")
-			},
-		},
 	}

 	for _, tt := range tests {
@@ -869,25 +231,7 @@ func TestPostgresMigrationAndDataValidation(t *testing.T) {
 		name     string
 		dbPath   string
 		wantFunc func(*testing.T, *HSDatabase)
-	}{
-		{
-			name:   "user-idx-breaking",
-			dbPath: "testdata/postgres/pre-24-postgresdb.pssql.dump",
-			wantFunc: func(t *testing.T, hsdb *HSDatabase) {
-				t.Helper()
-				users, err := Read(hsdb.DB, func(rx *gorm.DB) ([]types.User, error) {
-					return ListUsers(rx)
-				})
-				require.NoError(t, err)
-
-				for _, user := range users {
-					assert.NotEmpty(t, user.Name)
-					assert.Empty(t, user.ProfilePicURL)
-					assert.Empty(t, user.Email)
-				}
-			},
-		},
-	}
+	}{}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -970,11 +314,10 @@ func dbForTestWithPath(t *testing.T, sqlFilePath string) *HSDatabase {
 // in the testdata directory. It verifies they can be successfully migrated to the current
 // schema version. This test only validates migration success, not data integrity.
 //
-// A lot of the schemas have been automatically generated with old Headscale binaries on empty databases
-// (no user/node data):
-// - `headscale_<VERSION>_schema.sql` (created with `sqlite3 headscale.db .schema`)
-// - `headscale_<VERSION>_dump.sql` (created with `sqlite3 headscale.db .dump`)
-// where `_dump.sql` contains the migration steps that have been applied to the database.
+// All test database files are SQL dumps (created with `sqlite3 headscale.db .dump`) generated
+// with old Headscale binaries on empty databases (no user/node data). These dumps include the
+// migration history in the `migrations` table, which allows the migration system to correctly
+// skip already-applied migrations and only run new ones.
 func TestSQLiteAllTestdataMigrations(t *testing.T) {
 	t.Parallel()
 	schemas, err := os.ReadDir("testdata/sqlite")
--- a/hscontrol/db/ephemeral_garbage_collector_test.go
+++ b/hscontrol/db/ephemeral_garbage_collector_test.go
@@ -1,9 +1,9 @@
 package db

 import (
-	"math/rand"
 	"runtime"
 	"sync"
+	"sync/atomic"
 	"testing"
 	"time"

@@ -68,31 +68,18 @@ func TestEphemeralGarbageCollectorGoRoutineLeak(t *testing.T) {
 		gc.Cancel(nodeID)
 	}

-	// Create a channel to signal when we're done with cleanup checks
-	cleanupDone := make(chan struct{})
+	// Close GC
+	gc.Close()

-	// Close GC and check for leaks in a separate goroutine
-	go func() {
-		// Close GC
-		gc.Close()
-
-		// Give any potential leaked goroutines a chance to exit
-		// Still need a small sleep here as we're checking for absence of goroutines
-		time.Sleep(oneHundred)
-
-		// Check for leaked goroutines
+	// Wait for goroutines to clean up and verify no leaks
+	assert.EventuallyWithT(t, func(c *assert.CollectT) {
 		finalGoroutines := runtime.NumGoroutine()
-		t.Logf("Final number of goroutines: %d", finalGoroutines)
-
 		// NB: We have to allow for a small number of extra goroutines because of test itself
-		assert.LessOrEqual(t, finalGoroutines, initialGoroutines+5,
+		assert.LessOrEqual(c, finalGoroutines, initialGoroutines+5,
 			"There are significantly more goroutines after GC usage, which suggests a leak")
+	}, time.Second, 10*time.Millisecond, "goroutines should clean up after GC close")

-		close(cleanupDone)
-	}()
-
-	// Wait for cleanup to complete
-	<-cleanupDone
+	t.Logf("Final number of goroutines: %d", runtime.NumGoroutine())
 }

 // TestEphemeralGarbageCollectorReschedule is a test for the rescheduling of nodes in EphemeralGarbageCollector().
@@ -103,10 +90,14 @@ func TestEphemeralGarbageCollectorReschedule(t *testing.T) {
 	var deletedIDs []types.NodeID
 	var deleteMutex sync.Mutex

+	deletionNotifier := make(chan types.NodeID, 1)
+
 	deleteFunc := func(nodeID types.NodeID) {
 		deleteMutex.Lock()
 		deletedIDs = append(deletedIDs, nodeID)
 		deleteMutex.Unlock()
+
+		deletionNotifier <- nodeID
 	}

 	// Start GC
@@ -125,10 +116,15 @@ func TestEphemeralGarbageCollectorReschedule(t *testing.T) {
 	// Reschedule the same node with a shorter expiry
 	gc.Schedule(nodeID, shortExpiry)

-	// Wait for deletion
-	time.Sleep(shortExpiry * 2)
+	// Wait for deletion notification with timeout
+	select {
+	case deletedNodeID := <-deletionNotifier:
+		assert.Equal(t, nodeID, deletedNodeID, "The correct node should be deleted")
+	case <-time.After(time.Second):
+		t.Fatal("Timed out waiting for node deletion")
+	}

-	// Verify that the node was deleted once
+	// Verify that the node was deleted exactly once
 	deleteMutex.Lock()
 	assert.Len(t, deletedIDs, 1, "Node should be deleted exactly once")
 	assert.Equal(t, nodeID, deletedIDs[0], "The correct node should be deleted")
@@ -203,18 +199,24 @@ func TestEphemeralGarbageCollectorCloseBeforeTimerFires(t *testing.T) {
 	var deletedIDs []types.NodeID
 	var deleteMutex sync.Mutex

+	deletionNotifier := make(chan types.NodeID, 1)
+
 	deleteFunc := func(nodeID types.NodeID) {
 		deleteMutex.Lock()
 		deletedIDs = append(deletedIDs, nodeID)
 		deleteMutex.Unlock()
+
+		deletionNotifier <- nodeID
 	}

 	// Start the GC
 	gc := NewEphemeralGarbageCollector(deleteFunc)
 	go gc.Start()

-	const longExpiry = 1 * time.Hour
-	const shortExpiry = fifty
+	const (
+		longExpiry = 1 * time.Hour
+		shortWait  = fifty * 2
+	)

 	// Schedule node deletion with a long expiry
 	gc.Schedule(types.NodeID(1), longExpiry)
@@ -222,8 +224,13 @@ func TestEphemeralGarbageCollectorCloseBeforeTimerFires(t *testing.T) {
 	// Close the GC before the timer
 	gc.Close()

-	// Wait a short time
-	time.Sleep(shortExpiry * 2)
+	// Verify that no deletion occurred within a reasonable time
+	select {
+	case <-deletionNotifier:
+		t.Fatal("Node was deleted after GC was closed, which should not happen")
+	case <-time.After(shortWait):
+		// Expected: no deletion should occur
+	}

 	// Verify that no deletion occurred
 	deleteMutex.Lock()
@@ -265,29 +272,17 @@ func TestEphemeralGarbageCollectorScheduleAfterClose(t *testing.T) {
 	// Close GC right away
 	gc.Close()

-	// Use a channel to signal when we should check for goroutine count
-	gcClosedCheck := make(chan struct{})
-	go func() {
-		// Give the GC time to fully close and clean up resources
-		// This is still time-based but only affects when we check the goroutine count,
-		// not the actual test logic
-		time.Sleep(oneHundred)
-		close(gcClosedCheck)
-	}()
-
 	// Now try to schedule node for deletion with a very short expiry
 	// If the Schedule operation incorrectly creates a timer, it would fire quickly
 	nodeID := types.NodeID(1)
 	gc.Schedule(nodeID, 1*time.Millisecond)

-	// Set up a timeout channel for our test
-	timeout := time.After(fiveHundred)
-
 	// Check if any node was deleted (which shouldn't happen)
+	// Use timeout to wait for potential deletion
 	select {
 	case <-nodeDeleted:
 		t.Fatal("Node was deleted after GC was closed, which should not happen")
-	case <-timeout:
+	case <-time.After(fiveHundred):
 		// This is the expected path - no deletion should occur
 	}

@@ -298,13 +293,14 @@ func TestEphemeralGarbageCollectorScheduleAfterClose(t *testing.T) {
 	assert.Equal(t, 0, nodesDeleted, "No nodes should be deleted when Schedule is called after Close")

 	// Check for goroutine leaks after GC is fully closed
-	<-gcClosedCheck
-	finalGoroutines := runtime.NumGoroutine()
-	t.Logf("Final number of goroutines: %d", finalGoroutines)
+	assert.EventuallyWithT(t, func(c *assert.CollectT) {
+		finalGoroutines := runtime.NumGoroutine()
+		// Allow for small fluctuations in goroutine count for testing routines etc
+		assert.LessOrEqual(c, finalGoroutines, initialGoroutines+2,
+			"There should be no significant goroutine leaks when Schedule is called after Close")
+	}, time.Second, 10*time.Millisecond, "goroutines should clean up after GC close")

-	// Allow for small fluctuations in goroutine count for testing routines etc
-	assert.LessOrEqual(t, finalGoroutines, initialGoroutines+2,
-		"There should be no significant goroutine leaks when Schedule is called after Close")
+	t.Logf("Final number of goroutines: %d", runtime.NumGoroutine())
 }

 // TestEphemeralGarbageCollectorConcurrentScheduleAndClose tests the behavior of the garbage collector
@@ -331,7 +327,8 @@ func TestEphemeralGarbageCollectorConcurrentScheduleAndClose(t *testing.T) {
 	// Number of concurrent scheduling goroutines
 	const numSchedulers = 10
 	const nodesPerScheduler = 50
-	const schedulingDuration = fiveHundred
+
+	const closeAfterNodes = 25 // Close GC after this many nodes per scheduler

 	// Use WaitGroup to wait for all scheduling goroutines to finish
 	var wg sync.WaitGroup
@@ -340,6 +337,9 @@ func TestEphemeralGarbageCollectorConcurrentScheduleAndClose(t *testing.T) {
 	// Create a stopper channel to signal scheduling goroutines to stop
 	stopScheduling := make(chan struct{})

+	// Track how many nodes have been scheduled
+	var scheduledCount int64
+
 	// Launch goroutines that continuously schedule nodes
 	for schedulerIndex := range numSchedulers {
 		go func(schedulerID int) {
@@ -355,18 +355,23 @@ func TestEphemeralGarbageCollectorConcurrentScheduleAndClose(t *testing.T) {
 				default:
 					nodeID := types.NodeID(baseNodeID + j + 1)
 					gc.Schedule(nodeID, 1*time.Hour) // Long expiry to ensure it doesn't trigger during test
+					atomic.AddInt64(&scheduledCount, 1)

-					// Random (short) sleep to introduce randomness/variability
-					time.Sleep(time.Duration(rand.Intn(5)) * time.Millisecond)
+					// Yield to other goroutines to introduce variability
+					runtime.Gosched()
 				}
 			}
 		}(schedulerIndex)
 	}

-	// After a short delay, close the garbage collector while schedulers are still running
+	// Close the garbage collector after some nodes have been scheduled
 	go func() {
 		defer wg.Done()
-		time.Sleep(schedulingDuration / 2)
+
+		// Wait until enough nodes have been scheduled
+		for atomic.LoadInt64(&scheduledCount) < int64(numSchedulers*closeAfterNodes) {
+			runtime.Gosched()
+		}

 		// Close GC
 		gc.Close()
@@ -378,14 +383,13 @@ func TestEphemeralGarbageCollectorConcurrentScheduleAndClose(t *testing.T) {
 	// Wait for all goroutines to complete
 	wg.Wait()

-	// Wait a bit longer to allow any leaked goroutines to do their work
-	time.Sleep(oneHundred)
+	// Check for leaks using EventuallyWithT
+	assert.EventuallyWithT(t, func(c *assert.CollectT) {
+		finalGoroutines := runtime.NumGoroutine()
+		// Allow for a reasonable small variable routine count due to testing
+		assert.LessOrEqual(c, finalGoroutines, initialGoroutines+5,
+			"There should be no significant goroutine leaks during concurrent Schedule and Close operations")
+	}, time.Second, 10*time.Millisecond, "goroutines should clean up")

-	// Check for leaks
-	finalGoroutines := runtime.NumGoroutine()
-	t.Logf("Final number of goroutines: %d", finalGoroutines)
-
-	// Allow for a reasonable small variable routine count due to testing
-	assert.LessOrEqual(t, finalGoroutines, initialGoroutines+5,
-		"There should be no significant goroutine leaks during concurrent Schedule and Close operations")
+	t.Logf("Final number of goroutines: %d", runtime.NumGoroutine())
 }
--- a/Show More
+++ b/Show More