remove readonly case for mapresponse, dont think it is used (#1556 )

Set online status in lite requests (#1555 )
add note about db backup to changelog (#1560 )
2026-02-17 05:07:40 +01:00 · 2023-09-25 14:27:24 -07:00 · 2023-09-25 14:27:14 -07:00 · 2023-09-25 14:27:03 -07:00 · 2023-09-25 09:33:31 -05:00 · 2023-09-24 14:34:53 -07:00
210 changed files with 17841 additions and 17267 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -33,7 +33,9 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v16
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run build
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,7 +16,8 @@ jobs:
        with:
          fetch-depth: 0

-      - uses: cachix/install-nix-action@v16
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main

      - name: Run goreleaser
        run: nix develop --command -- goreleaser release --clean
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,22 @@
+name: Close inactive issues
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  close-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v5
+        with:
+          days-before-issue-stale: 180
+          days-before-issue-close: 14
+          stale-issue-label: "stale"
+          stale-issue-message: "This issue is stale because it has been open for 180 days with no activity."
+          close-issue-message: "This issue was closed because it has been inactive for 14 days since being marked as stale."
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/test-integration-cli.yml
+++ b/.github/workflows/test-integration-cli.yml
@@ -1,35 +0,0 @@
-name: Integration Test CLI
-
-on: [pull_request]
-
-jobs:
-  integration-test-cli:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Set Swap Space
-        uses: pierotofy/set-swap-space@master
-        with:
-          swap-size-gb: 10
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run CLI integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: nix develop --command -- make test_integration_cli
--- a/.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestACLAllowStarDst:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestACLAllowStarDst
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestACLAllowUser80Dst:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestACLAllowUser80Dst
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestACLAllowUserDst:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestACLAllowUserDst
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml
+++ b/.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestACLDenyAllPort80:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestACLDenyAllPort80
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml
+++ b/.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestACLDevice1CanAccessDevice2:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestACLDevice1CanAccessDevice2
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml
+++ b/.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestACLHostsInNetMapTable:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestACLHostsInNetMapTable
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml
+++ b/.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestACLNamedHostsCanReach:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestACLNamedHostsCanReach
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml
+++ b/.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestACLNamedHostsCanReachBySubnet:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestACLNamedHostsCanReachBySubnet
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml
+++ b/.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml
@@ -1,7 +1,7 @@
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

-name: Integration Test v2 - TestSSUserOnlyIsolation
+name: Integration Test v2 - TestApiKeyCommand

 on: [pull_request]

@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestApiKeyCommand:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestApiKeyCommand
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,12 +45,12 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
                  -parallel 1 \
-                  -run "^TestSSUserOnlyIsolation$"
+                  -run "^TestApiKeyCommand$"

      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
--- a/.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestAuthKeyLogoutAndRelogin:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestAuthKeyLogoutAndRelogin
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestAuthWebFlowAuthenticationPingAll:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestAuthWebFlowAuthenticationPingAll
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestAuthWebFlowLogoutAndRelogin:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestAuthWebFlowLogoutAndRelogin
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestCreateTailscale.yaml
+++ b/.github/workflows/test-integration-v2-TestCreateTailscale.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestCreateTailscale:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestCreateTailscale
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestDERPServerScenario.yaml
+++ b/.github/workflows/test-integration-v2-TestDERPServerScenario.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestDERPServerScenario:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestDERPServerScenario
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestEnablingRoutes.yaml
+++ b/.github/workflows/test-integration-v2-TestEnablingRoutes.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestEnablingRoutes:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestEnablingRoutes
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestEphemeral.yaml
+++ b/.github/workflows/test-integration-v2-TestEphemeral.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestEphemeral:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestEphemeral
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestExpireNode.yaml
+++ b/.github/workflows/test-integration-v2-TestExpireNode.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestExpireNode:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestExpireNode
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestHeadscale.yaml
+++ b/.github/workflows/test-integration-v2-TestHeadscale.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestHeadscale:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestHeadscale
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml
@@ -1,7 +1,7 @@
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

-name: Integration Test v2 - TestSSHOneUserAllToAll
+name: Integration Test v2 - TestNodeCommand

 on: [pull_request]

@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestNodeCommand:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestNodeCommand
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,12 +45,12 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
                  -parallel 1 \
-                  -run "^TestSSHOneUserAllToAll$"
+                  -run "^TestNodeCommand$"

      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
--- a/.github/workflows/test-integration-v2-TestNodeExpireCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestNodeExpireCommand.yaml
@@ -0,0 +1,65 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestNodeExpireCommand
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  TestNodeExpireCommand:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run TestNodeExpireCommand
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestNodeExpireCommand$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestNodeMoveCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestNodeMoveCommand.yaml
@@ -0,0 +1,65 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestNodeMoveCommand
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  TestNodeMoveCommand:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run TestNodeMoveCommand
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestNodeMoveCommand$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestNodeRenameCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestNodeRenameCommand.yaml
@@ -0,0 +1,65 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestNodeRenameCommand
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  TestNodeRenameCommand:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run TestNodeRenameCommand
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestNodeRenameCommand$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestNodeTagCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestNodeTagCommand.yaml
@@ -0,0 +1,65 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestNodeTagCommand
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  TestNodeTagCommand:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run TestNodeTagCommand
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestNodeTagCommand$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestOIDCAuthenticationPingAll:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestOIDCAuthenticationPingAll
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestOIDCExpireNodesBasedOnTokenExpiry:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestOIDCExpireNodesBasedOnTokenExpiry
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestPingAllByHostname.yaml
+++ b/.github/workflows/test-integration-v2-TestPingAllByHostname.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestPingAllByHostname:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestPingAllByHostname
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestPingAllByIP.yaml
+++ b/.github/workflows/test-integration-v2-TestPingAllByIP.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestPingAllByIP:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestPingAllByIP
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestPreAuthKeyCommand:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestPreAuthKeyCommand
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestPreAuthKeyCommandReusableEphemeral:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestPreAuthKeyCommandReusableEphemeral
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestPreAuthKeyCommandWithoutExpiry:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestPreAuthKeyCommandWithoutExpiry
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml
+++ b/.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestResolveMagicDNS:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestResolveMagicDNS
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestSSHIsBlockedInACL:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestSSHIsBlockedInACL
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestSSHMultipleUsersAllToAll:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestSSHMultipleUsersAllToAll
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestSSHNoSSHConfigured:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestSSHNoSSHConfigured
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestSSHOneUserToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHOneUserToAll.yaml
@@ -0,0 +1,65 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestSSHOneUserToAll
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  TestSSHOneUserToAll:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run TestSSHOneUserToAll
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestSSHOneUserToAll$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHUserOnlyIsolation.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHUserOnlyIsolation.yaml
@@ -0,0 +1,65 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestSSHUserOnlyIsolation
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  TestSSHUserOnlyIsolation:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run TestSSHUserOnlyIsolation
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestSSHUserOnlyIsolation$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestTaildrop.yaml
+++ b/.github/workflows/test-integration-v2-TestTaildrop.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestTaildrop:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestTaildrop
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml
+++ b/.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestTailscaleNodesJoiningHeadcale:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestTailscaleNodesJoiningHeadcale
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test-integration-v2-TestUserCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestUserCommand.yaml
@@ -10,7 +10,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  TestUserCommand:
    runs-on: ubuntu-latest

    steps:
@@ -18,6 +18,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -29,10 +34,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run TestUserCommand
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -43,7 +45,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -26,7 +26,9 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v16
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run tests
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 ignored/
+tailscale/

 # Binaries for programs and plugins
 *.exe
@@ -41,3 +42,5 @@ integration_test/etc/config.dump.yaml
 # MkDocs
 .cache
 /site
+
+__debug_bin
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -10,6 +10,8 @@ issues:
 linters:
  enable-all: true
  disable:
+    - depguard
+
    - exhaustivestruct
    - revive
    - lll
@@ -30,6 +32,7 @@ linters:
    - exhaustruct
    - nolintlint
    - musttag # causes issues with imported libs
+    - depguard

    # deprecated
    - structcheck # replaced by unused
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,47 @@

 ## 0.23.0 (2023-XX-XX)

+This release is mainly a code reorganisation and refactoring, significantly improving the maintainability of the codebase. This should allow us to improve further and make it easier for the maintainers to keep on top of the project.
+
+**Please remember to always back up your database between versions**
+
+#### Here is a short summary of the broad topics of changes:
+
+Code has been organised into modules, reducing use of global variables/objects, isolating concerns and “putting the right things in the logical place”.
+
+The new [policy](https://github.com/juanfont/headscale/tree/main/hscontrol/policy) and [mapper](https://github.com/juanfont/headscale/tree/main/hscontrol/mapper) package, containing the ACL/Policy logic and the logic for creating the data served to clients (the network “map”) has been rewritten and improved. This change has allowed us to finish SSH support and add additional tests throughout the code to ensure correctness.
+
+The [“poller”, or streaming logic](https://github.com/juanfont/headscale/blob/main/hscontrol/poll.go) has been rewritten and instead of keeping track of the latest updates, checking at a fixed interval, it now uses go channels, implemented in our new [notifier](https://github.com/juanfont/headscale/tree/main/hscontrol/notifier) package and it allows us to send updates to connected clients immediately. This should both improve performance and potential latency before a client picks up an update.
+
+Headscale now supports sending “delta” updates, thanks to the new mapper and poller logic, allowing us to only inform nodes about new nodes, changed nodes and removed nodes. Previously we sent the entire state of the network every time an update was due.
+
+While we have a pretty good [test harness](https://github.com/search?q=repo%3Ajuanfont%2Fheadscale+path%3A_test.go&type=code) for validating our changes, we have rewritten over [10000 lines of code](https://github.com/juanfont/headscale/compare/b01f1f1867136d9b2d7b1392776eb363b482c525...main) and bugs are expected. We need help testing this release. In addition, while we think the performance should in general be better, there might be regressions in parts of the platform, particularly where we prioritised correctness over speed.
+
+There are also several bugfixes that has been encountered and fixed as part of implementing these changes, particularly
+after improving the test harness as part of adopting [#1460](https://github.com/juanfont/headscale/pull/1460).
+
+### BREAKING
+
+Code reorganisation, a lot of code has moved, please review the following PRs accordingly [#1473](https://github.com/juanfont/headscale/pull/1473)
+API: Machine is now Node [#1553](https://github.com/juanfont/headscale/pull/1553)
+
+### Changes
+
+Make the OIDC callback page better [#1484](https://github.com/juanfont/headscale/pull/1484)
+SSH support [#1487](https://github.com/juanfont/headscale/pull/1487)
+State management has been improved [#1492](https://github.com/juanfont/headscale/pull/1492)
+Use error group handling to ensure tests actually pass [#1535](https://github.com/juanfont/headscale/pull/1535) based on [#1460](https://github.com/juanfont/headscale/pull/1460)
+Fix hang on SIGTERM [#1492](https://github.com/juanfont/headscale/pull/1492) taken from [#1480](https://github.com/juanfont/headscale/pull/1480)
+Send logs to stderr by default [#1524](https://github.com/juanfont/headscale/pull/1524)
+
+## 0.22.3 (2023-05-12)
+
+### Changes
+
+- Added missing ca-certificates in Docker image [#1463](https://github.com/juanfont/headscale/pull/1463)
+
+## 0.22.2 (2023-05-10)
+
 ### Changes

 - Add environment flags to enable pprof (profiling) [#1382](https://github.com/juanfont/headscale/pull/1382)
@@ -9,13 +50,14 @@
 - Fix systemd service file location in `.deb` packages [#1391](https://github.com/juanfont/headscale/pull/1391)
 - Improvements on Noise implementation [#1379](https://github.com/juanfont/headscale/pull/1379)
 - Replace node filter logic, ensuring nodes with access can see eachother [#1381](https://github.com/juanfont/headscale/pull/1381)
+- Disable (or delete) both exit routes at the same time [#1428](https://github.com/juanfont/headscale/pull/1428)
+- Ditch distroless for Docker image, create default socket dir in `/var/run/headscale` [#1450](https://github.com/juanfont/headscale/pull/1450)

 ## 0.22.1 (2023-04-20)

 ### Changes

 - Fix issue where systemd could not bind to port 80 [#1365](https://github.com/juanfont/headscale/pull/1365)
- Disable (or delete) both exit routes at the same time [#1428](https://github.com/juanfont/headscale/pull/1428)

 ## 0.22.0 (2023-04-20)

--- a/11
+++ b/11
@@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.20-bullseye AS build
+FROM docker.io/golang:1.21-bookworm AS build
 ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
@@ -14,10 +14,17 @@ RUN strip /go/bin/headscale
 RUN test -e /go/bin/headscale

 # Production image
-FROM gcr.io/distroless/base-debian11
+FROM docker.io/debian:bookworm-slim
+
+RUN apt-get update \
+    && apt-get install -y ca-certificates \
+    && rm -rf /var/lib/apt/lists/* \
+    && apt-get clean

 COPY --from=build /go/bin/headscale /bin/headscale
 ENV TZ UTC

+RUN mkdir -p /var/run/headscale
+
 EXPOSE 8080/tcp
 CMD ["headscale"]
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -18,6 +18,12 @@ FROM docker.io/golang:1.20.0-bullseye
 COPY --from=build /go/bin/headscale /bin/headscale
 ENV TZ UTC

+RUN apt-get update \
+    && apt-get install --no-install-recommends --yes less jq \
+    && rm -rf /var/lib/apt/lists/* \
+    && apt-get clean
+RUN mkdir -p /var/run/headscale
+
 # Need to reset the entrypoint or everything will run as a busybox script
 ENTRYPOINT []
 EXPOSE 8080/tcp
--- a/Dockerfile.tailscale
+++ b/Dockerfile.tailscale
@@ -1,16 +0,0 @@
-FROM ubuntu:22.04
-
-ARG TAILSCALE_VERSION=*
-ARG TAILSCALE_CHANNEL=stable
-
-RUN apt-get update \
-    && apt-get install -y gnupg curl ssh dnsutils ca-certificates \
-    && adduser --shell=/bin/bash ssh-it-user
-
-# Tailscale is deliberately split into a second stage so we can cash utils as a seperate layer.
-RUN curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
-    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
-    && apt-get update \
-    && apt-get install -y tailscale=${TAILSCALE_VERSION} \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
--- a/16
+++ b/16
@@ -24,21 +24,9 @@ build:
 dev: lint test build

 test:
-	@go test $(TAGS) -short -coverprofile=coverage.out ./...
+	gotestsum -- $(TAGS) -short -coverprofile=coverage.out ./...

-test_integration: test_integration_cli test_integration_derp test_integration_v2_general
-
-test_integration_cli:
-	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
-	docker network create headscale-test || true
-	docker run -t --rm \
-		--network headscale-test \
-		-v ~/.cache/hs-integration-go:/go \
-		-v $$PWD:$$PWD -w $$PWD \
-		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
-		go run gotest.tools/gotestsum@latest -- $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
-
-test_integration_v2_general:
+test_integration:
 	docker run \
 		-t --rm \
 		-v ~/.cache/hs-integration-go:/go \
--- a/README.md
+++ b/README.md
@@ -80,15 +80,6 @@ and container to run Headscale.**

 Please have a look at the [`documentation`](https://headscale.net/).

-## Graphical Control Panels
-
-Headscale provides an API for complete management of your Tailnet.
-These are community projects not directly affiliated with the Headscale project.
-
-| Name            | Repository Link                                      | Description                                            | Status |
-| --------------- | ---------------------------------------------------- | ------------------------------------------------------ | ------ |
-| headscale-webui | [Github](https://github.com/ifargle/headscale-webui) | A simple Headscale web UI for small-scale deployments. | Alpha  |
-
 ## Talks

 - Fosdem 2023 (video): [Headscale: How we are using integration testing to reimplement Tailscale](https://fosdem.org/2023/schedule/event/goheadscale/)
@@ -197,6 +188,13 @@ make build
            <sub style="font-size:14px"><b>Juan Font</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/restanrm>
+            <img src=https://avatars.githubusercontent.com/u/4344371?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Adrien Raffin-Caboisse/>
+            <br />
+            <sub style="font-size:14px"><b>Adrien Raffin-Caboisse</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/cure>
            <img src=https://avatars.githubusercontent.com/u/149135?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ward Vandewege/>
@@ -218,6 +216,8 @@ make build
            <sub style="font-size:14px"><b>Benjamin Roberts</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/reynico>
            <img src=https://avatars.githubusercontent.com/u/715768?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Nico/>
@@ -225,8 +225,6 @@ make build
            <sub style="font-size:14px"><b>Nico</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/evenh>
            <img src=https://avatars.githubusercontent.com/u/2701536?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Even Holthe/>
@@ -242,7 +240,7 @@ make build
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/arch4ngel>
+        <a href=https://github.com/ImpostorKeanu>
            <img src=https://avatars.githubusercontent.com/u/11574161?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Justin Angel/>
            <br />
            <sub style="font-size:14px"><b>Justin Angel</b></sub>
@@ -256,12 +254,14 @@ make build
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/unreality>
-            <img src=https://avatars.githubusercontent.com/u/352522?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=unreality/>
+        <a href=https://github.com/ohdearaugustin>
+            <img src=https://avatars.githubusercontent.com/u/14001491?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ohdearaugustin/>
            <br />
-            <sub style="font-size:14px"><b>unreality</b></sub>
+            <sub style="font-size:14px"><b>ohdearaugustin</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/mpldr>
            <img src=https://avatars.githubusercontent.com/u/33086936?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Moritz Poldrack/>
@@ -269,20 +269,11 @@ make build
            <sub style="font-size:14px"><b>Moritz Poldrack</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/ohdearaugustin>
-            <img src=https://avatars.githubusercontent.com/u/14001491?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ohdearaugustin/>
+        <a href=https://github.com/Orhideous>
+            <img src=https://avatars.githubusercontent.com/u/2265184?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Andriy Kushnir/>
            <br />
-            <sub style="font-size:14px"><b>ohdearaugustin</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/restanrm>
-            <img src=https://avatars.githubusercontent.com/u/4344371?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Adrien Raffin-Caboisse/>
-            <br />
-            <sub style="font-size:14px"><b>Adrien Raffin-Caboisse</b></sub>
+            <sub style="font-size:14px"><b>Andriy Kushnir</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -394,15 +385,6 @@ make build
            <sub style="font-size:14px"><b>bravechamp</b></sub>
        </a>
    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/bravechamp>
-            <img src=https://avatars.githubusercontent.com/u/48980452?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=bravechamp/>
-            <br />
-            <sub style="font-size:14px"><b>bravechamp</b></sub>
-        </a>
-    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/deonthomasgy>
            <img src=https://avatars.githubusercontent.com/u/150036?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Deon Thomas/>
@@ -410,6 +392,8 @@ make build
            <sub style="font-size:14px"><b>Deon Thomas</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/madjam002>
            <img src=https://avatars.githubusercontent.com/u/679137?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jamie Greeff/>
@@ -417,6 +401,13 @@ make build
            <sub style="font-size:14px"><b>Jamie Greeff</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/jonathanspw>
+            <img src=https://avatars.githubusercontent.com/u/8390543?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jonathan Wright/>
+            <br />
+            <sub style="font-size:14px"><b>Jonathan Wright</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ChibangLW>
            <img src=https://avatars.githubusercontent.com/u/22293464?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ChibangLW/>
@@ -424,6 +415,13 @@ make build
            <sub style="font-size:14px"><b>ChibangLW</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/majabojarska>
+            <img src=https://avatars.githubusercontent.com/u/33836570?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Maja Bojarska/>
+            <br />
+            <sub style="font-size:14px"><b>Maja Bojarska</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/mevansam>
            <img src=https://avatars.githubusercontent.com/u/403630?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mevan Samaratunga/>
@@ -438,6 +436,8 @@ make build
            <sub style="font-size:14px"><b>Michael G.</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ptman>
            <img src=https://avatars.githubusercontent.com/u/24669?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Paul Tötterman/>
@@ -445,8 +445,6 @@ make build
            <sub style="font-size:14px"><b>Paul Tötterman</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/samson4649>
            <img src=https://avatars.githubusercontent.com/u/12725953?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Samuel Lock/>
@@ -454,6 +452,20 @@ make build
            <sub style="font-size:14px"><b>Samuel Lock</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/loprima-l>
+            <img src=https://avatars.githubusercontent.com/u/69201633?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=loprima-l/>
+            <br />
+            <sub style="font-size:14px"><b>loprima-l</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/unreality>
+            <img src=https://avatars.githubusercontent.com/u/352522?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=unreality/>
+            <br />
+            <sub style="font-size:14px"><b>unreality</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/kevin1sMe>
            <img src=https://avatars.githubusercontent.com/u/6886076?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kevinlin/>
@@ -468,6 +480,8 @@ make build
            <sub style="font-size:14px"><b>Snack</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/artemklevtsov>
            <img src=https://avatars.githubusercontent.com/u/603798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Artem Klevtsov/>
@@ -489,8 +503,6 @@ make build
            <sub style="font-size:14px"><b>dbevacqua</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/joshuataylor>
            <img src=https://avatars.githubusercontent.com/u/225131?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Josh Taylor/>
@@ -500,9 +512,9 @@ make build
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/CNLHC>
-            <img src=https://avatars.githubusercontent.com/u/21005146?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=LiuHanCheng/>
+            <img src=https://avatars.githubusercontent.com/u/21005146?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=LIU HANCHENG/>
            <br />
-            <sub style="font-size:14px"><b>LiuHanCheng</b></sub>
+            <sub style="font-size:14px"><b>LIU HANCHENG</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -512,6 +524,8 @@ make build
            <sub style="font-size:14px"><b>Motiejus Jakštys</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/pvinis>
            <img src=https://avatars.githubusercontent.com/u/100233?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pavlos Vinieratos/>
@@ -533,8 +547,13 @@ make build
            <sub style="font-size:14px"><b>Steven Honson</b></sub>
        </a>
    </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/vsychov>
+            <img src=https://avatars.githubusercontent.com/u/2186303?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=MichaelKo/>
+            <br />
+            <sub style="font-size:14px"><b>MichaelKo</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ratsclub>
            <img src=https://avatars.githubusercontent.com/u/25647735?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Victor Freire/>
@@ -542,6 +561,15 @@ make build
            <sub style="font-size:14px"><b>Victor Freire</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/qzydustin>
+            <img src=https://avatars.githubusercontent.com/u/44362429?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zhenyu Qi/>
+            <br />
+            <sub style="font-size:14px"><b>Zhenyu Qi</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/t56k>
            <img src=https://avatars.githubusercontent.com/u/12165422?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=thomas/>
@@ -577,8 +605,6 @@ make build
            <sub style="font-size:14px"><b>Andrei Pechkurov</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/theryecatcher>
            <img src=https://avatars.githubusercontent.com/u/16442416?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anoop Sundaresh/>
@@ -586,6 +612,8 @@ make build
            <sub style="font-size:14px"><b>Anoop Sundaresh</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/apognu>
            <img src=https://avatars.githubusercontent.com/u/3017182?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Antoine POPINEAU/>
@@ -614,6 +642,13 @@ make build
            <sub style="font-size:14px"><b>Arnar</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/awoimbee>
+            <img src=https://avatars.githubusercontent.com/u/22431493?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Arthur Woimbée/>
+            <br />
+            <sub style="font-size:14px"><b>Arthur Woimbée</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/avirut>
            <img src=https://avatars.githubusercontent.com/u/27095602?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Avirut Mehta/>
@@ -639,9 +674,9 @@ make build
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/kundel>
-            <img src=https://avatars.githubusercontent.com/u/10158899?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kundel/>
+            <img src=https://avatars.githubusercontent.com/u/10158899?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Darrell Kundel/>
            <br />
-            <sub style="font-size:14px"><b>kundel</b></sub>
+            <sub style="font-size:14px"><b>Darrell Kundel</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -746,6 +781,15 @@ make build
            <sub style="font-size:14px"><b>Maxim Gajdaj</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/mhameed>
+            <img src=https://avatars.githubusercontent.com/u/447017?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mesar Hameed/>
+            <br />
+            <sub style="font-size:14px"><b>Mesar Hameed</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/mikejsavage>
            <img src=https://avatars.githubusercontent.com/u/579299?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Michael Savage/>
@@ -753,8 +797,13 @@ make build
            <sub style="font-size:14px"><b>Michael Savage</b></sub>
        </a>
    </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/pkrivanec>
+            <img src=https://avatars.githubusercontent.com/u/25530641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Philipp Krivanec/>
+            <br />
+            <sub style="font-size:14px"><b>Philipp Krivanec</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/piec>
            <img src=https://avatars.githubusercontent.com/u/781471?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pierre Carru/>
@@ -783,6 +832,8 @@ make build
            <sub style="font-size:14px"><b>rcursaru</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/renovate-bot>
            <img src=https://avatars.githubusercontent.com/u/25180681?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mend Renovate/>
@@ -797,8 +848,13 @@ make build
            <sub style="font-size:14px"><b>Ryan Fowler</b></sub>
        </a>
    </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/muzy>
+            <img src=https://avatars.githubusercontent.com/u/321723?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Sebastian Muszytowski/>
+            <br />
+            <sub style="font-size:14px"><b>Sebastian Muszytowski</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/shaananc>
            <img src=https://avatars.githubusercontent.com/u/2287839?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Shaanan Cohney/>
@@ -806,6 +862,13 @@ make build
            <sub style="font-size:14px"><b>Shaanan Cohney</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/6ixfalls>
+            <img src=https://avatars.githubusercontent.com/u/23470032?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Six/>
+            <br />
+            <sub style="font-size:14px"><b>Six</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/stefanvanburen>
            <img src=https://avatars.githubusercontent.com/u/622527?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan VanBuren/>
@@ -813,6 +876,8 @@ make build
            <sub style="font-size:14px"><b>Stefan VanBuren</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/sophware>
            <img src=https://avatars.githubusercontent.com/u/41669?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=sophware/>
@@ -834,15 +899,6 @@ make build
            <sub style="font-size:14px"><b>Teteros</b></sub>
        </a>
    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/Teteros>
-            <img src=https://avatars.githubusercontent.com/u/5067989?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Teteros/>
-            <br />
-            <sub style="font-size:14px"><b>Teteros</b></sub>
-        </a>
-    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/gitter-badger>
            <img src=https://avatars.githubusercontent.com/u/8518239?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=The Gitter Badger/>
@@ -864,6 +920,8 @@ make build
            <sub style="font-size:14px"><b>Till Hoffmann</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/woudsma>
            <img src=https://avatars.githubusercontent.com/u/6162978?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tjerk Woudsma/>
@@ -873,20 +931,18 @@ make build
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/y0ngb1n>
-            <img src=https://avatars.githubusercontent.com/u/25719408?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Yang Bin/>
+            <img src=https://avatars.githubusercontent.com/u/25719408?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=杨斌 Aben/>
            <br />
-            <sub style="font-size:14px"><b>Yang Bin</b></sub>
+            <sub style="font-size:14px"><b>杨斌 Aben</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/gozssky>
+        <a href=https://github.com/sleepymole1>
            <img src=https://avatars.githubusercontent.com/u/17199941?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Yujie Xia/>
            <br />
            <sub style="font-size:14px"><b>Yujie Xia</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/newellz2>
            <img src=https://avatars.githubusercontent.com/u/52436542?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zachary Newell/>
@@ -908,6 +964,8 @@ make build
            <sub style="font-size:14px"><b>Zhiyuan Zheng</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/Bpazy>
            <img src=https://avatars.githubusercontent.com/u/9838749?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ziyuan Han/>
@@ -929,8 +987,6 @@ make build
            <sub style="font-size:14px"><b>derelm</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/dnaq>
            <img src=https://avatars.githubusercontent.com/u/1299717?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=dnaq/>
@@ -952,6 +1008,8 @@ make build
            <sub style="font-size:14px"><b>ignoramous</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/jimyag>
            <img src=https://avatars.githubusercontent.com/u/69233189?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=jimyag/>
@@ -973,8 +1031,6 @@ make build
            <sub style="font-size:14px"><b>sharkonet</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ma6174>
            <img src=https://avatars.githubusercontent.com/u/1449133?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ma6174/>
@@ -996,6 +1052,8 @@ make build
            <sub style="font-size:14px"><b>nicholas-yap</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/pernila>
            <img src=https://avatars.githubusercontent.com/u/12460060?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tommi Pernila/>
@@ -1012,13 +1070,11 @@ make build
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/Wakeful-Cloud>
-            <img src=https://avatars.githubusercontent.com/u/38930607?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Wakeful-Cloud/>
+            <img src=https://avatars.githubusercontent.com/u/38930607?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Wakeful Cloud/>
            <br />
-            <sub style="font-size:14px"><b>Wakeful-Cloud</b></sub>
+            <sub style="font-size:14px"><b>Wakeful Cloud</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/xpzouying>
            <img src=https://avatars.githubusercontent.com/u/3946563?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=zy/>
--- a/acls_test.go
+++ b/acls_test.go
--- a/api_common.go
+++ b/api_common.go
@@ -1,113 +0,0 @@
-package headscale
-
-import (
-	"time"
-
-	"github.com/rs/zerolog/log"
-	"tailscale.com/tailcfg"
-)
-
-func (h *Headscale) generateMapResponse(
-	mapRequest tailcfg.MapRequest,
-	machine *Machine,
-) (*tailcfg.MapResponse, error) {
-	log.Trace().
-		Str("func", "generateMapResponse").
-		Str("machine", mapRequest.Hostinfo.Hostname).
-		Msg("Creating Map response")
-	node, err := h.toNode(*machine, h.cfg.BaseDomain, h.cfg.DNSConfig)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "generateMapResponse").
-			Err(err).
-			Msg("Cannot convert to node")
-
-		return nil, err
-	}
-
-	peers, err := h.getValidPeers(machine)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "generateMapResponse").
-			Err(err).
-			Msg("Cannot fetch peers")
-
-		return nil, err
-	}
-
-	profiles := h.getMapResponseUserProfiles(*machine, peers)
-
-	nodePeers, err := h.toNodes(peers, h.cfg.BaseDomain, h.cfg.DNSConfig)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "generateMapResponse").
-			Err(err).
-			Msg("Failed to convert peers to Tailscale nodes")
-
-		return nil, err
-	}
-
-	dnsConfig := getMapResponseDNSConfig(
-		h.cfg.DNSConfig,
-		h.cfg.BaseDomain,
-		*machine,
-		peers,
-	)
-
-	now := time.Now()
-
-	resp := tailcfg.MapResponse{
-		KeepAlive: false,
-		Node:      node,
-
-		// TODO: Only send if updated
-		DERPMap: h.DERPMap,
-
-		// TODO: Only send if updated
-		Peers: nodePeers,
-
-		// TODO(kradalby): Implement:
-		// https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L1351-L1374
-		// PeersChanged
-		// PeersRemoved
-		// PeersChangedPatch
-		// PeerSeenChange
-		// OnlineChange
-
-		// TODO: Only send if updated
-		DNSConfig: dnsConfig,
-
-		// TODO: Only send if updated
-		Domain: h.cfg.BaseDomain,
-
-		// Do not instruct clients to collect services, we do not
-		// support or do anything with them
-		CollectServices: "false",
-
-		// TODO: Only send if updated
-		PacketFilter: h.aclRules,
-
-		UserProfiles: profiles,
-
-		// TODO: Only send if updated
-		SSHPolicy: h.sshPolicy,
-
-		ControlTime: &now,
-
-		Debug: &tailcfg.Debug{
-			DisableLogTail:      !h.cfg.LogTail.Enabled,
-			RandomizeClientPort: h.cfg.RandomizeClientPort,
-		},
-	}
-
-	log.Trace().
-		Str("func", "generateMapResponse").
-		Str("machine", mapRequest.Hostinfo.Hostname).
-		// Interface("payload", resp).
-		Msgf("Generated map response: %s", tailMapResponseToString(resp))
-
-	return &resp, nil
-}
--- a/api_key.go
+++ b/api_key.go
@@ -1,157 +0,0 @@
-package headscale
-
-import (
-	"fmt"
-	"strings"
-	"time"
-
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"golang.org/x/crypto/bcrypt"
-	"google.golang.org/protobuf/types/known/timestamppb"
-)
-
-const (
-	apiPrefixLength = 7
-	apiKeyLength    = 32
-
-	ErrAPIKeyFailedToParse = Error("Failed to parse ApiKey")
-)
-
-// APIKey describes the datamodel for API keys used to remotely authenticate with
-// headscale.
-type APIKey struct {
-	ID     uint64 `gorm:"primary_key"`
-	Prefix string `gorm:"uniqueIndex"`
-	Hash   []byte
-
-	CreatedAt  *time.Time
-	Expiration *time.Time
-	LastSeen   *time.Time
-}
-
-// CreateAPIKey creates a new ApiKey in a user, and returns it.
-func (h *Headscale) CreateAPIKey(
-	expiration *time.Time,
-) (string, *APIKey, error) {
-	prefix, err := GenerateRandomStringURLSafe(apiPrefixLength)
-	if err != nil {
-		return "", nil, err
-	}
-
-	toBeHashed, err := GenerateRandomStringURLSafe(apiKeyLength)
-	if err != nil {
-		return "", nil, err
-	}
-
-	// Key to return to user, this will only be visible _once_
-	keyStr := prefix + "." + toBeHashed
-
-	hash, err := bcrypt.GenerateFromPassword([]byte(toBeHashed), bcrypt.DefaultCost)
-	if err != nil {
-		return "", nil, err
-	}
-
-	key := APIKey{
-		Prefix:     prefix,
-		Hash:       hash,
-		Expiration: expiration,
-	}
-
-	if err := h.db.Save(&key).Error; err != nil {
-		return "", nil, fmt.Errorf("failed to save API key to database: %w", err)
-	}
-
-	return keyStr, &key, nil
-}
-
-// ListAPIKeys returns the list of ApiKeys for a user.
-func (h *Headscale) ListAPIKeys() ([]APIKey, error) {
-	keys := []APIKey{}
-	if err := h.db.Find(&keys).Error; err != nil {
-		return nil, err
-	}
-
-	return keys, nil
-}
-
-// GetAPIKey returns a ApiKey for a given key.
-func (h *Headscale) GetAPIKey(prefix string) (*APIKey, error) {
-	key := APIKey{}
-	if result := h.db.First(&key, "prefix = ?", prefix); result.Error != nil {
-		return nil, result.Error
-	}
-
-	return &key, nil
-}
-
-// GetAPIKeyByID returns a ApiKey for a given id.
-func (h *Headscale) GetAPIKeyByID(id uint64) (*APIKey, error) {
-	key := APIKey{}
-	if result := h.db.Find(&APIKey{ID: id}).First(&key); result.Error != nil {
-		return nil, result.Error
-	}
-
-	return &key, nil
-}
-
-// DestroyAPIKey destroys a ApiKey. Returns error if the ApiKey
-// does not exist.
-func (h *Headscale) DestroyAPIKey(key APIKey) error {
-	if result := h.db.Unscoped().Delete(key); result.Error != nil {
-		return result.Error
-	}
-
-	return nil
-}
-
-// ExpireAPIKey marks a ApiKey as expired.
-func (h *Headscale) ExpireAPIKey(key *APIKey) error {
-	if err := h.db.Model(&key).Update("Expiration", time.Now()).Error; err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (h *Headscale) ValidateAPIKey(keyStr string) (bool, error) {
-	prefix, hash, found := strings.Cut(keyStr, ".")
-	if !found {
-		return false, ErrAPIKeyFailedToParse
-	}
-
-	key, err := h.GetAPIKey(prefix)
-	if err != nil {
-		return false, fmt.Errorf("failed to validate api key: %w", err)
-	}
-
-	if key.Expiration.Before(time.Now()) {
-		return false, nil
-	}
-
-	if err := bcrypt.CompareHashAndPassword(key.Hash, []byte(hash)); err != nil {
-		return false, err
-	}
-
-	return true, nil
-}
-
-func (key *APIKey) toProto() *v1.ApiKey {
-	protoKey := v1.ApiKey{
-		Id:     key.ID,
-		Prefix: key.Prefix,
-	}
-
-	if key.Expiration != nil {
-		protoKey.Expiration = timestamppb.New(*key.Expiration)
-	}
-
-	if key.CreatedAt != nil {
-		protoKey.CreatedAt = timestamppb.New(*key.CreatedAt)
-	}
-
-	if key.LastSeen != nil {
-		protoKey.LastSeen = timestamppb.New(*key.LastSeen)
-	}
-
-	return &protoKey
-}
--- a/cmd/build-docker-img/main.go
+++ b/cmd/build-docker-img/main.go
@@ -21,7 +21,7 @@ func main() {
 		log.Fatalf("failed to create or get network: %s", err)
 	}

-	for _, version := range integration.TailscaleVersions {
+	for _, version := range integration.AllVersions {
 		log.Printf("creating container image for Tailscale (%s)", version)

 		tsClient, err := tsic.New(
--- a/cmd/gh-action-integration-generator/main.go
+++ b/cmd/gh-action-integration-generator/main.go
@@ -31,7 +31,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test:
+  {{.Name}}:
    runs-on: ubuntu-latest

    steps:
@@ -39,6 +39,11 @@ jobs:
        with:
          fetch-depth: 2

+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
@@ -50,10 +55,7 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: {{ "${{ env.ACT }}" }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
+      - name: Run {{.Name}}
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
@@ -64,7 +66,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
--- a/cmd/headscale/cli/api_key.go
+++ b/cmd/headscale/cli/api_key.go
@@ -5,8 +5,8 @@ import (
 	"strconv"
 	"time"

-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/prometheus/common/model"
 	"github.com/pterm/pterm"
 	"github.com/rs/zerolog/log"
@@ -83,7 +83,7 @@ var listAPIKeys = &cobra.Command{
 			}

 			tableData = append(tableData, []string{
-				strconv.FormatUint(key.GetId(), headscale.Base10),
+				strconv.FormatUint(key.GetId(), util.Base10),
 				key.GetPrefix(),
 				expiration,
 				key.GetCreatedAt().AsTime().Format(HeadscaleDateTimeFormat),
--- a/cmd/headscale/cli/debug.go
+++ b/cmd/headscale/cli/debug.go
@@ -3,8 +3,8 @@ package cli
 import (
 	"fmt"

-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -57,7 +57,7 @@ var debugCmd = &cobra.Command{

 var createNodeCmd = &cobra.Command{
 	Use:   "create-node",
-	Short: "Create a node (machine) that can be registered with `nodes register <>` command",
+	Short: "Create a node that can be registered with `nodes register <>` command",
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

@@ -93,7 +93,7 @@ var createNodeCmd = &cobra.Command{

 			return
 		}
-		if !headscale.NodePublicKeyRegex.Match([]byte(machineKey)) {
+		if !util.NodePublicKeyRegex.Match([]byte(machineKey)) {
 			err = errPreAuthKeyMalformed
 			ErrorOutput(
 				err,
@@ -115,24 +115,24 @@ var createNodeCmd = &cobra.Command{
 			return
 		}

-		request := &v1.DebugCreateMachineRequest{
+		request := &v1.DebugCreateNodeRequest{
 			Key:    machineKey,
 			Name:   name,
 			User:   user,
 			Routes: routes,
 		}

-		response, err := client.DebugCreateMachine(ctx, request)
+		response, err := client.DebugCreateNode(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Cannot create machine: %s", status.Convert(err).Message()),
+				fmt.Sprintf("Cannot create node: %s", status.Convert(err).Message()),
 				output,
 			)

 			return
 		}

-		SuccessOutput(response.Machine, "Machine created", output)
+		SuccessOutput(response.Node, "Node created", output)
 	},
 }
--- a/cmd/headscale/cli/nodes.go
+++ b/cmd/headscale/cli/nodes.go
@@ -9,8 +9,8 @@ import (
 	"time"

 	survey "github.com/AlecAivazis/survey/v2"
-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -107,7 +107,7 @@ var nodeCmd = &cobra.Command{

 var registerNodeCmd = &cobra.Command{
 	Use:   "register",
-	Short: "Registers a machine to your network",
+	Short: "Registers a node to your network",
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
 		user, err := cmd.Flags().GetString("user")
@@ -132,17 +132,17 @@ var registerNodeCmd = &cobra.Command{
 			return
 		}

-		request := &v1.RegisterMachineRequest{
+		request := &v1.RegisterNodeRequest{
 			Key:  machineKey,
 			User: user,
 		}

-		response, err := client.RegisterMachine(ctx, request)
+		response, err := client.RegisterNode(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf(
-					"Cannot register machine: %s\n",
+					"Cannot register node: %s\n",
 					status.Convert(err).Message(),
 				),
 				output,
@@ -152,8 +152,8 @@ var registerNodeCmd = &cobra.Command{
 		}

 		SuccessOutput(
-			response.Machine,
-			fmt.Sprintf("Machine %s registered", response.Machine.GivenName), output)
+			response.Node,
+			fmt.Sprintf("Node %s registered", response.Node.GivenName), output)
 	},
 }

@@ -180,11 +180,11 @@ var listNodesCmd = &cobra.Command{
 		defer cancel()
 		defer conn.Close()

-		request := &v1.ListMachinesRequest{
+		request := &v1.ListNodesRequest{
 			User: user,
 		}

-		response, err := client.ListMachines(ctx, request)
+		response, err := client.ListNodes(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -196,12 +196,12 @@ var listNodesCmd = &cobra.Command{
 		}

 		if output != "" {
-			SuccessOutput(response.Machines, "", output)
+			SuccessOutput(response.Nodes, "", output)

 			return
 		}

-		tableData, err := nodesToPtables(user, showTags, response.Machines)
+		tableData, err := nodesToPtables(user, showTags, response.Nodes)
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)

@@ -223,7 +223,7 @@ var listNodesCmd = &cobra.Command{

 var expireNodeCmd = &cobra.Command{
 	Use:     "expire",
-	Short:   "Expire (log out) a machine in your network",
+	Short:   "Expire (log out) a node in your network",
 	Long:    "Expiring a node will keep the node in the database and force it to reauthenticate.",
 	Aliases: []string{"logout", "exp", "e"},
 	Run: func(cmd *cobra.Command, args []string) {
@@ -244,16 +244,16 @@ var expireNodeCmd = &cobra.Command{
 		defer cancel()
 		defer conn.Close()

-		request := &v1.ExpireMachineRequest{
-			MachineId: identifier,
+		request := &v1.ExpireNodeRequest{
+			NodeId: identifier,
 		}

-		response, err := client.ExpireMachine(ctx, request)
+		response, err := client.ExpireNode(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf(
-					"Cannot expire machine: %s\n",
+					"Cannot expire node: %s\n",
 					status.Convert(err).Message(),
 				),
 				output,
@@ -262,13 +262,13 @@ var expireNodeCmd = &cobra.Command{
 			return
 		}

-		SuccessOutput(response.Machine, "Machine expired", output)
+		SuccessOutput(response.Node, "Node expired", output)
 	},
 }

 var renameNodeCmd = &cobra.Command{
 	Use:   "rename NEW_NAME",
-	Short: "Renames a machine in your network",
+	Short: "Renames a node in your network",
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

@@ -291,17 +291,17 @@ var renameNodeCmd = &cobra.Command{
 		if len(args) > 0 {
 			newName = args[0]
 		}
-		request := &v1.RenameMachineRequest{
-			MachineId: identifier,
-			NewName:   newName,
+		request := &v1.RenameNodeRequest{
+			NodeId:  identifier,
+			NewName: newName,
 		}

-		response, err := client.RenameMachine(ctx, request)
+		response, err := client.RenameNode(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf(
-					"Cannot rename machine: %s\n",
+					"Cannot rename node: %s\n",
 					status.Convert(err).Message(),
 				),
 				output,
@@ -310,7 +310,7 @@ var renameNodeCmd = &cobra.Command{
 			return
 		}

-		SuccessOutput(response.Machine, "Machine renamed", output)
+		SuccessOutput(response.Node, "Node renamed", output)
 	},
 }

@@ -336,11 +336,11 @@ var deleteNodeCmd = &cobra.Command{
 		defer cancel()
 		defer conn.Close()

-		getRequest := &v1.GetMachineRequest{
-			MachineId: identifier,
+		getRequest := &v1.GetNodeRequest{
+			NodeId: identifier,
 		}

-		getResponse, err := client.GetMachine(ctx, getRequest)
+		getResponse, err := client.GetNode(ctx, getRequest)
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -354,8 +354,8 @@ var deleteNodeCmd = &cobra.Command{
 			return
 		}

-		deleteRequest := &v1.DeleteMachineRequest{
-			MachineId: identifier,
+		deleteRequest := &v1.DeleteNodeRequest{
+			NodeId: identifier,
 		}

 		confirm := false
@@ -364,7 +364,7 @@ var deleteNodeCmd = &cobra.Command{
 			prompt := &survey.Confirm{
 				Message: fmt.Sprintf(
 					"Do you want to remove the node %s?",
-					getResponse.GetMachine().Name,
+					getResponse.GetNode().Name,
 				),
 			}
 			err = survey.AskOne(prompt, &confirm)
@@ -374,7 +374,7 @@ var deleteNodeCmd = &cobra.Command{
 		}

 		if confirm || force {
-			response, err := client.DeleteMachine(ctx, deleteRequest)
+			response, err := client.DeleteNode(ctx, deleteRequest)
 			if output != "" {
 				SuccessOutput(response, "", output)

@@ -436,11 +436,11 @@ var moveNodeCmd = &cobra.Command{
 		defer cancel()
 		defer conn.Close()

-		getRequest := &v1.GetMachineRequest{
-			MachineId: identifier,
+		getRequest := &v1.GetNodeRequest{
+			NodeId: identifier,
 		}

-		_, err = client.GetMachine(ctx, getRequest)
+		_, err = client.GetNode(ctx, getRequest)
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -454,12 +454,12 @@ var moveNodeCmd = &cobra.Command{
 			return
 		}

-		moveRequest := &v1.MoveMachineRequest{
-			MachineId: identifier,
-			User:      user,
+		moveRequest := &v1.MoveNodeRequest{
+			NodeId: identifier,
+			User:   user,
 		}

-		moveResponse, err := client.MoveMachine(ctx, moveRequest)
+		moveResponse, err := client.MoveNode(ctx, moveRequest)
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -473,14 +473,14 @@ var moveNodeCmd = &cobra.Command{
 			return
 		}

-		SuccessOutput(moveResponse.Machine, "Node moved to another user", output)
+		SuccessOutput(moveResponse.Node, "Node moved to another user", output)
 	},
 }

 func nodesToPtables(
 	currentUser string,
 	showTags bool,
-	machines []*v1.Machine,
+	nodes []*v1.Node,
 ) (pterm.TableData, error) {
 	tableHeader := []string{
 		"ID",
@@ -505,23 +505,23 @@ func nodesToPtables(
 	}
 	tableData := pterm.TableData{tableHeader}

-	for _, machine := range machines {
+	for _, node := range nodes {
 		var ephemeral bool
-		if machine.PreAuthKey != nil && machine.PreAuthKey.Ephemeral {
+		if node.PreAuthKey != nil && node.PreAuthKey.Ephemeral {
 			ephemeral = true
 		}

 		var lastSeen time.Time
 		var lastSeenTime string
-		if machine.LastSeen != nil {
-			lastSeen = machine.LastSeen.AsTime()
+		if node.LastSeen != nil {
+			lastSeen = node.LastSeen.AsTime()
 			lastSeenTime = lastSeen.Format("2006-01-02 15:04:05")
 		}

 		var expiry time.Time
 		var expiryTime string
-		if machine.Expiry != nil {
-			expiry = machine.Expiry.AsTime()
+		if node.Expiry != nil {
+			expiry = node.Expiry.AsTime()
 			expiryTime = expiry.Format("2006-01-02 15:04:05")
 		} else {
 			expiryTime = "N/A"
@@ -529,7 +529,7 @@ func nodesToPtables(

 		var machineKey key.MachinePublic
 		err := machineKey.UnmarshalText(
-			[]byte(headscale.MachinePublicKeyEnsurePrefix(machine.MachineKey)),
+			[]byte(util.MachinePublicKeyEnsurePrefix(node.MachineKey)),
 		)
 		if err != nil {
 			machineKey = key.MachinePublic{}
@@ -537,14 +537,14 @@ func nodesToPtables(

 		var nodeKey key.NodePublic
 		err = nodeKey.UnmarshalText(
-			[]byte(headscale.NodePublicKeyEnsurePrefix(machine.NodeKey)),
+			[]byte(util.NodePublicKeyEnsurePrefix(node.NodeKey)),
 		)
 		if err != nil {
 			return nil, err
 		}

 		var online string
-		if machine.Online {
+		if node.Online {
 			online = pterm.LightGreen("online")
 		} else {
 			online = pterm.LightRed("offline")
@@ -558,36 +558,36 @@ func nodesToPtables(
 		}

 		var forcedTags string
-		for _, tag := range machine.ForcedTags {
+		for _, tag := range node.ForcedTags {
 			forcedTags += "," + tag
 		}
 		forcedTags = strings.TrimLeft(forcedTags, ",")
 		var invalidTags string
-		for _, tag := range machine.InvalidTags {
-			if !contains(machine.ForcedTags, tag) {
+		for _, tag := range node.InvalidTags {
+			if !contains(node.ForcedTags, tag) {
 				invalidTags += "," + pterm.LightRed(tag)
 			}
 		}
 		invalidTags = strings.TrimLeft(invalidTags, ",")
 		var validTags string
-		for _, tag := range machine.ValidTags {
-			if !contains(machine.ForcedTags, tag) {
+		for _, tag := range node.ValidTags {
+			if !contains(node.ForcedTags, tag) {
 				validTags += "," + pterm.LightGreen(tag)
 			}
 		}
 		validTags = strings.TrimLeft(validTags, ",")

 		var user string
-		if currentUser == "" || (currentUser == machine.User.Name) {
-			user = pterm.LightMagenta(machine.User.Name)
+		if currentUser == "" || (currentUser == node.User.Name) {
+			user = pterm.LightMagenta(node.User.Name)
 		} else {
 			// Shared into this user
-			user = pterm.LightYellow(machine.User.Name)
+			user = pterm.LightYellow(node.User.Name)
 		}

 		var IPV4Address string
 		var IPV6Address string
-		for _, addr := range machine.IpAddresses {
+		for _, addr := range node.IpAddresses {
 			if netip.MustParseAddr(addr).Is4() {
 				IPV4Address = addr
 			} else {
@@ -596,9 +596,9 @@ func nodesToPtables(
 		}

 		nodeData := []string{
-			strconv.FormatUint(machine.Id, headscale.Base10),
-			machine.Name,
-			machine.GetGivenName(),
+			strconv.FormatUint(node.Id, util.Base10),
+			node.Name,
+			node.GetGivenName(),
 			machineKey.ShortString(),
 			nodeKey.ShortString(),
 			user,
@@ -646,17 +646,17 @@ var tagCmd = &cobra.Command{
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Error retrieving list of tags to add to machine, %v", err),
+				fmt.Sprintf("Error retrieving list of tags to add to node, %v", err),
 				output,
 			)

 			return
 		}

-		// Sending tags to machine
+		// Sending tags to node
 		request := &v1.SetTagsRequest{
-			MachineId: identifier,
-			Tags:      tagsToSet,
+			NodeId: identifier,
+			Tags:   tagsToSet,
 		}
 		resp, err := client.SetTags(ctx, request)
 		if err != nil {
@@ -671,8 +671,8 @@ var tagCmd = &cobra.Command{

 		if resp != nil {
 			SuccessOutput(
-				resp.GetMachine(),
-				"Machine updated",
+				resp.GetNode(),
+				"Node updated",
 				output,
 			)
 		}
--- a/cmd/headscale/cli/root.go
+++ b/cmd/headscale/cli/root.go
@@ -5,7 +5,7 @@ import (
 	"os"
 	"runtime"

-	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -38,33 +38,33 @@ func initConfig() {
 		cfgFile = os.Getenv("HEADSCALE_CONFIG")
 	}
 	if cfgFile != "" {
-		err := headscale.LoadConfig(cfgFile, true)
+		err := types.LoadConfig(cfgFile, true)
 		if err != nil {
 			log.Fatal().Caller().Err(err).Msgf("Error loading config file %s", cfgFile)
 		}
 	} else {
-		err := headscale.LoadConfig("", false)
+		err := types.LoadConfig("", false)
 		if err != nil {
 			log.Fatal().Caller().Err(err).Msgf("Error loading config")
 		}
 	}

-	cfg, err := headscale.GetHeadscaleConfig()
+	cfg, err := types.GetHeadscaleConfig()
 	if err != nil {
-		log.Fatal().Caller().Err(err)
+		log.Fatal().Caller().Err(err).Msg("Failed to get headscale configuration")
 	}

 	machineOutput := HasMachineOutputFlag()

 	zerolog.SetGlobalLevel(cfg.Log.Level)

-	// If the user has requested a "machine" readable format,
+	// If the user has requested a "node" readable format,
 	// then disable login so the output remains valid.
 	if machineOutput {
 		zerolog.SetGlobalLevel(zerolog.Disabled)
 	}

-	if cfg.Log.Format == headscale.JSONLogFormat {
+	if cfg.Log.Format == types.JSONLogFormat {
 		log.Logger = log.Output(os.Stdout)
 	}

--- a/cmd/headscale/cli/routes.go
+++ b/cmd/headscale/cli/routes.go
@@ -6,8 +6,8 @@ import (
 	"net/netip"
 	"strconv"

-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -94,13 +94,13 @@ var listRoutesCmd = &cobra.Command{

 			routes = response.Routes
 		} else {
-			response, err := client.GetMachineRoutes(ctx, &v1.GetMachineRoutesRequest{
-				MachineId: machineID,
+			response, err := client.GetNodeRoutes(ctx, &v1.GetNodeRoutesRequest{
+				NodeId: machineID,
 			})
 			if err != nil {
 				ErrorOutput(
 					err,
-					fmt.Sprintf("Cannot get routes for machine %d: %s", machineID, status.Convert(err).Message()),
+					fmt.Sprintf("Cannot get routes for node %d: %s", machineID, status.Convert(err).Message()),
 					output,
 				)

@@ -267,7 +267,7 @@ var deleteRouteCmd = &cobra.Command{

 // routesToPtables converts the list of routes to a nice table.
 func routesToPtables(routes []*v1.Route) pterm.TableData {
-	tableData := pterm.TableData{{"ID", "Machine", "Prefix", "Advertised", "Enabled", "Primary"}}
+	tableData := pterm.TableData{{"ID", "Node", "Prefix", "Advertised", "Enabled", "Primary"}}

 	for _, route := range routes {
 		var isPrimaryStr string
@@ -277,7 +277,7 @@ func routesToPtables(routes []*v1.Route) pterm.TableData {

 			continue
 		}
-		if prefix == headscale.ExitRouteV4 || prefix == headscale.ExitRouteV6 {
+		if prefix == types.ExitRouteV4 || prefix == types.ExitRouteV6 {
 			isPrimaryStr = "-"
 		} else {
 			isPrimaryStr = strconv.FormatBool(route.IsPrimary)
@@ -286,7 +286,7 @@ func routesToPtables(routes []*v1.Route) pterm.TableData {
 		tableData = append(tableData,
 			[]string{
 				strconv.FormatUint(route.Id, Base10),
-				route.Machine.GivenName,
+				route.Node.GivenName,
 				route.Prefix,
 				strconv.FormatBool(route.Advertised),
 				strconv.FormatBool(route.Enabled),
--- a/cmd/headscale/cli/users.go
+++ b/cmd/headscale/cli/users.go
@@ -1,10 +1,10 @@
 package cli

 import (
+	"errors"
 	"fmt"

 	survey "github.com/AlecAivazis/survey/v2"
-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/pterm/pterm"
 	"github.com/rs/zerolog/log"
@@ -20,9 +20,7 @@ func init() {
 	userCmd.AddCommand(renameUserCmd)
 }

-const (
-	errMissingParameter = headscale.Error("missing parameters")
-)
+var errMissingParameter = errors.New("missing parameters")

 var userCmd = &cobra.Command{
 	Use:     "users",
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@@ -8,8 +8,11 @@ import (
 	"os"
 	"reflect"

-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
@@ -22,8 +25,8 @@ const (
 	SocketWritePermissions  = 0o666
 )

-func getHeadscaleApp() (*headscale.Headscale, error) {
-	cfg, err := headscale.GetHeadscaleConfig()
+func getHeadscaleApp() (*hscontrol.Headscale, error) {
+	cfg, err := types.GetHeadscaleConfig()
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to load configuration while creating headscale instance: %w",
@@ -31,7 +34,7 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
 		)
 	}

-	app, err := headscale.NewHeadscale(cfg)
+	app, err := hscontrol.NewHeadscale(cfg)
 	if err != nil {
 		return nil, err
 	}
@@ -39,21 +42,23 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
 	// We are doing this here, as in the future could be cool to have it also hot-reload

 	if cfg.ACL.PolicyPath != "" {
-		aclPath := headscale.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
-		err = app.LoadACLPolicy(aclPath)
+		aclPath := util.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
+		pol, err := policy.LoadACLPolicyFromPath(aclPath)
 		if err != nil {
 			log.Fatal().
 				Str("path", aclPath).
 				Err(err).
 				Msg("Could not load the ACL policy")
 		}
+
+		app.ACLPolicy = pol
 	}

 	return app, nil
 }

 func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.ClientConn, context.CancelFunc) {
-	cfg, err := headscale.GetHeadscaleConfig()
+	cfg, err := types.GetHeadscaleConfig()
 	if err != nil {
 		log.Fatal().
 			Err(err).
@@ -74,7 +79,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.

 	address := cfg.CLI.Address

-	// If the address is not set, we assume that we are on the server hosting headscale.
+	// If the address is not set, we assume that we are on the server hosting hscontrol.
 	if address == "" {
 		log.Debug().
 			Str("socket", cfg.UnixSocket).
@@ -98,7 +103,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 		grpcOptions = append(
 			grpcOptions,
 			grpc.WithTransportCredentials(insecure.NewCredentials()),
-			grpc.WithContextDialer(headscale.GrpcSocketDialer),
+			grpc.WithContextDialer(util.GrpcSocketDialer),
 		)
 	} else {
 		// If we are not connecting to a local server, require an API key for authentication
@@ -149,17 +154,17 @@ func SuccessOutput(result interface{}, override string, outputFormat string) {
 	case "json":
 		jsonBytes, err = json.MarshalIndent(result, "", "\t")
 		if err != nil {
-			log.Fatal().Err(err)
+			log.Fatal().Err(err).Msg("failed to unmarshal output")
 		}
 	case "json-line":
 		jsonBytes, err = json.Marshal(result)
 		if err != nil {
-			log.Fatal().Err(err)
+			log.Fatal().Err(err).Msg("failed to unmarshal output")
 		}
 	case "yaml":
 		jsonBytes, err = yaml.Marshal(result)
 		if err != nil {
-			log.Fatal().Err(err)
+			log.Fatal().Err(err).Msg("failed to unmarshal output")
 		}
 	default:
 		//nolint
--- a/cmd/headscale/headscale.go
+++ b/cmd/headscale/headscale.go
@@ -48,7 +48,7 @@ func main() {

 	zerolog.TimeFieldFormat = zerolog.TimeFormatUnix
 	log.Logger = log.Output(zerolog.ConsoleWriter{
-		Out:        os.Stdout,
+		Out:        os.Stderr,
 		TimeFormat: time.RFC3339,
 		NoColor:    !colors,
 	})
--- a/cmd/headscale/headscale_test.go
+++ b/cmd/headscale/headscale_test.go
@@ -7,7 +7,8 @@ import (
 	"strings"
 	"testing"

-	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/spf13/viper"
 	"gopkg.in/check.v1"
 )
@@ -50,7 +51,7 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 	}

 	// Load example config, it should load without validation errors
-	err = headscale.LoadConfig(cfgFile, true)
+	err = types.LoadConfig(cfgFile, true)
 	c.Assert(err, check.IsNil)

 	// Test that config file was interpreted correctly
@@ -64,7 +65,7 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
-		headscale.GetFileMode("unix_socket_permission"),
+		util.GetFileMode("unix_socket_permission"),
 		check.Equals,
 		fs.FileMode(0o770),
 	)
@@ -93,7 +94,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	}

 	// Load example config, it should load without validation errors
-	err = headscale.LoadConfig(tmpDir, false)
+	err = types.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)

 	// Test that config file was interpreted correctly
@@ -107,7 +108,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
-		headscale.GetFileMode("unix_socket_permission"),
+		util.GetFileMode("unix_socket_permission"),
 		check.Equals,
 		fs.FileMode(0o770),
 	)
@@ -137,10 +138,10 @@ func (*Suite) TestDNSConfigLoading(c *check.C) {
 	}

 	// Load example config, it should load without validation errors
-	err = headscale.LoadConfig(tmpDir, false)
+	err = types.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)

-	dnsConfig, baseDomain := headscale.GetDNSConfig()
+	dnsConfig, baseDomain := types.GetDNSConfig()

 	c.Assert(dnsConfig.Nameservers[0].String(), check.Equals, "1.1.1.1")
 	c.Assert(dnsConfig.Resolvers[0].Addr, check.Equals, "1.1.1.1")
@@ -172,7 +173,7 @@ noise:
 	writeConfig(c, tmpDir, configYaml)

 	// Check configuration validation errors (1)
-	err = headscale.LoadConfig(tmpDir, false)
+	err = types.LoadConfig(tmpDir, false)
 	c.Assert(err, check.NotNil)
 	// check.Matches can not handle multiline strings
 	tmp := strings.ReplaceAll(err.Error(), "\n", "***")
@@ -201,6 +202,6 @@ tls_letsencrypt_hostname: example.com
 tls_letsencrypt_challenge_type: TLS-ALPN-01
 `)
 	writeConfig(c, tmpDir, configYaml)
-	err = headscale.LoadConfig(tmpDir, false)
+	err = types.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)
 }
--- a/db.go
+++ b/db.go
@@ -1,404 +0,0 @@
-package headscale
-
-import (
-	"context"
-	"database/sql/driver"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/netip"
-	"time"
-
-	"github.com/glebarez/sqlite"
-	"github.com/rs/zerolog/log"
-	"gorm.io/driver/postgres"
-	"gorm.io/gorm"
-	"gorm.io/gorm/logger"
-	"tailscale.com/tailcfg"
-)
-
-const (
-	dbVersion = "1"
-
-	errValueNotFound     = Error("not found")
-	ErrCannotParsePrefix = Error("cannot parse prefix")
-)
-
-// KV is a key-value store in a psql table. For future use...
-type KV struct {
-	Key   string
-	Value string
-}
-
-func (h *Headscale) initDB() error {
-	db, err := h.openDB()
-	if err != nil {
-		return err
-	}
-	h.db = db
-
-	if h.dbType == Postgres {
-		db.Exec(`create extension if not exists "uuid-ossp";`)
-	}
-
-	_ = db.Migrator().RenameTable("namespaces", "users")
-
-	err = db.AutoMigrate(&User{})
-	if err != nil {
-		return err
-	}
-
-	_ = db.Migrator().RenameColumn(&Machine{}, "namespace_id", "user_id")
-	_ = db.Migrator().RenameColumn(&PreAuthKey{}, "namespace_id", "user_id")
-
-	_ = db.Migrator().RenameColumn(&Machine{}, "ip_address", "ip_addresses")
-	_ = db.Migrator().RenameColumn(&Machine{}, "name", "hostname")
-
-	// GivenName is used as the primary source of DNS names, make sure
-	// the field is populated and normalized if it was not when the
-	// machine was registered.
-	_ = db.Migrator().RenameColumn(&Machine{}, "nickname", "given_name")
-
-	// If the Machine table has a column for registered,
-	// find all occourences of "false" and drop them. Then
-	// remove the column.
-	if db.Migrator().HasColumn(&Machine{}, "registered") {
-		log.Info().
-			Msg(`Database has legacy "registered" column in machine, removing...`)
-
-		machines := Machines{}
-		if err := h.db.Not("registered").Find(&machines).Error; err != nil {
-			log.Error().Err(err).Msg("Error accessing db")
-		}
-
-		for _, machine := range machines {
-			log.Info().
-				Str("machine", machine.Hostname).
-				Str("machine_key", machine.MachineKey).
-				Msg("Deleting unregistered machine")
-			if err := h.db.Delete(&Machine{}, machine.ID).Error; err != nil {
-				log.Error().
-					Err(err).
-					Str("machine", machine.Hostname).
-					Str("machine_key", machine.MachineKey).
-					Msg("Error deleting unregistered machine")
-			}
-		}
-
-		err := db.Migrator().DropColumn(&Machine{}, "registered")
-		if err != nil {
-			log.Error().Err(err).Msg("Error dropping registered column")
-		}
-	}
-
-	err = db.AutoMigrate(&Route{})
-	if err != nil {
-		return err
-	}
-
-	if db.Migrator().HasColumn(&Machine{}, "enabled_routes") {
-		log.Info().Msgf("Database has legacy enabled_routes column in machine, migrating...")
-
-		type MachineAux struct {
-			ID            uint64
-			EnabledRoutes IPPrefixes
-		}
-
-		machinesAux := []MachineAux{}
-		err := db.Table("machines").Select("id, enabled_routes").Scan(&machinesAux).Error
-		if err != nil {
-			log.Fatal().Err(err).Msg("Error accessing db")
-		}
-		for _, machine := range machinesAux {
-			for _, prefix := range machine.EnabledRoutes {
-				if err != nil {
-					log.Error().
-						Err(err).
-						Str("enabled_route", prefix.String()).
-						Msg("Error parsing enabled_route")
-
-					continue
-				}
-
-				err = db.Preload("Machine").
-					Where("machine_id = ? AND prefix = ?", machine.ID, IPPrefix(prefix)).
-					First(&Route{}).
-					Error
-				if err == nil {
-					log.Info().
-						Str("enabled_route", prefix.String()).
-						Msg("Route already migrated to new table, skipping")
-
-					continue
-				}
-
-				route := Route{
-					MachineID:  machine.ID,
-					Advertised: true,
-					Enabled:    true,
-					Prefix:     IPPrefix(prefix),
-				}
-				if err := h.db.Create(&route).Error; err != nil {
-					log.Error().Err(err).Msg("Error creating route")
-				} else {
-					log.Info().
-						Uint64("machine_id", route.MachineID).
-						Str("prefix", prefix.String()).
-						Msg("Route migrated")
-				}
-			}
-		}
-
-		err = db.Migrator().DropColumn(&Machine{}, "enabled_routes")
-		if err != nil {
-			log.Error().Err(err).Msg("Error dropping enabled_routes column")
-		}
-	}
-
-	err = db.AutoMigrate(&Machine{})
-	if err != nil {
-		return err
-	}
-
-	if db.Migrator().HasColumn(&Machine{}, "given_name") {
-		machines := Machines{}
-		if err := h.db.Find(&machines).Error; err != nil {
-			log.Error().Err(err).Msg("Error accessing db")
-		}
-
-		for item, machine := range machines {
-			if machine.GivenName == "" {
-				normalizedHostname, err := NormalizeToFQDNRules(
-					machine.Hostname,
-					h.cfg.OIDC.StripEmaildomain,
-				)
-				if err != nil {
-					log.Error().
-						Caller().
-						Str("hostname", machine.Hostname).
-						Err(err).
-						Msg("Failed to normalize machine hostname in DB migration")
-				}
-
-				err = h.RenameMachine(&machines[item], normalizedHostname)
-				if err != nil {
-					log.Error().
-						Caller().
-						Str("hostname", machine.Hostname).
-						Err(err).
-						Msg("Failed to save normalized machine name in DB migration")
-				}
-			}
-		}
-	}
-
-	err = db.AutoMigrate(&KV{})
-	if err != nil {
-		return err
-	}
-
-	err = db.AutoMigrate(&PreAuthKey{})
-	if err != nil {
-		return err
-	}
-
-	err = db.AutoMigrate(&PreAuthKeyACLTag{})
-	if err != nil {
-		return err
-	}
-
-	_ = db.Migrator().DropTable("shared_machines")
-
-	err = db.AutoMigrate(&APIKey{})
-	if err != nil {
-		return err
-	}
-
-	err = h.setValue("db_version", dbVersion)
-
-	return err
-}
-
-func (h *Headscale) openDB() (*gorm.DB, error) {
-	var db *gorm.DB
-	var err error
-
-	var log logger.Interface
-	if h.dbDebug {
-		log = logger.Default
-	} else {
-		log = logger.Default.LogMode(logger.Silent)
-	}
-
-	switch h.dbType {
-	case Sqlite:
-		db, err = gorm.Open(
-			sqlite.Open(h.dbString+"?_synchronous=1&_journal_mode=WAL"),
-			&gorm.Config{
-				DisableForeignKeyConstraintWhenMigrating: true,
-				Logger:                                   log,
-			},
-		)
-
-		db.Exec("PRAGMA foreign_keys=ON")
-
-		// The pure Go SQLite library does not handle locking in
-		// the same way as the C based one and we cant use the gorm
-		// connection pool as of 2022/02/23.
-		sqlDB, _ := db.DB()
-		sqlDB.SetMaxIdleConns(1)
-		sqlDB.SetMaxOpenConns(1)
-		sqlDB.SetConnMaxIdleTime(time.Hour)
-
-	case Postgres:
-		db, err = gorm.Open(postgres.Open(h.dbString), &gorm.Config{
-			DisableForeignKeyConstraintWhenMigrating: true,
-			Logger:                                   log,
-		})
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	return db, nil
-}
-
-// getValue returns the value for the given key in KV.
-func (h *Headscale) getValue(key string) (string, error) {
-	var row KV
-	if result := h.db.First(&row, "key = ?", key); errors.Is(
-		result.Error,
-		gorm.ErrRecordNotFound,
-	) {
-		return "", errValueNotFound
-	}
-
-	return row.Value, nil
-}
-
-// setValue sets value for the given key in KV.
-func (h *Headscale) setValue(key string, value string) error {
-	keyValue := KV{
-		Key:   key,
-		Value: value,
-	}
-
-	if _, err := h.getValue(key); err == nil {
-		h.db.Model(&keyValue).Where("key = ?", key).Update("value", value)
-
-		return nil
-	}
-
-	if err := h.db.Create(keyValue).Error; err != nil {
-		return fmt.Errorf("failed to create key value pair in the database: %w", err)
-	}
-
-	return nil
-}
-
-func (h *Headscale) pingDB(ctx context.Context) error {
-	ctx, cancel := context.WithTimeout(ctx, time.Second)
-	defer cancel()
-	db, err := h.db.DB()
-	if err != nil {
-		return err
-	}
-
-	return db.PingContext(ctx)
-}
-
-// This is a "wrapper" type around tailscales
-// Hostinfo to allow us to add database "serialization"
-// methods. This allows us to use a typed values throughout
-// the code and not have to marshal/unmarshal and error
-// check all over the code.
-type HostInfo tailcfg.Hostinfo
-
-func (hi *HostInfo) Scan(destination interface{}) error {
-	switch value := destination.(type) {
-	case []byte:
-		return json.Unmarshal(value, hi)
-
-	case string:
-		return json.Unmarshal([]byte(value), hi)
-
-	default:
-		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
-	}
-}
-
-// Value return json value, implement driver.Valuer interface.
-func (hi HostInfo) Value() (driver.Value, error) {
-	bytes, err := json.Marshal(hi)
-
-	return string(bytes), err
-}
-
-type IPPrefix netip.Prefix
-
-func (i *IPPrefix) Scan(destination interface{}) error {
-	switch value := destination.(type) {
-	case string:
-		prefix, err := netip.ParsePrefix(value)
-		if err != nil {
-			return err
-		}
-		*i = IPPrefix(prefix)
-
-		return nil
-	default:
-		return fmt.Errorf("%w: unexpected data type %T", ErrCannotParsePrefix, destination)
-	}
-}
-
-// Value return json value, implement driver.Valuer interface.
-func (i IPPrefix) Value() (driver.Value, error) {
-	prefixStr := netip.Prefix(i).String()
-
-	return prefixStr, nil
-}
-
-type IPPrefixes []netip.Prefix
-
-func (i *IPPrefixes) Scan(destination interface{}) error {
-	switch value := destination.(type) {
-	case []byte:
-		return json.Unmarshal(value, i)
-
-	case string:
-		return json.Unmarshal([]byte(value), i)
-
-	default:
-		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
-	}
-}
-
-// Value return json value, implement driver.Valuer interface.
-func (i IPPrefixes) Value() (driver.Value, error) {
-	bytes, err := json.Marshal(i)
-
-	return string(bytes), err
-}
-
-type StringList []string
-
-func (i *StringList) Scan(destination interface{}) error {
-	switch value := destination.(type) {
-	case []byte:
-		return json.Unmarshal(value, i)
-
-	case string:
-		return json.Unmarshal([]byte(value), i)
-
-	default:
-		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
-	}
-}
-
-// Value return json value, implement driver.Valuer interface.
-func (i StringList) Value() (driver.Value, error) {
-	bytes, err := json.Marshal(i)
-
-	return string(bytes), err
-}
--- a/dns_test.go
+++ b/dns_test.go
@@ -1,394 +0,0 @@
-package headscale
-
-import (
-	"fmt"
-	"net/netip"
-
-	"gopkg.in/check.v1"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/dnstype"
-)
-
-func (s *Suite) TestMagicDNSRootDomains100(c *check.C) {
-	prefixes := []netip.Prefix{
-		netip.MustParsePrefix("100.64.0.0/10"),
-	}
-	domains := generateMagicDNSRootDomains(prefixes)
-
-	found := false
-	for _, domain := range domains {
-		if domain == "64.100.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-
-	found = false
-	for _, domain := range domains {
-		if domain == "100.100.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-
-	found = false
-	for _, domain := range domains {
-		if domain == "127.100.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-}
-
-func (s *Suite) TestMagicDNSRootDomains172(c *check.C) {
-	prefixes := []netip.Prefix{
-		netip.MustParsePrefix("172.16.0.0/16"),
-	}
-	domains := generateMagicDNSRootDomains(prefixes)
-
-	found := false
-	for _, domain := range domains {
-		if domain == "0.16.172.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-
-	found = false
-	for _, domain := range domains {
-		if domain == "255.16.172.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-}
-
-// Happens when netmask is a multiple of 4 bits (sounds likely).
-func (s *Suite) TestMagicDNSRootDomainsIPv6Single(c *check.C) {
-	prefixes := []netip.Prefix{
-		netip.MustParsePrefix("fd7a:115c:a1e0::/48"),
-	}
-	domains := generateMagicDNSRootDomains(prefixes)
-
-	c.Assert(len(domains), check.Equals, 1)
-	c.Assert(
-		domains[0].WithTrailingDot(),
-		check.Equals,
-		"0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.",
-	)
-}
-
-func (s *Suite) TestMagicDNSRootDomainsIPv6SingleMultiple(c *check.C) {
-	prefixes := []netip.Prefix{
-		netip.MustParsePrefix("fd7a:115c:a1e0::/50"),
-	}
-	domains := generateMagicDNSRootDomains(prefixes)
-
-	yieldsRoot := func(dom string) bool {
-		for _, candidate := range domains {
-			if candidate.WithTrailingDot() == dom {
-				return true
-			}
-		}
-
-		return false
-	}
-
-	c.Assert(len(domains), check.Equals, 4)
-	c.Assert(yieldsRoot("0.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), check.Equals, true)
-	c.Assert(yieldsRoot("1.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), check.Equals, true)
-	c.Assert(yieldsRoot("2.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), check.Equals, true)
-	c.Assert(yieldsRoot("3.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), check.Equals, true)
-}
-
-func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
-	userShared1, err := app.CreateUser("shared1")
-	c.Assert(err, check.IsNil)
-
-	userShared2, err := app.CreateUser("shared2")
-	c.Assert(err, check.IsNil)
-
-	userShared3, err := app.CreateUser("shared3")
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared1, err := app.CreatePreAuthKey(
-		userShared1.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared2, err := app.CreatePreAuthKey(
-		userShared2.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared3, err := app.CreatePreAuthKey(
-		userShared3.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	PreAuthKey2InShared1, err := app.CreatePreAuthKey(
-		userShared1.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	_, err = app.GetMachine(userShared1.Name, "test_get_shared_nodes_1")
-	c.Assert(err, check.NotNil)
-
-	machineInShared1 := &Machine{
-		ID:             1,
-		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		Hostname:       "test_get_shared_nodes_1",
-		UserID:         userShared1.ID,
-		User:           *userShared1,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.1")},
-		AuthKeyID:      uint(preAuthKeyInShared1.ID),
-	}
-	app.db.Save(machineInShared1)
-
-	_, err = app.GetMachine(userShared1.Name, machineInShared1.Hostname)
-	c.Assert(err, check.IsNil)
-
-	machineInShared2 := &Machine{
-		ID:             2,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:       "test_get_shared_nodes_2",
-		UserID:         userShared2.ID,
-		User:           *userShared2,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.2")},
-		AuthKeyID:      uint(preAuthKeyInShared2.ID),
-	}
-	app.db.Save(machineInShared2)
-
-	_, err = app.GetMachine(userShared2.Name, machineInShared2.Hostname)
-	c.Assert(err, check.IsNil)
-
-	machineInShared3 := &Machine{
-		ID:             3,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:       "test_get_shared_nodes_3",
-		UserID:         userShared3.ID,
-		User:           *userShared3,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.3")},
-		AuthKeyID:      uint(preAuthKeyInShared3.ID),
-	}
-	app.db.Save(machineInShared3)
-
-	_, err = app.GetMachine(userShared3.Name, machineInShared3.Hostname)
-	c.Assert(err, check.IsNil)
-
-	machine2InShared1 := &Machine{
-		ID:             4,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:       "test_get_shared_nodes_4",
-		UserID:         userShared1.ID,
-		User:           *userShared1,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.4")},
-		AuthKeyID:      uint(PreAuthKey2InShared1.ID),
-	}
-	app.db.Save(machine2InShared1)
-
-	baseDomain := "foobar.headscale.net"
-	dnsConfigOrig := tailcfg.DNSConfig{
-		Routes:  make(map[string][]*dnstype.Resolver),
-		Domains: []string{baseDomain},
-		Proxied: true,
-	}
-
-	peersOfMachineInShared1, err := app.getPeers(machineInShared1)
-	c.Assert(err, check.IsNil)
-
-	dnsConfig := getMapResponseDNSConfig(
-		&dnsConfigOrig,
-		baseDomain,
-		*machineInShared1,
-		peersOfMachineInShared1,
-	)
-	c.Assert(dnsConfig, check.NotNil)
-
-	c.Assert(len(dnsConfig.Routes), check.Equals, 3)
-
-	domainRouteShared1 := fmt.Sprintf("%s.%s", userShared1.Name, baseDomain)
-	_, ok := dnsConfig.Routes[domainRouteShared1]
-	c.Assert(ok, check.Equals, true)
-
-	domainRouteShared2 := fmt.Sprintf("%s.%s", userShared2.Name, baseDomain)
-	_, ok = dnsConfig.Routes[domainRouteShared2]
-	c.Assert(ok, check.Equals, true)
-
-	domainRouteShared3 := fmt.Sprintf("%s.%s", userShared3.Name, baseDomain)
-	_, ok = dnsConfig.Routes[domainRouteShared3]
-	c.Assert(ok, check.Equals, true)
-}
-
-func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
-	userShared1, err := app.CreateUser("shared1")
-	c.Assert(err, check.IsNil)
-
-	userShared2, err := app.CreateUser("shared2")
-	c.Assert(err, check.IsNil)
-
-	userShared3, err := app.CreateUser("shared3")
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared1, err := app.CreatePreAuthKey(
-		userShared1.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared2, err := app.CreatePreAuthKey(
-		userShared2.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared3, err := app.CreatePreAuthKey(
-		userShared3.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKey2InShared1, err := app.CreatePreAuthKey(
-		userShared1.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	_, err = app.GetMachine(userShared1.Name, "test_get_shared_nodes_1")
-	c.Assert(err, check.NotNil)
-
-	machineInShared1 := &Machine{
-		ID:             1,
-		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		Hostname:       "test_get_shared_nodes_1",
-		UserID:         userShared1.ID,
-		User:           *userShared1,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.1")},
-		AuthKeyID:      uint(preAuthKeyInShared1.ID),
-	}
-	app.db.Save(machineInShared1)
-
-	_, err = app.GetMachine(userShared1.Name, machineInShared1.Hostname)
-	c.Assert(err, check.IsNil)
-
-	machineInShared2 := &Machine{
-		ID:             2,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:       "test_get_shared_nodes_2",
-		UserID:         userShared2.ID,
-		User:           *userShared2,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.2")},
-		AuthKeyID:      uint(preAuthKeyInShared2.ID),
-	}
-	app.db.Save(machineInShared2)
-
-	_, err = app.GetMachine(userShared2.Name, machineInShared2.Hostname)
-	c.Assert(err, check.IsNil)
-
-	machineInShared3 := &Machine{
-		ID:             3,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:       "test_get_shared_nodes_3",
-		UserID:         userShared3.ID,
-		User:           *userShared3,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.3")},
-		AuthKeyID:      uint(preAuthKeyInShared3.ID),
-	}
-	app.db.Save(machineInShared3)
-
-	_, err = app.GetMachine(userShared3.Name, machineInShared3.Hostname)
-	c.Assert(err, check.IsNil)
-
-	machine2InShared1 := &Machine{
-		ID:             4,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:       "test_get_shared_nodes_4",
-		UserID:         userShared1.ID,
-		User:           *userShared1,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.4")},
-		AuthKeyID:      uint(preAuthKey2InShared1.ID),
-	}
-	app.db.Save(machine2InShared1)
-
-	baseDomain := "foobar.headscale.net"
-	dnsConfigOrig := tailcfg.DNSConfig{
-		Routes:  make(map[string][]*dnstype.Resolver),
-		Domains: []string{baseDomain},
-		Proxied: false,
-	}
-
-	peersOfMachine1Shared1, err := app.getPeers(machineInShared1)
-	c.Assert(err, check.IsNil)
-
-	dnsConfig := getMapResponseDNSConfig(
-		&dnsConfigOrig,
-		baseDomain,
-		*machineInShared1,
-		peersOfMachine1Shared1,
-	)
-	c.Assert(dnsConfig, check.NotNil)
-	c.Assert(len(dnsConfig.Routes), check.Equals, 0)
-	c.Assert(len(dnsConfig.Domains), check.Equals, 1)
-}
--- a/docs/web-ui.md
+++ b/docs/web-ui.md
@@ -0,0 +1,14 @@
+# Headscale web interface
+
+!!! warning "Community contributions"
+
+    This page contains community contributions. The projects listed here are not
+    maintained by the Headscale authors and are written by community members.
+
+| Name            | Repository Link                                         | Description                                                               | Status |
+| --------------- | ------------------------------------------------------- | ------------------------------------------------------------------------- | ------ |
+| headscale-webui | [Github](https://github.com/ifargle/headscale-webui)    | A simple Headscale web UI for small-scale deployments.                    | Alpha  |
+| headscale-ui    | [Github](https://github.com/gurucomputing/headscale-ui) | A web frontend for the headscale Tailscale-compatible coordination server | Alpha  |
+| HeadscaleUi     | [GitHub](https://github.com/simcu/headscale-ui)         | A static headscale admin ui, no backend enviroment required               | Alpha  |
+
+You can ask for support on our dedicated [Discord channel](https://discord.com/channels/896711691637780480/1105842846386356294).
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1681202837,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "lastModified": 1692799911,
+        "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
        "type": "github"
      },
      "original": {
@@ -20,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1681753173,
-        "narHash": "sha256-MrGmzZWLUqh2VstoikKLFFIELXm/lsf/G9U9zR96VD4=",
+        "lastModified": 1693844670,
+        "narHash": "sha256-t69F2nBB8DNQUWHD809oJZJVE+23XBrth4QZuVd6IE0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "0a4206a51b386e5cda731e8ac78d76ad924c7125",
+        "rev": "3c15feef7770eb5500a4b8792623e2d6f598c9c1",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -6,177 +6,173 @@
    flake-utils.url = "github:numtide/flake-utils";
  };

-  outputs =
-    { self
-    , nixpkgs
-    , flake-utils
-    , ...
-    }:
-    let
-      headscaleVersion =
-        if (self ? shortRev)
-        then self.shortRev
-        else "dev";
-    in
+  outputs = {
+    self,
+    nixpkgs,
+    flake-utils,
+    ...
+  }: let
+    headscaleVersion =
+      if (self ? shortRev)
+      then self.shortRev
+      else "dev";
+  in
    {
-      overlay = _: prev:
-        let
-          pkgs = nixpkgs.legacyPackages.${prev.system};
-        in
-        rec {
-          headscale = pkgs.buildGo120Module rec {
-            pname = "headscale";
-            version = headscaleVersion;
-            src = pkgs.lib.cleanSource self;
+      overlay = _: prev: let
+        pkgs = nixpkgs.legacyPackages.${prev.system};
+      in rec {
+        headscale = pkgs.buildGo120Module rec {
+          pname = "headscale";
+          version = headscaleVersion;
+          src = pkgs.lib.cleanSource self;

-            tags = [ "ts2019" ];
+          tags = ["ts2019"];

-            # Only run unit tests when testing a build
-            checkFlags = [ "-short" ];
+          # Only run unit tests when testing a build
+          checkFlags = ["-short"];

-            # When updating go.mod or go.sum, a new sha will need to be calculated,
-            # update this if you have a mismatch after doing a change to thos files.
-            vendorSha256 = "sha256-cmDNYWYTgQp6CPgpL4d3TbkpAe7rhNAF+o8njJsgL7E=";
+          # When updating go.mod or go.sum, a new sha will need to be calculated,
+          # update this if you have a mismatch after doing a change to thos files.
+          vendorSha256 = "sha256-dNE5wgR3oWXlYzPNXp0v/GGwY0/hvhOB5JWCb5EIbg8=";

-            ldflags = [ "-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}" ];
-          };
-
-          golines = pkgs.buildGoModule rec {
-            pname = "golines";
-            version = "0.11.0";
-
-            src = pkgs.fetchFromGitHub {
-              owner = "segmentio";
-              repo = "golines";
-              rev = "v${version}";
-              sha256 = "sha256-2K9KAg8iSubiTbujyFGN3yggrL+EDyeUCs9OOta/19A=";
-            };
-
-            vendorSha256 = "sha256-rxYuzn4ezAxaeDhxd8qdOzt+CKYIh03A9zKNdzILq18=";
-
-            nativeBuildInputs = [ pkgs.installShellFiles ];
-          };
-
-          golangci-lint = prev.golangci-lint.override {
-            # Override https://github.com/NixOS/nixpkgs/pull/166801 which changed this
-            # to buildGo118Module because it does not build on Darwin.
-            inherit (prev) buildGoModule;
-          };
-
-          protoc-gen-grpc-gateway = pkgs.buildGoModule rec {
-            pname = "grpc-gateway";
-            version = "2.14.0";
-
-            src = pkgs.fetchFromGitHub {
-              owner = "grpc-ecosystem";
-              repo = "grpc-gateway";
-              rev = "v${version}";
-              sha256 = "sha256-lnNdsDCpeSHtl2lC1IhUw11t3cnGF+37qSM7HDvKLls=";
-            };
-
-            vendorSha256 = "sha256-dGdnDuRbwg8fU7uB5GaHEWa/zI3w06onqjturvooJQA=";
-
-            nativeBuildInputs = [ pkgs.installShellFiles ];
-
-            subPackages = [ "protoc-gen-grpc-gateway" "protoc-gen-openapiv2" ];
-          };
+          ldflags = ["-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}"];
        };
+
+        golines = pkgs.buildGoModule rec {
+          pname = "golines";
+          version = "0.11.0";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "segmentio";
+            repo = "golines";
+            rev = "v${version}";
+            sha256 = "sha256-2K9KAg8iSubiTbujyFGN3yggrL+EDyeUCs9OOta/19A=";
+          };
+
+          vendorSha256 = "sha256-rxYuzn4ezAxaeDhxd8qdOzt+CKYIh03A9zKNdzILq18=";
+
+          nativeBuildInputs = [pkgs.installShellFiles];
+        };
+
+        golangci-lint = prev.golangci-lint.override {
+          # Override https://github.com/NixOS/nixpkgs/pull/166801 which changed this
+          # to buildGo118Module because it does not build on Darwin.
+          inherit (prev) buildGoModule;
+        };
+
+        protoc-gen-grpc-gateway = pkgs.buildGoModule rec {
+          pname = "grpc-gateway";
+          version = "2.14.0";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "grpc-ecosystem";
+            repo = "grpc-gateway";
+            rev = "v${version}";
+            sha256 = "sha256-lnNdsDCpeSHtl2lC1IhUw11t3cnGF+37qSM7HDvKLls=";
+          };
+
+          vendorSha256 = "sha256-dGdnDuRbwg8fU7uB5GaHEWa/zI3w06onqjturvooJQA=";
+
+          nativeBuildInputs = [pkgs.installShellFiles];
+
+          subPackages = ["protoc-gen-grpc-gateway" "protoc-gen-openapiv2"];
+        };
+      };
    }
    // flake-utils.lib.eachDefaultSystem
-      (system:
-      let
-        pkgs = import nixpkgs {
-          overlays = [ self.overlay ];
-          inherit system;
-        };
-        buildDeps = with pkgs; [ git go_1_20 gnumake ];
-        devDeps = with pkgs;
-          buildDeps
-          ++ [
-            golangci-lint
-            golines
-            nodePackages.prettier
-            goreleaser
-            nfpm
-            gotestsum
-            gotests
+    (system: let
+      pkgs = import nixpkgs {
+        overlays = [self.overlay];
+        inherit system;
+      };
+      buildDeps = with pkgs; [git go_1_20 gnumake];
+      devDeps = with pkgs;
+        buildDeps
+        ++ [
+          golangci-lint
+          golines
+          nodePackages.prettier
+          goreleaser
+          nfpm
+          gotestsum
+          gotests
+          ksh

-            # 'dot' is needed for pprof graphs
-            # go tool pprof -http=: <source>
-            graphviz
+          # 'dot' is needed for pprof graphs
+          # go tool pprof -http=: <source>
+          graphviz

-            # Protobuf dependencies
-            protobuf
-            protoc-gen-go
-            protoc-gen-go-grpc
-            protoc-gen-grpc-gateway
-            buf
-            clang-tools # clang-format
-          ];
+          # Protobuf dependencies
+          protobuf
+          protoc-gen-go
+          protoc-gen-go-grpc
+          protoc-gen-grpc-gateway
+          buf
+          clang-tools # clang-format
+        ];

-        # Add entry to build a docker image with headscale
-        # caveat: only works on Linux
-        #
-        # Usage:
-        # nix build .#headscale-docker
-        # docker load < result
-        headscale-docker = pkgs.dockerTools.buildLayeredImage {
-          name = "headscale";
-          tag = headscaleVersion;
-          contents = [ pkgs.headscale ];
-          config.Entrypoint = [ (pkgs.headscale + "/bin/headscale") ];
-        };
-      in
-      rec {
-        # `nix develop`
-        devShell = pkgs.mkShell {
-          buildInputs = devDeps;
+      # Add entry to build a docker image with headscale
+      # caveat: only works on Linux
+      #
+      # Usage:
+      # nix build .#headscale-docker
+      # docker load < result
+      headscale-docker = pkgs.dockerTools.buildLayeredImage {
+        name = "headscale";
+        tag = headscaleVersion;
+        contents = [pkgs.headscale];
+        config.Entrypoint = [(pkgs.headscale + "/bin/headscale")];
+      };
+    in rec {
+      # `nix develop`
+      devShell = pkgs.mkShell {
+        buildInputs = devDeps;

-          shellHook = ''
-            export GOFLAGS=-tags="ts2019"
-            export PATH="$PWD/result/bin:$PATH"
+        shellHook = ''
+          export GOFLAGS=-tags="ts2019"
+          export PATH="$PWD/result/bin:$PATH"

-            mkdir -p ./ignored
-            export HEADSCALE_PRIVATE_KEY_PATH="./ignored/private.key"
-            export HEADSCALE_NOISE_PRIVATE_KEY_PATH="./ignored/noise_private.key"
-            export HEADSCALE_DB_PATH="./ignored/db.sqlite"
-            export HEADSCALE_TLS_LETSENCRYPT_CACHE_DIR="./ignored/cache"
-            export HEADSCALE_UNIX_SOCKET="./ignored/headscale.sock"
+          mkdir -p ./ignored
+          export HEADSCALE_PRIVATE_KEY_PATH="./ignored/private.key"
+          export HEADSCALE_NOISE_PRIVATE_KEY_PATH="./ignored/noise_private.key"
+          export HEADSCALE_DB_PATH="./ignored/db.sqlite"
+          export HEADSCALE_TLS_LETSENCRYPT_CACHE_DIR="./ignored/cache"
+          export HEADSCALE_UNIX_SOCKET="./ignored/headscale.sock"
+        '';
+      };
+
+      # `nix build`
+      packages = with pkgs; {
+        inherit headscale;
+        inherit headscale-docker;
+      };
+      defaultPackage = pkgs.headscale;
+
+      # `nix run`
+      apps.headscale = flake-utils.lib.mkApp {
+        drv = packages.headscale;
+      };
+      apps.default = apps.headscale;
+
+      checks = {
+        format =
+          pkgs.runCommand "check-format"
+          {
+            buildInputs = with pkgs; [
+              gnumake
+              nixpkgs-fmt
+              golangci-lint
+              nodePackages.prettier
+              golines
+              clang-tools
+            ];
+          } ''
+            ${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt ${./.}
+            ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
+            ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
+            ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
+            ${pkgs.clang-tools}/bin/clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i ${./.}
          '';
-        };
-
-        # `nix build`
-        packages = with pkgs; {
-          inherit headscale;
-          inherit headscale-docker;
-        };
-        defaultPackage = pkgs.headscale;
-
-        # `nix run`
-        apps.headscale = flake-utils.lib.mkApp {
-          drv = packages.headscale;
-        };
-        apps.default = apps.headscale;
-
-        checks = {
-          format =
-            pkgs.runCommand "check-format"
-              {
-                buildInputs = with pkgs; [
-                  gnumake
-                  nixpkgs-fmt
-                  golangci-lint
-                  nodePackages.prettier
-                  golines
-                  clang-tools
-                ];
-              } ''
-              ${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt ${./.}
-              ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
-              ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
-              ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
-              ${pkgs.clang-tools}/bin/clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i ${./.}
-            '';
-        };
-      });
+      };
+    });
 }
--- a/gen/go/headscale/v1/apikey.pb.go
+++ b/gen/go/headscale/v1/apikey.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.31.0
 // 	protoc        (unknown)
 // source: headscale/v1/apikey.proto

--- a/gen/go/headscale/v1/device.pb.go
+++ b/gen/go/headscale/v1/device.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.31.0
 // 	protoc        (unknown)
 // source: headscale/v1/device.proto

--- a/gen/go/headscale/v1/headscale.pb.go
+++ b/gen/go/headscale/v1/headscale.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.31.0
 // 	protoc        (unknown)
 // source: headscale/v1/headscale.proto

@@ -31,261 +31,252 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x2e, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x1a, 0x1d, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76,
 	0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x1a, 0x1a, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31,
-	0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19,
-	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75,
-	0x74, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x32, 0x8d, 0x18, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
-	0x6c, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x63, 0x0a, 0x07, 0x47, 0x65, 0x74,
-	0x55, 0x73, 0x65, 0x72, 0x12, 0x1c, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
-	0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x47, 0x65, 0x74, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f,
-	0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x12, 0x68,
-	0x0a, 0x0a, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x12, 0x1f, 0x2e, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61,
-	0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e,
-	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65,
-	0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x17, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x11, 0x3a, 0x01, 0x2a, 0x22, 0x0c, 0x2f, 0x61, 0x70, 0x69,
-	0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x12, 0x82, 0x01, 0x0a, 0x0a, 0x52, 0x65, 0x6e,
-	0x61, 0x6d, 0x65, 0x55, 0x73, 0x65, 0x72, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x55, 0x73, 0x65,
-	0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x55, 0x73,
-	0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x31, 0x82, 0xd3, 0xe4, 0x93,
-	0x02, 0x2b, 0x22, 0x29, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72,
-	0x2f, 0x7b, 0x6f, 0x6c, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x2f, 0x72, 0x65, 0x6e, 0x61,
-	0x6d, 0x65, 0x2f, 0x7b, 0x6e, 0x65, 0x77, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x12, 0x6c, 0x0a,
-	0x0a, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x12, 0x1f, 0x2e, 0x68, 0x65,
-	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74,
-	0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65,
-	0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1b,
-	0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x2a, 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
-	0x75, 0x73, 0x65, 0x72, 0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x12, 0x62, 0x0a, 0x09, 0x4c,
-	0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73, 0x12, 0x1e, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72,
-	0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72,
-	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x14, 0x82, 0xd3, 0xe4, 0x93, 0x02,
-	0x0e, 0x12, 0x0c, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x12,
-	0x80, 0x01, 0x0a, 0x10, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74,
+	0x74, 0x6f, 0x1a, 0x17, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31,
+	0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
+	0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x32, 0x85, 0x17, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x53,
+	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x63, 0x0a, 0x07, 0x47, 0x65, 0x74, 0x55, 0x73, 0x65,
+	0x72, 0x12, 0x1c, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x47, 0x65, 0x74, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
+	0x1d, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47,
+	0x65, 0x74, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1b,
+	0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x12, 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
+	0x75, 0x73, 0x65, 0x72, 0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x12, 0x68, 0x0a, 0x0a, 0x43,
+	0x72, 0x65, 0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64,
+	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x55,
+	0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65,
+	0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x17, 0x82, 0xd3,
+	0xe4, 0x93, 0x02, 0x11, 0x3a, 0x01, 0x2a, 0x22, 0x0c, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
+	0x2f, 0x75, 0x73, 0x65, 0x72, 0x12, 0x82, 0x01, 0x0a, 0x0a, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65,
+	0x55, 0x73, 0x65, 0x72, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
+	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x31, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x2b, 0x22,
+	0x29, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x2f, 0x7b, 0x6f,
+	0x6c, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x2f, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x2f,
+	0x7b, 0x6e, 0x65, 0x77, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x12, 0x6c, 0x0a, 0x0a, 0x44, 0x65,
+	0x6c, 0x65, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
+	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x55, 0x73,
+	0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64,
+	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x55,
+	0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4,
+	0x93, 0x02, 0x15, 0x2a, 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65,
+	0x72, 0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x12, 0x62, 0x0a, 0x09, 0x4c, 0x69, 0x73, 0x74,
+	0x55, 0x73, 0x65, 0x72, 0x73, 0x12, 0x1e, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
+	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
+	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x14, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x0e, 0x12, 0x0c,
+	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x12, 0x80, 0x01, 0x0a,
+	0x10, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65,
+	0x79, 0x12, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65,
+	0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
+	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72,
+	0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x22, 0x1d, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x17, 0x3a, 0x01, 0x2a, 0x22, 0x12, 0x2f, 0x61, 0x70,
+	0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b, 0x65, 0x79, 0x12,
+	0x87, 0x01, 0x0a, 0x10, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74,
 	0x68, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
-	0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74,
+	0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74,
 	0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x68, 0x65,
-	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72,
 	0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x22, 0x1d, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x17, 0x3a, 0x01, 0x2a, 0x22, 0x12,
+	0x6e, 0x73, 0x65, 0x22, 0x24, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1e, 0x3a, 0x01, 0x2a, 0x22, 0x19,
 	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b,
-	0x65, 0x79, 0x12, 0x87, 0x01, 0x0a, 0x10, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65,
-	0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65,
-	0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26,
-	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78,
-	0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x24, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1e, 0x3a, 0x01,
-	0x2a, 0x22, 0x19, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75,
-	0x74, 0x68, 0x6b, 0x65, 0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x7a, 0x0a, 0x0f,
-	0x4c, 0x69, 0x73, 0x74, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x12,
-	0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c,
-	0x69, 0x73, 0x74, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
-	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68,
-	0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1a, 0x82, 0xd3,
-	0xe4, 0x93, 0x02, 0x14, 0x12, 0x12, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72,
-	0x65, 0x61, 0x75, 0x74, 0x68, 0x6b, 0x65, 0x79, 0x12, 0x89, 0x01, 0x0a, 0x12, 0x44, 0x65, 0x62,
-	0x75, 0x67, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12,
-	0x27, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44,
-	0x65, 0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
+	0x65, 0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x7a, 0x0a, 0x0f, 0x4c, 0x69, 0x73,
+	0x74, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x24, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74,
+	0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79,
+	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1a, 0x82, 0xd3, 0xe4, 0x93, 0x02,
+	0x14, 0x12, 0x12, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75,
+	0x74, 0x68, 0x6b, 0x65, 0x79, 0x12, 0x7d, 0x0a, 0x0f, 0x44, 0x65, 0x62, 0x75, 0x67, 0x43, 0x72,
+	0x65, 0x61, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
 	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x62, 0x75, 0x67, 0x43, 0x72, 0x65,
-	0x61, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x3a, 0x01, 0x2a, 0x22, 0x15, 0x2f,
-	0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x62, 0x75, 0x67, 0x2f, 0x6d, 0x61, 0x63,
-	0x68, 0x69, 0x6e, 0x65, 0x12, 0x75, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69,
-	0x6e, 0x65, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
-	0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x24, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1e, 0x12, 0x1c, 0x2f,
-	0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b,
-	0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x74, 0x0a, 0x07, 0x53,
-	0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x12, 0x1c, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
-	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
-	0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x22, 0x2c, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x26, 0x3a, 0x01, 0x2a, 0x22, 0x21,
-	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f,
-	0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x74, 0x61, 0x67,
-	0x73, 0x12, 0x80, 0x01, 0x0a, 0x0f, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d, 0x61,
-	0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
-	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x63,
-	0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65,
-	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73,
-	0x74, 0x65, 0x72, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x22, 0x18, 0x2f, 0x61, 0x70, 0x69,
-	0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x72, 0x65, 0x67, 0x69,
-	0x73, 0x74, 0x65, 0x72, 0x12, 0x7e, 0x0a, 0x0d, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4d, 0x61,
-	0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
-	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69,
-	0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4d,
-	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x24,
-	0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1e, 0x2a, 0x1c, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
-	0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x5f, 0x69, 0x64, 0x7d, 0x12, 0x85, 0x01, 0x0a, 0x0d, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4d,
-	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
-	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68,
-	0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65,
-	0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x25, 0x22, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
-	0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x90, 0x01, 0x0a,
-	0x0d, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x22,
-	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65,
-	0x6e, 0x61, 0x6d, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x1a, 0x23, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x36, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x30, 0x22,
-	0x2e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x72, 0x65,
+	0x61, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25,
+	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65,
+	0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1d, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x17, 0x3a, 0x01, 0x2a,
+	0x22, 0x12, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x62, 0x75, 0x67, 0x2f,
+	0x6e, 0x6f, 0x64, 0x65, 0x12, 0x66, 0x0a, 0x07, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x12,
+	0x1c, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47,
+	0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e,
+	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74,
+	0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3,
+	0xe4, 0x93, 0x02, 0x18, 0x12, 0x16, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f,
+	0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x6e, 0x0a, 0x07,
+	0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x12, 0x1c, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
+	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
+	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x26, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x20, 0x3a, 0x01, 0x2a, 0x22,
+	0x1b, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e,
+	0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x74, 0x61, 0x67, 0x73, 0x12, 0x74, 0x0a, 0x0c,
+	0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4e, 0x6f, 0x64, 0x65, 0x12, 0x21, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x67, 0x69,
+	0x73, 0x74, 0x65, 0x72, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
+	0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52,
+	0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x22, 0x1d, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x17, 0x22, 0x15, 0x2f, 0x61, 0x70,
+	0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74,
+	0x65, 0x72, 0x12, 0x6f, 0x0a, 0x0a, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65,
+	0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x2a, 0x16, 0x2f, 0x61, 0x70,
+	0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f,
+	0x69, 0x64, 0x7d, 0x12, 0x76, 0x0a, 0x0a, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4e, 0x6f, 0x64,
+	0x65, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1f, 0x22, 0x1d, 0x2f, 0x61,
+	0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65,
+	0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x81, 0x01, 0x0a, 0x0a,
+	0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65,
+	0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d,
+	0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x30, 0x82,
+	0xd3, 0xe4, 0x93, 0x02, 0x2a, 0x22, 0x28, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e,
+	0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x72, 0x65,
 	0x6e, 0x61, 0x6d, 0x65, 0x2f, 0x7b, 0x6e, 0x65, 0x77, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x12,
-	0x6e, 0x0a, 0x0c, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x12,
-	0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c,
-	0x69, 0x73, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x17, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x11, 0x12, 0x0f,
-	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12,
-	0x7d, 0x0a, 0x0b, 0x4d, 0x6f, 0x76, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x20,
+	0x62, 0x0a, 0x09, 0x4c, 0x69, 0x73, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x73, 0x12, 0x1e, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74,
+	0x4e, 0x6f, 0x64, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74,
+	0x4e, 0x6f, 0x64, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x14, 0x82,
+	0xd3, 0xe4, 0x93, 0x02, 0x0e, 0x12, 0x0c, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e,
+	0x6f, 0x64, 0x65, 0x12, 0x6e, 0x0a, 0x08, 0x4d, 0x6f, 0x76, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x12,
+	0x1d, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d,
+	0x6f, 0x76, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1e,
 	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x6f,
-	0x76, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
-	0x4d, 0x6f, 0x76, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x22, 0x29, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x23, 0x22, 0x21, 0x2f, 0x61, 0x70,
-	0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61,
-	0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x12, 0x64,
-	0x0a, 0x09, 0x47, 0x65, 0x74, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x1e, 0x2e, 0x68, 0x65,
-	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x68, 0x65,
-	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16, 0x82, 0xd3,
-	0xe4, 0x93, 0x02, 0x10, 0x12, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f,
-	0x75, 0x74, 0x65, 0x73, 0x12, 0x7c, 0x0a, 0x0b, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
-	0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
-	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x28, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x22,
-	0x22, 0x20, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73,
-	0x2f, 0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x65, 0x6e, 0x61, 0x62,
-	0x6c, 0x65, 0x12, 0x80, 0x01, 0x0a, 0x0c, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
-	0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
-	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75,
-	0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x29, 0x82, 0xd3, 0xe4, 0x93,
-	0x02, 0x23, 0x22, 0x21, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74,
-	0x65, 0x73, 0x2f, 0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x64, 0x69,
-	0x73, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x8e, 0x01, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63,
-	0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x25, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63,
-	0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x1a, 0x26, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
-	0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
-	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02,
-	0x25, 0x12, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
-	0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f,
-	0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x75, 0x0a, 0x0b, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65,
-	0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
-	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x75,
-	0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x21, 0x82, 0xd3, 0xe4, 0x93,
-	0x02, 0x1b, 0x2a, 0x19, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74,
-	0x65, 0x73, 0x2f, 0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x70, 0x0a,
-	0x0c, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e,
-	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65,
-	0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
-	0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x19, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, 0x2a, 0x22,
-	0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x12,
-	0x77, 0x0a, 0x0c, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12,
-	0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45,
-	0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x3a, 0x01,
-	0x2a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65,
-	0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x6a, 0x0a, 0x0b, 0x4c, 0x69, 0x73, 0x74,
-	0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65,
-	0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69,
-	0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16, 0x82, 0xd3,
-	0xe4, 0x93, 0x02, 0x10, 0x12, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70,
-	0x69, 0x6b, 0x65, 0x79, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
-	0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62,
-	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x76, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23,
+	0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1d, 0x22, 0x1b, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
+	0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x75,
+	0x73, 0x65, 0x72, 0x12, 0x64, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73,
+	0x12, 0x1e, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x47, 0x65, 0x74, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x47, 0x65, 0x74, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x16, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x10, 0x12, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f,
+	0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x7c, 0x0a, 0x0b, 0x45, 0x6e, 0x61,
+	0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
+	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65,
+	0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x28, 0x82,
+	0xd3, 0xe4, 0x93, 0x02, 0x22, 0x22, 0x20, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72,
+	0x6f, 0x75, 0x74, 0x65, 0x73, 0x2f, 0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d,
+	0x2f, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x80, 0x01, 0x0a, 0x0c, 0x44, 0x69, 0x73, 0x61,
+	0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
+	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52,
+	0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x61, 0x62,
+	0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x29, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x23, 0x22, 0x21, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
+	0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2f, 0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69,
+	0x64, 0x7d, 0x2f, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x7f, 0x0a, 0x0d, 0x47, 0x65,
+	0x74, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x22, 0x2e, 0x68, 0x65,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4e, 0x6f,
+	0x64, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
+	0x23, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47,
+	0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1f, 0x12, 0x1d, 0x2f, 0x61,
+	0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65,
+	0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x75, 0x0a, 0x0b, 0x44,
+	0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65,
+	0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65,
+	0x74, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x21, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1b, 0x2a, 0x19, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
+	0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2f, 0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69,
+	0x64, 0x7d, 0x12, 0x70, 0x0a, 0x0c, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b,
+	0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
+	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65,
+	0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x19, 0x82, 0xd3, 0xe4, 0x93, 0x02,
+	0x13, 0x3a, 0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70,
+	0x69, 0x6b, 0x65, 0x79, 0x12, 0x77, 0x0a, 0x0c, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70,
+	0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
+	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69,
+	0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4,
+	0x93, 0x02, 0x1a, 0x3a, 0x01, 0x2a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
+	0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x6a, 0x0a,
+	0x0b, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x20, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74,
+	0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21,
+	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69,
+	0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x16, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x10, 0x12, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f,
+	0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74,
+	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74,
+	0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67,
+	0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var file_headscale_v1_headscale_proto_goTypes = []interface{}{
-	(*GetUserRequest)(nil),             // 0: headscale.v1.GetUserRequest
-	(*CreateUserRequest)(nil),          // 1: headscale.v1.CreateUserRequest
-	(*RenameUserRequest)(nil),          // 2: headscale.v1.RenameUserRequest
-	(*DeleteUserRequest)(nil),          // 3: headscale.v1.DeleteUserRequest
-	(*ListUsersRequest)(nil),           // 4: headscale.v1.ListUsersRequest
-	(*CreatePreAuthKeyRequest)(nil),    // 5: headscale.v1.CreatePreAuthKeyRequest
-	(*ExpirePreAuthKeyRequest)(nil),    // 6: headscale.v1.ExpirePreAuthKeyRequest
-	(*ListPreAuthKeysRequest)(nil),     // 7: headscale.v1.ListPreAuthKeysRequest
-	(*DebugCreateMachineRequest)(nil),  // 8: headscale.v1.DebugCreateMachineRequest
-	(*GetMachineRequest)(nil),          // 9: headscale.v1.GetMachineRequest
-	(*SetTagsRequest)(nil),             // 10: headscale.v1.SetTagsRequest
-	(*RegisterMachineRequest)(nil),     // 11: headscale.v1.RegisterMachineRequest
-	(*DeleteMachineRequest)(nil),       // 12: headscale.v1.DeleteMachineRequest
-	(*ExpireMachineRequest)(nil),       // 13: headscale.v1.ExpireMachineRequest
-	(*RenameMachineRequest)(nil),       // 14: headscale.v1.RenameMachineRequest
-	(*ListMachinesRequest)(nil),        // 15: headscale.v1.ListMachinesRequest
-	(*MoveMachineRequest)(nil),         // 16: headscale.v1.MoveMachineRequest
-	(*GetRoutesRequest)(nil),           // 17: headscale.v1.GetRoutesRequest
-	(*EnableRouteRequest)(nil),         // 18: headscale.v1.EnableRouteRequest
-	(*DisableRouteRequest)(nil),        // 19: headscale.v1.DisableRouteRequest
-	(*GetMachineRoutesRequest)(nil),    // 20: headscale.v1.GetMachineRoutesRequest
-	(*DeleteRouteRequest)(nil),         // 21: headscale.v1.DeleteRouteRequest
-	(*CreateApiKeyRequest)(nil),        // 22: headscale.v1.CreateApiKeyRequest
-	(*ExpireApiKeyRequest)(nil),        // 23: headscale.v1.ExpireApiKeyRequest
-	(*ListApiKeysRequest)(nil),         // 24: headscale.v1.ListApiKeysRequest
-	(*GetUserResponse)(nil),            // 25: headscale.v1.GetUserResponse
-	(*CreateUserResponse)(nil),         // 26: headscale.v1.CreateUserResponse
-	(*RenameUserResponse)(nil),         // 27: headscale.v1.RenameUserResponse
-	(*DeleteUserResponse)(nil),         // 28: headscale.v1.DeleteUserResponse
-	(*ListUsersResponse)(nil),          // 29: headscale.v1.ListUsersResponse
-	(*CreatePreAuthKeyResponse)(nil),   // 30: headscale.v1.CreatePreAuthKeyResponse
-	(*ExpirePreAuthKeyResponse)(nil),   // 31: headscale.v1.ExpirePreAuthKeyResponse
-	(*ListPreAuthKeysResponse)(nil),    // 32: headscale.v1.ListPreAuthKeysResponse
-	(*DebugCreateMachineResponse)(nil), // 33: headscale.v1.DebugCreateMachineResponse
-	(*GetMachineResponse)(nil),         // 34: headscale.v1.GetMachineResponse
-	(*SetTagsResponse)(nil),            // 35: headscale.v1.SetTagsResponse
-	(*RegisterMachineResponse)(nil),    // 36: headscale.v1.RegisterMachineResponse
-	(*DeleteMachineResponse)(nil),      // 37: headscale.v1.DeleteMachineResponse
-	(*ExpireMachineResponse)(nil),      // 38: headscale.v1.ExpireMachineResponse
-	(*RenameMachineResponse)(nil),      // 39: headscale.v1.RenameMachineResponse
-	(*ListMachinesResponse)(nil),       // 40: headscale.v1.ListMachinesResponse
-	(*MoveMachineResponse)(nil),        // 41: headscale.v1.MoveMachineResponse
-	(*GetRoutesResponse)(nil),          // 42: headscale.v1.GetRoutesResponse
-	(*EnableRouteResponse)(nil),        // 43: headscale.v1.EnableRouteResponse
-	(*DisableRouteResponse)(nil),       // 44: headscale.v1.DisableRouteResponse
-	(*GetMachineRoutesResponse)(nil),   // 45: headscale.v1.GetMachineRoutesResponse
-	(*DeleteRouteResponse)(nil),        // 46: headscale.v1.DeleteRouteResponse
-	(*CreateApiKeyResponse)(nil),       // 47: headscale.v1.CreateApiKeyResponse
-	(*ExpireApiKeyResponse)(nil),       // 48: headscale.v1.ExpireApiKeyResponse
-	(*ListApiKeysResponse)(nil),        // 49: headscale.v1.ListApiKeysResponse
+	(*GetUserRequest)(nil),           // 0: headscale.v1.GetUserRequest
+	(*CreateUserRequest)(nil),        // 1: headscale.v1.CreateUserRequest
+	(*RenameUserRequest)(nil),        // 2: headscale.v1.RenameUserRequest
+	(*DeleteUserRequest)(nil),        // 3: headscale.v1.DeleteUserRequest
+	(*ListUsersRequest)(nil),         // 4: headscale.v1.ListUsersRequest
+	(*CreatePreAuthKeyRequest)(nil),  // 5: headscale.v1.CreatePreAuthKeyRequest
+	(*ExpirePreAuthKeyRequest)(nil),  // 6: headscale.v1.ExpirePreAuthKeyRequest
+	(*ListPreAuthKeysRequest)(nil),   // 7: headscale.v1.ListPreAuthKeysRequest
+	(*DebugCreateNodeRequest)(nil),   // 8: headscale.v1.DebugCreateNodeRequest
+	(*GetNodeRequest)(nil),           // 9: headscale.v1.GetNodeRequest
+	(*SetTagsRequest)(nil),           // 10: headscale.v1.SetTagsRequest
+	(*RegisterNodeRequest)(nil),      // 11: headscale.v1.RegisterNodeRequest
+	(*DeleteNodeRequest)(nil),        // 12: headscale.v1.DeleteNodeRequest
+	(*ExpireNodeRequest)(nil),        // 13: headscale.v1.ExpireNodeRequest
+	(*RenameNodeRequest)(nil),        // 14: headscale.v1.RenameNodeRequest
+	(*ListNodesRequest)(nil),         // 15: headscale.v1.ListNodesRequest
+	(*MoveNodeRequest)(nil),          // 16: headscale.v1.MoveNodeRequest
+	(*GetRoutesRequest)(nil),         // 17: headscale.v1.GetRoutesRequest
+	(*EnableRouteRequest)(nil),       // 18: headscale.v1.EnableRouteRequest
+	(*DisableRouteRequest)(nil),      // 19: headscale.v1.DisableRouteRequest
+	(*GetNodeRoutesRequest)(nil),     // 20: headscale.v1.GetNodeRoutesRequest
+	(*DeleteRouteRequest)(nil),       // 21: headscale.v1.DeleteRouteRequest
+	(*CreateApiKeyRequest)(nil),      // 22: headscale.v1.CreateApiKeyRequest
+	(*ExpireApiKeyRequest)(nil),      // 23: headscale.v1.ExpireApiKeyRequest
+	(*ListApiKeysRequest)(nil),       // 24: headscale.v1.ListApiKeysRequest
+	(*GetUserResponse)(nil),          // 25: headscale.v1.GetUserResponse
+	(*CreateUserResponse)(nil),       // 26: headscale.v1.CreateUserResponse
+	(*RenameUserResponse)(nil),       // 27: headscale.v1.RenameUserResponse
+	(*DeleteUserResponse)(nil),       // 28: headscale.v1.DeleteUserResponse
+	(*ListUsersResponse)(nil),        // 29: headscale.v1.ListUsersResponse
+	(*CreatePreAuthKeyResponse)(nil), // 30: headscale.v1.CreatePreAuthKeyResponse
+	(*ExpirePreAuthKeyResponse)(nil), // 31: headscale.v1.ExpirePreAuthKeyResponse
+	(*ListPreAuthKeysResponse)(nil),  // 32: headscale.v1.ListPreAuthKeysResponse
+	(*DebugCreateNodeResponse)(nil),  // 33: headscale.v1.DebugCreateNodeResponse
+	(*GetNodeResponse)(nil),          // 34: headscale.v1.GetNodeResponse
+	(*SetTagsResponse)(nil),          // 35: headscale.v1.SetTagsResponse
+	(*RegisterNodeResponse)(nil),     // 36: headscale.v1.RegisterNodeResponse
+	(*DeleteNodeResponse)(nil),       // 37: headscale.v1.DeleteNodeResponse
+	(*ExpireNodeResponse)(nil),       // 38: headscale.v1.ExpireNodeResponse
+	(*RenameNodeResponse)(nil),       // 39: headscale.v1.RenameNodeResponse
+	(*ListNodesResponse)(nil),        // 40: headscale.v1.ListNodesResponse
+	(*MoveNodeResponse)(nil),         // 41: headscale.v1.MoveNodeResponse
+	(*GetRoutesResponse)(nil),        // 42: headscale.v1.GetRoutesResponse
+	(*EnableRouteResponse)(nil),      // 43: headscale.v1.EnableRouteResponse
+	(*DisableRouteResponse)(nil),     // 44: headscale.v1.DisableRouteResponse
+	(*GetNodeRoutesResponse)(nil),    // 45: headscale.v1.GetNodeRoutesResponse
+	(*DeleteRouteResponse)(nil),      // 46: headscale.v1.DeleteRouteResponse
+	(*CreateApiKeyResponse)(nil),     // 47: headscale.v1.CreateApiKeyResponse
+	(*ExpireApiKeyResponse)(nil),     // 48: headscale.v1.ExpireApiKeyResponse
+	(*ListApiKeysResponse)(nil),      // 49: headscale.v1.ListApiKeysResponse
 }
 var file_headscale_v1_headscale_proto_depIdxs = []int32{
 	0,  // 0: headscale.v1.HeadscaleService.GetUser:input_type -> headscale.v1.GetUserRequest
@@ -296,19 +287,19 @@ var file_headscale_v1_headscale_proto_depIdxs = []int32{
 	5,  // 5: headscale.v1.HeadscaleService.CreatePreAuthKey:input_type -> headscale.v1.CreatePreAuthKeyRequest
 	6,  // 6: headscale.v1.HeadscaleService.ExpirePreAuthKey:input_type -> headscale.v1.ExpirePreAuthKeyRequest
 	7,  // 7: headscale.v1.HeadscaleService.ListPreAuthKeys:input_type -> headscale.v1.ListPreAuthKeysRequest
-	8,  // 8: headscale.v1.HeadscaleService.DebugCreateMachine:input_type -> headscale.v1.DebugCreateMachineRequest
-	9,  // 9: headscale.v1.HeadscaleService.GetMachine:input_type -> headscale.v1.GetMachineRequest
+	8,  // 8: headscale.v1.HeadscaleService.DebugCreateNode:input_type -> headscale.v1.DebugCreateNodeRequest
+	9,  // 9: headscale.v1.HeadscaleService.GetNode:input_type -> headscale.v1.GetNodeRequest
 	10, // 10: headscale.v1.HeadscaleService.SetTags:input_type -> headscale.v1.SetTagsRequest
-	11, // 11: headscale.v1.HeadscaleService.RegisterMachine:input_type -> headscale.v1.RegisterMachineRequest
-	12, // 12: headscale.v1.HeadscaleService.DeleteMachine:input_type -> headscale.v1.DeleteMachineRequest
-	13, // 13: headscale.v1.HeadscaleService.ExpireMachine:input_type -> headscale.v1.ExpireMachineRequest
-	14, // 14: headscale.v1.HeadscaleService.RenameMachine:input_type -> headscale.v1.RenameMachineRequest
-	15, // 15: headscale.v1.HeadscaleService.ListMachines:input_type -> headscale.v1.ListMachinesRequest
-	16, // 16: headscale.v1.HeadscaleService.MoveMachine:input_type -> headscale.v1.MoveMachineRequest
+	11, // 11: headscale.v1.HeadscaleService.RegisterNode:input_type -> headscale.v1.RegisterNodeRequest
+	12, // 12: headscale.v1.HeadscaleService.DeleteNode:input_type -> headscale.v1.DeleteNodeRequest
+	13, // 13: headscale.v1.HeadscaleService.ExpireNode:input_type -> headscale.v1.ExpireNodeRequest
+	14, // 14: headscale.v1.HeadscaleService.RenameNode:input_type -> headscale.v1.RenameNodeRequest
+	15, // 15: headscale.v1.HeadscaleService.ListNodes:input_type -> headscale.v1.ListNodesRequest
+	16, // 16: headscale.v1.HeadscaleService.MoveNode:input_type -> headscale.v1.MoveNodeRequest
 	17, // 17: headscale.v1.HeadscaleService.GetRoutes:input_type -> headscale.v1.GetRoutesRequest
 	18, // 18: headscale.v1.HeadscaleService.EnableRoute:input_type -> headscale.v1.EnableRouteRequest
 	19, // 19: headscale.v1.HeadscaleService.DisableRoute:input_type -> headscale.v1.DisableRouteRequest
-	20, // 20: headscale.v1.HeadscaleService.GetMachineRoutes:input_type -> headscale.v1.GetMachineRoutesRequest
+	20, // 20: headscale.v1.HeadscaleService.GetNodeRoutes:input_type -> headscale.v1.GetNodeRoutesRequest
 	21, // 21: headscale.v1.HeadscaleService.DeleteRoute:input_type -> headscale.v1.DeleteRouteRequest
 	22, // 22: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
 	23, // 23: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
@@ -321,19 +312,19 @@ var file_headscale_v1_headscale_proto_depIdxs = []int32{
 	30, // 30: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
 	31, // 31: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
 	32, // 32: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
-	33, // 33: headscale.v1.HeadscaleService.DebugCreateMachine:output_type -> headscale.v1.DebugCreateMachineResponse
-	34, // 34: headscale.v1.HeadscaleService.GetMachine:output_type -> headscale.v1.GetMachineResponse
+	33, // 33: headscale.v1.HeadscaleService.DebugCreateNode:output_type -> headscale.v1.DebugCreateNodeResponse
+	34, // 34: headscale.v1.HeadscaleService.GetNode:output_type -> headscale.v1.GetNodeResponse
 	35, // 35: headscale.v1.HeadscaleService.SetTags:output_type -> headscale.v1.SetTagsResponse
-	36, // 36: headscale.v1.HeadscaleService.RegisterMachine:output_type -> headscale.v1.RegisterMachineResponse
-	37, // 37: headscale.v1.HeadscaleService.DeleteMachine:output_type -> headscale.v1.DeleteMachineResponse
-	38, // 38: headscale.v1.HeadscaleService.ExpireMachine:output_type -> headscale.v1.ExpireMachineResponse
-	39, // 39: headscale.v1.HeadscaleService.RenameMachine:output_type -> headscale.v1.RenameMachineResponse
-	40, // 40: headscale.v1.HeadscaleService.ListMachines:output_type -> headscale.v1.ListMachinesResponse
-	41, // 41: headscale.v1.HeadscaleService.MoveMachine:output_type -> headscale.v1.MoveMachineResponse
+	36, // 36: headscale.v1.HeadscaleService.RegisterNode:output_type -> headscale.v1.RegisterNodeResponse
+	37, // 37: headscale.v1.HeadscaleService.DeleteNode:output_type -> headscale.v1.DeleteNodeResponse
+	38, // 38: headscale.v1.HeadscaleService.ExpireNode:output_type -> headscale.v1.ExpireNodeResponse
+	39, // 39: headscale.v1.HeadscaleService.RenameNode:output_type -> headscale.v1.RenameNodeResponse
+	40, // 40: headscale.v1.HeadscaleService.ListNodes:output_type -> headscale.v1.ListNodesResponse
+	41, // 41: headscale.v1.HeadscaleService.MoveNode:output_type -> headscale.v1.MoveNodeResponse
 	42, // 42: headscale.v1.HeadscaleService.GetRoutes:output_type -> headscale.v1.GetRoutesResponse
 	43, // 43: headscale.v1.HeadscaleService.EnableRoute:output_type -> headscale.v1.EnableRouteResponse
 	44, // 44: headscale.v1.HeadscaleService.DisableRoute:output_type -> headscale.v1.DisableRouteResponse
-	45, // 45: headscale.v1.HeadscaleService.GetMachineRoutes:output_type -> headscale.v1.GetMachineRoutesResponse
+	45, // 45: headscale.v1.HeadscaleService.GetNodeRoutes:output_type -> headscale.v1.GetNodeRoutesResponse
 	46, // 46: headscale.v1.HeadscaleService.DeleteRoute:output_type -> headscale.v1.DeleteRouteResponse
 	47, // 47: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
 	48, // 48: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
@@ -352,7 +343,7 @@ func file_headscale_v1_headscale_proto_init() {
 	}
 	file_headscale_v1_user_proto_init()
 	file_headscale_v1_preauthkey_proto_init()
-	file_headscale_v1_machine_proto_init()
+	file_headscale_v1_node_proto_init()
 	file_headscale_v1_routes_proto_init()
 	file_headscale_v1_apikey_proto_init()
 	type x struct{}
--- a/gen/go/headscale/v1/headscale.pb.gw.go
+++ b/gen/go/headscale/v1/headscale.pb.gw.go
--- a/gen/go/headscale/v1/headscale_grpc.pb.go
+++ b/gen/go/headscale/v1/headscale_grpc.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
+// - protoc-gen-go-grpc v1.3.0
 // - protoc             (unknown)
 // source: headscale/v1/headscale.proto

@@ -18,6 +18,34 @@ import (
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7

+const (
+	HeadscaleService_GetUser_FullMethodName          = "/headscale.v1.HeadscaleService/GetUser"
+	HeadscaleService_CreateUser_FullMethodName       = "/headscale.v1.HeadscaleService/CreateUser"
+	HeadscaleService_RenameUser_FullMethodName       = "/headscale.v1.HeadscaleService/RenameUser"
+	HeadscaleService_DeleteUser_FullMethodName       = "/headscale.v1.HeadscaleService/DeleteUser"
+	HeadscaleService_ListUsers_FullMethodName        = "/headscale.v1.HeadscaleService/ListUsers"
+	HeadscaleService_CreatePreAuthKey_FullMethodName = "/headscale.v1.HeadscaleService/CreatePreAuthKey"
+	HeadscaleService_ExpirePreAuthKey_FullMethodName = "/headscale.v1.HeadscaleService/ExpirePreAuthKey"
+	HeadscaleService_ListPreAuthKeys_FullMethodName  = "/headscale.v1.HeadscaleService/ListPreAuthKeys"
+	HeadscaleService_DebugCreateNode_FullMethodName  = "/headscale.v1.HeadscaleService/DebugCreateNode"
+	HeadscaleService_GetNode_FullMethodName          = "/headscale.v1.HeadscaleService/GetNode"
+	HeadscaleService_SetTags_FullMethodName          = "/headscale.v1.HeadscaleService/SetTags"
+	HeadscaleService_RegisterNode_FullMethodName     = "/headscale.v1.HeadscaleService/RegisterNode"
+	HeadscaleService_DeleteNode_FullMethodName       = "/headscale.v1.HeadscaleService/DeleteNode"
+	HeadscaleService_ExpireNode_FullMethodName       = "/headscale.v1.HeadscaleService/ExpireNode"
+	HeadscaleService_RenameNode_FullMethodName       = "/headscale.v1.HeadscaleService/RenameNode"
+	HeadscaleService_ListNodes_FullMethodName        = "/headscale.v1.HeadscaleService/ListNodes"
+	HeadscaleService_MoveNode_FullMethodName         = "/headscale.v1.HeadscaleService/MoveNode"
+	HeadscaleService_GetRoutes_FullMethodName        = "/headscale.v1.HeadscaleService/GetRoutes"
+	HeadscaleService_EnableRoute_FullMethodName      = "/headscale.v1.HeadscaleService/EnableRoute"
+	HeadscaleService_DisableRoute_FullMethodName     = "/headscale.v1.HeadscaleService/DisableRoute"
+	HeadscaleService_GetNodeRoutes_FullMethodName    = "/headscale.v1.HeadscaleService/GetNodeRoutes"
+	HeadscaleService_DeleteRoute_FullMethodName      = "/headscale.v1.HeadscaleService/DeleteRoute"
+	HeadscaleService_CreateApiKey_FullMethodName     = "/headscale.v1.HeadscaleService/CreateApiKey"
+	HeadscaleService_ExpireApiKey_FullMethodName     = "/headscale.v1.HeadscaleService/ExpireApiKey"
+	HeadscaleService_ListApiKeys_FullMethodName      = "/headscale.v1.HeadscaleService/ListApiKeys"
+)
+
 // HeadscaleServiceClient is the client API for HeadscaleService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
@@ -32,21 +60,21 @@ type HeadscaleServiceClient interface {
 	CreatePreAuthKey(ctx context.Context, in *CreatePreAuthKeyRequest, opts ...grpc.CallOption) (*CreatePreAuthKeyResponse, error)
 	ExpirePreAuthKey(ctx context.Context, in *ExpirePreAuthKeyRequest, opts ...grpc.CallOption) (*ExpirePreAuthKeyResponse, error)
 	ListPreAuthKeys(ctx context.Context, in *ListPreAuthKeysRequest, opts ...grpc.CallOption) (*ListPreAuthKeysResponse, error)
-	// --- Machine start ---
-	DebugCreateMachine(ctx context.Context, in *DebugCreateMachineRequest, opts ...grpc.CallOption) (*DebugCreateMachineResponse, error)
-	GetMachine(ctx context.Context, in *GetMachineRequest, opts ...grpc.CallOption) (*GetMachineResponse, error)
+	// --- Node start ---
+	DebugCreateNode(ctx context.Context, in *DebugCreateNodeRequest, opts ...grpc.CallOption) (*DebugCreateNodeResponse, error)
+	GetNode(ctx context.Context, in *GetNodeRequest, opts ...grpc.CallOption) (*GetNodeResponse, error)
 	SetTags(ctx context.Context, in *SetTagsRequest, opts ...grpc.CallOption) (*SetTagsResponse, error)
-	RegisterMachine(ctx context.Context, in *RegisterMachineRequest, opts ...grpc.CallOption) (*RegisterMachineResponse, error)
-	DeleteMachine(ctx context.Context, in *DeleteMachineRequest, opts ...grpc.CallOption) (*DeleteMachineResponse, error)
-	ExpireMachine(ctx context.Context, in *ExpireMachineRequest, opts ...grpc.CallOption) (*ExpireMachineResponse, error)
-	RenameMachine(ctx context.Context, in *RenameMachineRequest, opts ...grpc.CallOption) (*RenameMachineResponse, error)
-	ListMachines(ctx context.Context, in *ListMachinesRequest, opts ...grpc.CallOption) (*ListMachinesResponse, error)
-	MoveMachine(ctx context.Context, in *MoveMachineRequest, opts ...grpc.CallOption) (*MoveMachineResponse, error)
+	RegisterNode(ctx context.Context, in *RegisterNodeRequest, opts ...grpc.CallOption) (*RegisterNodeResponse, error)
+	DeleteNode(ctx context.Context, in *DeleteNodeRequest, opts ...grpc.CallOption) (*DeleteNodeResponse, error)
+	ExpireNode(ctx context.Context, in *ExpireNodeRequest, opts ...grpc.CallOption) (*ExpireNodeResponse, error)
+	RenameNode(ctx context.Context, in *RenameNodeRequest, opts ...grpc.CallOption) (*RenameNodeResponse, error)
+	ListNodes(ctx context.Context, in *ListNodesRequest, opts ...grpc.CallOption) (*ListNodesResponse, error)
+	MoveNode(ctx context.Context, in *MoveNodeRequest, opts ...grpc.CallOption) (*MoveNodeResponse, error)
 	// --- Route start ---
 	GetRoutes(ctx context.Context, in *GetRoutesRequest, opts ...grpc.CallOption) (*GetRoutesResponse, error)
 	EnableRoute(ctx context.Context, in *EnableRouteRequest, opts ...grpc.CallOption) (*EnableRouteResponse, error)
 	DisableRoute(ctx context.Context, in *DisableRouteRequest, opts ...grpc.CallOption) (*DisableRouteResponse, error)
-	GetMachineRoutes(ctx context.Context, in *GetMachineRoutesRequest, opts ...grpc.CallOption) (*GetMachineRoutesResponse, error)
+	GetNodeRoutes(ctx context.Context, in *GetNodeRoutesRequest, opts ...grpc.CallOption) (*GetNodeRoutesResponse, error)
 	DeleteRoute(ctx context.Context, in *DeleteRouteRequest, opts ...grpc.CallOption) (*DeleteRouteResponse, error)
 	// --- ApiKeys start ---
 	CreateApiKey(ctx context.Context, in *CreateApiKeyRequest, opts ...grpc.CallOption) (*CreateApiKeyResponse, error)
@@ -64,7 +92,7 @@ func NewHeadscaleServiceClient(cc grpc.ClientConnInterface) HeadscaleServiceClie

 func (c *headscaleServiceClient) GetUser(ctx context.Context, in *GetUserRequest, opts ...grpc.CallOption) (*GetUserResponse, error) {
 	out := new(GetUserResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetUser", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_GetUser_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -73,7 +101,7 @@ func (c *headscaleServiceClient) GetUser(ctx context.Context, in *GetUserRequest

 func (c *headscaleServiceClient) CreateUser(ctx context.Context, in *CreateUserRequest, opts ...grpc.CallOption) (*CreateUserResponse, error) {
 	out := new(CreateUserResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/CreateUser", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_CreateUser_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -82,7 +110,7 @@ func (c *headscaleServiceClient) CreateUser(ctx context.Context, in *CreateUserR

 func (c *headscaleServiceClient) RenameUser(ctx context.Context, in *RenameUserRequest, opts ...grpc.CallOption) (*RenameUserResponse, error) {
 	out := new(RenameUserResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/RenameUser", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_RenameUser_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -91,7 +119,7 @@ func (c *headscaleServiceClient) RenameUser(ctx context.Context, in *RenameUserR

 func (c *headscaleServiceClient) DeleteUser(ctx context.Context, in *DeleteUserRequest, opts ...grpc.CallOption) (*DeleteUserResponse, error) {
 	out := new(DeleteUserResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/DeleteUser", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_DeleteUser_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -100,7 +128,7 @@ func (c *headscaleServiceClient) DeleteUser(ctx context.Context, in *DeleteUserR

 func (c *headscaleServiceClient) ListUsers(ctx context.Context, in *ListUsersRequest, opts ...grpc.CallOption) (*ListUsersResponse, error) {
 	out := new(ListUsersResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ListUsers", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_ListUsers_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -109,7 +137,7 @@ func (c *headscaleServiceClient) ListUsers(ctx context.Context, in *ListUsersReq

 func (c *headscaleServiceClient) CreatePreAuthKey(ctx context.Context, in *CreatePreAuthKeyRequest, opts ...grpc.CallOption) (*CreatePreAuthKeyResponse, error) {
 	out := new(CreatePreAuthKeyResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/CreatePreAuthKey", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_CreatePreAuthKey_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -118,7 +146,7 @@ func (c *headscaleServiceClient) CreatePreAuthKey(ctx context.Context, in *Creat

 func (c *headscaleServiceClient) ExpirePreAuthKey(ctx context.Context, in *ExpirePreAuthKeyRequest, opts ...grpc.CallOption) (*ExpirePreAuthKeyResponse, error) {
 	out := new(ExpirePreAuthKeyResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ExpirePreAuthKey", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_ExpirePreAuthKey_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -127,25 +155,25 @@ func (c *headscaleServiceClient) ExpirePreAuthKey(ctx context.Context, in *Expir

 func (c *headscaleServiceClient) ListPreAuthKeys(ctx context.Context, in *ListPreAuthKeysRequest, opts ...grpc.CallOption) (*ListPreAuthKeysResponse, error) {
 	out := new(ListPreAuthKeysResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ListPreAuthKeys", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_ListPreAuthKeys_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *headscaleServiceClient) DebugCreateMachine(ctx context.Context, in *DebugCreateMachineRequest, opts ...grpc.CallOption) (*DebugCreateMachineResponse, error) {
-	out := new(DebugCreateMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/DebugCreateMachine", in, out, opts...)
+func (c *headscaleServiceClient) DebugCreateNode(ctx context.Context, in *DebugCreateNodeRequest, opts ...grpc.CallOption) (*DebugCreateNodeResponse, error) {
+	out := new(DebugCreateNodeResponse)
+	err := c.cc.Invoke(ctx, HeadscaleService_DebugCreateNode_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *headscaleServiceClient) GetMachine(ctx context.Context, in *GetMachineRequest, opts ...grpc.CallOption) (*GetMachineResponse, error) {
-	out := new(GetMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetMachine", in, out, opts...)
+func (c *headscaleServiceClient) GetNode(ctx context.Context, in *GetNodeRequest, opts ...grpc.CallOption) (*GetNodeResponse, error) {
+	out := new(GetNodeResponse)
+	err := c.cc.Invoke(ctx, HeadscaleService_GetNode_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -154,61 +182,61 @@ func (c *headscaleServiceClient) GetMachine(ctx context.Context, in *GetMachineR

 func (c *headscaleServiceClient) SetTags(ctx context.Context, in *SetTagsRequest, opts ...grpc.CallOption) (*SetTagsResponse, error) {
 	out := new(SetTagsResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/SetTags", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_SetTags_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *headscaleServiceClient) RegisterMachine(ctx context.Context, in *RegisterMachineRequest, opts ...grpc.CallOption) (*RegisterMachineResponse, error) {
-	out := new(RegisterMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/RegisterMachine", in, out, opts...)
+func (c *headscaleServiceClient) RegisterNode(ctx context.Context, in *RegisterNodeRequest, opts ...grpc.CallOption) (*RegisterNodeResponse, error) {
+	out := new(RegisterNodeResponse)
+	err := c.cc.Invoke(ctx, HeadscaleService_RegisterNode_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *headscaleServiceClient) DeleteMachine(ctx context.Context, in *DeleteMachineRequest, opts ...grpc.CallOption) (*DeleteMachineResponse, error) {
-	out := new(DeleteMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/DeleteMachine", in, out, opts...)
+func (c *headscaleServiceClient) DeleteNode(ctx context.Context, in *DeleteNodeRequest, opts ...grpc.CallOption) (*DeleteNodeResponse, error) {
+	out := new(DeleteNodeResponse)
+	err := c.cc.Invoke(ctx, HeadscaleService_DeleteNode_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *headscaleServiceClient) ExpireMachine(ctx context.Context, in *ExpireMachineRequest, opts ...grpc.CallOption) (*ExpireMachineResponse, error) {
-	out := new(ExpireMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ExpireMachine", in, out, opts...)
+func (c *headscaleServiceClient) ExpireNode(ctx context.Context, in *ExpireNodeRequest, opts ...grpc.CallOption) (*ExpireNodeResponse, error) {
+	out := new(ExpireNodeResponse)
+	err := c.cc.Invoke(ctx, HeadscaleService_ExpireNode_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *headscaleServiceClient) RenameMachine(ctx context.Context, in *RenameMachineRequest, opts ...grpc.CallOption) (*RenameMachineResponse, error) {
-	out := new(RenameMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/RenameMachine", in, out, opts...)
+func (c *headscaleServiceClient) RenameNode(ctx context.Context, in *RenameNodeRequest, opts ...grpc.CallOption) (*RenameNodeResponse, error) {
+	out := new(RenameNodeResponse)
+	err := c.cc.Invoke(ctx, HeadscaleService_RenameNode_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *headscaleServiceClient) ListMachines(ctx context.Context, in *ListMachinesRequest, opts ...grpc.CallOption) (*ListMachinesResponse, error) {
-	out := new(ListMachinesResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ListMachines", in, out, opts...)
+func (c *headscaleServiceClient) ListNodes(ctx context.Context, in *ListNodesRequest, opts ...grpc.CallOption) (*ListNodesResponse, error) {
+	out := new(ListNodesResponse)
+	err := c.cc.Invoke(ctx, HeadscaleService_ListNodes_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *headscaleServiceClient) MoveMachine(ctx context.Context, in *MoveMachineRequest, opts ...grpc.CallOption) (*MoveMachineResponse, error) {
-	out := new(MoveMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/MoveMachine", in, out, opts...)
+func (c *headscaleServiceClient) MoveNode(ctx context.Context, in *MoveNodeRequest, opts ...grpc.CallOption) (*MoveNodeResponse, error) {
+	out := new(MoveNodeResponse)
+	err := c.cc.Invoke(ctx, HeadscaleService_MoveNode_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -217,7 +245,7 @@ func (c *headscaleServiceClient) MoveMachine(ctx context.Context, in *MoveMachin

 func (c *headscaleServiceClient) GetRoutes(ctx context.Context, in *GetRoutesRequest, opts ...grpc.CallOption) (*GetRoutesResponse, error) {
 	out := new(GetRoutesResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetRoutes", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_GetRoutes_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -226,7 +254,7 @@ func (c *headscaleServiceClient) GetRoutes(ctx context.Context, in *GetRoutesReq

 func (c *headscaleServiceClient) EnableRoute(ctx context.Context, in *EnableRouteRequest, opts ...grpc.CallOption) (*EnableRouteResponse, error) {
 	out := new(EnableRouteResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/EnableRoute", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_EnableRoute_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -235,16 +263,16 @@ func (c *headscaleServiceClient) EnableRoute(ctx context.Context, in *EnableRout

 func (c *headscaleServiceClient) DisableRoute(ctx context.Context, in *DisableRouteRequest, opts ...grpc.CallOption) (*DisableRouteResponse, error) {
 	out := new(DisableRouteResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/DisableRoute", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_DisableRoute_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *headscaleServiceClient) GetMachineRoutes(ctx context.Context, in *GetMachineRoutesRequest, opts ...grpc.CallOption) (*GetMachineRoutesResponse, error) {
-	out := new(GetMachineRoutesResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetMachineRoutes", in, out, opts...)
+func (c *headscaleServiceClient) GetNodeRoutes(ctx context.Context, in *GetNodeRoutesRequest, opts ...grpc.CallOption) (*GetNodeRoutesResponse, error) {
+	out := new(GetNodeRoutesResponse)
+	err := c.cc.Invoke(ctx, HeadscaleService_GetNodeRoutes_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -253,7 +281,7 @@ func (c *headscaleServiceClient) GetMachineRoutes(ctx context.Context, in *GetMa

 func (c *headscaleServiceClient) DeleteRoute(ctx context.Context, in *DeleteRouteRequest, opts ...grpc.CallOption) (*DeleteRouteResponse, error) {
 	out := new(DeleteRouteResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/DeleteRoute", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_DeleteRoute_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -262,7 +290,7 @@ func (c *headscaleServiceClient) DeleteRoute(ctx context.Context, in *DeleteRout

 func (c *headscaleServiceClient) CreateApiKey(ctx context.Context, in *CreateApiKeyRequest, opts ...grpc.CallOption) (*CreateApiKeyResponse, error) {
 	out := new(CreateApiKeyResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/CreateApiKey", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_CreateApiKey_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -271,7 +299,7 @@ func (c *headscaleServiceClient) CreateApiKey(ctx context.Context, in *CreateApi

 func (c *headscaleServiceClient) ExpireApiKey(ctx context.Context, in *ExpireApiKeyRequest, opts ...grpc.CallOption) (*ExpireApiKeyResponse, error) {
 	out := new(ExpireApiKeyResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ExpireApiKey", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_ExpireApiKey_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -280,7 +308,7 @@ func (c *headscaleServiceClient) ExpireApiKey(ctx context.Context, in *ExpireApi

 func (c *headscaleServiceClient) ListApiKeys(ctx context.Context, in *ListApiKeysRequest, opts ...grpc.CallOption) (*ListApiKeysResponse, error) {
 	out := new(ListApiKeysResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ListApiKeys", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_ListApiKeys_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -301,21 +329,21 @@ type HeadscaleServiceServer interface {
 	CreatePreAuthKey(context.Context, *CreatePreAuthKeyRequest) (*CreatePreAuthKeyResponse, error)
 	ExpirePreAuthKey(context.Context, *ExpirePreAuthKeyRequest) (*ExpirePreAuthKeyResponse, error)
 	ListPreAuthKeys(context.Context, *ListPreAuthKeysRequest) (*ListPreAuthKeysResponse, error)
-	// --- Machine start ---
-	DebugCreateMachine(context.Context, *DebugCreateMachineRequest) (*DebugCreateMachineResponse, error)
-	GetMachine(context.Context, *GetMachineRequest) (*GetMachineResponse, error)
+	// --- Node start ---
+	DebugCreateNode(context.Context, *DebugCreateNodeRequest) (*DebugCreateNodeResponse, error)
+	GetNode(context.Context, *GetNodeRequest) (*GetNodeResponse, error)
 	SetTags(context.Context, *SetTagsRequest) (*SetTagsResponse, error)
-	RegisterMachine(context.Context, *RegisterMachineRequest) (*RegisterMachineResponse, error)
-	DeleteMachine(context.Context, *DeleteMachineRequest) (*DeleteMachineResponse, error)
-	ExpireMachine(context.Context, *ExpireMachineRequest) (*ExpireMachineResponse, error)
-	RenameMachine(context.Context, *RenameMachineRequest) (*RenameMachineResponse, error)
-	ListMachines(context.Context, *ListMachinesRequest) (*ListMachinesResponse, error)
-	MoveMachine(context.Context, *MoveMachineRequest) (*MoveMachineResponse, error)
+	RegisterNode(context.Context, *RegisterNodeRequest) (*RegisterNodeResponse, error)
+	DeleteNode(context.Context, *DeleteNodeRequest) (*DeleteNodeResponse, error)
+	ExpireNode(context.Context, *ExpireNodeRequest) (*ExpireNodeResponse, error)
+	RenameNode(context.Context, *RenameNodeRequest) (*RenameNodeResponse, error)
+	ListNodes(context.Context, *ListNodesRequest) (*ListNodesResponse, error)
+	MoveNode(context.Context, *MoveNodeRequest) (*MoveNodeResponse, error)
 	// --- Route start ---
 	GetRoutes(context.Context, *GetRoutesRequest) (*GetRoutesResponse, error)
 	EnableRoute(context.Context, *EnableRouteRequest) (*EnableRouteResponse, error)
 	DisableRoute(context.Context, *DisableRouteRequest) (*DisableRouteResponse, error)
-	GetMachineRoutes(context.Context, *GetMachineRoutesRequest) (*GetMachineRoutesResponse, error)
+	GetNodeRoutes(context.Context, *GetNodeRoutesRequest) (*GetNodeRoutesResponse, error)
 	DeleteRoute(context.Context, *DeleteRouteRequest) (*DeleteRouteResponse, error)
 	// --- ApiKeys start ---
 	CreateApiKey(context.Context, *CreateApiKeyRequest) (*CreateApiKeyResponse, error)
@@ -352,32 +380,32 @@ func (UnimplementedHeadscaleServiceServer) ExpirePreAuthKey(context.Context, *Ex
 func (UnimplementedHeadscaleServiceServer) ListPreAuthKeys(context.Context, *ListPreAuthKeysRequest) (*ListPreAuthKeysResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListPreAuthKeys not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) DebugCreateMachine(context.Context, *DebugCreateMachineRequest) (*DebugCreateMachineResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method DebugCreateMachine not implemented")
+func (UnimplementedHeadscaleServiceServer) DebugCreateNode(context.Context, *DebugCreateNodeRequest) (*DebugCreateNodeResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DebugCreateNode not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) GetMachine(context.Context, *GetMachineRequest) (*GetMachineResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method GetMachine not implemented")
+func (UnimplementedHeadscaleServiceServer) GetNode(context.Context, *GetNodeRequest) (*GetNodeResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetNode not implemented")
 }
 func (UnimplementedHeadscaleServiceServer) SetTags(context.Context, *SetTagsRequest) (*SetTagsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SetTags not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) RegisterMachine(context.Context, *RegisterMachineRequest) (*RegisterMachineResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RegisterMachine not implemented")
+func (UnimplementedHeadscaleServiceServer) RegisterNode(context.Context, *RegisterNodeRequest) (*RegisterNodeResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RegisterNode not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) DeleteMachine(context.Context, *DeleteMachineRequest) (*DeleteMachineResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method DeleteMachine not implemented")
+func (UnimplementedHeadscaleServiceServer) DeleteNode(context.Context, *DeleteNodeRequest) (*DeleteNodeResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteNode not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) ExpireMachine(context.Context, *ExpireMachineRequest) (*ExpireMachineResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method ExpireMachine not implemented")
+func (UnimplementedHeadscaleServiceServer) ExpireNode(context.Context, *ExpireNodeRequest) (*ExpireNodeResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ExpireNode not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) RenameMachine(context.Context, *RenameMachineRequest) (*RenameMachineResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method RenameMachine not implemented")
+func (UnimplementedHeadscaleServiceServer) RenameNode(context.Context, *RenameNodeRequest) (*RenameNodeResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RenameNode not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) ListMachines(context.Context, *ListMachinesRequest) (*ListMachinesResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method ListMachines not implemented")
+func (UnimplementedHeadscaleServiceServer) ListNodes(context.Context, *ListNodesRequest) (*ListNodesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListNodes not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) MoveMachine(context.Context, *MoveMachineRequest) (*MoveMachineResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method MoveMachine not implemented")
+func (UnimplementedHeadscaleServiceServer) MoveNode(context.Context, *MoveNodeRequest) (*MoveNodeResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method MoveNode not implemented")
 }
 func (UnimplementedHeadscaleServiceServer) GetRoutes(context.Context, *GetRoutesRequest) (*GetRoutesResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetRoutes not implemented")
@@ -388,8 +416,8 @@ func (UnimplementedHeadscaleServiceServer) EnableRoute(context.Context, *EnableR
 func (UnimplementedHeadscaleServiceServer) DisableRoute(context.Context, *DisableRouteRequest) (*DisableRouteResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method DisableRoute not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) GetMachineRoutes(context.Context, *GetMachineRoutesRequest) (*GetMachineRoutesResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method GetMachineRoutes not implemented")
+func (UnimplementedHeadscaleServiceServer) GetNodeRoutes(context.Context, *GetNodeRoutesRequest) (*GetNodeRoutesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetNodeRoutes not implemented")
 }
 func (UnimplementedHeadscaleServiceServer) DeleteRoute(context.Context, *DeleteRouteRequest) (*DeleteRouteResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method DeleteRoute not implemented")
@@ -426,7 +454,7 @@ func _HeadscaleService_GetUser_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/GetUser",
+		FullMethod: HeadscaleService_GetUser_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).GetUser(ctx, req.(*GetUserRequest))
@@ -444,7 +472,7 @@ func _HeadscaleService_CreateUser_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/CreateUser",
+		FullMethod: HeadscaleService_CreateUser_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).CreateUser(ctx, req.(*CreateUserRequest))
@@ -462,7 +490,7 @@ func _HeadscaleService_RenameUser_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/RenameUser",
+		FullMethod: HeadscaleService_RenameUser_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).RenameUser(ctx, req.(*RenameUserRequest))
@@ -480,7 +508,7 @@ func _HeadscaleService_DeleteUser_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/DeleteUser",
+		FullMethod: HeadscaleService_DeleteUser_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).DeleteUser(ctx, req.(*DeleteUserRequest))
@@ -498,7 +526,7 @@ func _HeadscaleService_ListUsers_Handler(srv interface{}, ctx context.Context, d
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ListUsers",
+		FullMethod: HeadscaleService_ListUsers_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).ListUsers(ctx, req.(*ListUsersRequest))
@@ -516,7 +544,7 @@ func _HeadscaleService_CreatePreAuthKey_Handler(srv interface{}, ctx context.Con
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/CreatePreAuthKey",
+		FullMethod: HeadscaleService_CreatePreAuthKey_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).CreatePreAuthKey(ctx, req.(*CreatePreAuthKeyRequest))
@@ -534,7 +562,7 @@ func _HeadscaleService_ExpirePreAuthKey_Handler(srv interface{}, ctx context.Con
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ExpirePreAuthKey",
+		FullMethod: HeadscaleService_ExpirePreAuthKey_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).ExpirePreAuthKey(ctx, req.(*ExpirePreAuthKeyRequest))
@@ -552,7 +580,7 @@ func _HeadscaleService_ListPreAuthKeys_Handler(srv interface{}, ctx context.Cont
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ListPreAuthKeys",
+		FullMethod: HeadscaleService_ListPreAuthKeys_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).ListPreAuthKeys(ctx, req.(*ListPreAuthKeysRequest))
@@ -560,38 +588,38 @@ func _HeadscaleService_ListPreAuthKeys_Handler(srv interface{}, ctx context.Cont
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_DebugCreateMachine_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(DebugCreateMachineRequest)
+func _HeadscaleService_DebugCreateNode_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DebugCreateNodeRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).DebugCreateMachine(ctx, in)
+		return srv.(HeadscaleServiceServer).DebugCreateNode(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/DebugCreateMachine",
+		FullMethod: HeadscaleService_DebugCreateNode_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).DebugCreateMachine(ctx, req.(*DebugCreateMachineRequest))
+		return srv.(HeadscaleServiceServer).DebugCreateNode(ctx, req.(*DebugCreateNodeRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_GetMachine_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(GetMachineRequest)
+func _HeadscaleService_GetNode_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetNodeRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).GetMachine(ctx, in)
+		return srv.(HeadscaleServiceServer).GetNode(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/GetMachine",
+		FullMethod: HeadscaleService_GetNode_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).GetMachine(ctx, req.(*GetMachineRequest))
+		return srv.(HeadscaleServiceServer).GetNode(ctx, req.(*GetNodeRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
@@ -606,7 +634,7 @@ func _HeadscaleService_SetTags_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/SetTags",
+		FullMethod: HeadscaleService_SetTags_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).SetTags(ctx, req.(*SetTagsRequest))
@@ -614,110 +642,110 @@ func _HeadscaleService_SetTags_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_RegisterMachine_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(RegisterMachineRequest)
+func _HeadscaleService_RegisterNode_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RegisterNodeRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).RegisterMachine(ctx, in)
+		return srv.(HeadscaleServiceServer).RegisterNode(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/RegisterMachine",
+		FullMethod: HeadscaleService_RegisterNode_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).RegisterMachine(ctx, req.(*RegisterMachineRequest))
+		return srv.(HeadscaleServiceServer).RegisterNode(ctx, req.(*RegisterNodeRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_DeleteMachine_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(DeleteMachineRequest)
+func _HeadscaleService_DeleteNode_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DeleteNodeRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).DeleteMachine(ctx, in)
+		return srv.(HeadscaleServiceServer).DeleteNode(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/DeleteMachine",
+		FullMethod: HeadscaleService_DeleteNode_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).DeleteMachine(ctx, req.(*DeleteMachineRequest))
+		return srv.(HeadscaleServiceServer).DeleteNode(ctx, req.(*DeleteNodeRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_ExpireMachine_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(ExpireMachineRequest)
+func _HeadscaleService_ExpireNode_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ExpireNodeRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).ExpireMachine(ctx, in)
+		return srv.(HeadscaleServiceServer).ExpireNode(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ExpireMachine",
+		FullMethod: HeadscaleService_ExpireNode_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).ExpireMachine(ctx, req.(*ExpireMachineRequest))
+		return srv.(HeadscaleServiceServer).ExpireNode(ctx, req.(*ExpireNodeRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_RenameMachine_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(RenameMachineRequest)
+func _HeadscaleService_RenameNode_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RenameNodeRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).RenameMachine(ctx, in)
+		return srv.(HeadscaleServiceServer).RenameNode(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/RenameMachine",
+		FullMethod: HeadscaleService_RenameNode_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).RenameMachine(ctx, req.(*RenameMachineRequest))
+		return srv.(HeadscaleServiceServer).RenameNode(ctx, req.(*RenameNodeRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_ListMachines_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(ListMachinesRequest)
+func _HeadscaleService_ListNodes_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListNodesRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).ListMachines(ctx, in)
+		return srv.(HeadscaleServiceServer).ListNodes(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ListMachines",
+		FullMethod: HeadscaleService_ListNodes_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).ListMachines(ctx, req.(*ListMachinesRequest))
+		return srv.(HeadscaleServiceServer).ListNodes(ctx, req.(*ListNodesRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_MoveMachine_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(MoveMachineRequest)
+func _HeadscaleService_MoveNode_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(MoveNodeRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).MoveMachine(ctx, in)
+		return srv.(HeadscaleServiceServer).MoveNode(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/MoveMachine",
+		FullMethod: HeadscaleService_MoveNode_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).MoveMachine(ctx, req.(*MoveMachineRequest))
+		return srv.(HeadscaleServiceServer).MoveNode(ctx, req.(*MoveNodeRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
@@ -732,7 +760,7 @@ func _HeadscaleService_GetRoutes_Handler(srv interface{}, ctx context.Context, d
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/GetRoutes",
+		FullMethod: HeadscaleService_GetRoutes_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).GetRoutes(ctx, req.(*GetRoutesRequest))
@@ -750,7 +778,7 @@ func _HeadscaleService_EnableRoute_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/EnableRoute",
+		FullMethod: HeadscaleService_EnableRoute_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).EnableRoute(ctx, req.(*EnableRouteRequest))
@@ -768,7 +796,7 @@ func _HeadscaleService_DisableRoute_Handler(srv interface{}, ctx context.Context
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/DisableRoute",
+		FullMethod: HeadscaleService_DisableRoute_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).DisableRoute(ctx, req.(*DisableRouteRequest))
@@ -776,20 +804,20 @@ func _HeadscaleService_DisableRoute_Handler(srv interface{}, ctx context.Context
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_GetMachineRoutes_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(GetMachineRoutesRequest)
+func _HeadscaleService_GetNodeRoutes_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetNodeRoutesRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).GetMachineRoutes(ctx, in)
+		return srv.(HeadscaleServiceServer).GetNodeRoutes(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/GetMachineRoutes",
+		FullMethod: HeadscaleService_GetNodeRoutes_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).GetMachineRoutes(ctx, req.(*GetMachineRoutesRequest))
+		return srv.(HeadscaleServiceServer).GetNodeRoutes(ctx, req.(*GetNodeRoutesRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
@@ -804,7 +832,7 @@ func _HeadscaleService_DeleteRoute_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/DeleteRoute",
+		FullMethod: HeadscaleService_DeleteRoute_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).DeleteRoute(ctx, req.(*DeleteRouteRequest))
@@ -822,7 +850,7 @@ func _HeadscaleService_CreateApiKey_Handler(srv interface{}, ctx context.Context
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/CreateApiKey",
+		FullMethod: HeadscaleService_CreateApiKey_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).CreateApiKey(ctx, req.(*CreateApiKeyRequest))
@@ -840,7 +868,7 @@ func _HeadscaleService_ExpireApiKey_Handler(srv interface{}, ctx context.Context
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ExpireApiKey",
+		FullMethod: HeadscaleService_ExpireApiKey_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).ExpireApiKey(ctx, req.(*ExpireApiKeyRequest))
@@ -858,7 +886,7 @@ func _HeadscaleService_ListApiKeys_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ListApiKeys",
+		FullMethod: HeadscaleService_ListApiKeys_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).ListApiKeys(ctx, req.(*ListApiKeysRequest))
@@ -906,40 +934,40 @@ var HeadscaleService_ServiceDesc = grpc.ServiceDesc{
 			Handler:    _HeadscaleService_ListPreAuthKeys_Handler,
 		},
 		{
-			MethodName: "DebugCreateMachine",
-			Handler:    _HeadscaleService_DebugCreateMachine_Handler,
+			MethodName: "DebugCreateNode",
+			Handler:    _HeadscaleService_DebugCreateNode_Handler,
 		},
 		{
-			MethodName: "GetMachine",
-			Handler:    _HeadscaleService_GetMachine_Handler,
+			MethodName: "GetNode",
+			Handler:    _HeadscaleService_GetNode_Handler,
 		},
 		{
 			MethodName: "SetTags",
 			Handler:    _HeadscaleService_SetTags_Handler,
 		},
 		{
-			MethodName: "RegisterMachine",
-			Handler:    _HeadscaleService_RegisterMachine_Handler,
+			MethodName: "RegisterNode",
+			Handler:    _HeadscaleService_RegisterNode_Handler,
 		},
 		{
-			MethodName: "DeleteMachine",
-			Handler:    _HeadscaleService_DeleteMachine_Handler,
+			MethodName: "DeleteNode",
+			Handler:    _HeadscaleService_DeleteNode_Handler,
 		},
 		{
-			MethodName: "ExpireMachine",
-			Handler:    _HeadscaleService_ExpireMachine_Handler,
+			MethodName: "ExpireNode",
+			Handler:    _HeadscaleService_ExpireNode_Handler,
 		},
 		{
-			MethodName: "RenameMachine",
-			Handler:    _HeadscaleService_RenameMachine_Handler,
+			MethodName: "RenameNode",
+			Handler:    _HeadscaleService_RenameNode_Handler,
 		},
 		{
-			MethodName: "ListMachines",
-			Handler:    _HeadscaleService_ListMachines_Handler,
+			MethodName: "ListNodes",
+			Handler:    _HeadscaleService_ListNodes_Handler,
 		},
 		{
-			MethodName: "MoveMachine",
-			Handler:    _HeadscaleService_MoveMachine_Handler,
+			MethodName: "MoveNode",
+			Handler:    _HeadscaleService_MoveNode_Handler,
 		},
 		{
 			MethodName: "GetRoutes",
@@ -954,8 +982,8 @@ var HeadscaleService_ServiceDesc = grpc.ServiceDesc{
 			Handler:    _HeadscaleService_DisableRoute_Handler,
 		},
 		{
-			MethodName: "GetMachineRoutes",
-			Handler:    _HeadscaleService_GetMachineRoutes_Handler,
+			MethodName: "GetNodeRoutes",
+			Handler:    _HeadscaleService_GetNodeRoutes_Handler,
 		},
 		{
 			MethodName: "DeleteRoute",
--- a/gen/go/headscale/v1/machine.pb.go
+++ b/gen/go/headscale/v1/machine.pb.go
--- a/gen/go/headscale/v1/node.pb.go
+++ b/gen/go/headscale/v1/node.pb.go
--- a/gen/go/headscale/v1/preauthkey.pb.go
+++ b/gen/go/headscale/v1/preauthkey.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.31.0
 // 	protoc        (unknown)
 // source: headscale/v1/preauthkey.proto

--- a/gen/go/headscale/v1/routes.pb.go
+++ b/gen/go/headscale/v1/routes.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.31.0
 // 	protoc        (unknown)
 // source: headscale/v1/routes.proto

@@ -27,7 +27,7 @@ type Route struct {
 	unknownFields protoimpl.UnknownFields

 	Id         uint64                 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
-	Machine    *Machine               `protobuf:"bytes,2,opt,name=machine,proto3" json:"machine,omitempty"`
+	Node       *Node                  `protobuf:"bytes,2,opt,name=node,proto3" json:"node,omitempty"`
 	Prefix     string                 `protobuf:"bytes,3,opt,name=prefix,proto3" json:"prefix,omitempty"`
 	Advertised bool                   `protobuf:"varint,4,opt,name=advertised,proto3" json:"advertised,omitempty"`
 	Enabled    bool                   `protobuf:"varint,5,opt,name=enabled,proto3" json:"enabled,omitempty"`
@@ -76,9 +76,9 @@ func (x *Route) GetId() uint64 {
 	return 0
 }

-func (x *Route) GetMachine() *Machine {
+func (x *Route) GetNode() *Node {
 	if x != nil {
-		return x.Machine
+		return x.Node
 	}
 	return nil
 }
@@ -387,16 +387,16 @@ func (*DisableRouteResponse) Descriptor() ([]byte, []int) {
 	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{6}
 }

-type GetMachineRoutesRequest struct {
+type GetNodeRoutesRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	MachineId uint64 `protobuf:"varint,1,opt,name=machine_id,json=machineId,proto3" json:"machine_id,omitempty"`
+	NodeId uint64 `protobuf:"varint,1,opt,name=node_id,json=nodeId,proto3" json:"node_id,omitempty"`
 }

-func (x *GetMachineRoutesRequest) Reset() {
-	*x = GetMachineRoutesRequest{}
+func (x *GetNodeRoutesRequest) Reset() {
+	*x = GetNodeRoutesRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_headscale_v1_routes_proto_msgTypes[7]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -404,13 +404,13 @@ func (x *GetMachineRoutesRequest) Reset() {
 	}
 }

-func (x *GetMachineRoutesRequest) String() string {
+func (x *GetNodeRoutesRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }

-func (*GetMachineRoutesRequest) ProtoMessage() {}
+func (*GetNodeRoutesRequest) ProtoMessage() {}

-func (x *GetMachineRoutesRequest) ProtoReflect() protoreflect.Message {
+func (x *GetNodeRoutesRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[7]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -422,19 +422,19 @@ func (x *GetMachineRoutesRequest) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }

-// Deprecated: Use GetMachineRoutesRequest.ProtoReflect.Descriptor instead.
-func (*GetMachineRoutesRequest) Descriptor() ([]byte, []int) {
+// Deprecated: Use GetNodeRoutesRequest.ProtoReflect.Descriptor instead.
+func (*GetNodeRoutesRequest) Descriptor() ([]byte, []int) {
 	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{7}
 }

-func (x *GetMachineRoutesRequest) GetMachineId() uint64 {
+func (x *GetNodeRoutesRequest) GetNodeId() uint64 {
 	if x != nil {
-		return x.MachineId
+		return x.NodeId
 	}
 	return 0
 }

-type GetMachineRoutesResponse struct {
+type GetNodeRoutesResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
@@ -442,8 +442,8 @@ type GetMachineRoutesResponse struct {
 	Routes []*Route `protobuf:"bytes,1,rep,name=routes,proto3" json:"routes,omitempty"`
 }

-func (x *GetMachineRoutesResponse) Reset() {
-	*x = GetMachineRoutesResponse{}
+func (x *GetNodeRoutesResponse) Reset() {
+	*x = GetNodeRoutesResponse{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_headscale_v1_routes_proto_msgTypes[8]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -451,13 +451,13 @@ func (x *GetMachineRoutesResponse) Reset() {
 	}
 }

-func (x *GetMachineRoutesResponse) String() string {
+func (x *GetNodeRoutesResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }

-func (*GetMachineRoutesResponse) ProtoMessage() {}
+func (*GetNodeRoutesResponse) ProtoMessage() {}

-func (x *GetMachineRoutesResponse) ProtoReflect() protoreflect.Message {
+func (x *GetNodeRoutesResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[8]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -469,12 +469,12 @@ func (x *GetMachineRoutesResponse) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }

-// Deprecated: Use GetMachineRoutesResponse.ProtoReflect.Descriptor instead.
-func (*GetMachineRoutesResponse) Descriptor() ([]byte, []int) {
+// Deprecated: Use GetNodeRoutesResponse.ProtoReflect.Descriptor instead.
+func (*GetNodeRoutesResponse) Descriptor() ([]byte, []int) {
 	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{8}
 }

-func (x *GetMachineRoutesResponse) GetRoutes() []*Route {
+func (x *GetNodeRoutesResponse) GetRoutes() []*Route {
 	if x != nil {
 		return x.Routes
 	}
@@ -573,62 +573,61 @@ var file_headscale_v1_routes_proto_rawDesc = []byte{
 	0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0c, 0x68, 0x65, 0x61,
 	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
 	0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73,
-	0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1a, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xea, 0x02, 0x0a, 0x05, 0x52, 0x6f, 0x75, 0x74, 0x65,
-	0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x02, 0x69, 0x64,
-	0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
-	0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x64, 0x76,
-	0x65, 0x72, 0x74, 0x69, 0x73, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x61,
-	0x64, 0x76, 0x65, 0x72, 0x74, 0x69, 0x73, 0x65, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61,
-	0x62, 0x6c, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62,
-	0x6c, 0x65, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x73, 0x5f, 0x70, 0x72, 0x69, 0x6d, 0x61, 0x72,
-	0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x50, 0x72, 0x69, 0x6d, 0x61,
-	0x72, 0x79, 0x12, 0x39, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74,
-	0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
-	0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x39, 0x0a,
-	0x0a, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x75,
-	0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x39, 0x0a, 0x0a, 0x64, 0x65, 0x6c, 0x65,
-	0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54,
-	0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x64, 0x65, 0x6c, 0x65, 0x74, 0x65,
-	0x64, 0x41, 0x74, 0x22, 0x12, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x40, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2b, 0x0a, 0x06,
-	0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74,
-	0x65, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x2f, 0x0a, 0x12, 0x45, 0x6e, 0x61,
-	0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
-	0x19, 0x0a, 0x08, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x04, 0x52, 0x07, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x49, 0x64, 0x22, 0x15, 0x0a, 0x13, 0x45, 0x6e,
-	0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x22, 0x30, 0x0a, 0x13, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74,
-	0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x72, 0x6f, 0x75, 0x74,
-	0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x72, 0x6f, 0x75, 0x74,
-	0x65, 0x49, 0x64, 0x22, 0x16, 0x0a, 0x14, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x38, 0x0a, 0x17, 0x47,
-	0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68,
-	0x69, 0x6e, 0x65, 0x49, 0x64, 0x22, 0x47, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68,
-	0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x12, 0x2b, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28,
-	0x0b, 0x32, 0x13, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
-	0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x2f,
-	0x0a, 0x12, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x49, 0x64, 0x22,
-	0x15, 0x0a, 0x13, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
-	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65,
-	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76,
-	0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x17, 0x68, 0x65, 0x61, 0x64,
+	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2e, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x22, 0xe1, 0x02, 0x0a, 0x05, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x0e, 0x0a,
+	0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x02, 0x69, 0x64, 0x12, 0x26, 0x0a,
+	0x04, 0x6e, 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x68, 0x65,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x52,
+	0x04, 0x6e, 0x6f, 0x64, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x1e, 0x0a,
+	0x0a, 0x61, 0x64, 0x76, 0x65, 0x72, 0x74, 0x69, 0x73, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x08, 0x52, 0x0a, 0x61, 0x64, 0x76, 0x65, 0x72, 0x74, 0x69, 0x73, 0x65, 0x64, 0x12, 0x18, 0x0a,
+	0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07,
+	0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x73, 0x5f, 0x70, 0x72,
+	0x69, 0x6d, 0x61, 0x72, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x50,
+	0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x12, 0x39, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65,
+	0x64, 0x5f, 0x61, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f,
+	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d,
+	0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41,
+	0x74, 0x12, 0x39, 0x0a, 0x0a, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18,
+	0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d,
+	0x70, 0x52, 0x09, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x39, 0x0a, 0x0a,
+	0x64, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b,
+	0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
+	0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x64, 0x65,
+	0x6c, 0x65, 0x74, 0x65, 0x64, 0x41, 0x74, 0x22, 0x12, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x40, 0x0a, 0x11, 0x47,
+	0x65, 0x74, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x12, 0x2b, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b,
+	0x32, 0x13, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x2f, 0x0a,
+	0x12, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x49, 0x64, 0x22, 0x15,
+	0x0a, 0x13, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x30, 0x0a, 0x13, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65,
+	0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08,
+	0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07,
+	0x72, 0x6f, 0x75, 0x74, 0x65, 0x49, 0x64, 0x22, 0x16, 0x0a, 0x14, 0x44, 0x69, 0x73, 0x61, 0x62,
+	0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x2f, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x6e, 0x6f, 0x64, 0x65, 0x5f,
+	0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x6e, 0x6f, 0x64, 0x65, 0x49, 0x64,
+	0x22, 0x44, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2b, 0x0a, 0x06, 0x72, 0x6f, 0x75,
+	0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x68, 0x65, 0x61, 0x64,
+	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x06,
+	0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x2f, 0x0a, 0x12, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65,
+	0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08,
+	0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07,
+	0x72, 0x6f, 0x75, 0x74, 0x65, 0x49, 0x64, 0x22, 0x15, 0x0a, 0x13, 0x44, 0x65, 0x6c, 0x65, 0x74,
+	0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x29,
+	0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61,
+	0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f,
+	0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x33,
 }

 var (
@@ -645,27 +644,27 @@ func file_headscale_v1_routes_proto_rawDescGZIP() []byte {

 var file_headscale_v1_routes_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
 var file_headscale_v1_routes_proto_goTypes = []interface{}{
-	(*Route)(nil),                    // 0: headscale.v1.Route
-	(*GetRoutesRequest)(nil),         // 1: headscale.v1.GetRoutesRequest
-	(*GetRoutesResponse)(nil),        // 2: headscale.v1.GetRoutesResponse
-	(*EnableRouteRequest)(nil),       // 3: headscale.v1.EnableRouteRequest
-	(*EnableRouteResponse)(nil),      // 4: headscale.v1.EnableRouteResponse
-	(*DisableRouteRequest)(nil),      // 5: headscale.v1.DisableRouteRequest
-	(*DisableRouteResponse)(nil),     // 6: headscale.v1.DisableRouteResponse
-	(*GetMachineRoutesRequest)(nil),  // 7: headscale.v1.GetMachineRoutesRequest
-	(*GetMachineRoutesResponse)(nil), // 8: headscale.v1.GetMachineRoutesResponse
-	(*DeleteRouteRequest)(nil),       // 9: headscale.v1.DeleteRouteRequest
-	(*DeleteRouteResponse)(nil),      // 10: headscale.v1.DeleteRouteResponse
-	(*Machine)(nil),                  // 11: headscale.v1.Machine
-	(*timestamppb.Timestamp)(nil),    // 12: google.protobuf.Timestamp
+	(*Route)(nil),                 // 0: headscale.v1.Route
+	(*GetRoutesRequest)(nil),      // 1: headscale.v1.GetRoutesRequest
+	(*GetRoutesResponse)(nil),     // 2: headscale.v1.GetRoutesResponse
+	(*EnableRouteRequest)(nil),    // 3: headscale.v1.EnableRouteRequest
+	(*EnableRouteResponse)(nil),   // 4: headscale.v1.EnableRouteResponse
+	(*DisableRouteRequest)(nil),   // 5: headscale.v1.DisableRouteRequest
+	(*DisableRouteResponse)(nil),  // 6: headscale.v1.DisableRouteResponse
+	(*GetNodeRoutesRequest)(nil),  // 7: headscale.v1.GetNodeRoutesRequest
+	(*GetNodeRoutesResponse)(nil), // 8: headscale.v1.GetNodeRoutesResponse
+	(*DeleteRouteRequest)(nil),    // 9: headscale.v1.DeleteRouteRequest
+	(*DeleteRouteResponse)(nil),   // 10: headscale.v1.DeleteRouteResponse
+	(*Node)(nil),                  // 11: headscale.v1.Node
+	(*timestamppb.Timestamp)(nil), // 12: google.protobuf.Timestamp
 }
 var file_headscale_v1_routes_proto_depIdxs = []int32{
-	11, // 0: headscale.v1.Route.machine:type_name -> headscale.v1.Machine
+	11, // 0: headscale.v1.Route.node:type_name -> headscale.v1.Node
 	12, // 1: headscale.v1.Route.created_at:type_name -> google.protobuf.Timestamp
 	12, // 2: headscale.v1.Route.updated_at:type_name -> google.protobuf.Timestamp
 	12, // 3: headscale.v1.Route.deleted_at:type_name -> google.protobuf.Timestamp
 	0,  // 4: headscale.v1.GetRoutesResponse.routes:type_name -> headscale.v1.Route
-	0,  // 5: headscale.v1.GetMachineRoutesResponse.routes:type_name -> headscale.v1.Route
+	0,  // 5: headscale.v1.GetNodeRoutesResponse.routes:type_name -> headscale.v1.Route
 	6,  // [6:6] is the sub-list for method output_type
 	6,  // [6:6] is the sub-list for method input_type
 	6,  // [6:6] is the sub-list for extension type_name
@@ -678,7 +677,7 @@ func file_headscale_v1_routes_proto_init() {
 	if File_headscale_v1_routes_proto != nil {
 		return
 	}
-	file_headscale_v1_machine_proto_init()
+	file_headscale_v1_node_proto_init()
 	if !protoimpl.UnsafeEnabled {
 		file_headscale_v1_routes_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*Route); i {
@@ -765,7 +764,7 @@ func file_headscale_v1_routes_proto_init() {
 			}
 		}
 		file_headscale_v1_routes_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*GetMachineRoutesRequest); i {
+			switch v := v.(*GetNodeRoutesRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -777,7 +776,7 @@ func file_headscale_v1_routes_proto_init() {
 			}
 		}
 		file_headscale_v1_routes_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*GetMachineRoutesResponse); i {
+			switch v := v.(*GetNodeRoutesResponse); i {
 			case 0:
 				return &v.state
 			case 1:
--- a/gen/go/headscale/v1/user.pb.go
+++ b/gen/go/headscale/v1/user.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.31.0
 // 	protoc        (unknown)
 // source: headscale/v1/user.proto

--- a/gen/openapiv2/headscale/v1/headscale.swagger.json
+++ b/gen/openapiv2/headscale/v1/headscale.swagger.json
@@ -101,15 +101,15 @@
        ]
      }
    },
-    "/api/v1/debug/machine": {
+    "/api/v1/debug/node": {
      "post": {
-        "summary": "--- Machine start ---",
-        "operationId": "HeadscaleService_DebugCreateMachine",
+        "summary": "--- Node start ---",
+        "operationId": "HeadscaleService_DebugCreateNode",
        "responses": {
          "200": {
            "description": "A successful response.",
            "schema": {
-              "$ref": "#/definitions/v1DebugCreateMachineResponse"
+              "$ref": "#/definitions/v1DebugCreateNodeResponse"
            }
          },
          "default": {
@@ -125,7 +125,7 @@
            "in": "body",
            "required": true,
            "schema": {
-              "$ref": "#/definitions/v1DebugCreateMachineRequest"
+              "$ref": "#/definitions/v1DebugCreateNodeRequest"
            }
          }
        ],
@@ -134,14 +134,14 @@
        ]
      }
    },
-    "/api/v1/machine": {
+    "/api/v1/node": {
      "get": {
-        "operationId": "HeadscaleService_ListMachines",
+        "operationId": "HeadscaleService_ListNodes",
        "responses": {
          "200": {
            "description": "A successful response.",
            "schema": {
-              "$ref": "#/definitions/v1ListMachinesResponse"
+              "$ref": "#/definitions/v1ListNodesResponse"
            }
          },
          "default": {
@@ -164,14 +164,14 @@
        ]
      }
    },
-    "/api/v1/machine/register": {
+    "/api/v1/node/register": {
      "post": {
-        "operationId": "HeadscaleService_RegisterMachine",
+        "operationId": "HeadscaleService_RegisterNode",
        "responses": {
          "200": {
            "description": "A successful response.",
            "schema": {
-              "$ref": "#/definitions/v1RegisterMachineResponse"
+              "$ref": "#/definitions/v1RegisterNodeResponse"
            }
          },
          "default": {
@@ -200,14 +200,14 @@
        ]
      }
    },
-    "/api/v1/machine/{machineId}": {
+    "/api/v1/node/{nodeId}": {
      "get": {
-        "operationId": "HeadscaleService_GetMachine",
+        "operationId": "HeadscaleService_GetNode",
        "responses": {
          "200": {
            "description": "A successful response.",
            "schema": {
-              "$ref": "#/definitions/v1GetMachineResponse"
+              "$ref": "#/definitions/v1GetNodeResponse"
            }
          },
          "default": {
@@ -219,7 +219,7 @@
        },
        "parameters": [
          {
-            "name": "machineId",
+            "name": "nodeId",
            "in": "path",
            "required": true,
            "type": "string",
@@ -231,12 +231,12 @@
        ]
      },
      "delete": {
-        "operationId": "HeadscaleService_DeleteMachine",
+        "operationId": "HeadscaleService_DeleteNode",
        "responses": {
          "200": {
            "description": "A successful response.",
            "schema": {
-              "$ref": "#/definitions/v1DeleteMachineResponse"
+              "$ref": "#/definitions/v1DeleteNodeResponse"
            }
          },
          "default": {
@@ -248,7 +248,7 @@
        },
        "parameters": [
          {
-            "name": "machineId",
+            "name": "nodeId",
            "in": "path",
            "required": true,
            "type": "string",
@@ -260,14 +260,14 @@
        ]
      }
    },
-    "/api/v1/machine/{machineId}/expire": {
+    "/api/v1/node/{nodeId}/expire": {
      "post": {
-        "operationId": "HeadscaleService_ExpireMachine",
+        "operationId": "HeadscaleService_ExpireNode",
        "responses": {
          "200": {
            "description": "A successful response.",
            "schema": {
-              "$ref": "#/definitions/v1ExpireMachineResponse"
+              "$ref": "#/definitions/v1ExpireNodeResponse"
            }
          },
          "default": {
@@ -279,7 +279,7 @@
        },
        "parameters": [
          {
-            "name": "machineId",
+            "name": "nodeId",
            "in": "path",
            "required": true,
            "type": "string",
@@ -291,14 +291,14 @@
        ]
      }
    },
-    "/api/v1/machine/{machineId}/rename/{newName}": {
+    "/api/v1/node/{nodeId}/rename/{newName}": {
      "post": {
-        "operationId": "HeadscaleService_RenameMachine",
+        "operationId": "HeadscaleService_RenameNode",
        "responses": {
          "200": {
            "description": "A successful response.",
            "schema": {
-              "$ref": "#/definitions/v1RenameMachineResponse"
+              "$ref": "#/definitions/v1RenameNodeResponse"
            }
          },
          "default": {
@@ -310,7 +310,7 @@
        },
        "parameters": [
          {
-            "name": "machineId",
+            "name": "nodeId",
            "in": "path",
            "required": true,
            "type": "string",
@@ -328,14 +328,14 @@
        ]
      }
    },
-    "/api/v1/machine/{machineId}/routes": {
+    "/api/v1/node/{nodeId}/routes": {
      "get": {
-        "operationId": "HeadscaleService_GetMachineRoutes",
+        "operationId": "HeadscaleService_GetNodeRoutes",
        "responses": {
          "200": {
            "description": "A successful response.",
            "schema": {
-              "$ref": "#/definitions/v1GetMachineRoutesResponse"
+              "$ref": "#/definitions/v1GetNodeRoutesResponse"
            }
          },
          "default": {
@@ -347,7 +347,7 @@
        },
        "parameters": [
          {
-            "name": "machineId",
+            "name": "nodeId",
            "in": "path",
            "required": true,
            "type": "string",
@@ -359,7 +359,7 @@
        ]
      }
    },
-    "/api/v1/machine/{machineId}/tags": {
+    "/api/v1/node/{nodeId}/tags": {
      "post": {
        "operationId": "HeadscaleService_SetTags",
        "responses": {
@@ -378,7 +378,7 @@
        },
        "parameters": [
          {
-            "name": "machineId",
+            "name": "nodeId",
            "in": "path",
            "required": true,
            "type": "string",
@@ -406,14 +406,14 @@
        ]
      }
    },
-    "/api/v1/machine/{machineId}/user": {
+    "/api/v1/node/{nodeId}/user": {
      "post": {
-        "operationId": "HeadscaleService_MoveMachine",
+        "operationId": "HeadscaleService_MoveNode",
        "responses": {
          "200": {
            "description": "A successful response.",
            "schema": {
-              "$ref": "#/definitions/v1MoveMachineResponse"
+              "$ref": "#/definitions/v1MoveNodeResponse"
            }
          },
          "default": {
@@ -425,7 +425,7 @@
        },
        "parameters": [
          {
-            "name": "machineId",
+            "name": "nodeId",
            "in": "path",
            "required": true,
            "type": "string",
@@ -917,7 +917,7 @@
        }
      }
    },
-    "v1DebugCreateMachineRequest": {
+    "v1DebugCreateNodeRequest": {
      "type": "object",
      "properties": {
        "user": {
@@ -937,15 +937,15 @@
        }
      }
    },
-    "v1DebugCreateMachineResponse": {
+    "v1DebugCreateNodeResponse": {
      "type": "object",
      "properties": {
-        "machine": {
-          "$ref": "#/definitions/v1Machine"
+        "node": {
+          "$ref": "#/definitions/v1Node"
        }
      }
    },
-    "v1DeleteMachineResponse": {
+    "v1DeleteNodeResponse": {
      "type": "object"
    },
    "v1DeleteRouteResponse": {
@@ -971,11 +971,11 @@
    "v1ExpireApiKeyResponse": {
      "type": "object"
    },
-    "v1ExpireMachineResponse": {
+    "v1ExpireNodeResponse": {
      "type": "object",
      "properties": {
-        "machine": {
-          "$ref": "#/definitions/v1Machine"
+        "node": {
+          "$ref": "#/definitions/v1Node"
        }
      }
    },
@@ -993,15 +993,15 @@
    "v1ExpirePreAuthKeyResponse": {
      "type": "object"
    },
-    "v1GetMachineResponse": {
+    "v1GetNodeResponse": {
      "type": "object",
      "properties": {
-        "machine": {
-          "$ref": "#/definitions/v1Machine"
+        "node": {
+          "$ref": "#/definitions/v1Node"
        }
      }
    },
-    "v1GetMachineRoutesResponse": {
+    "v1GetNodeRoutesResponse": {
      "type": "object",
      "properties": {
        "routes": {
@@ -1042,13 +1042,13 @@
        }
      }
    },
-    "v1ListMachinesResponse": {
+    "v1ListNodesResponse": {
      "type": "object",
      "properties": {
-        "machines": {
+        "nodes": {
          "type": "array",
          "items": {
-            "$ref": "#/definitions/v1Machine"
+            "$ref": "#/definitions/v1Node"
          }
        }
      }
@@ -1075,7 +1075,15 @@
        }
      }
    },
-    "v1Machine": {
+    "v1MoveNodeResponse": {
+      "type": "object",
+      "properties": {
+        "node": {
+          "$ref": "#/definitions/v1Node"
+        }
+      }
+    },
+    "v1Node": {
      "type": "object",
      "properties": {
        "id": {
@@ -1151,14 +1159,6 @@
        }
      }
    },
-    "v1MoveMachineResponse": {
-      "type": "object",
-      "properties": {
-        "machine": {
-          "$ref": "#/definitions/v1Machine"
-        }
-      }
-    },
    "v1PreAuthKey": {
      "type": "object",
      "properties": {
@@ -1196,14 +1196,6 @@
        }
      }
    },
-    "v1RegisterMachineResponse": {
-      "type": "object",
-      "properties": {
-        "machine": {
-          "$ref": "#/definitions/v1Machine"
-        }
-      }
-    },
    "v1RegisterMethod": {
      "type": "string",
      "enum": [
@@ -1214,11 +1206,19 @@
      ],
      "default": "REGISTER_METHOD_UNSPECIFIED"
    },
-    "v1RenameMachineResponse": {
+    "v1RegisterNodeResponse": {
      "type": "object",
      "properties": {
-        "machine": {
-          "$ref": "#/definitions/v1Machine"
+        "node": {
+          "$ref": "#/definitions/v1Node"
+        }
+      }
+    },
+    "v1RenameNodeResponse": {
+      "type": "object",
+      "properties": {
+        "node": {
+          "$ref": "#/definitions/v1Node"
        }
      }
    },
@@ -1237,8 +1237,8 @@
          "type": "string",
          "format": "uint64"
        },
-        "machine": {
-          "$ref": "#/definitions/v1Machine"
+        "node": {
+          "$ref": "#/definitions/v1Node"
        },
        "prefix": {
          "type": "string"
@@ -1269,8 +1269,8 @@
    "v1SetTagsResponse": {
      "type": "object",
      "properties": {
-        "machine": {
-          "$ref": "#/definitions/v1Machine"
+        "node": {
+          "$ref": "#/definitions/v1Node"
        }
      }
    },
--- a/gen/openapiv2/headscale/v1/machine.swagger.json
+++ b/gen/openapiv2/headscale/v1/machine.swagger.json
@@ -1,7 +1,7 @@
 {
  "swagger": "2.0",
  "info": {
-    "title": "headscale/v1/machine.proto",
+    "title": "headscale/v1/node.proto",
    "version": "version not set"
  },
  "consumes": [
--- a/go.mod
+++ b/go.mod
@@ -15,13 +15,13 @@ require (
 	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2
-	github.com/klauspost/compress v1.16.4
+	github.com/klauspost/compress v1.16.5
 	github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282
 	github.com/ory/dockertest/v3 v3.9.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
 	github.com/pkg/profile v1.7.0
-	github.com/prometheus/client_golang v1.14.0
+	github.com/prometheus/client_golang v1.15.1
 	github.com/prometheus/common v0.42.0
 	github.com/pterm/pterm v0.12.58
 	github.com/puzpuzpuz/xsync/v2 v2.4.0
@@ -33,10 +33,10 @@ require (
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
 	go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35
-	golang.org/x/crypto v0.7.0
-	golang.org/x/net v0.9.0
+	golang.org/x/crypto v0.8.0
+	golang.org/x/net v0.10.0
 	golang.org/x/oauth2 v0.7.0
-	golang.org/x/sync v0.1.0
+	golang.org/x/sync v0.2.0
 	google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd
 	google.golang.org/grpc v1.54.0
 	google.golang.org/protobuf v1.30.0
@@ -44,7 +44,7 @@ require (
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/postgres v1.4.8
 	gorm.io/gorm v1.24.6
-	tailscale.com v1.38.4
+	tailscale.com v1.44.0
 )

 require (
@@ -52,7 +52,7 @@ require (
 	atomicgo.dev/keyboard v0.2.9 // indirect
 	filippo.io/edwards25519 v1.0.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
@@ -60,8 +60,8 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/containerd/console v1.0.3 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
-	github.com/docker/cli v23.0.1+incompatible // indirect
-	github.com/docker/docker v23.0.1+incompatible // indirect
+	github.com/docker/cli v23.0.5+incompatible // indirect
+	github.com/docker/docker v24.0.4+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
@@ -83,7 +83,7 @@ require (
 	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hdevalence/ed25519consensus v0.1.0 // indirect
-	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
@@ -91,7 +91,7 @@ require (
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect
-	github.com/jsimonetti/rtnetlink v1.3.1 // indirect
+	github.com/jsimonetti/rtnetlink v1.3.2 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
@@ -99,28 +99,28 @@ require (
 	github.com/lithammer/fuzzysearch v1.1.5 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mattn/go-isatty v0.0.18 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/mdlayher/netlink v1.7.1 // indirect
-	github.com/mdlayher/socket v0.4.0 // indirect
+	github.com/mdlayher/netlink v1.7.2 // indirect
+	github.com/mdlayher/socket v0.4.1 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/term v0.0.0-20221205130635-1aeaba878587 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
 	github.com/opencontainers/runc v1.1.4 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.7 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/rogpeppe/go-internal v1.9.0 // indirect
+	github.com/rogpeppe/go-internal v1.10.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/spf13/afero v1.9.4 // indirect
+	github.com/spf13/afero v1.9.5 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
@@ -131,13 +131,13 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
-	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
-	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
-	golang.org/x/term v0.7.0 // indirect
+	golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 // indirect
+	golang.org/x/mod v0.10.0 // indirect
+	golang.org/x/sys v0.8.1-0.20230609144347-5059a07aa46a // indirect
+	golang.org/x/term v0.8.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
+	golang.org/x/tools v0.9.1 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -44,13 +44,12 @@ cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3f
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/edwards25519 v1.0.0 h1:0wAIcmJUqRdI8IJ/3eGi5/HwXZWPujYXXlkrQogz0Ek=
 filippo.io/edwards25519 v1.0.0/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns=
-filippo.io/mkcert v1.4.3 h1:axpnmtrZMM8u5Hf4N3UXxboGemMOV+Tn+e+pkHM6E3o=
+filippo.io/mkcert v1.4.4 h1:8eVbbwfVlaqUM7OwuftKc2nuYOoTDQWqsoXmzoXZdbc=
 github.com/AlecAivazis/survey/v2 v2.3.6 h1:NvTuVHISgTHEHeBFqt6BHOe4Ny/NwGZr7w+F8S9ziyw=
 github.com/AlecAivazis/survey/v2 v2.3.6/go.mod h1:4AuI9b7RjAR+G7v9+C4YSlX/YL3K3cWNXgWXOhllqvI=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/MarvinJWendt/testza v0.1.0/go.mod h1:7AxNvlfeHP7Z/hDQ5JtE3OKYT3XFUeLCDE2DQninSqs=
 github.com/MarvinJWendt/testza v0.2.1/go.mod h1:God7bhG8n6uQxwdScay+gjm9/LnO4D3kkcZX4hv9Rp8=
@@ -60,8 +59,8 @@ github.com/MarvinJWendt/testza v0.2.12/go.mod h1:JOIegYyV7rX+7VZ9r77L/eH6CfJHHzX
 github.com/MarvinJWendt/testza v0.3.0/go.mod h1:eFcL4I0idjtIx8P9C6KkAuLgATNKpX4/2oUqKc6bF2c=
 github.com/MarvinJWendt/testza v0.4.2/go.mod h1:mSdhXiKH8sg/gQehJ63bINcCKp7RtYewEjXsvsVUPbE=
 github.com/MarvinJWendt/testza v0.5.2 h1:53KDo64C1z/h/d/stCYCPY69bt/OSwjq5KpFNwi+zB4=
-github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
-github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
@@ -108,10 +107,10 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/deckarep/golang-set/v2 v2.3.0 h1:qs18EKUfHm2X9fA50Mr/M5hccg2tNnVqsiBImnyDs0g=
 github.com/deckarep/golang-set/v2 v2.3.0/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4=
-github.com/docker/cli v23.0.1+incompatible h1:LRyWITpGzl2C9e9uGxzisptnxAn1zfZKXy13Ul2Q5oM=
-github.com/docker/cli v23.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v23.0.1+incompatible h1:vjgvJZxprTTE1A37nm+CLNAdwu6xZekyoiVlUZEINcY=
-github.com/docker/docker v23.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/cli v23.0.5+incompatible h1:ufWmAOuD3Vmr7JP2G5K3cyuNC4YZWiAsuDEvFVVDafE=
+github.com/docker/cli v23.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v24.0.4+incompatible h1:s/LVDftw9hjblvqIeTiGYXBCD95nOEEl7qRsRrIOuQI=
+github.com/docker/docker v24.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
@@ -130,7 +129,7 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
 github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
-github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
+github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
@@ -275,8 +274,8 @@ github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4Dvx
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
-github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
-github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
+github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM=
+github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
@@ -293,8 +292,8 @@ github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
-github.com/jsimonetti/rtnetlink v1.3.1 h1:Bl3VxrWwi3eNj2pFuG2x3xcIArSAvHf9paz1OXiDT9A=
-github.com/jsimonetti/rtnetlink v1.3.1/go.mod h1:Wcc80IISX10gdeQoRzNPcCd1joPy+P0NyPPgOhQAvpk=
+github.com/jsimonetti/rtnetlink v1.3.2 h1:dcn0uWkfxycEEyNy0IGfx3GrhQ38LH7odjxAghimsVI=
+github.com/jsimonetti/rtnetlink v1.3.2/go.mod h1:BBu4jZCpTjP6Gk0/wfrO8qcqymnN3g0hoFqObRmUo6U=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
@@ -304,8 +303,8 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:C
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.16.4 h1:91KN02FnsOYhuunwU4ssRe8lc2JosWmizWa91B5v1PU=
-github.com/klauspost/compress v1.16.4/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI=
+github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.10/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
@@ -338,17 +337,17 @@ github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcME
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.18 h1:DOKFKCQ7FNG2L1rbrmstDN4QVRdS89Nkh85u68Uwp98=
+github.com/mattn/go-isatty v0.0.18/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
 github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/mdlayher/netlink v1.7.1 h1:FdUaT/e33HjEXagwELR8R3/KL1Fq5x3G5jgHLp/BTmg=
-github.com/mdlayher/netlink v1.7.1/go.mod h1:nKO5CSjE/DJjVhk/TNp6vCE1ktVxEA8VEh8drhZzxsQ=
-github.com/mdlayher/socket v0.4.0 h1:280wsy40IC9M9q1uPGcLBwXpcTQDtoGwVt+BNoITxIw=
-github.com/mdlayher/socket v0.4.0/go.mod h1:xxFqz5GRCUN3UEOm9CZqEJsAbe1C8OwSK46NlmWuVoc=
+github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
+github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
+github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
+github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
@@ -368,8 +367,8 @@ github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282 h1:TQMyrpijt
 github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282/go.mod h1:rW25Kyd08Wdn3UVn0YBsDTSvReu0jqpmJKzxITPSjks=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0-rc2 h1:2zx/Stx4Wc5pIPDvIxHXvXtQFW/7XWJGmnM7r3wg034=
-github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
+github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
+github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
 github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg=
 github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
@@ -379,8 +378,8 @@ github.com/ory/dockertest/v3 v3.9.1 h1:v4dkG+dlu76goxMiTT2j8zV7s4oPPEppKT8K8p2f1
 github.com/ory/dockertest/v3 v3.9.1/go.mod h1:42Ir9hmvaAPm0Mgibk6mBPi7SFvTXxEcnztDYOJ//uM=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
-github.com/pelletier/go-toml/v2 v2.0.6 h1:nrzqCb7j9cDFj2coyLNLaZuJTLjWjlaz6nvTvIwycIU=
-github.com/pelletier/go-toml/v2 v2.0.6/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek=
+github.com/pelletier/go-toml/v2 v2.0.7 h1:muncTPStnKRos5dpVKULv2FVd4bMOhNePj9CjgDb8Us=
+github.com/pelletier/go-toml/v2 v2.0.7/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek=
 github.com/philip-bui/grpc-zerolog v1.0.1 h1:EMacvLRUd2O1K0eWod27ZP5CY1iTNkhBDLSN+Q4JEvA=
 github.com/philip-bui/grpc-zerolog v1.0.1/go.mod h1:qXbiq/2X4ZUMMshsqlWyTHOcw7ns+GZmlqZZN05ZHcQ=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -392,11 +391,11 @@ github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDj
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
-github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
+github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI=
+github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
-github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
+github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
+github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
 github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
 github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
 github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
@@ -420,8 +419,9 @@ github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.29.0 h1:Zes4hju04hjbvkVkOhdl2HpZa+0PmVwigmo8XoORE5w=
 github.com/rs/zerolog v1.29.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0=
@@ -430,15 +430,15 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM=
 github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
-github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spf13/afero v1.9.4 h1:Sd43wM1IWz/s1aVXdOBkjJvuP8UdyqioeE4AmM0QsBs=
-github.com/spf13/afero v1.9.4/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
+github.com/spf13/afero v1.9.5 h1:stMpOSZFs//0Lv29HduCmli3GUfpFoF3Y1Q/aXj/wVM=
+github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
 github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
@@ -518,11 +518,11 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
+golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -533,9 +533,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI=
-golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
-golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a h1:Jw5wfR+h9mnIYH+OtGT2im5wV1YGGDora5vTv/aa5bE=
+golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 h1:5llv2sWeaMSnA3w2kS57ouQQ4pudlXrR0dCgw51QK9o=
+golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -560,8 +559,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk=
+golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -598,8 +597,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
-golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -623,8 +622,9 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
+golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -688,8 +688,9 @@ golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.1-0.20230609144347-5059a07aa46a h1:qMsju+PNttu/NMbq8bQ9waDdxgJMu9QNoUDuhnBaYt0=
+golang.org/x/sys v0.8.1-0.20230609144347-5059a07aa46a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY=
@@ -697,8 +698,8 @@ golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuX
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
-golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
+golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -767,8 +768,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
+golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -892,7 +893,6 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/postgres v1.4.8 h1:NDWizaclb7Q2aupT0jkwK8jx1HVCNzt+PQ8v/VnxviA=
@@ -909,7 +909,6 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.4.2 h1:6qXr+R5w+ktL5UkwEbPp+fEvfyoMPche6GkOpGHZcLc=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 modernc.org/libc v1.22.2 h1:4U7v51GyhlWqQmwCHj28Rdq2Yzwk55ovjFrdPjs8Hb0=
 modernc.org/libc v1.22.2/go.mod h1:uvQavJ1pZ0hIoC/jfqNoMLURIMhKzINIWypNM17puug=
@@ -925,5 +924,5 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 software.sslmate.com/src/go-pkcs12 v0.2.0 h1:nlFkj7bTysH6VkC4fGphtjXRbezREPgrHuJG20hBGPE=
-tailscale.com v1.38.4 h1:ItZfSYhLCnY/fjwlBqdgcf0mjjh2W8eFhUM5XIsSqdE=
-tailscale.com v1.38.4/go.mod h1:UWLQxcd8dz+lds2I+HpfXSruHrvXM1j4zd4zdx86t7w=
+tailscale.com v1.44.0 h1:MPos9n30kJvdyfL52045gVFyNg93K+bwgDsr8gqKq2o=
+tailscale.com v1.44.0/go.mod h1:+iYwTdeHyVJuNDu42Zafwihq1Uqfh+pW7pRaY1GD328=
--- a/hscontrol/app.go
+++ b/hscontrol/app.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"context"
@@ -8,9 +8,10 @@ import (
 	"io"
 	"net"
 	"net/http"
+	_ "net/http/pprof" //nolint
 	"os"
 	"os/signal"
-	"sort"
+	"runtime"
 	"strconv"
 	"strings"
 	"sync"
@@ -20,12 +21,19 @@ import (
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/mux"
 	grpcMiddleware "github.com/grpc-ecosystem/go-grpc-middleware"
-	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	grpcRuntime "github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/db"
+	"github.com/juanfont/headscale/hscontrol/derp"
+	derpServer "github.com/juanfont/headscale/hscontrol/derp/server"
+	"github.com/juanfont/headscale/hscontrol/notifier"
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/patrickmn/go-cache"
 	zerolog "github.com/philip-bui/grpc-zerolog"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"github.com/puzpuzpuz/xsync/v2"
 	zl "github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/crypto/acme"
@@ -40,68 +48,59 @@ import (
 	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/reflection"
 	"google.golang.org/grpc/status"
-	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
 )

-const (
-	errSTUNAddressNotSet                   = Error("STUN address not set")
-	errUnsupportedDatabase                 = Error("unsupported DB")
-	errUnsupportedLetsEncryptChallengeType = Error(
+var (
+	errSTUNAddressNotSet                   = errors.New("STUN address not set")
+	errUnsupportedDatabase                 = errors.New("unsupported DB")
+	errUnsupportedLetsEncryptChallengeType = errors.New(
 		"unknown value for Lets Encrypt challenge type",
 	)
 )

 const (
-	AuthPrefix          = "Bearer "
-	Postgres            = "postgres"
-	Sqlite              = "sqlite3"
-	updateInterval      = 5000
-	HTTPReadTimeout     = 30 * time.Second
-	HTTPShutdownTimeout = 3 * time.Second
-	privateKeyFileMode  = 0o600
+	AuthPrefix         = "Bearer "
+	updateInterval     = 5000
+	privateKeyFileMode = 0o600

 	registerCacheExpiration = time.Minute * 15
 	registerCacheCleanup    = time.Minute * 20
-
-	DisabledClientAuth = "disabled"
-	RelaxedClientAuth  = "relaxed"
-	EnforcedClientAuth = "enforced"
 )

 // Headscale represents the base app of the service.
 type Headscale struct {
-	cfg             *Config
-	db              *gorm.DB
+	cfg             *types.Config
+	db              *db.HSDatabase
 	dbString        string
 	dbType          string
 	dbDebug         bool
-	privateKey      *key.MachinePrivate
+	privateKey2019  *key.MachinePrivate
 	noisePrivateKey *key.MachinePrivate

 	DERPMap    *tailcfg.DERPMap
-	DERPServer *DERPServer
+	DERPServer *derpServer.DERPServer

-	aclPolicy *ACLPolicy
-	aclRules  []tailcfg.FilterRule
-	sshPolicy *tailcfg.SSHPolicy
+	ACLPolicy *policy.ACLPolicy

-	lastStateChange *xsync.MapOf[string, time.Time]
+	nodeNotifier *notifier.Notifier

 	oidcProvider *oidc.Provider
 	oauth2Config *oauth2.Config

 	registrationCache *cache.Cache

-	ipAllocationMutex sync.Mutex
-
 	shutdownChan       chan struct{}
 	pollNetMapStreamWG sync.WaitGroup
 }

-func NewHeadscale(cfg *Config) (*Headscale, error) {
+func NewHeadscale(cfg *types.Config) (*Headscale, error) {
+	if _, enableProfile := os.LookupEnv("HEADSCALE_PROFILING_ENABLED"); enableProfile {
+		runtime.SetBlockProfileRate(1)
+	}
+
 	privateKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read or create private key: %w", err)
@@ -119,7 +118,7 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {

 	var dbString string
 	switch cfg.DBtype {
-	case Postgres:
+	case db.Postgres:
 		dbString = fmt.Sprintf(
 			"host=%s dbname=%s user=%s",
 			cfg.DBhost,
@@ -142,7 +141,7 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 		if cfg.DBpass != "" {
 			dbString += fmt.Sprintf(" password=%s", cfg.DBpass)
 		}
-	case Sqlite:
+	case db.Sqlite:
 		dbString = cfg.DBpath
 	default:
 		return nil, errUnsupportedDatabase
@@ -157,19 +156,26 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 		cfg:                cfg,
 		dbType:             cfg.DBtype,
 		dbString:           dbString,
-		privateKey:         privateKey,
+		privateKey2019:     privateKey,
 		noisePrivateKey:    noisePrivateKey,
-		aclRules:           tailcfg.FilterAllowAll, // default allowall
 		registrationCache:  registrationCache,
 		pollNetMapStreamWG: sync.WaitGroup{},
-		lastStateChange:    xsync.NewMapOf[time.Time](),
+		nodeNotifier:       notifier.NewNotifier(),
 	}

-	err = app.initDB()
+	database, err := db.NewHeadscaleDatabase(
+		cfg.DBtype,
+		dbString,
+		app.dbDebug,
+		app.nodeNotifier,
+		cfg.IPPrefixes,
+		cfg.BaseDomain)
 	if err != nil {
 		return nil, err
 	}

+	app.db = database
+
 	if cfg.OIDC.Issuer != "" {
 		err = app.initOIDC()
 		if err != nil {
@@ -182,7 +188,7 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 	}

 	if app.cfg.DNSConfig != nil && app.cfg.DNSConfig.Proxied { // if MagicDNS
-		magicDNSDomains := generateMagicDNSRootDomains(app.cfg.IPPrefixes)
+		magicDNSDomains := util.GenerateMagicDNSRootDomains(app.cfg.IPPrefixes)
 		// we might have routes already from Split DNS
 		if app.cfg.DNSConfig.Routes == nil {
 			app.cfg.DNSConfig.Routes = make(map[string][]*dnstype.Resolver)
@@ -193,7 +199,12 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 	}

 	if cfg.DERP.ServerEnabled {
-		embeddedDERPServer, err := app.NewDERPServer()
+		// TODO(kradalby): replace this key with a dedicated DERP key.
+		embeddedDERPServer, err := derpServer.NewDERPServer(
+			cfg.ServerURL,
+			key.NodePrivate(*privateKey),
+			&cfg.DERP,
+		)
 		if err != nil {
 			return nil, err
 		}
@@ -209,126 +220,67 @@ func (h *Headscale) redirect(w http.ResponseWriter, req *http.Request) {
 	http.Redirect(w, req, target, http.StatusFound)
 }

-// expireEphemeralNodes deletes ephemeral machine records that have not been
+// expireEphemeralNodes deletes ephemeral node records that have not been
 // seen for longer than h.cfg.EphemeralNodeInactivityTimeout.
 func (h *Headscale) expireEphemeralNodes(milliSeconds int64) {
 	ticker := time.NewTicker(time.Duration(milliSeconds) * time.Millisecond)
 	for range ticker.C {
-		h.expireEphemeralNodesWorker()
+		h.db.ExpireEphemeralNodes(h.cfg.EphemeralNodeInactivityTimeout)
 	}
 }

-// expireExpiredMachines expires machines that have an explicit expiry set
+// expireExpiredMachines expires nodes that have an explicit expiry set
 // after that expiry time has passed.
-func (h *Headscale) expireExpiredMachines(milliSeconds int64) {
-	ticker := time.NewTicker(time.Duration(milliSeconds) * time.Millisecond)
+func (h *Headscale) expireExpiredMachines(intervalMs int64) {
+	interval := time.Duration(intervalMs) * time.Millisecond
+	ticker := time.NewTicker(interval)
+
+	lastCheck := time.Unix(0, 0)
+
 	for range ticker.C {
-		h.expireExpiredMachinesWorker()
+		lastCheck = h.db.ExpireExpiredNodes(lastCheck)
+	}
+}
+
+// scheduledDERPMapUpdateWorker refreshes the DERPMap stored on the global object
+// at a set interval.
+func (h *Headscale) scheduledDERPMapUpdateWorker(cancelChan <-chan struct{}) {
+	log.Info().
+		Dur("frequency", h.cfg.DERP.UpdateFrequency).
+		Msg("Setting up a DERPMap update worker")
+	ticker := time.NewTicker(h.cfg.DERP.UpdateFrequency)
+
+	for {
+		select {
+		case <-cancelChan:
+			return
+
+		case <-ticker.C:
+			log.Info().Msg("Fetching DERPMap updates")
+			h.DERPMap = derp.GetDERPMap(h.cfg.DERP)
+			if h.cfg.DERP.ServerEnabled {
+				region, _ := h.DERPServer.GenerateRegion()
+				h.DERPMap.Regions[region.RegionID] = &region
+			}
+
+			h.nodeNotifier.NotifyAll(types.StateUpdate{
+				Type:    types.StateDERPUpdated,
+				DERPMap: *h.DERPMap,
+			})
+		}
 	}
 }

 func (h *Headscale) failoverSubnetRoutes(milliSeconds int64) {
 	ticker := time.NewTicker(time.Duration(milliSeconds) * time.Millisecond)
 	for range ticker.C {
-		err := h.handlePrimarySubnetFailover()
+		err := h.db.HandlePrimarySubnetFailover()
 		if err != nil {
 			log.Error().Err(err).Msg("failed to handle primary subnet failover")
 		}
 	}
 }

-func (h *Headscale) expireEphemeralNodesWorker() {
-	users, err := h.ListUsers()
-	if err != nil {
-		log.Error().Err(err).Msg("Error listing users")
-
-		return
-	}
-
-	for _, user := range users {
-		machines, err := h.ListMachinesByUser(user.Name)
-		if err != nil {
-			log.Error().
-				Err(err).
-				Str("user", user.Name).
-				Msg("Error listing machines in user")
-
-			return
-		}
-
-		expiredFound := false
-		for _, machine := range machines {
-			if machine.isEphemeral() && machine.LastSeen != nil &&
-				time.Now().
-					After(machine.LastSeen.Add(h.cfg.EphemeralNodeInactivityTimeout)) {
-				expiredFound = true
-				log.Info().
-					Str("machine", machine.Hostname).
-					Msg("Ephemeral client removed from database")
-
-				err = h.db.Unscoped().Delete(machine).Error
-				if err != nil {
-					log.Error().
-						Err(err).
-						Str("machine", machine.Hostname).
-						Msg("🤮 Cannot delete ephemeral machine from the database")
-				}
-			}
-		}
-
-		if expiredFound {
-			h.setLastStateChangeToNow()
-		}
-	}
-}
-
-func (h *Headscale) expireExpiredMachinesWorker() {
-	users, err := h.ListUsers()
-	if err != nil {
-		log.Error().Err(err).Msg("Error listing users")
-
-		return
-	}
-
-	for _, user := range users {
-		machines, err := h.ListMachinesByUser(user.Name)
-		if err != nil {
-			log.Error().
-				Err(err).
-				Str("user", user.Name).
-				Msg("Error listing machines in user")
-
-			return
-		}
-
-		expiredFound := false
-		for index, machine := range machines {
-			if machine.isExpired() &&
-				machine.Expiry.After(h.getLastStateChange(user)) {
-				expiredFound = true
-
-				err := h.ExpireMachine(&machines[index])
-				if err != nil {
-					log.Error().
-						Err(err).
-						Str("machine", machine.Hostname).
-						Str("name", machine.GivenName).
-						Msg("🤮 Cannot expire machine")
-				} else {
-					log.Info().
-						Str("machine", machine.Hostname).
-						Str("name", machine.GivenName).
-						Msg("Machine successfully expired")
-				}
-			}
-		}
-
-		if expiredFound {
-			h.setLastStateChangeToNow()
-		}
-	}
-}
-
 func (h *Headscale) grpcAuthenticationInterceptor(ctx context.Context,
 	req interface{},
 	info *grpc.UnaryServerInfo,
@@ -386,7 +338,7 @@ func (h *Headscale) grpcAuthenticationInterceptor(ctx context.Context,
 		)
 	}

-	valid, err := h.ValidateAPIKey(strings.TrimPrefix(token, AuthPrefix))
+	valid, err := h.db.ValidateAPIKey(strings.TrimPrefix(token, AuthPrefix))
 	if err != nil {
 		log.Error().
 			Caller().
@@ -437,7 +389,7 @@ func (h *Headscale) httpAuthenticationMiddleware(next http.Handler) http.Handler
 			return
 		}

-		valid, err := h.ValidateAPIKey(strings.TrimPrefix(authHeader, AuthPrefix))
+		valid, err := h.db.ValidateAPIKey(strings.TrimPrefix(authHeader, AuthPrefix))
 		if err != nil {
 			log.Error().
 				Caller().
@@ -489,8 +441,9 @@ func (h *Headscale) ensureUnixSocketIsAbsent() error {
 	return os.Remove(h.cfg.UnixSocket)
 }

-func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
+func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
 	router := mux.NewRouter()
+	router.PathPrefix("/debug/pprof/").Handler(http.DefaultServeMux)

 	router.HandleFunc(ts2021UpgradePath, h.NoiseUpgradeHandler).Methods(http.MethodPost)

@@ -507,14 +460,16 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
 	router.HandleFunc("/windows", h.WindowsConfigMessage).Methods(http.MethodGet)
 	router.HandleFunc("/windows/tailscale.reg", h.WindowsRegConfig).
 		Methods(http.MethodGet)
-	router.HandleFunc("/swagger", SwaggerUI).Methods(http.MethodGet)
-	router.HandleFunc("/swagger/v1/openapiv2.json", SwaggerAPIv1).
+
+	// TODO(kristoffer): move swagger into a package
+	router.HandleFunc("/swagger", headscale.SwaggerUI).Methods(http.MethodGet)
+	router.HandleFunc("/swagger/v1/openapiv2.json", headscale.SwaggerAPIv1).
 		Methods(http.MethodGet)

 	if h.cfg.DERP.ServerEnabled {
-		router.HandleFunc("/derp", h.DERPHandler)
-		router.HandleFunc("/derp/probe", h.DERPProbeHandler)
-		router.HandleFunc("/bootstrap-dns", h.DERPBootstrapDNSHandler)
+		router.HandleFunc("/derp", h.DERPServer.DERPHandler)
+		router.HandleFunc("/derp/probe", derpServer.DERPProbeHandler)
+		router.HandleFunc("/bootstrap-dns", derpServer.DERPBootstrapDNSHandler(h.DERPMap))
 	}

 	apiRouter := router.PathPrefix("/api").Subrouter()
@@ -531,7 +486,7 @@ func (h *Headscale) Serve() error {
 	var err error

 	// Fetch an initial DERP Map before we start serving
-	h.DERPMap = GetDERPMap(h.cfg.DERP)
+	h.DERPMap = derp.GetDERPMap(h.cfg.DERP)

 	if h.cfg.DERP.ServerEnabled {
 		// When embedded DERP is enabled we always need a STUN server
@@ -539,8 +494,14 @@ func (h *Headscale) Serve() error {
 			return errSTUNAddressNotSet
 		}

-		h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region
-		go h.ServeSTUN()
+		region, err := h.DERPServer.GenerateRegion()
+		if err != nil {
+			return err
+		}
+
+		h.DERPMap.Regions[region.RegionID] = &region
+
+		go h.DERPServer.ServeSTUN()
 	}

 	if h.cfg.DERP.AutoUpdate {
@@ -549,6 +510,8 @@ func (h *Headscale) Serve() error {
 		go h.scheduledDERPMapUpdateWorker(derpMapCancelChannel)
 	}

+	// TODO(kradalby): These should have cancel channels and be cleaned
+	// up on shutdown.
 	go h.expireEphemeralNodes(updateInterval)
 	go h.expireExpiredMachines(updateInterval)

@@ -587,14 +550,14 @@ func (h *Headscale) Serve() error {
 		return fmt.Errorf("failed change permission of gRPC socket: %w", err)
 	}

-	grpcGatewayMux := runtime.NewServeMux()
+	grpcGatewayMux := grpcRuntime.NewServeMux()

 	// Make the grpc-gateway connect to grpc over socket
 	grpcGatewayConn, err := grpc.Dial(
 		h.cfg.UnixSocket,
 		[]grpc.DialOption{
 			grpc.WithTransportCredentials(insecure.NewCredentials()),
-			grpc.WithContextDialer(GrpcSocketDialer),
+			grpc.WithContextDialer(util.GrpcSocketDialer),
 		}...,
 	)
 	if err != nil {
@@ -689,7 +652,7 @@ func (h *Headscale) Serve() error {
 	httpServer := &http.Server{
 		Addr:        h.cfg.Addr,
 		Handler:     router,
-		ReadTimeout: HTTPReadTimeout,
+		ReadTimeout: types.HTTPReadTimeout,
 		// Go does not handle timeouts in HTTP very well, and there is
 		// no good way to handle streaming timeouts, therefore we need to
 		// keep this at unlimited and be careful to clean up connections
@@ -719,7 +682,7 @@ func (h *Headscale) Serve() error {
 	promHTTPServer := &http.Server{
 		Addr:         h.cfg.MetricsAddr,
 		Handler:      promMux,
-		ReadTimeout:  HTTPReadTimeout,
+		ReadTimeout:  types.HTTPReadTimeout,
 		WriteTimeout: 0,
 	}

@@ -757,16 +720,20 @@ func (h *Headscale) Serve() error {
 				// TODO(kradalby): Reload config on SIGHUP

 				if h.cfg.ACL.PolicyPath != "" {
-					aclPath := AbsolutePathFromConfigPath(h.cfg.ACL.PolicyPath)
-					err := h.LoadACLPolicy(aclPath)
+					aclPath := util.AbsolutePathFromConfigPath(h.cfg.ACL.PolicyPath)
+					pol, err := policy.LoadACLPolicyFromPath(aclPath)
 					if err != nil {
 						log.Error().Err(err).Msg("Failed to reload ACL policy")
 					}
+
+					h.ACLPolicy = pol
 					log.Info().
 						Str("path", aclPath).
 						Msg("ACL policy successfully reloaded, notifying nodes of change")

-					h.setLastStateChangeToNow()
+					h.nodeNotifier.NotifyAll(types.StateUpdate{
+						Type: types.StateFullUpdate,
+					})
 				}

 			default:
@@ -775,12 +742,13 @@ func (h *Headscale) Serve() error {
 					Msg("Received signal to stop, shutting down gracefully")

 				close(h.shutdownChan)
+
 				h.pollNetMapStreamWG.Wait()

 				// Gracefully shut down servers
 				ctx, cancel := context.WithTimeout(
 					context.Background(),
-					HTTPShutdownTimeout,
+					types.HTTPShutdownTimeout,
 				)
 				if err := promHTTPServer.Shutdown(ctx); err != nil {
 					log.Error().Err(err).Msg("Failed to shutdown prometheus http")
@@ -804,11 +772,7 @@ func (h *Headscale) Serve() error {
 				socketListener.Close()

 				// Close db connections
-				db, err := h.db.DB()
-				if err != nil {
-					log.Error().Err(err).Msg("Failed to get db handle")
-				}
-				err = db.Close()
+				err = h.db.Close()
 				if err != nil {
 					log.Error().Err(err).Msg("Failed to close db")
 				}
@@ -818,6 +782,8 @@ func (h *Headscale) Serve() error {

 				// And we're done:
 				cancel()
+
+				return
 			}
 		}
 	}
@@ -849,13 +815,13 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 		}

 		switch h.cfg.TLS.LetsEncrypt.ChallengeType {
-		case tlsALPN01ChallengeType:
+		case types.TLSALPN01ChallengeType:
 			// Configuration via autocert with TLS-ALPN-01 (https://tools.ietf.org/html/rfc8737)
 			// The RFC requires that the validation is done on port 443; in other words, headscale
 			// must be reachable on port 443.
 			return certManager.TLSConfig(), nil

-		case http01ChallengeType:
+		case types.HTTP01ChallengeType:
 			// Configuration via autocert with HTTP-01. This requires listening on
 			// port 80 for the certificate validation in addition to the headscale
 			// service, which can be configured to run on any other port.
@@ -863,7 +829,7 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 			server := &http.Server{
 				Addr:        h.cfg.TLS.LetsEncrypt.Listen,
 				Handler:     certManager.HTTPHandler(http.HandlerFunc(h.redirect)),
-				ReadTimeout: HTTPReadTimeout,
+				ReadTimeout: types.HTTPReadTimeout,
 			}

 			go func() {
@@ -902,60 +868,6 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 	}
 }

-func (h *Headscale) setLastStateChangeToNow() {
-	var err error
-
-	now := time.Now().UTC()
-
-	users, err := h.ListUsers()
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("failed to fetch all users, failing to update last changed state.")
-	}
-
-	for _, user := range users {
-		lastStateUpdate.WithLabelValues(user.Name, "headscale").Set(float64(now.Unix()))
-		if h.lastStateChange == nil {
-			h.lastStateChange = xsync.NewMapOf[time.Time]()
-		}
-		h.lastStateChange.Store(user.Name, now)
-	}
-}
-
-func (h *Headscale) getLastStateChange(users ...User) time.Time {
-	times := []time.Time{}
-
-	// getLastStateChange takes a list of users as a "filter", if no users
-	// are past, then use the entier list of users and look for the last update
-	if len(users) > 0 {
-		for _, user := range users {
-			if lastChange, ok := h.lastStateChange.Load(user.Name); ok {
-				times = append(times, lastChange)
-			}
-		}
-	} else {
-		h.lastStateChange.Range(func(key string, value time.Time) bool {
-			times = append(times, value)
-
-			return true
-		})
-	}
-
-	sort.Slice(times, func(i, j int) bool {
-		return times[i].After(times[j])
-	})
-
-	log.Trace().Msgf("Latest times %#v", times)
-
-	if len(times) == 0 {
-		return time.Now().UTC()
-	} else {
-		return times[0]
-	}
-}
-
 func notFoundHandler(
 	writer http.ResponseWriter,
 	req *http.Request,
@@ -999,7 +911,7 @@ func readOrCreatePrivateKey(path string) (*key.MachinePrivate, error) {
 	}

 	trimmedPrivateKey := strings.TrimSpace(string(privateKey))
-	privateKeyEnsurePrefix := PrivateKeyEnsurePrefix(trimmedPrivateKey)
+	privateKeyEnsurePrefix := util.PrivateKeyEnsurePrefix(trimmedPrivateKey)

 	var machineKey key.MachinePrivate
 	if err = machineKey.UnmarshalText([]byte(privateKeyEnsurePrefix)); err != nil {
--- a/hscontrol/assets/oidc_callback_template.html
+++ b/hscontrol/assets/oidc_callback_template.html
@@ -0,0 +1,307 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Headscale Authentication Succeeded</title>
+    <style>
+      body {
+        font-size: 14px;
+        font-family:
+          system-ui,
+          -apple-system,
+          BlinkMacSystemFont,
+          "Segoe UI",
+          "Roboto",
+          "Oxygen",
+          "Ubuntu",
+          "Cantarell",
+          "Fira Sans",
+          "Droid Sans",
+          "Helvetica Neue",
+          sans-serif;
+      }
+
+      hr {
+        border-color: #fdfdfe;
+        margin: 24px 0;
+      }
+
+      .container {
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        height: 70vh;
+      }
+
+      #logo {
+        display: block;
+        margin-left: -20px;
+        margin-bottom: 16px;
+      }
+
+      .message {
+        display: flex;
+        min-width: 40vw;
+        background: #fafdfa;
+        border: 1px solid #c6e9c9;
+        margin-bottom: 12px;
+        padding: 12px 16px 16px 12px;
+        position: relative;
+        border-radius: 2px;
+        font-size: 14px;
+      }
+
+      .message-content {
+        margin-left: 4px;
+      }
+
+      .message #checkbox {
+        fill: #2eb039;
+      }
+
+      .message .message-title {
+        color: #1e7125;
+        font-size: 16px;
+        font-weight: 700;
+        line-height: 1.25;
+      }
+
+      .message .message-body {
+        border: 0;
+        margin-top: 4px;
+      }
+
+      .message p {
+        font-size: 12px;
+        margin: 0;
+        padding: 0;
+        color: #17421b;
+      }
+
+      a {
+        display: block;
+        margin: 8px 0;
+        color: #1563ff;
+        text-decoration: none;
+        font-weight: 600;
+      }
+
+      a:hover {
+        color: black;
+      }
+
+      a svg {
+        fill: currentcolor;
+      }
+
+      .icon {
+        align-items: center;
+        display: inline-flex;
+        justify-content: center;
+        height: 21px;
+        width: 21px;
+        vertical-align: middle;
+      }
+
+      h1 {
+        font-size: 17.5px;
+        font-weight: 700;
+        margin-bottom: 0;
+      }
+
+      h1 + p {
+        margin: 8px 0 16px 0;
+      }
+    </style>
+  </head>
+  <body translate="no">
+    <div class="container">
+      <div>
+        <svg
+          id="logo"
+          width="146"
+          height="51"
+          xmlns="http://www.w3.org/2000/svg"
+          xml:space="preserve"
+          style="
+            fill-rule: evenodd;
+            clip-rule: evenodd;
+            stroke-linejoin: round;
+            stroke-miterlimit: 2;
+          "
+          viewBox="0 0 1280 640"
+        >
+          <path
+            d="M.08 0v-.736h.068v.3C.203-.509.27-.545.347-.545c.029 0 .055.005.079.015.024.01.045.025.062.045.017.02.031.045.041.075.009.03.014.065.014.105V0H.475v-.289C.475-.352.464-.4.443-.433.422-.466.385-.483.334-.483c-.027 0-.052.006-.075.017C.236-.455.216-.439.2-.419c-.017.02-.029.044-.038.072-.009.028-.014.059-.014.093V0H.08Z"
+            style="fill: #f8b5cb; fill-rule: nonzero"
+            transform="translate(32.92220721 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.051-.264c0-.036.007-.071.02-.105.013-.034.031-.064.055-.09.023-.026.052-.047.086-.063.033-.015.071-.023.112-.023.039 0 .076.007.109.021.033.014.062.033.087.058.025.025.044.054.058.088.014.035.021.072.021.113v.005H.121c.001.031.007.059.018.084.01.025.024.047.042.065.018.019.04.033.065.043.025.01.052.015.082.015.026 0 .049-.003.069-.01.02-.007.038-.016.054-.028C.466-.102.48-.115.492-.13c.011-.015.022-.03.032-.046l.057.03C.556-.097.522-.058.48-.03.437-.001.387.013.328.013.284.013.245.006.21-.01.175-.024.146-.045.123-.07.1-.095.082-.125.07-.159.057-.192.051-.227.051-.264ZM.128-.32h.396C.51-.375.485-.416.449-.441.412-.466.371-.479.325-.479c-.048 0-.089.013-.123.039-.034.026-.059.066-.074.12Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(177.16674681 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.051-.267c0-.038.007-.074.021-.108.014-.033.033-.063.058-.088.025-.025.054-.045.087-.06.033-.015.069-.022.108-.022.043 0 .083.009.119.027.035.019.066.047.093.084v-.097h.067V0H.537v-.091C.508-.056.475-.029.44-.013.404.005.365.013.323.013.284.013.248.006.215-.01.182-.024.153-.045.129-.071.104-.096.085-.126.072-.16.058-.193.051-.229.051-.267Zm.279.218c.027 0 .054-.005.079-.015.025-.01.048-.024.068-.043.019-.018.035-.04.047-.067.012-.027.018-.056.018-.089 0-.031-.005-.059-.016-.086C.515-.375.501-.398.482-.417.462-.436.44-.452.415-.463.389-.474.361-.479.331-.479c-.031 0-.059.006-.084.017C.221-.45.199-.434.18-.415c-.019.02-.033.043-.043.068-.011.026-.016.053-.016.082 0 .029.005.056.016.082.011.026.025.049.044.069.019.02.041.036.066.047.025.012.053.018.083.018Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(327.76463481 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.051-.267c0-.038.007-.074.021-.108.014-.033.033-.063.058-.088.025-.025.054-.045.087-.06.033-.015.069-.022.108-.022.043 0 .083.009.119.027.035.019.066.047.093.084v-.302h.068V0H.537v-.091C.508-.056.475-.029.44-.013.404.005.365.013.323.013.284.013.248.006.215-.01.182-.024.153-.045.129-.071.104-.096.085-.126.072-.16.058-.193.051-.229.051-.267Zm.279.218c.027 0 .054-.005.079-.015.025-.01.048-.024.068-.043.019-.018.035-.04.047-.067.011-.027.017-.056.017-.089 0-.031-.005-.059-.016-.086C.514-.375.5-.398.481-.417.462-.436.439-.452.414-.463.389-.474.361-.479.331-.479c-.031 0-.059.006-.084.017C.221-.45.199-.434.18-.415c-.019.02-.033.043-.043.068-.011.026-.016.053-.016.082 0 .029.005.056.016.082.011.026.025.049.044.069.019.02.041.036.066.047.025.012.053.018.083.018Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(488.71612761 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="m.034-.062.043-.049c.017.019.035.034.054.044.018.01.037.015.057.015.013 0 .026-.002.038-.007.011-.004.021-.01.031-.018.009-.008.016-.017.021-.028.005-.011.008-.022.008-.035 0-.019-.005-.034-.014-.047C.263-.199.248-.21.229-.221.205-.234.183-.247.162-.259.14-.271.122-.284.107-.298.092-.311.08-.327.071-.344.062-.361.058-.381.058-.404c0-.021.004-.04.012-.058.007-.016.018-.031.031-.044.013-.013.028-.022.046-.029.018-.007.037-.01.057-.01.029 0 .056.006.079.019s.045.031.068.053l-.044.045C.291-.443.275-.456.258-.465.241-.474.221-.479.2-.479c-.022 0-.041.007-.056.02C.128-.445.12-.428.12-.408c0 .019.006.035.017.048.011.013.027.026.048.037.027.015.05.028.071.04.021.013.038.026.052.039.014.013.025.028.032.044.007.016.011.035.011.057 0 .021-.004.041-.011.059-.008.019-.019.036-.033.05-.014.015-.031.026-.05.035C.237.01.215.014.191.014c-.03 0-.059-.006-.086-.02C.077-.019.053-.037.034-.062Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(649.90292961 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.051-.266c0-.04.007-.077.022-.111.014-.034.034-.063.059-.089.025-.025.054-.044.089-.058.035-.014.072-.021.113-.021.051 0 .098.01.139.03.041.021.075.049.1.085l-.05.043C.498-.418.47-.441.439-.456.408-.471.372-.479.331-.479c-.03 0-.058.005-.083.016C.222-.452.2-.436.181-.418.162-.399.148-.376.137-.35c-.011.026-.016.054-.016.084 0 .031.005.06.016.086.011.027.025.049.044.068.019.019.041.034.067.044.025.011.053.016.084.016.077 0 .141-.03.191-.09l.051.04c-.028.036-.062.064-.103.085C.43.004.384.014.332.014.291.014.254.007.219-.008.184-.022.155-.042.13-.067.105-.092.086-.121.072-.156.058-.19.051-.227.051-.266Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(741.20289921 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.051-.267c0-.038.007-.074.021-.108.014-.033.033-.063.058-.088.025-.025.054-.045.087-.06.033-.015.069-.022.108-.022.043 0 .083.009.119.027.035.019.066.047.093.084v-.097h.067V0H.537v-.091C.508-.056.475-.029.44-.013.404.005.365.013.323.013.284.013.248.006.215-.01.182-.024.153-.045.129-.071.104-.096.085-.126.072-.16.058-.193.051-.229.051-.267Zm.279.218c.027 0 .054-.005.079-.015.025-.01.048-.024.068-.043.019-.018.035-.04.047-.067.012-.027.018-.056.018-.089 0-.031-.005-.059-.016-.086C.515-.375.501-.398.482-.417.462-.436.44-.452.415-.463.389-.474.361-.479.331-.479c-.031 0-.059.006-.084.017C.221-.45.199-.434.18-.415c-.019.02-.033.043-.043.068-.011.026-.016.053-.016.082 0 .029.005.056.016.082.011.026.025.049.044.069.019.02.041.036.066.047.025.012.053.018.083.018Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(884.27089281 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.066-.736h.068V0H.066z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(1045.22238561 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.051-.264c0-.036.007-.071.02-.105.013-.034.031-.064.055-.09.023-.026.052-.047.086-.063.033-.015.071-.023.112-.023.039 0 .076.007.109.021.033.014.062.033.087.058.025.025.044.054.058.088.014.035.021.072.021.113v.005H.121c.001.031.007.059.018.084.01.025.024.047.042.065.018.019.04.033.065.043.025.01.052.015.082.015.026 0 .049-.003.069-.01.02-.007.038-.016.054-.028C.466-.102.48-.115.492-.13c.011-.015.022-.03.032-.046l.057.03C.556-.097.522-.058.48-.03.437-.001.387.013.328.013.284.013.245.006.21-.01.175-.024.146-.045.123-.07.1-.095.082-.125.07-.159.057-.192.051-.227.051-.264ZM.128-.32h.396C.51-.375.485-.416.449-.441.412-.466.371-.479.325-.479c-.048 0-.089.013-.123.039-.034.026-.059.066-.074.12Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(1092.28422561 521.8022953) scale(235.3092)"
+          />
+          <circle
+            cx="141.023"
+            cy="338.36"
+            r="117.472"
+            style="fill: #f8b5cb"
+            transform="matrix(.581302 0 0 .58613 40.06479894 12.59842153)"
+          />
+          <circle
+            cx="352.014"
+            cy="268.302"
+            r="33.095"
+            style="fill: #a2a2a2"
+            transform="matrix(.59308 0 0 .58289 32.39345942 21.2386)"
+          />
+          <circle
+            cx="352.014"
+            cy="268.302"
+            r="33.095"
+            style="fill: #a2a2a2"
+            transform="matrix(.59308 0 0 .58289 32.39345942 88.80371146)"
+          />
+          <circle
+            cx="352.014"
+            cy="268.302"
+            r="33.095"
+            style="fill: #a2a2a2"
+            transform="matrix(.59308 0 0 .58289 120.7528627 88.80371146)"
+          />
+          <circle
+            cx="352.014"
+            cy="268.302"
+            r="33.095"
+            style="fill: #a2a2a2"
+            transform="matrix(.59308 0 0 .58289 120.99825939 21.2386)"
+          />
+          <circle
+            cx="805.557"
+            cy="336.915"
+            r="118.199"
+            style="fill: #8d8d8d"
+            transform="matrix(.5782 0 0 .58289 36.19871106 15.26642564)"
+          />
+          <circle
+            cx="805.557"
+            cy="336.915"
+            r="118.199"
+            style="fill: #8d8d8d"
+            transform="matrix(.5782 0 0 .58289 183.24041937 15.26642564)"
+          />
+          <path
+            d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z"
+            style="fill: #303030"
+            transform="translate(34.2345 21.2386) scale(.58289)"
+          />
+          <path
+            d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z"
+            style="fill: #303030"
+            transform="matrix(-.58289 0 0 .58289 1116.7719791 21.2386)"
+          />
+        </svg>
+        <div class="message is-success">
+          <svg
+            id="checkbox"
+            aria-hidden="true"
+            xmlns="http://www.w3.org/2000/svg"
+            width="20"
+            height="20"
+            viewBox="0 0 512 512"
+          >
+            <path
+              d="M256 32C132.3 32 32 132.3 32 256s100.3 224 224 224 224-100.3 224-224S379.7 32 256 32zm114.9 149.1L231.8 359.6c-1.1 1.1-2.9 3.5-5.1 3.5-2.3 0-3.8-1.6-5.1-2.9-1.3-1.3-78.9-75.9-78.9-75.9l-1.5-1.5c-.6-.9-1.1-2-1.1-3.2 0-1.2.5-2.3 1.1-3.2.4-.4.7-.7 1.1-1.2 7.7-8.1 23.3-24.5 24.3-25.5 1.3-1.3 2.4-3 4.8-3 2.5 0 4.1 2.1 5.3 3.3 1.2 1.2 45 43.3 45 43.3l111.3-143c1-.8 2.2-1.4 3.5-1.4 1.3 0 2.5.5 3.5 1.3l30.6 24.1c.8 1 1.3 2.2 1.3 3.5.1 1.3-.4 2.4-1 3.3z"
+            ></path>
+          </svg>
+          <div class="message-content">
+            <div class="message-title">Signed in via your OIDC provider</div>
+            <p class="message-body">
+              {{.Verb}} as {{.User}}, you can now close this window.
+            </p>
+          </div>
+        </div>
+        <hr />
+        <h1>Not sure how to get started?</h1>
+        <p class="learn">
+          Check out beginner and advanced guides on, or read more in the
+          documentation.
+        </p>
+        <a
+          href="https://github.com/juanfont/headscale/tree/main/docs"
+          rel="noreferrer noopener"
+          target="_blank"
+        >
+          <span class="icon">
+            <svg
+              width="16"
+              height="16"
+              viewBox="0 0 16 16"
+              xmlns="http://www.w3.org/2000/svg"
+            >
+              <path
+                d="M13.307 1H11.5a.5.5 0 1 1 0-1h3a.499.499 0 0 1 .5.65V3.5a.5.5 0 1 1-1 0V1.72l-1.793 1.774a.5.5 0 0 1-.713-.701L13.307 1zM12 14V8a.5.5 0 1 1 1 0v6.5a.5.5 0 0 1-.5.5H.563a.5.5 0 0 1-.5-.5v-13a.5.5 0 0 1 .5-.5H8a.5.5 0 0 1 0 1H1v12h11zM4 6a.5.5 0 0 1 0-1h3a.5.5 0 0 1 0 1H4zm0 2.5a.5.5 0 0 1 0-1h5a.5.5 0 0 1 0 1H4zM4 11a.5.5 0 1 1 0-1h5a.5.5 0 1 1 0 1H4z"
+              />
+            </svg>
+          </span>
+          View the headscale documentation
+        </a>
+        <a
+          href="https://tailscale.com/kb/"
+          rel="noreferrer noopener"
+          target="_blank"
+        >
+          <span class="icon">
+            <svg
+              width="16"
+              height="16"
+              viewBox="0 0 16 16"
+              xmlns="http://www.w3.org/2000/svg"
+            >
+              <path
+                d="M13.307 1H11.5a.5.5 0 1 1 0-1h3a.499.499 0 0 1 .5.65V3.5a.5.5 0 1 1-1 0V1.72l-1.793 1.774a.5.5 0 0 1-.713-.701L13.307 1zM12 14V8a.5.5 0 1 1 1 0v6.5a.5.5 0 0 1-.5.5H.563a.5.5 0 0 1-.5-.5v-13a.5.5 0 0 1 .5-.5H8a.5.5 0 0 1 0 1H1v12h11zM4 6a.5.5 0 0 1 0-1h3a.5.5 0 0 1 0 1H4zm0 2.5a.5.5 0 0 1 0-1h5a.5.5 0 0 1 0 1H4zM4 11a.5.5 0 1 1 0-1h5a.5.5 0 1 1 0 1H4z"
+              />
+            </svg>
+          </span>
+          View the tailscale documentation
+        </a>
+      </div>
+    </div>
+  </body>
+</html>
--- a/protocol_common.go
+++ b/protocol_common.go
@@ -1,100 +1,25 @@
-package headscale
+package hscontrol

 import (
-	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
-	"strconv"
 	"strings"
 	"time"

+	"github.com/juanfont/headscale/hscontrol/mapper"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 )

-const (
-	// The CapabilityVersion is used by Tailscale clients to indicate
-	// their codebase version. Tailscale clients can communicate over TS2021
-	// from CapabilityVersion 28, but we only have good support for it
-	// since https://github.com/tailscale/tailscale/pull/4323 (Noise in any HTTPS port).
-	//
-	// Related to this change, there is https://github.com/tailscale/tailscale/pull/5379,
-	// where CapabilityVersion 39 is introduced to indicate #4323 was merged.
-	//
-	// See also https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go
-	NoiseCapabilityVersion = 39
-)
-
-// KeyHandler provides the Headscale pub key
-// Listens in /key.
-func (h *Headscale) KeyHandler(
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
-	// New Tailscale clients send a 'v' parameter to indicate the CurrentCapabilityVersion
-	clientCapabilityStr := req.URL.Query().Get("v")
-	if clientCapabilityStr != "" {
-		log.Debug().
-			Str("handler", "/key").
-			Str("v", clientCapabilityStr).
-			Msg("New noise client")
-		clientCapabilityVersion, err := strconv.Atoi(clientCapabilityStr)
-		if err != nil {
-			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-			writer.WriteHeader(http.StatusBadRequest)
-			_, err := writer.Write([]byte("Wrong params"))
-			if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
-
-			return
-		}
-
-		// TS2021 (Tailscale v2 protocol) requires to have a different key
-		if clientCapabilityVersion >= NoiseCapabilityVersion {
-			resp := tailcfg.OverTLSPublicKeyResponse{
-				LegacyPublicKey: h.privateKey.Public(),
-				PublicKey:       h.noisePrivateKey.Public(),
-			}
-			writer.Header().Set("Content-Type", "application/json")
-			writer.WriteHeader(http.StatusOK)
-			err = json.NewEncoder(writer).Encode(resp)
-			if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
-
-			return
-		}
-	}
-	log.Debug().
-		Str("handler", "/key").
-		Msg("New legacy client")
-
-	// Old clients don't send a 'v' parameter, so we send the legacy public key
-	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err := writer.Write([]byte(MachinePublicKeyStripPrefix(h.privateKey.Public())))
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
-}
-
-// handleRegisterCommon is the common logic for registering a client in the legacy and Noise protocols
+// handleRegister is the common logic for registering a client in the legacy and Noise protocols
 //
 // When using Noise, the machineKey is Zero.
-func (h *Headscale) handleRegisterCommon(
+func (h *Headscale) handleRegister(
 	writer http.ResponseWriter,
 	req *http.Request,
 	registerRequest tailcfg.RegisterRequest,
@@ -102,11 +27,11 @@ func (h *Headscale) handleRegisterCommon(
 	isNoise bool,
 ) {
 	now := time.Now().UTC()
-	machine, err := h.GetMachineByAnyKey(machineKey, registerRequest.NodeKey, registerRequest.OldNodeKey)
+	node, err := h.db.GetNodeByAnyKey(machineKey, registerRequest.NodeKey, registerRequest.OldNodeKey)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
-		// If the machine has AuthKey set, handle registration via PreAuthKeys
+		// If the node has AuthKey set, handle registration via PreAuthKeys
 		if registerRequest.Auth.AuthKey != "" {
-			h.handleAuthKeyCommon(writer, registerRequest, machineKey, isNoise)
+			h.handleAuthKey(writer, registerRequest, machineKey, isNoise)

 			return
 		}
@@ -115,27 +40,27 @@ func (h *Headscale) handleRegisterCommon(
 		//
 		// TODO(juan): We could use this field to improve our protocol implementation,
 		// and hold the request until the client closes it, or the interactive
-		// login is completed (i.e., the user registers the machine).
+		// login is completed (i.e., the user registers the node).
 		// This is not implemented yet, as it is no strictly required. The only side-effect
 		// is that the client will hammer headscale with requests until it gets a
 		// successful RegisterResponse.
 		if registerRequest.Followup != "" {
-			if _, ok := h.registrationCache.Get(NodePublicKeyStripPrefix(registerRequest.NodeKey)); ok {
+			if _, ok := h.registrationCache.Get(util.NodePublicKeyStripPrefix(registerRequest.NodeKey)); ok {
 				log.Debug().
 					Caller().
-					Str("machine", registerRequest.Hostinfo.Hostname).
+					Str("node", registerRequest.Hostinfo.Hostname).
 					Str("machine_key", machineKey.ShortString()).
 					Str("node_key", registerRequest.NodeKey.ShortString()).
 					Str("node_key_old", registerRequest.OldNodeKey.ShortString()).
 					Str("follow_up", registerRequest.Followup).
 					Bool("noise", isNoise).
-					Msg("Machine is waiting for interactive login")
+					Msg("Node is waiting for interactive login")

 				select {
 				case <-req.Context().Done():
 					return
 				case <-time.After(registrationHoldoff):
-					h.handleNewMachineCommon(writer, registerRequest, machineKey, isNoise)
+					h.handleNewNode(writer, registerRequest, machineKey, isNoise)

 					return
 				}
@@ -144,15 +69,15 @@ func (h *Headscale) handleRegisterCommon(

 		log.Info().
 			Caller().
-			Str("machine", registerRequest.Hostinfo.Hostname).
+			Str("node", registerRequest.Hostinfo.Hostname).
 			Str("machine_key", machineKey.ShortString()).
 			Str("node_key", registerRequest.NodeKey.ShortString()).
 			Str("node_key_old", registerRequest.OldNodeKey.ShortString()).
 			Str("follow_up", registerRequest.Followup).
 			Bool("noise", isNoise).
-			Msg("New machine not yet in the database")
+			Msg("New node not yet in the database")

-		givenName, err := h.GenerateGivenName(
+		givenName, err := h.db.GenerateGivenName(
 			machineKey.String(),
 			registerRequest.Hostinfo.Hostname,
 		)
@@ -161,20 +86,21 @@ func (h *Headscale) handleRegisterCommon(
 				Caller().
 				Str("func", "RegistrationHandler").
 				Str("hostinfo.name", registerRequest.Hostinfo.Hostname).
-				Err(err)
+				Err(err).
+				Msg("Failed to generate given name for node")

 			return
 		}

-		// The machine did not have a key to authenticate, which means
+		// The node did not have a key to authenticate, which means
 		// that we rely on a method that calls back some how (OpenID or CLI)
-		// We create the machine and then keep it around until a callback
+		// We create the node and then keep it around until a callback
 		// happens
-		newMachine := Machine{
-			MachineKey: MachinePublicKeyStripPrefix(machineKey),
+		newNode := types.Node{
+			MachineKey: util.MachinePublicKeyStripPrefix(machineKey),
 			Hostname:   registerRequest.Hostinfo.Hostname,
 			GivenName:  givenName,
-			NodeKey:    NodePublicKeyStripPrefix(registerRequest.NodeKey),
+			NodeKey:    util.NodePublicKeyStripPrefix(registerRequest.NodeKey),
 			LastSeen:   &now,
 			Expiry:     &time.Time{},
 		}
@@ -183,42 +109,41 @@ func (h *Headscale) handleRegisterCommon(
 			log.Trace().
 				Caller().
 				Bool("noise", isNoise).
-				Str("machine", registerRequest.Hostinfo.Hostname).
+				Str("node", registerRequest.Hostinfo.Hostname).
 				Time("expiry", registerRequest.Expiry).
 				Msg("Non-zero expiry time requested")
-			newMachine.Expiry = &registerRequest.Expiry
+			newNode.Expiry = &registerRequest.Expiry
 		}

 		h.registrationCache.Set(
-			newMachine.NodeKey,
-			newMachine,
+			newNode.NodeKey,
+			newNode,
 			registerCacheExpiration,
 		)

-		h.handleNewMachineCommon(writer, registerRequest, machineKey, isNoise)
+		h.handleNewNode(writer, registerRequest, machineKey, isNoise)

 		return
 	}

-	// The machine is already in the DB. This could mean one of the following:
-	// - The machine is authenticated and ready to /map
+	// The node is already in the DB. This could mean one of the following:
+	// - The node is authenticated and ready to /map
 	// - We are doing a key refresh
-	// - The machine is logged out (or expired) and pending to be authorized. TODO(juan): We need to keep alive the connection here
-	if machine != nil {
+	// - The node is logged out (or expired) and pending to be authorized. TODO(juan): We need to keep alive the connection here
+	if node != nil {
 		// (juan): For a while we had a bug where we were not storing the MachineKey for the nodes using the TS2021,
 		// due to a misunderstanding of the protocol https://github.com/juanfont/headscale/issues/1054
-		// So if we have a not valid MachineKey (but we were able to fetch the machine with the NodeKeys), we update it.
+		// So if we have a not valid MachineKey (but we were able to fetch the node with the NodeKeys), we update it.
 		var storedMachineKey key.MachinePublic
 		err = storedMachineKey.UnmarshalText(
-			[]byte(MachinePublicKeyEnsurePrefix(machine.MachineKey)),
+			[]byte(util.MachinePublicKeyEnsurePrefix(node.MachineKey)),
 		)
 		if err != nil || storedMachineKey.IsZero() {
-			machine.MachineKey = MachinePublicKeyStripPrefix(machineKey)
-			if err := h.db.Save(&machine).Error; err != nil {
+			if err := h.db.NodeSetMachineKey(node, machineKey); err != nil {
 				log.Error().
 					Caller().
 					Str("func", "RegistrationHandler").
-					Str("machine", machine.Hostname).
+					Str("node", node.Hostname).
 					Err(err).
 					Msg("Error saving machine key to database")

@@ -229,34 +154,34 @@ func (h *Headscale) handleRegisterCommon(
 		// If the NodeKey stored in headscale is the same as the key presented in a registration
 		// request, then we have a node that is either:
 		// - Trying to log out (sending a expiry in the past)
-		// - A valid, registered machine, looking for /map
-		// - Expired machine wanting to reauthenticate
-		if machine.NodeKey == NodePublicKeyStripPrefix(registerRequest.NodeKey) {
+		// - A valid, registered node, looking for /map
+		// - Expired node wanting to reauthenticate
+		if node.NodeKey == util.NodePublicKeyStripPrefix(registerRequest.NodeKey) {
 			// The client sends an Expiry in the past if the client is requesting to expire the key (aka logout)
 			//   https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L648
 			if !registerRequest.Expiry.IsZero() &&
 				registerRequest.Expiry.UTC().Before(now) {
-				h.handleMachineLogOutCommon(writer, *machine, machineKey, isNoise)
+				h.handleNodeLogOut(writer, *node, machineKey, isNoise)

 				return
 			}

-			// If machine is not expired, and it is register, we have a already accepted this machine,
+			// If node is not expired, and it is register, we have a already accepted this node,
 			// let it proceed with a valid registration
-			if !machine.isExpired() {
-				h.handleMachineValidRegistrationCommon(writer, *machine, machineKey, isNoise)
+			if !node.IsExpired() {
+				h.handleNodeWithValidRegistration(writer, *node, machineKey, isNoise)

 				return
 			}
 		}

 		// The NodeKey we have matches OldNodeKey, which means this is a refresh after a key expiration
-		if machine.NodeKey == NodePublicKeyStripPrefix(registerRequest.OldNodeKey) &&
-			!machine.isExpired() {
-			h.handleMachineRefreshKeyCommon(
+		if node.NodeKey == util.NodePublicKeyStripPrefix(registerRequest.OldNodeKey) &&
+			!node.IsExpired() {
+			h.handleNodeKeyRefresh(
 				writer,
 				registerRequest,
-				*machine,
+				*node,
 				machineKey,
 				isNoise,
 			)
@@ -272,20 +197,20 @@ func (h *Headscale) handleRegisterCommon(
 			}
 		}

-		// The machine has expired or it is logged out
-		h.handleMachineExpiredOrLoggedOutCommon(writer, registerRequest, *machine, machineKey, isNoise)
+		// The node has expired or it is logged out
+		h.handleNodeExpiredOrLoggedOut(writer, registerRequest, *node, machineKey, isNoise)

 		// TODO(juan): RegisterRequest includes an Expiry time, that we could optionally use
-		machine.Expiry = &time.Time{}
+		node.Expiry = &time.Time{}

 		// If we are here it means the client needs to be reauthorized,
 		// we need to make sure the NodeKey matches the one in the request
 		// TODO(juan): What happens when using fast user switching between two
 		// headscale-managed tailnets?
-		machine.NodeKey = NodePublicKeyStripPrefix(registerRequest.NodeKey)
+		node.NodeKey = util.NodePublicKeyStripPrefix(registerRequest.NodeKey)
 		h.registrationCache.Set(
-			NodePublicKeyStripPrefix(registerRequest.NodeKey),
-			*machine,
+			util.NodePublicKeyStripPrefix(registerRequest.NodeKey),
+			*node,
 			registerCacheExpiration,
 		)

@@ -293,46 +218,44 @@ func (h *Headscale) handleRegisterCommon(
 	}
 }

-// handleAuthKeyCommon contains the logic to manage auth key client registration
+// handleAuthKey contains the logic to manage auth key client registration
 // It is used both by the legacy and the new Noise protocol.
 // When using Noise, the machineKey is Zero.
 //
 // TODO: check if any locks are needed around IP allocation.
-func (h *Headscale) handleAuthKeyCommon(
+func (h *Headscale) handleAuthKey(
 	writer http.ResponseWriter,
 	registerRequest tailcfg.RegisterRequest,
 	machineKey key.MachinePublic,
 	isNoise bool,
 ) {
 	log.Debug().
-		Str("func", "handleAuthKeyCommon").
-		Str("machine", registerRequest.Hostinfo.Hostname).
+		Caller().
+		Str("node", registerRequest.Hostinfo.Hostname).
 		Bool("noise", isNoise).
 		Msgf("Processing auth key for %s", registerRequest.Hostinfo.Hostname)
 	resp := tailcfg.RegisterResponse{}

-	pak, err := h.checkKeyValidity(registerRequest.Auth.AuthKey)
+	pak, err := h.db.ValidatePreAuthKey(registerRequest.Auth.AuthKey)
 	if err != nil {
 		log.Error().
 			Caller().
-			Str("func", "handleAuthKeyCommon").
 			Bool("noise", isNoise).
-			Str("machine", registerRequest.Hostinfo.Hostname).
+			Str("node", registerRequest.Hostinfo.Hostname).
 			Err(err).
 			Msg("Failed authentication via AuthKey")
 		resp.MachineAuthorized = false

-		respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+		respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 		if err != nil {
 			log.Error().
 				Caller().
-				Str("func", "handleAuthKeyCommon").
 				Bool("noise", isNoise).
-				Str("machine", registerRequest.Hostinfo.Hostname).
+				Str("node", registerRequest.Hostinfo.Hostname).
 				Err(err).
 				Msg("Cannot encode message")
 			http.Error(writer, "Internal server error", http.StatusInternalServerError)
-			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.User.Name).
+			nodeRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "error", pak.User.Name).
 				Inc()

 			return
@@ -351,68 +274,67 @@ func (h *Headscale) handleAuthKeyCommon(

 		log.Error().
 			Caller().
-			Str("func", "handleAuthKeyCommon").
 			Bool("noise", isNoise).
-			Str("machine", registerRequest.Hostinfo.Hostname).
+			Str("node", registerRequest.Hostinfo.Hostname).
 			Msg("Failed authentication via AuthKey")

 		if pak != nil {
-			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.User.Name).
+			nodeRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "error", pak.User.Name).
 				Inc()
 		} else {
-			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", "unknown").Inc()
+			nodeRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "error", "unknown").Inc()
 		}

 		return
 	}

 	log.Debug().
-		Str("func", "handleAuthKeyCommon").
+		Caller().
 		Bool("noise", isNoise).
-		Str("machine", registerRequest.Hostinfo.Hostname).
+		Str("node", registerRequest.Hostinfo.Hostname).
 		Msg("Authentication key was valid, proceeding to acquire IP addresses")

-	nodeKey := NodePublicKeyStripPrefix(registerRequest.NodeKey)
+	nodeKey := util.NodePublicKeyStripPrefix(registerRequest.NodeKey)

-	// retrieve machine information if it exist
+	// retrieve node information if it exist
 	// The error is not important, because if it does not
-	// exist, then this is a new machine and we will move
+	// exist, then this is a new node and we will move
 	// on to registration.
-	machine, _ := h.GetMachineByAnyKey(machineKey, registerRequest.NodeKey, registerRequest.OldNodeKey)
-	if machine != nil {
+	node, _ := h.db.GetNodeByAnyKey(machineKey, registerRequest.NodeKey, registerRequest.OldNodeKey)
+	if node != nil {
 		log.Trace().
 			Caller().
 			Bool("noise", isNoise).
-			Str("machine", machine.Hostname).
-			Msg("machine was already registered before, refreshing with new auth key")
+			Str("node", node.Hostname).
+			Msg("node was already registered before, refreshing with new auth key")

-		machine.NodeKey = nodeKey
-		machine.AuthKeyID = uint(pak.ID)
-		err := h.RefreshMachine(machine, registerRequest.Expiry)
+		node.NodeKey = nodeKey
+		node.AuthKeyID = uint(pak.ID)
+		err := h.db.NodeSetExpiry(node, registerRequest.Expiry)
 		if err != nil {
 			log.Error().
 				Caller().
 				Bool("noise", isNoise).
-				Str("machine", machine.Hostname).
+				Str("node", node.Hostname).
 				Err(err).
-				Msg("Failed to refresh machine")
+				Msg("Failed to refresh node")

 			return
 		}

-		aclTags := pak.toProto().AclTags
+		aclTags := pak.Proto().AclTags
 		if len(aclTags) > 0 {
 			// This conditional preserves the existing behaviour, although SaaS would reset the tags on auth-key login
-			err = h.SetTags(machine, aclTags)
+			err = h.db.SetTags(node, aclTags)

 			if err != nil {
 				log.Error().
 					Caller().
 					Bool("noise", isNoise).
-					Str("machine", machine.Hostname).
+					Str("node", node.Hostname).
 					Strs("aclTags", aclTags).
 					Err(err).
-					Msg("Failed to set tags after refreshing machine")
+					Msg("Failed to set tags after refreshing node")

 				return
 			}
@@ -420,41 +342,42 @@ func (h *Headscale) handleAuthKeyCommon(
 	} else {
 		now := time.Now().UTC()

-		givenName, err := h.GenerateGivenName(MachinePublicKeyStripPrefix(machineKey), registerRequest.Hostinfo.Hostname)
+		givenName, err := h.db.GenerateGivenName(util.MachinePublicKeyStripPrefix(machineKey), registerRequest.Hostinfo.Hostname)
 		if err != nil {
 			log.Error().
 				Caller().
 				Bool("noise", isNoise).
 				Str("func", "RegistrationHandler").
 				Str("hostinfo.name", registerRequest.Hostinfo.Hostname).
-				Err(err)
+				Err(err).
+				Msg("Failed to generate given name for node")

 			return
 		}

-		machineToRegister := Machine{
+		nodeToRegister := types.Node{
 			Hostname:       registerRequest.Hostinfo.Hostname,
 			GivenName:      givenName,
 			UserID:         pak.User.ID,
-			MachineKey:     MachinePublicKeyStripPrefix(machineKey),
-			RegisterMethod: RegisterMethodAuthKey,
+			MachineKey:     util.MachinePublicKeyStripPrefix(machineKey),
+			RegisterMethod: util.RegisterMethodAuthKey,
 			Expiry:         &registerRequest.Expiry,
 			NodeKey:        nodeKey,
 			LastSeen:       &now,
 			AuthKeyID:      uint(pak.ID),
-			ForcedTags:     pak.toProto().AclTags,
+			ForcedTags:     pak.Proto().AclTags,
 		}

-		machine, err = h.RegisterMachine(
-			machineToRegister,
+		node, err = h.db.RegisterNode(
+			nodeToRegister,
 		)
 		if err != nil {
 			log.Error().
 				Caller().
 				Bool("noise", isNoise).
 				Err(err).
-				Msg("could not register machine")
-			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.User.Name).
+				Msg("could not register node")
+			nodeRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "error", pak.User.Name).
 				Inc()
 			http.Error(writer, "Internal server error", http.StatusInternalServerError)

@@ -462,14 +385,14 @@ func (h *Headscale) handleAuthKeyCommon(
 		}
 	}

-	err = h.UsePreAuthKey(pak)
+	err = h.db.UsePreAuthKey(pak)
 	if err != nil {
 		log.Error().
 			Caller().
 			Bool("noise", isNoise).
 			Err(err).
 			Msg("Failed to use pre-auth key")
-		machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.User.Name).
+		nodeRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "error", pak.User.Name).
 			Inc()
 		http.Error(writer, "Internal server error", http.StatusInternalServerError)

@@ -477,27 +400,26 @@ func (h *Headscale) handleAuthKeyCommon(
 	}

 	resp.MachineAuthorized = true
-	resp.User = *pak.User.toTailscaleUser()
+	resp.User = *pak.User.TailscaleUser()
 	// Provide LoginName when registering with pre-auth key
 	// Otherwise it will need to exec `tailscale up` twice to fetch the *LoginName*
-	resp.Login = *pak.User.toTailscaleLogin()
+	resp.Login = *pak.User.TailscaleLogin()

-	respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+	respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 	if err != nil {
 		log.Error().
 			Caller().
 			Bool("noise", isNoise).
-			Str("func", "handleAuthKeyCommon").
-			Str("machine", registerRequest.Hostinfo.Hostname).
+			Str("node", registerRequest.Hostinfo.Hostname).
 			Err(err).
 			Msg("Cannot encode message")
-		machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.User.Name).
+		nodeRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "error", pak.User.Name).
 			Inc()
 		http.Error(writer, "Internal server error", http.StatusInternalServerError)

 		return
 	}
-	machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "success", pak.User.Name).
+	nodeRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "success", pak.User.Name).
 		Inc()
 	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
 	writer.WriteHeader(http.StatusOK)
@@ -511,16 +433,15 @@ func (h *Headscale) handleAuthKeyCommon(
 	}

 	log.Info().
-		Str("func", "handleAuthKeyCommon").
 		Bool("noise", isNoise).
-		Str("machine", registerRequest.Hostinfo.Hostname).
-		Str("ips", strings.Join(machine.IPAddresses.ToStringSlice(), ", ")).
+		Str("node", registerRequest.Hostinfo.Hostname).
+		Str("ips", strings.Join(node.IPAddresses.StringSlice(), ", ")).
 		Msg("Successfully authenticated via AuthKey")
 }

-// handleNewMachineCommon exposes for both legacy and Noise the functionality to get a URL
-// for authorizing the machine. This url is then showed to the user by the local Tailscale client.
-func (h *Headscale) handleNewMachineCommon(
+// handleNewNode exposes for both legacy and Noise the functionality to get a URL
+// for authorizing the node. This url is then showed to the user by the local Tailscale client.
+func (h *Headscale) handleNewNode(
 	writer http.ResponseWriter,
 	registerRequest tailcfg.RegisterRequest,
 	machineKey key.MachinePublic,
@@ -528,11 +449,11 @@ func (h *Headscale) handleNewMachineCommon(
 ) {
 	resp := tailcfg.RegisterResponse{}

-	// The machine registration is new, redirect the client to the registration URL
+	// The node registration is new, redirect the client to the registration URL
 	log.Debug().
 		Caller().
 		Bool("noise", isNoise).
-		Str("machine", registerRequest.Hostinfo.Hostname).
+		Str("node", registerRequest.Hostinfo.Hostname).
 		Msg("The node seems to be new, sending auth url")

 	if h.oauth2Config != nil {
@@ -547,7 +468,7 @@ func (h *Headscale) handleNewMachineCommon(
 			registerRequest.NodeKey)
 	}

-	respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+	respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 	if err != nil {
 		log.Error().
 			Caller().
@@ -574,13 +495,13 @@ func (h *Headscale) handleNewMachineCommon(
 		Caller().
 		Bool("noise", isNoise).
 		Str("AuthURL", resp.AuthURL).
-		Str("machine", registerRequest.Hostinfo.Hostname).
+		Str("node", registerRequest.Hostinfo.Hostname).
 		Msg("Successfully sent auth url")
 }

-func (h *Headscale) handleMachineLogOutCommon(
+func (h *Headscale) handleNodeLogOut(
 	writer http.ResponseWriter,
-	machine Machine,
+	node types.Node,
 	machineKey key.MachinePublic,
 	isNoise bool,
 ) {
@@ -588,17 +509,17 @@ func (h *Headscale) handleMachineLogOutCommon(

 	log.Info().
 		Bool("noise", isNoise).
-		Str("machine", machine.Hostname).
+		Str("node", node.Hostname).
 		Msg("Client requested logout")

-	err := h.ExpireMachine(&machine)
+	now := time.Now()
+	err := h.db.NodeSetExpiry(&node, now)
 	if err != nil {
 		log.Error().
 			Caller().
 			Bool("noise", isNoise).
-			Str("func", "handleMachineLogOutCommon").
 			Err(err).
-			Msg("Failed to expire machine")
+			Msg("Failed to expire node")
 		http.Error(writer, "Internal server error", http.StatusInternalServerError)

 		return
@@ -607,8 +528,8 @@ func (h *Headscale) handleMachineLogOutCommon(
 	resp.AuthURL = ""
 	resp.MachineAuthorized = false
 	resp.NodeKeyExpired = true
-	resp.User = *machine.User.toTailscaleUser()
-	respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+	resp.User = *node.User.TailscaleUser()
+	respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 	if err != nil {
 		log.Error().
 			Caller().
@@ -633,13 +554,13 @@ func (h *Headscale) handleMachineLogOutCommon(
 		return
 	}

-	if machine.isEphemeral() {
-		err = h.HardDeleteMachine(&machine)
+	if node.IsEphemeral() {
+		err = h.db.DeleteNode(&node)
 		if err != nil {
 			log.Error().
 				Err(err).
-				Str("machine", machine.Hostname).
-				Msg("Cannot delete ephemeral machine from the database")
+				Str("node", node.Hostname).
+				Msg("Cannot delete ephemeral node from the database")
 		}

 		return
@@ -648,44 +569,44 @@ func (h *Headscale) handleMachineLogOutCommon(
 	log.Info().
 		Caller().
 		Bool("noise", isNoise).
-		Str("machine", machine.Hostname).
+		Str("node", node.Hostname).
 		Msg("Successfully logged out")
 }

-func (h *Headscale) handleMachineValidRegistrationCommon(
+func (h *Headscale) handleNodeWithValidRegistration(
 	writer http.ResponseWriter,
-	machine Machine,
+	node types.Node,
 	machineKey key.MachinePublic,
 	isNoise bool,
 ) {
 	resp := tailcfg.RegisterResponse{}

-	// The machine registration is valid, respond with redirect to /map
+	// The node registration is valid, respond with redirect to /map
 	log.Debug().
 		Caller().
 		Bool("noise", isNoise).
-		Str("machine", machine.Hostname).
+		Str("node", node.Hostname).
 		Msg("Client is registered and we have the current NodeKey. All clear to /map")

 	resp.AuthURL = ""
 	resp.MachineAuthorized = true
-	resp.User = *machine.User.toTailscaleUser()
-	resp.Login = *machine.User.toTailscaleLogin()
+	resp.User = *node.User.TailscaleUser()
+	resp.Login = *node.User.TailscaleLogin()

-	respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+	respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 	if err != nil {
 		log.Error().
 			Caller().
 			Bool("noise", isNoise).
 			Err(err).
 			Msg("Cannot encode message")
-		machineRegistrations.WithLabelValues("update", "web", "error", machine.User.Name).
+		nodeRegistrations.WithLabelValues("update", "web", "error", node.User.Name).
 			Inc()
 		http.Error(writer, "Internal server error", http.StatusInternalServerError)

 		return
 	}
-	machineRegistrations.WithLabelValues("update", "web", "success", machine.User.Name).
+	nodeRegistrations.WithLabelValues("update", "web", "success", node.User.Name).
 		Inc()

 	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -702,14 +623,14 @@ func (h *Headscale) handleMachineValidRegistrationCommon(
 	log.Info().
 		Caller().
 		Bool("noise", isNoise).
-		Str("machine", machine.Hostname).
-		Msg("Machine successfully authorized")
+		Str("node", node.Hostname).
+		Msg("Node successfully authorized")
 }

-func (h *Headscale) handleMachineRefreshKeyCommon(
+func (h *Headscale) handleNodeKeyRefresh(
 	writer http.ResponseWriter,
 	registerRequest tailcfg.RegisterRequest,
-	machine Machine,
+	node types.Node,
 	machineKey key.MachinePublic,
 	isNoise bool,
 ) {
@@ -718,11 +639,11 @@ func (h *Headscale) handleMachineRefreshKeyCommon(
 	log.Info().
 		Caller().
 		Bool("noise", isNoise).
-		Str("machine", machine.Hostname).
+		Str("node", node.Hostname).
 		Msg("We have the OldNodeKey in the database. This is a key refresh")
-	machine.NodeKey = NodePublicKeyStripPrefix(registerRequest.NodeKey)

-	if err := h.db.Save(&machine).Error; err != nil {
+	err := h.db.NodeSetNodeKey(&node, registerRequest.NodeKey)
+	if err != nil {
 		log.Error().
 			Caller().
 			Err(err).
@@ -733,8 +654,8 @@ func (h *Headscale) handleMachineRefreshKeyCommon(
 	}

 	resp.AuthURL = ""
-	resp.User = *machine.User.toTailscaleUser()
-	respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+	resp.User = *node.User.TailscaleUser()
+	respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 	if err != nil {
 		log.Error().
 			Caller().
@@ -762,21 +683,21 @@ func (h *Headscale) handleMachineRefreshKeyCommon(
 		Bool("noise", isNoise).
 		Str("node_key", registerRequest.NodeKey.ShortString()).
 		Str("old_node_key", registerRequest.OldNodeKey.ShortString()).
-		Str("machine", machine.Hostname).
+		Str("node", node.Hostname).
 		Msg("Node key successfully refreshed")
 }

-func (h *Headscale) handleMachineExpiredOrLoggedOutCommon(
+func (h *Headscale) handleNodeExpiredOrLoggedOut(
 	writer http.ResponseWriter,
 	registerRequest tailcfg.RegisterRequest,
-	machine Machine,
+	node types.Node,
 	machineKey key.MachinePublic,
 	isNoise bool,
 ) {
 	resp := tailcfg.RegisterResponse{}

 	if registerRequest.Auth.AuthKey != "" {
-		h.handleAuthKeyCommon(writer, registerRequest, machineKey, isNoise)
+		h.handleAuthKey(writer, registerRequest, machineKey, isNoise)

 		return
 	}
@@ -785,11 +706,11 @@ func (h *Headscale) handleMachineExpiredOrLoggedOutCommon(
 	log.Trace().
 		Caller().
 		Bool("noise", isNoise).
-		Str("machine", machine.Hostname).
+		Str("node", node.Hostname).
 		Str("machine_key", machineKey.ShortString()).
 		Str("node_key", registerRequest.NodeKey.ShortString()).
 		Str("node_key_old", registerRequest.OldNodeKey.ShortString()).
-		Msg("Machine registration has expired or logged out. Sending a auth url to register")
+		Msg("Node registration has expired or logged out. Sending a auth url to register")

 	if h.oauth2Config != nil {
 		resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s",
@@ -801,20 +722,20 @@ func (h *Headscale) handleMachineExpiredOrLoggedOutCommon(
 			registerRequest.NodeKey)
 	}

-	respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+	respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 	if err != nil {
 		log.Error().
 			Caller().
 			Bool("noise", isNoise).
 			Err(err).
 			Msg("Cannot encode message")
-		machineRegistrations.WithLabelValues("reauth", "web", "error", machine.User.Name).
+		nodeRegistrations.WithLabelValues("reauth", "web", "error", node.User.Name).
 			Inc()
 		http.Error(writer, "Internal server error", http.StatusInternalServerError)

 		return
 	}
-	machineRegistrations.WithLabelValues("reauth", "web", "success", machine.User.Name).
+	nodeRegistrations.WithLabelValues("reauth", "web", "success", node.User.Name).
 		Inc()

 	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -834,6 +755,6 @@ func (h *Headscale) handleMachineExpiredOrLoggedOutCommon(
 		Str("machine_key", machineKey.ShortString()).
 		Str("node_key", registerRequest.NodeKey.ShortString()).
 		Str("node_key_old", registerRequest.OldNodeKey.ShortString()).
-		Str("machine", machine.Hostname).
-		Msg("Machine logged out. Sent AuthURL for reauthentication")
+		Str("node", node.Hostname).
+		Msg("Node logged out. Sent AuthURL for reauthentication")
 }
--- a/hscontrol/auth_legacy.go
+++ b/hscontrol/auth_legacy.go
@@ -1,12 +1,13 @@
 //go:build ts2019

-package headscale
+package hscontrol

 import (
 	"io"
 	"net/http"

 	"github.com/gorilla/mux"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
@@ -32,29 +33,29 @@ func (h *Headscale) RegistrationHandler(
 	body, _ := io.ReadAll(req.Body)

 	var machineKey key.MachinePublic
-	err := machineKey.UnmarshalText([]byte(MachinePublicKeyEnsurePrefix(machineKeyStr)))
+	err := machineKey.UnmarshalText([]byte(util.MachinePublicKeyEnsurePrefix(machineKeyStr)))
 	if err != nil {
 		log.Error().
 			Caller().
 			Err(err).
 			Msg("Cannot parse machine key")
-		machineRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
+		nodeRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
 		http.Error(writer, "Cannot parse machine key", http.StatusBadRequest)

 		return
 	}
 	registerRequest := tailcfg.RegisterRequest{}
-	err = decode(body, &registerRequest, &machineKey, h.privateKey)
+	err = util.DecodeAndUnmarshalNaCl(body, &registerRequest, &machineKey, h.privateKey2019)
 	if err != nil {
 		log.Error().
 			Caller().
 			Err(err).
 			Msg("Cannot decode message")
-		machineRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
+		nodeRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
 		http.Error(writer, "Cannot decode message", http.StatusBadRequest)

 		return
 	}

-	h.handleRegisterCommon(writer, req, registerRequest, machineKey, false)
+	h.handleRegister(writer, req, registerRequest, machineKey, false)
 }
--- a/hscontrol/auth_noise.go
+++ b/hscontrol/auth_noise.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"encoding/json"
@@ -9,7 +9,7 @@ import (
 	"tailscale.com/tailcfg"
 )

-// // NoiseRegistrationHandler handles the actual registration process of a machine.
+// // NoiseRegistrationHandler handles the actual registration process of a node.
 func (ns *noiseServer) NoiseRegistrationHandler(
 	writer http.ResponseWriter,
 	req *http.Request,
@@ -23,6 +23,7 @@ func (ns *noiseServer) NoiseRegistrationHandler(

 	log.Trace().
 		Any("headers", req.Header).
+		Caller().
 		Msg("Headers")

 	body, _ := io.ReadAll(req.Body)
@@ -32,7 +33,7 @@ func (ns *noiseServer) NoiseRegistrationHandler(
 			Caller().
 			Err(err).
 			Msg("Cannot parse RegisterRequest")
-		machineRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
+		nodeRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
 		http.Error(writer, "Internal error", http.StatusInternalServerError)

 		return
@@ -40,5 +41,5 @@ func (ns *noiseServer) NoiseRegistrationHandler(

 	ns.nodeKey = registerRequest.NodeKey

-	ns.headscale.handleRegisterCommon(writer, req, registerRequest, ns.conn.Peer(), true)
+	ns.headscale.handleRegister(writer, req, registerRequest, ns.conn.Peer(), true)
 }
--- a/hscontrol/db/addresses.go
+++ b/hscontrol/db/addresses.go
@@ -0,0 +1,99 @@
+// Codehere is mostly taken from github.com/tailscale/tailscale
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package db
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"go4.org/netipx"
+)
+
+var ErrCouldNotAllocateIP = errors.New("could not find any suitable IP")
+
+func (hsdb *HSDatabase) getAvailableIPs() (types.NodeAddresses, error) {
+	var ips types.NodeAddresses
+	var err error
+	for _, ipPrefix := range hsdb.ipPrefixes {
+		var ip *netip.Addr
+		ip, err = hsdb.getAvailableIP(ipPrefix)
+		if err != nil {
+			return ips, err
+		}
+		ips = append(ips, *ip)
+	}
+
+	return ips, err
+}
+
+func (hsdb *HSDatabase) getAvailableIP(ipPrefix netip.Prefix) (*netip.Addr, error) {
+	usedIps, err := hsdb.getUsedIPs()
+	if err != nil {
+		return nil, err
+	}
+
+	ipPrefixNetworkAddress, ipPrefixBroadcastAddress := util.GetIPPrefixEndpoints(ipPrefix)
+
+	// Get the first IP in our prefix
+	ip := ipPrefixNetworkAddress.Next()
+
+	for {
+		if !ipPrefix.Contains(ip) {
+			return nil, ErrCouldNotAllocateIP
+		}
+
+		switch {
+		case ip.Compare(ipPrefixBroadcastAddress) == 0:
+			fallthrough
+		case usedIps.Contains(ip):
+			fallthrough
+		case ip == netip.Addr{} || ip.IsLoopback():
+			ip = ip.Next()
+
+			continue
+
+		default:
+			return &ip, nil
+		}
+	}
+}
+
+func (hsdb *HSDatabase) getUsedIPs() (*netipx.IPSet, error) {
+	// FIXME: This really deserves a better data model,
+	// but this was quick to get running and it should be enough
+	// to begin experimenting with a dual stack tailnet.
+	var addressesSlices []string
+	hsdb.db.Model(&types.Node{}).Pluck("ip_addresses", &addressesSlices)
+
+	var ips netipx.IPSetBuilder
+	for _, slice := range addressesSlices {
+		var machineAddresses types.NodeAddresses
+		err := machineAddresses.Scan(slice)
+		if err != nil {
+			return &netipx.IPSet{}, fmt.Errorf(
+				"failed to read ip from database: %w",
+				err,
+			)
+		}
+
+		for _, ip := range machineAddresses {
+			ips.Add(ip)
+		}
+	}
+
+	ipSet, err := ips.IPSet()
+	if err != nil {
+		return &netipx.IPSet{}, fmt.Errorf(
+			"failed to build IP Set: %w",
+			err,
+		)
+	}
+
+	return ipSet, nil
+}
--- a/hscontrol/db/addresses_test.go
+++ b/hscontrol/db/addresses_test.go
@@ -1,14 +1,16 @@
-package headscale
+package db

 import (
 	"net/netip"

+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"go4.org/netipx"
 	"gopkg.in/check.v1"
 )

 func (s *Suite) TestGetAvailableIp(c *check.C) {
-	ips, err := app.getAvailableIPs()
+	ips, err := db.getAvailableIPs()

 	c.Assert(err, check.IsNil)

@@ -19,32 +21,32 @@ func (s *Suite) TestGetAvailableIp(c *check.C) {
 }

 func (s *Suite) TestGetUsedIps(c *check.C) {
-	ips, err := app.getAvailableIPs()
+	ips, err := db.getAvailableIPs()
 	c.Assert(err, check.IsNil)

-	user, err := app.CreateUser("test-ip")
+	user, err := db.CreateUser("test-ip")
 	c.Assert(err, check.IsNil)

-	pak, err := app.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	_, err = app.GetMachine("test", "testmachine")
+	_, err = db.GetNode("test", "testnode")
 	c.Assert(err, check.NotNil)

-	machine := Machine{
+	node := types.Node{
 		ID:             0,
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Hostname:       "testmachine",
+		Hostname:       "testnode",
 		UserID:         user.ID,
-		RegisterMethod: RegisterMethodAuthKey,
+		RegisterMethod: util.RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
 		IPAddresses:    ips,
 	}
-	app.db.Save(&machine)
+	db.db.Save(&node)

-	usedIps, err := app.getUsedIPs()
+	usedIps, err := db.getUsedIPs()

 	c.Assert(err, check.IsNil)

@@ -56,46 +58,46 @@ func (s *Suite) TestGetUsedIps(c *check.C) {
 	c.Assert(usedIps.Equal(expectedIPSet), check.Equals, true)
 	c.Assert(usedIps.Contains(expected), check.Equals, true)

-	machine1, err := app.GetMachineByID(0)
+	node1, err := db.GetNodeByID(0)
 	c.Assert(err, check.IsNil)

-	c.Assert(len(machine1.IPAddresses), check.Equals, 1)
-	c.Assert(machine1.IPAddresses[0], check.Equals, expected)
+	c.Assert(len(node1.IPAddresses), check.Equals, 1)
+	c.Assert(node1.IPAddresses[0], check.Equals, expected)
 }

 func (s *Suite) TestGetMultiIp(c *check.C) {
-	user, err := app.CreateUser("test-ip-multi")
+	user, err := db.CreateUser("test-ip-multi")
 	c.Assert(err, check.IsNil)

 	for index := 1; index <= 350; index++ {
-		app.ipAllocationMutex.Lock()
+		db.ipAllocationMutex.Lock()

-		ips, err := app.getAvailableIPs()
+		ips, err := db.getAvailableIPs()
 		c.Assert(err, check.IsNil)

-		pak, err := app.CreatePreAuthKey(user.Name, false, false, nil, nil)
+		pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
 		c.Assert(err, check.IsNil)

-		_, err = app.GetMachine("test", "testmachine")
+		_, err = db.GetNode("test", "testnode")
 		c.Assert(err, check.NotNil)

-		machine := Machine{
+		node := types.Node{
 			ID:             uint64(index),
 			MachineKey:     "foo",
 			NodeKey:        "bar",
 			DiscoKey:       "faa",
-			Hostname:       "testmachine",
+			Hostname:       "testnode",
 			UserID:         user.ID,
-			RegisterMethod: RegisterMethodAuthKey,
+			RegisterMethod: util.RegisterMethodAuthKey,
 			AuthKeyID:      uint(pak.ID),
 			IPAddresses:    ips,
 		}
-		app.db.Save(&machine)
+		db.db.Save(&node)

-		app.ipAllocationMutex.Unlock()
+		db.ipAllocationMutex.Unlock()
 	}

-	usedIps, err := app.getUsedIPs()
+	usedIps, err := db.getUsedIPs()
 	c.Assert(err, check.IsNil)

 	expected0 := netip.MustParseAddr("10.27.0.1")
@@ -117,26 +119,26 @@ func (s *Suite) TestGetMultiIp(c *check.C) {
 	c.Assert(usedIps.Contains(expected300), check.Equals, true)

 	// Check that we can read back the IPs
-	machine1, err := app.GetMachineByID(1)
+	node1, err := db.GetNodeByID(1)
 	c.Assert(err, check.IsNil)
-	c.Assert(len(machine1.IPAddresses), check.Equals, 1)
+	c.Assert(len(node1.IPAddresses), check.Equals, 1)
 	c.Assert(
-		machine1.IPAddresses[0],
+		node1.IPAddresses[0],
 		check.Equals,
 		netip.MustParseAddr("10.27.0.1"),
 	)

-	machine50, err := app.GetMachineByID(50)
+	node50, err := db.GetNodeByID(50)
 	c.Assert(err, check.IsNil)
-	c.Assert(len(machine50.IPAddresses), check.Equals, 1)
+	c.Assert(len(node50.IPAddresses), check.Equals, 1)
 	c.Assert(
-		machine50.IPAddresses[0],
+		node50.IPAddresses[0],
 		check.Equals,
 		netip.MustParseAddr("10.27.0.50"),
 	)

 	expectedNextIP := netip.MustParseAddr("10.27.1.95")
-	nextIP, err := app.getAvailableIPs()
+	nextIP, err := db.getAvailableIPs()
 	c.Assert(err, check.IsNil)

 	c.Assert(len(nextIP), check.Equals, 1)
@@ -144,15 +146,15 @@ func (s *Suite) TestGetMultiIp(c *check.C) {

 	// If we call get Available again, we should receive
 	// the same IP, as it has not been reserved.
-	nextIP2, err := app.getAvailableIPs()
+	nextIP2, err := db.getAvailableIPs()
 	c.Assert(err, check.IsNil)

 	c.Assert(len(nextIP2), check.Equals, 1)
 	c.Assert(nextIP2[0].String(), check.Equals, expectedNextIP.String())
 }

-func (s *Suite) TestGetAvailableIpMachineWithoutIP(c *check.C) {
-	ips, err := app.getAvailableIPs()
+func (s *Suite) TestGetAvailableIpNodeWithoutIP(c *check.C) {
+	ips, err := db.getAvailableIPs()
 	c.Assert(err, check.IsNil)

 	expected := netip.MustParseAddr("10.27.0.1")
@@ -160,42 +162,30 @@ func (s *Suite) TestGetAvailableIpMachineWithoutIP(c *check.C) {
 	c.Assert(len(ips), check.Equals, 1)
 	c.Assert(ips[0].String(), check.Equals, expected.String())

-	user, err := app.CreateUser("test-ip")
+	user, err := db.CreateUser("test-ip")
 	c.Assert(err, check.IsNil)

-	pak, err := app.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	_, err = app.GetMachine("test", "testmachine")
+	_, err = db.GetNode("test", "testnode")
 	c.Assert(err, check.NotNil)

-	machine := Machine{
+	node := types.Node{
 		ID:             0,
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Hostname:       "testmachine",
+		Hostname:       "testnode",
 		UserID:         user.ID,
-		RegisterMethod: RegisterMethodAuthKey,
+		RegisterMethod: util.RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
 	}
-	app.db.Save(&machine)
+	db.db.Save(&node)

-	ips2, err := app.getAvailableIPs()
+	ips2, err := db.getAvailableIPs()
 	c.Assert(err, check.IsNil)

 	c.Assert(len(ips2), check.Equals, 1)
 	c.Assert(ips2[0].String(), check.Equals, expected.String())
 }
-
-func (s *Suite) TestGenerateRandomStringDNSSafe(c *check.C) {
-	for i := 0; i < 100000; i++ {
-		str, err := GenerateRandomStringDNSSafe(8)
-		if err != nil {
-			c.Error(err)
-		}
-		if len(str) != 8 {
-			c.Error("invalid length", len(str), str)
-		}
-	}
-}
--- a/hscontrol/db/api_key.go
+++ b/hscontrol/db/api_key.go
@@ -0,0 +1,146 @@
+package db
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"golang.org/x/crypto/bcrypt"
+)
+
+const (
+	apiPrefixLength = 7
+	apiKeyLength    = 32
+)
+
+var ErrAPIKeyFailedToParse = errors.New("failed to parse ApiKey")
+
+// CreateAPIKey creates a new ApiKey in a user, and returns it.
+func (hsdb *HSDatabase) CreateAPIKey(
+	expiration *time.Time,
+) (string, *types.APIKey, error) {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	prefix, err := util.GenerateRandomStringURLSafe(apiPrefixLength)
+	if err != nil {
+		return "", nil, err
+	}
+
+	toBeHashed, err := util.GenerateRandomStringURLSafe(apiKeyLength)
+	if err != nil {
+		return "", nil, err
+	}
+
+	// Key to return to user, this will only be visible _once_
+	keyStr := prefix + "." + toBeHashed
+
+	hash, err := bcrypt.GenerateFromPassword([]byte(toBeHashed), bcrypt.DefaultCost)
+	if err != nil {
+		return "", nil, err
+	}
+
+	key := types.APIKey{
+		Prefix:     prefix,
+		Hash:       hash,
+		Expiration: expiration,
+	}
+
+	if err := hsdb.db.Save(&key).Error; err != nil {
+		return "", nil, fmt.Errorf("failed to save API key to database: %w", err)
+	}
+
+	return keyStr, &key, nil
+}
+
+// ListAPIKeys returns the list of ApiKeys for a user.
+func (hsdb *HSDatabase) ListAPIKeys() ([]types.APIKey, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	keys := []types.APIKey{}
+	if err := hsdb.db.Find(&keys).Error; err != nil {
+		return nil, err
+	}
+
+	return keys, nil
+}
+
+// GetAPIKey returns a ApiKey for a given key.
+func (hsdb *HSDatabase) GetAPIKey(prefix string) (*types.APIKey, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	key := types.APIKey{}
+	if result := hsdb.db.First(&key, "prefix = ?", prefix); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &key, nil
+}
+
+// GetAPIKeyByID returns a ApiKey for a given id.
+func (hsdb *HSDatabase) GetAPIKeyByID(id uint64) (*types.APIKey, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	key := types.APIKey{}
+	if result := hsdb.db.Find(&types.APIKey{ID: id}).First(&key); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &key, nil
+}
+
+// DestroyAPIKey destroys a ApiKey. Returns error if the ApiKey
+// does not exist.
+func (hsdb *HSDatabase) DestroyAPIKey(key types.APIKey) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	if result := hsdb.db.Unscoped().Delete(key); result.Error != nil {
+		return result.Error
+	}
+
+	return nil
+}
+
+// ExpireAPIKey marks a ApiKey as expired.
+func (hsdb *HSDatabase) ExpireAPIKey(key *types.APIKey) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	if err := hsdb.db.Model(&key).Update("Expiration", time.Now()).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (hsdb *HSDatabase) ValidateAPIKey(keyStr string) (bool, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	prefix, hash, found := strings.Cut(keyStr, ".")
+	if !found {
+		return false, ErrAPIKeyFailedToParse
+	}
+
+	key, err := hsdb.GetAPIKey(prefix)
+	if err != nil {
+		return false, fmt.Errorf("failed to validate api key: %w", err)
+	}
+
+	if key.Expiration.Before(time.Now()) {
+		return false, nil
+	}
+
+	if err := bcrypt.CompareHashAndPassword(key.Hash, []byte(hash)); err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
--- a/hscontrol/db/api_key_test.go
+++ b/hscontrol/db/api_key_test.go
@@ -1,4 +1,4 @@
-package headscale
+package db

 import (
 	"time"
@@ -7,7 +7,7 @@ import (
 )

 func (*Suite) TestCreateAPIKey(c *check.C) {
-	apiKeyStr, apiKey, err := app.CreateAPIKey(nil)
+	apiKeyStr, apiKey, err := db.CreateAPIKey(nil)
 	c.Assert(err, check.IsNil)
 	c.Assert(apiKey, check.NotNil)

@@ -16,74 +16,74 @@ func (*Suite) TestCreateAPIKey(c *check.C) {
 	c.Assert(apiKey.Hash, check.NotNil)
 	c.Assert(apiKeyStr, check.Not(check.Equals), "")

-	_, err = app.ListAPIKeys()
+	_, err = db.ListAPIKeys()
 	c.Assert(err, check.IsNil)

-	keys, err := app.ListAPIKeys()
+	keys, err := db.ListAPIKeys()
 	c.Assert(err, check.IsNil)
 	c.Assert(len(keys), check.Equals, 1)
 }

 func (*Suite) TestAPIKeyDoesNotExist(c *check.C) {
-	key, err := app.GetAPIKey("does-not-exist")
+	key, err := db.GetAPIKey("does-not-exist")
 	c.Assert(err, check.NotNil)
 	c.Assert(key, check.IsNil)
 }

 func (*Suite) TestValidateAPIKeyOk(c *check.C) {
 	nowPlus2 := time.Now().Add(2 * time.Hour)
-	apiKeyStr, apiKey, err := app.CreateAPIKey(&nowPlus2)
+	apiKeyStr, apiKey, err := db.CreateAPIKey(&nowPlus2)
 	c.Assert(err, check.IsNil)
 	c.Assert(apiKey, check.NotNil)

-	valid, err := app.ValidateAPIKey(apiKeyStr)
+	valid, err := db.ValidateAPIKey(apiKeyStr)
 	c.Assert(err, check.IsNil)
 	c.Assert(valid, check.Equals, true)
 }

 func (*Suite) TestValidateAPIKeyNotOk(c *check.C) {
 	nowMinus2 := time.Now().Add(time.Duration(-2) * time.Hour)
-	apiKeyStr, apiKey, err := app.CreateAPIKey(&nowMinus2)
+	apiKeyStr, apiKey, err := db.CreateAPIKey(&nowMinus2)
 	c.Assert(err, check.IsNil)
 	c.Assert(apiKey, check.NotNil)

-	valid, err := app.ValidateAPIKey(apiKeyStr)
+	valid, err := db.ValidateAPIKey(apiKeyStr)
 	c.Assert(err, check.IsNil)
 	c.Assert(valid, check.Equals, false)

 	now := time.Now()
-	apiKeyStrNow, apiKey, err := app.CreateAPIKey(&now)
+	apiKeyStrNow, apiKey, err := db.CreateAPIKey(&now)
 	c.Assert(err, check.IsNil)
 	c.Assert(apiKey, check.NotNil)

-	validNow, err := app.ValidateAPIKey(apiKeyStrNow)
+	validNow, err := db.ValidateAPIKey(apiKeyStrNow)
 	c.Assert(err, check.IsNil)
 	c.Assert(validNow, check.Equals, false)

-	validSilly, err := app.ValidateAPIKey("nota.validkey")
+	validSilly, err := db.ValidateAPIKey("nota.validkey")
 	c.Assert(err, check.NotNil)
 	c.Assert(validSilly, check.Equals, false)

-	validWithErr, err := app.ValidateAPIKey("produceerrorkey")
+	validWithErr, err := db.ValidateAPIKey("produceerrorkey")
 	c.Assert(err, check.NotNil)
 	c.Assert(validWithErr, check.Equals, false)
 }

 func (*Suite) TestExpireAPIKey(c *check.C) {
 	nowPlus2 := time.Now().Add(2 * time.Hour)
-	apiKeyStr, apiKey, err := app.CreateAPIKey(&nowPlus2)
+	apiKeyStr, apiKey, err := db.CreateAPIKey(&nowPlus2)
 	c.Assert(err, check.IsNil)
 	c.Assert(apiKey, check.NotNil)

-	valid, err := app.ValidateAPIKey(apiKeyStr)
+	valid, err := db.ValidateAPIKey(apiKeyStr)
 	c.Assert(err, check.IsNil)
 	c.Assert(valid, check.Equals, true)

-	err = app.ExpireAPIKey(apiKey)
+	err = db.ExpireAPIKey(apiKey)
 	c.Assert(err, check.IsNil)
 	c.Assert(apiKey.Expiration, check.NotNil)

-	notValid, err := app.ValidateAPIKey(apiKeyStr)
+	notValid, err := db.ValidateAPIKey(apiKeyStr)
 	c.Assert(err, check.IsNil)
 	c.Assert(notValid, check.Equals, false)
 }
--- a/hscontrol/db/db.go
+++ b/hscontrol/db/db.go
@@ -0,0 +1,358 @@
+package db
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+	"sync"
+	"time"
+
+	"github.com/glebarez/sqlite"
+	"github.com/juanfont/headscale/hscontrol/notifier"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"github.com/rs/zerolog/log"
+	"gorm.io/driver/postgres"
+	"gorm.io/gorm"
+	"gorm.io/gorm/logger"
+)
+
+const (
+	dbVersion = "1"
+	Postgres  = "postgres"
+	Sqlite    = "sqlite3"
+)
+
+var (
+	errValueNotFound        = errors.New("not found")
+	errDatabaseNotSupported = errors.New("database type not supported")
+)
+
+// KV is a key-value store in a psql table. For future use...
+// TODO(kradalby): Is this used for anything?
+type KV struct {
+	Key   string
+	Value string
+}
+
+type HSDatabase struct {
+	db       *gorm.DB
+	notifier *notifier.Notifier
+
+	mu sync.RWMutex
+
+	ipAllocationMutex sync.Mutex
+
+	ipPrefixes []netip.Prefix
+	baseDomain string
+}
+
+// TODO(kradalby): assemble this struct from toptions or something typed
+// rather than arguments.
+func NewHeadscaleDatabase(
+	dbType, connectionAddr string,
+	debug bool,
+	notifier *notifier.Notifier,
+	ipPrefixes []netip.Prefix,
+	baseDomain string,
+) (*HSDatabase, error) {
+	dbConn, err := openDB(dbType, connectionAddr, debug)
+	if err != nil {
+		return nil, err
+	}
+
+	db := HSDatabase{
+		db:       dbConn,
+		notifier: notifier,
+
+		ipPrefixes: ipPrefixes,
+		baseDomain: baseDomain,
+	}
+
+	log.Debug().Msgf("database %#v", dbConn)
+
+	if dbType == Postgres {
+		dbConn.Exec(`create extension if not exists "uuid-ossp";`)
+	}
+
+	_ = dbConn.Migrator().RenameTable("namespaces", "users")
+
+	// the big rename from Machine to Node
+	_ = dbConn.Migrator().RenameTable("machines", "nodes")
+	_ = dbConn.Migrator().RenameColumn(&types.Route{}, "machine_id", "node_id")
+
+	err = dbConn.AutoMigrate(types.User{})
+	if err != nil {
+		return nil, err
+	}
+
+	_ = dbConn.Migrator().RenameColumn(&types.Node{}, "namespace_id", "user_id")
+	_ = dbConn.Migrator().RenameColumn(&types.PreAuthKey{}, "namespace_id", "user_id")
+
+	_ = dbConn.Migrator().RenameColumn(&types.Node{}, "ip_address", "ip_addresses")
+	_ = dbConn.Migrator().RenameColumn(&types.Node{}, "name", "hostname")
+
+	// GivenName is used as the primary source of DNS names, make sure
+	// the field is populated and normalized if it was not when the
+	// node was registered.
+	_ = dbConn.Migrator().RenameColumn(&types.Node{}, "nickname", "given_name")
+
+	// If the MacNodehine table has a column for registered,
+	// find all occourences of "false" and drop them. Then
+	// remove the column.
+	if dbConn.Migrator().HasColumn(&types.Node{}, "registered") {
+		log.Info().
+			Msg(`Database has legacy "registered" column in node, removing...`)
+
+		nodes := types.Nodes{}
+		if err := dbConn.Not("registered").Find(&nodes).Error; err != nil {
+			log.Error().Err(err).Msg("Error accessing db")
+		}
+
+		for _, node := range nodes {
+			log.Info().
+				Str("node", node.Hostname).
+				Str("machine_key", node.MachineKey).
+				Msg("Deleting unregistered node")
+			if err := dbConn.Delete(&types.Node{}, node.ID).Error; err != nil {
+				log.Error().
+					Err(err).
+					Str("node", node.Hostname).
+					Str("machine_key", node.MachineKey).
+					Msg("Error deleting unregistered node")
+			}
+		}
+
+		err := dbConn.Migrator().DropColumn(&types.Node{}, "registered")
+		if err != nil {
+			log.Error().Err(err).Msg("Error dropping registered column")
+		}
+	}
+
+	err = dbConn.AutoMigrate(&types.Route{})
+	if err != nil {
+		return nil, err
+	}
+
+	if dbConn.Migrator().HasColumn(&types.Node{}, "enabled_routes") {
+		log.Info().Msgf("Database has legacy enabled_routes column in node, migrating...")
+
+		type NodeAux struct {
+			ID            uint64
+			EnabledRoutes types.IPPrefixes
+		}
+
+		nodesAux := []NodeAux{}
+		err := dbConn.Table("nodes").Select("id, enabled_routes").Scan(&nodesAux).Error
+		if err != nil {
+			log.Fatal().Err(err).Msg("Error accessing db")
+		}
+		for _, node := range nodesAux {
+			for _, prefix := range node.EnabledRoutes {
+				if err != nil {
+					log.Error().
+						Err(err).
+						Str("enabled_route", prefix.String()).
+						Msg("Error parsing enabled_route")
+
+					continue
+				}
+
+				err = dbConn.Preload("Node").
+					Where("node_id = ? AND prefix = ?", node.ID, types.IPPrefix(prefix)).
+					First(&types.Route{}).
+					Error
+				if err == nil {
+					log.Info().
+						Str("enabled_route", prefix.String()).
+						Msg("Route already migrated to new table, skipping")
+
+					continue
+				}
+
+				route := types.Route{
+					NodeID:     node.ID,
+					Advertised: true,
+					Enabled:    true,
+					Prefix:     types.IPPrefix(prefix),
+				}
+				if err := dbConn.Create(&route).Error; err != nil {
+					log.Error().Err(err).Msg("Error creating route")
+				} else {
+					log.Info().
+						Uint64("node_id", route.NodeID).
+						Str("prefix", prefix.String()).
+						Msg("Route migrated")
+				}
+			}
+		}
+
+		err = dbConn.Migrator().DropColumn(&types.Node{}, "enabled_routes")
+		if err != nil {
+			log.Error().Err(err).Msg("Error dropping enabled_routes column")
+		}
+	}
+
+	err = dbConn.AutoMigrate(&types.Node{})
+	if err != nil {
+		return nil, err
+	}
+
+	if dbConn.Migrator().HasColumn(&types.Node{}, "given_name") {
+		nodes := types.Nodes{}
+		if err := dbConn.Find(&nodes).Error; err != nil {
+			log.Error().Err(err).Msg("Error accessing db")
+		}
+
+		for item, node := range nodes {
+			if node.GivenName == "" {
+				normalizedHostname, err := util.NormalizeToFQDNRulesConfigFromViper(
+					node.Hostname,
+				)
+				if err != nil {
+					log.Error().
+						Caller().
+						Str("hostname", node.Hostname).
+						Err(err).
+						Msg("Failed to normalize node hostname in DB migration")
+				}
+
+				err = db.RenameNode(nodes[item], normalizedHostname)
+				if err != nil {
+					log.Error().
+						Caller().
+						Str("hostname", node.Hostname).
+						Err(err).
+						Msg("Failed to save normalized node name in DB migration")
+				}
+			}
+		}
+	}
+
+	err = dbConn.AutoMigrate(&KV{})
+	if err != nil {
+		return nil, err
+	}
+
+	err = dbConn.AutoMigrate(&types.PreAuthKey{})
+	if err != nil {
+		return nil, err
+	}
+
+	err = dbConn.AutoMigrate(&types.PreAuthKeyACLTag{})
+	if err != nil {
+		return nil, err
+	}
+
+	_ = dbConn.Migrator().DropTable("shared_machines")
+
+	err = dbConn.AutoMigrate(&types.APIKey{})
+	if err != nil {
+		return nil, err
+	}
+
+	// TODO(kradalby): is this needed?
+	err = db.setValue("db_version", dbVersion)
+
+	return &db, err
+}
+
+func openDB(dbType, connectionAddr string, debug bool) (*gorm.DB, error) {
+	log.Debug().Str("type", dbType).Str("connection", connectionAddr).Msg("opening database")
+
+	var dbLogger logger.Interface
+	if debug {
+		dbLogger = logger.Default
+	} else {
+		dbLogger = logger.Default.LogMode(logger.Silent)
+	}
+
+	switch dbType {
+	case Sqlite:
+		db, err := gorm.Open(
+			sqlite.Open(connectionAddr+"?_synchronous=1&_journal_mode=WAL"),
+			&gorm.Config{
+				DisableForeignKeyConstraintWhenMigrating: true,
+				Logger:                                   dbLogger,
+			},
+		)
+
+		db.Exec("PRAGMA foreign_keys=ON")
+
+		// The pure Go SQLite library does not handle locking in
+		// the same way as the C based one and we cant use the gorm
+		// connection pool as of 2022/02/23.
+		sqlDB, _ := db.DB()
+		sqlDB.SetMaxIdleConns(1)
+		sqlDB.SetMaxOpenConns(1)
+		sqlDB.SetConnMaxIdleTime(time.Hour)
+
+		return db, err
+
+	case Postgres:
+		return gorm.Open(postgres.Open(connectionAddr), &gorm.Config{
+			DisableForeignKeyConstraintWhenMigrating: true,
+			Logger:                                   dbLogger,
+		})
+	}
+
+	return nil, fmt.Errorf(
+		"database of type %s is not supported: %w",
+		dbType,
+		errDatabaseNotSupported,
+	)
+}
+
+// getValue returns the value for the given key in KV.
+func (hsdb *HSDatabase) getValue(key string) (string, error) {
+	var row KV
+	if result := hsdb.db.First(&row, "key = ?", key); errors.Is(
+		result.Error,
+		gorm.ErrRecordNotFound,
+	) {
+		return "", errValueNotFound
+	}
+
+	return row.Value, nil
+}
+
+// setValue sets value for the given key in KV.
+func (hsdb *HSDatabase) setValue(key string, value string) error {
+	keyValue := KV{
+		Key:   key,
+		Value: value,
+	}
+
+	if _, err := hsdb.getValue(key); err == nil {
+		hsdb.db.Model(&keyValue).Where("key = ?", key).Update("value", value)
+
+		return nil
+	}
+
+	if err := hsdb.db.Create(keyValue).Error; err != nil {
+		return fmt.Errorf("failed to create key value pair in the database: %w", err)
+	}
+
+	return nil
+}
+
+func (hsdb *HSDatabase) PingDB(ctx context.Context) error {
+	ctx, cancel := context.WithTimeout(ctx, time.Second)
+	defer cancel()
+	sqlDB, err := hsdb.db.DB()
+	if err != nil {
+		return err
+	}
+
+	return sqlDB.PingContext(ctx)
+}
+
+func (hsdb *HSDatabase) Close() error {
+	db, err := hsdb.db.DB()
+	if err != nil {
+		return err
+	}
+
+	return db.Close()
+}
--- a/hscontrol/db/node.go
+++ b/hscontrol/db/node.go
@@ -0,0 +1,877 @@
+package db
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"github.com/patrickmn/go-cache"
+	"github.com/rs/zerolog/log"
+	"gorm.io/gorm"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+)
+
+const (
+	NodeGivenNameHashLength = 8
+	NodeGivenNameTrimSize   = 2
+)
+
+var (
+	ErrNodeNotFound                  = errors.New("node not found")
+	ErrNodeRouteIsNotAvailable       = errors.New("route is not available on node")
+	ErrNodeNotFoundRegistrationCache = errors.New(
+		"node not found in registration cache",
+	)
+	ErrCouldNotConvertNodeInterface = errors.New("failed to convert node interface")
+	ErrDifferentRegisteredUser      = errors.New(
+		"node was previously registered with a different user",
+	)
+)
+
+// ListPeers returns all peers of node, regardless of any Policy or if the node is expired.
+func (hsdb *HSDatabase) ListPeers(node *types.Node) (types.Nodes, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	return hsdb.listPeers(node)
+}
+
+func (hsdb *HSDatabase) listPeers(node *types.Node) (types.Nodes, error) {
+	log.Trace().
+		Caller().
+		Str("node", node.Hostname).
+		Msg("Finding direct peers")
+
+	nodes := types.Nodes{}
+	if err := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		Where("node_key <> ?",
+			node.NodeKey).Find(&nodes).Error; err != nil {
+		return types.Nodes{}, err
+	}
+
+	sort.Slice(nodes, func(i, j int) bool { return nodes[i].ID < nodes[j].ID })
+
+	log.Trace().
+		Caller().
+		Str("node", node.Hostname).
+		Msgf("Found peers: %s", nodes.String())
+
+	return nodes, nil
+}
+
+func (hsdb *HSDatabase) ListNodes() ([]types.Node, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	return hsdb.listNodes()
+}
+
+func (hsdb *HSDatabase) listNodes() ([]types.Node, error) {
+	nodes := []types.Node{}
+	if err := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		Find(&nodes).Error; err != nil {
+		return nil, err
+	}
+
+	return nodes, nil
+}
+
+func (hsdb *HSDatabase) ListNodesByGivenName(givenName string) (types.Nodes, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	return hsdb.listNodesByGivenName(givenName)
+}
+
+func (hsdb *HSDatabase) listNodesByGivenName(givenName string) (types.Nodes, error) {
+	nodes := types.Nodes{}
+	if err := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		Where("given_name = ?", givenName).Find(&nodes).Error; err != nil {
+		return nil, err
+	}
+
+	return nodes, nil
+}
+
+// GetNode finds a Node by name and user and returns the Node struct.
+func (hsdb *HSDatabase) GetNode(user string, name string) (*types.Node, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	nodes, err := hsdb.ListNodesByUser(user)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, m := range nodes {
+		if m.Hostname == name {
+			return m, nil
+		}
+	}
+
+	return nil, ErrNodeNotFound
+}
+
+// GetNodeByGivenName finds a Node by given name and user and returns the Node struct.
+func (hsdb *HSDatabase) GetNodeByGivenName(
+	user string,
+	givenName string,
+) (*types.Node, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	node := types.Node{}
+	if err := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		Where("given_name = ?", givenName).First(&node).Error; err != nil {
+		return nil, err
+	}
+
+	return nil, ErrNodeNotFound
+}
+
+// GetNodeByID finds a Node by ID and returns the Node struct.
+func (hsdb *HSDatabase) GetNodeByID(id uint64) (*types.Node, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	mach := types.Node{}
+	if result := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		Find(&types.Node{ID: id}).First(&mach); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &mach, nil
+}
+
+// GetNodeByMachineKey finds a Node by its MachineKey and returns the Node struct.
+func (hsdb *HSDatabase) GetNodeByMachineKey(
+	machineKey key.MachinePublic,
+) (*types.Node, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	mach := types.Node{}
+	if result := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		First(&mach, "machine_key = ?", util.MachinePublicKeyStripPrefix(machineKey)); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &mach, nil
+}
+
+// GetNodeByNodeKey finds a Node by its current NodeKey.
+func (hsdb *HSDatabase) GetNodeByNodeKey(
+	nodeKey key.NodePublic,
+) (*types.Node, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	node := types.Node{}
+	if result := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		First(&node, "node_key = ?",
+			util.NodePublicKeyStripPrefix(nodeKey)); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &node, nil
+}
+
+// GetNodeByAnyKey finds a Node by its MachineKey, its current NodeKey or the old one, and returns the Node struct.
+func (hsdb *HSDatabase) GetNodeByAnyKey(
+	machineKey key.MachinePublic, nodeKey key.NodePublic, oldNodeKey key.NodePublic,
+) (*types.Node, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	node := types.Node{}
+	if result := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		First(&node, "machine_key = ? OR node_key = ? OR node_key = ?",
+			util.MachinePublicKeyStripPrefix(machineKey),
+			util.NodePublicKeyStripPrefix(nodeKey),
+			util.NodePublicKeyStripPrefix(oldNodeKey)); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &node, nil
+}
+
+func (hsdb *HSDatabase) NodeReloadFromDatabase(node *types.Node) error {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	if result := hsdb.db.Find(node).First(&node); result.Error != nil {
+		return result.Error
+	}
+
+	return nil
+}
+
+// SetTags takes a Node struct pointer and update the forced tags.
+func (hsdb *HSDatabase) SetTags(
+	node *types.Node,
+	tags []string,
+) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	newTags := []string{}
+	for _, tag := range tags {
+		if !util.StringOrPrefixListContains(newTags, tag) {
+			newTags = append(newTags, tag)
+		}
+	}
+
+	if err := hsdb.db.Model(node).Updates(types.Node{
+		ForcedTags: newTags,
+	}).Error; err != nil {
+		return fmt.Errorf("failed to update tags for node in the database: %w", err)
+	}
+
+	hsdb.notifier.NotifyWithIgnore(types.StateUpdate{
+		Type:    types.StatePeerChanged,
+		Changed: types.Nodes{node},
+	}, node.MachineKey)
+
+	return nil
+}
+
+// RenameNode takes a Node struct and a new GivenName for the nodes
+// and renames it.
+func (hsdb *HSDatabase) RenameNode(node *types.Node, newName string) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	err := util.CheckForFQDNRules(
+		newName,
+	)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "RenameNode").
+			Str("node", node.Hostname).
+			Str("newName", newName).
+			Err(err).
+			Msg("failed to rename node")
+
+		return err
+	}
+	node.GivenName = newName
+
+	if err := hsdb.db.Model(node).Updates(types.Node{
+		GivenName: newName,
+	}).Error; err != nil {
+		return fmt.Errorf("failed to rename node in the database: %w", err)
+	}
+
+	hsdb.notifier.NotifyWithIgnore(types.StateUpdate{
+		Type:    types.StatePeerChanged,
+		Changed: types.Nodes{node},
+	}, node.MachineKey)
+
+	return nil
+}
+
+// NodeSetExpiry takes a Node struct and  a new expiry time.
+func (hsdb *HSDatabase) NodeSetExpiry(node *types.Node, expiry time.Time) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	return hsdb.nodeSetExpiry(node, expiry)
+}
+
+func (hsdb *HSDatabase) nodeSetExpiry(node *types.Node, expiry time.Time) error {
+	if err := hsdb.db.Model(node).Updates(types.Node{
+		Expiry: &expiry,
+	}).Error; err != nil {
+		return fmt.Errorf(
+			"failed to refresh node (update expiration) in the database: %w",
+			err,
+		)
+	}
+
+	hsdb.notifier.NotifyWithIgnore(types.StateUpdate{
+		Type:    types.StatePeerChanged,
+		Changed: types.Nodes{node},
+	}, node.MachineKey)
+
+	return nil
+}
+
+// DeleteNode deletes a Node from the database.
+func (hsdb *HSDatabase) DeleteNode(node *types.Node) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	return hsdb.deleteNode(node)
+}
+
+func (hsdb *HSDatabase) deleteNode(node *types.Node) error {
+	err := hsdb.deleteNodeRoutes(node)
+	if err != nil {
+		return err
+	}
+
+	// Unscoped causes the node to be fully removed from the database.
+	if err := hsdb.db.Unscoped().Delete(&node).Error; err != nil {
+		return err
+	}
+
+	hsdb.notifier.NotifyAll(types.StateUpdate{
+		Type:    types.StatePeerRemoved,
+		Removed: []tailcfg.NodeID{tailcfg.NodeID(node.ID)},
+	})
+
+	return nil
+}
+
+// UpdateLastSeen sets a node's last seen field indicating that we
+// have recently communicating with this node.
+// This is mostly used to indicate if a node is online and is not
+// extremely important to make sure is fully correct and to avoid
+// holding up the hot path, does not contain any locks and isnt
+// concurrency safe. But that should be ok.
+func (hsdb *HSDatabase) UpdateLastSeen(node *types.Node) error {
+	return hsdb.db.Model(node).Updates(types.Node{
+		LastSeen: node.LastSeen,
+	}).Error
+}
+
+func (hsdb *HSDatabase) RegisterNodeFromAuthCallback(
+	cache *cache.Cache,
+	nodeKeyStr string,
+	userName string,
+	nodeExpiry *time.Time,
+	registrationMethod string,
+) (*types.Node, error) {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	nodeKey := key.NodePublic{}
+	err := nodeKey.UnmarshalText([]byte(nodeKeyStr))
+	if err != nil {
+		return nil, err
+	}
+
+	log.Debug().
+		Str("nodeKey", nodeKey.ShortString()).
+		Str("userName", userName).
+		Str("registrationMethod", registrationMethod).
+		Str("expiresAt", fmt.Sprintf("%v", nodeExpiry)).
+		Msg("Registering node from API/CLI or auth callback")
+
+	if nodeInterface, ok := cache.Get(util.NodePublicKeyStripPrefix(nodeKey)); ok {
+		if registrationNode, ok := nodeInterface.(types.Node); ok {
+			user, err := hsdb.getUser(userName)
+			if err != nil {
+				return nil, fmt.Errorf(
+					"failed to find user in register node from auth callback, %w",
+					err,
+				)
+			}
+
+			// Registration of expired node with different user
+			if registrationNode.ID != 0 &&
+				registrationNode.UserID != user.ID {
+				return nil, ErrDifferentRegisteredUser
+			}
+
+			registrationNode.UserID = user.ID
+			registrationNode.RegisterMethod = registrationMethod
+
+			if nodeExpiry != nil {
+				registrationNode.Expiry = nodeExpiry
+			}
+
+			node, err := hsdb.registerNode(
+				registrationNode,
+			)
+
+			if err == nil {
+				cache.Delete(nodeKeyStr)
+			}
+
+			return node, err
+		} else {
+			return nil, ErrCouldNotConvertNodeInterface
+		}
+	}
+
+	return nil, ErrNodeNotFoundRegistrationCache
+}
+
+// RegisterNode is executed from the CLI to register a new Node using its MachineKey.
+func (hsdb *HSDatabase) RegisterNode(node types.Node) (*types.Node, error) {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	return hsdb.registerNode(node)
+}
+
+func (hsdb *HSDatabase) registerNode(node types.Node) (*types.Node, error) {
+	log.Debug().
+		Str("node", node.Hostname).
+		Str("machine_key", node.MachineKey).
+		Str("node_key", node.NodeKey).
+		Str("user", node.User.Name).
+		Msg("Registering node")
+
+	// If the node exists and we had already IPs for it, we just save it
+	// so we store the node.Expire and node.Nodekey that has been set when
+	// adding it to the registrationCache
+	if len(node.IPAddresses) > 0 {
+		if err := hsdb.db.Save(&node).Error; err != nil {
+			return nil, fmt.Errorf("failed register existing node in the database: %w", err)
+		}
+
+		log.Trace().
+			Caller().
+			Str("node", node.Hostname).
+			Str("machine_key", node.MachineKey).
+			Str("node_key", node.NodeKey).
+			Str("user", node.User.Name).
+			Msg("Node authorized again")
+
+		return &node, nil
+	}
+
+	hsdb.ipAllocationMutex.Lock()
+	defer hsdb.ipAllocationMutex.Unlock()
+
+	ips, err := hsdb.getAvailableIPs()
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Str("node", node.Hostname).
+			Msg("Could not find IP for the new node")
+
+		return nil, err
+	}
+
+	node.IPAddresses = ips
+
+	if err := hsdb.db.Save(&node).Error; err != nil {
+		return nil, fmt.Errorf("failed register(save) node in the database: %w", err)
+	}
+
+	log.Trace().
+		Caller().
+		Str("node", node.Hostname).
+		Str("ip", strings.Join(ips.StringSlice(), ",")).
+		Msg("Node registered with the database")
+
+	return &node, nil
+}
+
+// NodeSetNodeKey sets the node key of a node and saves it to the database.
+func (hsdb *HSDatabase) NodeSetNodeKey(node *types.Node, nodeKey key.NodePublic) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	if err := hsdb.db.Model(node).Updates(types.Node{
+		NodeKey: util.NodePublicKeyStripPrefix(nodeKey),
+	}).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// NodeSetMachineKey sets the node key of a node and saves it to the database.
+func (hsdb *HSDatabase) NodeSetMachineKey(
+	node *types.Node,
+	machineKey key.MachinePublic,
+) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	if err := hsdb.db.Model(node).Updates(types.Node{
+		MachineKey: util.MachinePublicKeyStripPrefix(machineKey),
+	}).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// NodeSave saves a node object to the database, prefer to use a specific save method rather
+// than this. It is intended to be used when we are changing or.
+func (hsdb *HSDatabase) NodeSave(node *types.Node) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	if err := hsdb.db.Save(node).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// GetAdvertisedRoutes returns the routes that are be advertised by the given node.
+func (hsdb *HSDatabase) GetAdvertisedRoutes(node *types.Node) ([]netip.Prefix, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	return hsdb.getAdvertisedRoutes(node)
+}
+
+func (hsdb *HSDatabase) getAdvertisedRoutes(node *types.Node) ([]netip.Prefix, error) {
+	routes := types.Routes{}
+
+	err := hsdb.db.
+		Preload("Node").
+		Where("node_id = ? AND advertised = ?", node.ID, true).Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Error().
+			Caller().
+			Err(err).
+			Str("node", node.Hostname).
+			Msg("Could not get advertised routes for node")
+
+		return nil, err
+	}
+
+	prefixes := []netip.Prefix{}
+	for _, route := range routes {
+		prefixes = append(prefixes, netip.Prefix(route.Prefix))
+	}
+
+	return prefixes, nil
+}
+
+// GetEnabledRoutes returns the routes that are enabled for the node.
+func (hsdb *HSDatabase) GetEnabledRoutes(node *types.Node) ([]netip.Prefix, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	return hsdb.getEnabledRoutes(node)
+}
+
+func (hsdb *HSDatabase) getEnabledRoutes(node *types.Node) ([]netip.Prefix, error) {
+	routes := types.Routes{}
+
+	err := hsdb.db.
+		Preload("Node").
+		Where("node_id = ? AND advertised = ? AND enabled = ?", node.ID, true, true).
+		Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Error().
+			Caller().
+			Err(err).
+			Str("node", node.Hostname).
+			Msg("Could not get enabled routes for node")
+
+		return nil, err
+	}
+
+	prefixes := []netip.Prefix{}
+	for _, route := range routes {
+		prefixes = append(prefixes, netip.Prefix(route.Prefix))
+	}
+
+	return prefixes, nil
+}
+
+func (hsdb *HSDatabase) IsRoutesEnabled(node *types.Node, routeStr string) bool {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	route, err := netip.ParsePrefix(routeStr)
+	if err != nil {
+		return false
+	}
+
+	enabledRoutes, err := hsdb.getEnabledRoutes(node)
+	if err != nil {
+		log.Error().Err(err).Msg("Could not get enabled routes")
+
+		return false
+	}
+
+	for _, enabledRoute := range enabledRoutes {
+		if route == enabledRoute {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (hsdb *HSDatabase) ListOnlineNodes(
+	node *types.Node,
+) (map[tailcfg.NodeID]bool, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	peers, err := hsdb.listPeers(node)
+	if err != nil {
+		return nil, err
+	}
+
+	return peers.OnlineNodeMap(), nil
+}
+
+// enableRoutes enables new routes based on a list of new routes.
+func (hsdb *HSDatabase) enableRoutes(node *types.Node, routeStrs ...string) error {
+	newRoutes := make([]netip.Prefix, len(routeStrs))
+	for index, routeStr := range routeStrs {
+		route, err := netip.ParsePrefix(routeStr)
+		if err != nil {
+			return err
+		}
+
+		newRoutes[index] = route
+	}
+
+	advertisedRoutes, err := hsdb.getAdvertisedRoutes(node)
+	if err != nil {
+		return err
+	}
+
+	for _, newRoute := range newRoutes {
+		if !util.StringOrPrefixListContains(advertisedRoutes, newRoute) {
+			return fmt.Errorf(
+				"route (%s) is not available on node %s: %w",
+				node.Hostname,
+				newRoute, ErrNodeRouteIsNotAvailable,
+			)
+		}
+	}
+
+	// Separate loop so we don't leave things in a half-updated state
+	for _, prefix := range newRoutes {
+		route := types.Route{}
+		err := hsdb.db.Preload("Node").
+			Where("node_id = ? AND prefix = ?", node.ID, types.IPPrefix(prefix)).
+			First(&route).Error
+		if err == nil {
+			route.Enabled = true
+
+			// Mark already as primary if there is only this node offering this subnet
+			// (and is not an exit route)
+			if !route.IsExitRoute() {
+				route.IsPrimary = hsdb.isUniquePrefix(route)
+			}
+
+			err = hsdb.db.Save(&route).Error
+			if err != nil {
+				return fmt.Errorf("failed to enable route: %w", err)
+			}
+		} else {
+			return fmt.Errorf("failed to find route: %w", err)
+		}
+	}
+
+	hsdb.notifier.NotifyWithIgnore(types.StateUpdate{
+		Type:    types.StatePeerChanged,
+		Changed: types.Nodes{node},
+	}, node.MachineKey)
+
+	return nil
+}
+
+func generateGivenName(suppliedName string, randomSuffix bool) (string, error) {
+	normalizedHostname, err := util.NormalizeToFQDNRulesConfigFromViper(
+		suppliedName,
+	)
+	if err != nil {
+		return "", err
+	}
+
+	if randomSuffix {
+		// Trim if a hostname will be longer than 63 chars after adding the hash.
+		trimmedHostnameLength := util.LabelHostnameLength - NodeGivenNameHashLength - NodeGivenNameTrimSize
+		if len(normalizedHostname) > trimmedHostnameLength {
+			normalizedHostname = normalizedHostname[:trimmedHostnameLength]
+		}
+
+		suffix, err := util.GenerateRandomStringDNSSafe(NodeGivenNameHashLength)
+		if err != nil {
+			return "", err
+		}
+
+		normalizedHostname += "-" + suffix
+	}
+
+	return normalizedHostname, nil
+}
+
+func (hsdb *HSDatabase) GenerateGivenName(machineKey string, suppliedName string) (string, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	givenName, err := generateGivenName(suppliedName, false)
+	if err != nil {
+		return "", err
+	}
+
+	// Tailscale rules (may differ) https://tailscale.com/kb/1098/machine-names/
+	nodes, err := hsdb.listNodesByGivenName(givenName)
+	if err != nil {
+		return "", err
+	}
+
+	for _, node := range nodes {
+		if node.MachineKey != machineKey && node.GivenName == givenName {
+			postfixedName, err := generateGivenName(suppliedName, true)
+			if err != nil {
+				return "", err
+			}
+
+			givenName = postfixedName
+		}
+	}
+
+	return givenName, nil
+}
+
+func (hsdb *HSDatabase) ExpireEphemeralNodes(inactivityThreshhold time.Duration) {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	users, err := hsdb.listUsers()
+	if err != nil {
+		log.Error().Err(err).Msg("Error listing users")
+
+		return
+	}
+
+	for _, user := range users {
+		nodes, err := hsdb.listNodesByUser(user.Name)
+		if err != nil {
+			log.Error().
+				Err(err).
+				Str("user", user.Name).
+				Msg("Error listing nodes in user")
+
+			return
+		}
+
+		expired := make([]tailcfg.NodeID, 0)
+		for idx, node := range nodes {
+			if node.IsEphemeral() && node.LastSeen != nil &&
+				time.Now().
+					After(node.LastSeen.Add(inactivityThreshhold)) {
+				expired = append(expired, tailcfg.NodeID(node.ID))
+
+				log.Info().
+					Str("node", node.Hostname).
+					Msg("Ephemeral client removed from database")
+
+				err = hsdb.deleteNode(nodes[idx])
+				if err != nil {
+					log.Error().
+						Err(err).
+						Str("node", node.Hostname).
+						Msg("🤮 Cannot delete ephemeral node from the database")
+				}
+			}
+		}
+
+		if len(expired) > 0 {
+			hsdb.notifier.NotifyAll(types.StateUpdate{
+				Type:    types.StatePeerRemoved,
+				Removed: expired,
+			})
+		}
+	}
+}
+
+func (hsdb *HSDatabase) ExpireExpiredNodes(lastCheck time.Time) time.Time {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	// use the time of the start of the function to ensure we
+	// dont miss some nodes by returning it _after_ we have
+	// checked everything.
+	started := time.Now()
+
+	users, err := hsdb.listUsers()
+	if err != nil {
+		log.Error().Err(err).Msg("Error listing users")
+
+		return time.Unix(0, 0)
+	}
+
+	for _, user := range users {
+		nodes, err := hsdb.listNodesByUser(user.Name)
+		if err != nil {
+			log.Error().
+				Err(err).
+				Str("user", user.Name).
+				Msg("Error listing nodes in user")
+
+			return time.Unix(0, 0)
+		}
+
+		expired := make([]tailcfg.NodeID, 0)
+		for index, node := range nodes {
+			if node.IsExpired() &&
+				node.Expiry.After(lastCheck) {
+				expired = append(expired, tailcfg.NodeID(node.ID))
+
+				now := time.Now()
+				err := hsdb.nodeSetExpiry(nodes[index], now)
+				if err != nil {
+					log.Error().
+						Err(err).
+						Str("node", node.Hostname).
+						Str("name", node.GivenName).
+						Msg("🤮 Cannot expire node")
+				} else {
+					log.Info().
+						Str("node", node.Hostname).
+						Str("name", node.GivenName).
+						Msg("Node successfully expired")
+				}
+			}
+		}
+
+		if len(expired) > 0 {
+			hsdb.notifier.NotifyAll(types.StateUpdate{
+				Type:    types.StatePeerRemoved,
+				Removed: expired,
+			})
+		}
+	}
+
+	return started
+}
--- a/hscontrol/db/node_test.go
+++ b/hscontrol/db/node_test.go
@@ -0,0 +1,605 @@
+package db
+
+import (
+	"fmt"
+	"net/netip"
+	"regexp"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"gopkg.in/check.v1"
+	"tailscale.com/types/key"
+)
+
+func (s *Suite) TestGetNode(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetNode("test", "testnode")
+	c.Assert(err, check.NotNil)
+
+	node := &types.Node{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testnode",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(node)
+
+	_, err = db.GetNode("test", "testnode")
+	c.Assert(err, check.IsNil)
+}
+
+func (s *Suite) TestGetNodeByID(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetNodeByID(0)
+	c.Assert(err, check.NotNil)
+
+	node := types.Node{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testnode",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(&node)
+
+	_, err = db.GetNodeByID(0)
+	c.Assert(err, check.IsNil)
+}
+
+func (s *Suite) TestGetNodeByNodeKey(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetNodeByID(0)
+	c.Assert(err, check.NotNil)
+
+	nodeKey := key.NewNode()
+	machineKey := key.NewMachine()
+
+	node := types.Node{
+		ID:             0,
+		MachineKey:     util.MachinePublicKeyStripPrefix(machineKey.Public()),
+		NodeKey:        util.NodePublicKeyStripPrefix(nodeKey.Public()),
+		DiscoKey:       "faa",
+		Hostname:       "testnode",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(&node)
+
+	_, err = db.GetNodeByNodeKey(nodeKey.Public())
+	c.Assert(err, check.IsNil)
+}
+
+func (s *Suite) TestGetNodeByAnyNodeKey(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetNodeByID(0)
+	c.Assert(err, check.NotNil)
+
+	nodeKey := key.NewNode()
+	oldNodeKey := key.NewNode()
+
+	machineKey := key.NewMachine()
+
+	node := types.Node{
+		ID:             0,
+		MachineKey:     util.MachinePublicKeyStripPrefix(machineKey.Public()),
+		NodeKey:        util.NodePublicKeyStripPrefix(nodeKey.Public()),
+		DiscoKey:       "faa",
+		Hostname:       "testnode",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(&node)
+
+	_, err = db.GetNodeByAnyKey(machineKey.Public(), nodeKey.Public(), oldNodeKey.Public())
+	c.Assert(err, check.IsNil)
+}
+
+func (s *Suite) TestHardDeleteNode(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+	node := types.Node{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testnode3",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(1),
+	}
+	db.db.Save(&node)
+
+	err = db.DeleteNode(&node)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetNode(user.Name, "testnode3")
+	c.Assert(err, check.NotNil)
+}
+
+func (s *Suite) TestListPeers(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetNodeByID(0)
+	c.Assert(err, check.NotNil)
+
+	for index := 0; index <= 10; index++ {
+		node := types.Node{
+			ID:             uint64(index),
+			MachineKey:     "foo" + strconv.Itoa(index),
+			NodeKey:        "bar" + strconv.Itoa(index),
+			DiscoKey:       "faa" + strconv.Itoa(index),
+			Hostname:       "testnode" + strconv.Itoa(index),
+			UserID:         user.ID,
+			RegisterMethod: util.RegisterMethodAuthKey,
+			AuthKeyID:      uint(pak.ID),
+		}
+		db.db.Save(&node)
+	}
+
+	node0ByID, err := db.GetNodeByID(0)
+	c.Assert(err, check.IsNil)
+
+	peersOfNode0, err := db.ListPeers(node0ByID)
+	c.Assert(err, check.IsNil)
+
+	c.Assert(len(peersOfNode0), check.Equals, 9)
+	c.Assert(peersOfNode0[0].Hostname, check.Equals, "testnode2")
+	c.Assert(peersOfNode0[5].Hostname, check.Equals, "testnode7")
+	c.Assert(peersOfNode0[8].Hostname, check.Equals, "testnode10")
+}
+
+func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
+	type base struct {
+		user *types.User
+		key  *types.PreAuthKey
+	}
+
+	stor := make([]base, 0)
+
+	for _, name := range []string{"test", "admin"} {
+		user, err := db.CreateUser(name)
+		c.Assert(err, check.IsNil)
+		pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+		c.Assert(err, check.IsNil)
+		stor = append(stor, base{user, pak})
+	}
+
+	_, err := db.GetNodeByID(0)
+	c.Assert(err, check.NotNil)
+
+	for index := 0; index <= 10; index++ {
+		node := types.Node{
+			ID:         uint64(index),
+			MachineKey: "foo" + strconv.Itoa(index),
+			NodeKey:    "bar" + strconv.Itoa(index),
+			DiscoKey:   "faa" + strconv.Itoa(index),
+			IPAddresses: types.NodeAddresses{
+				netip.MustParseAddr(fmt.Sprintf("100.64.0.%v", strconv.Itoa(index+1))),
+			},
+			Hostname:       "testnode" + strconv.Itoa(index),
+			UserID:         stor[index%2].user.ID,
+			RegisterMethod: util.RegisterMethodAuthKey,
+			AuthKeyID:      uint(stor[index%2].key.ID),
+		}
+		db.db.Save(&node)
+	}
+
+	aclPolicy := &policy.ACLPolicy{
+		Groups: map[string][]string{
+			"group:test": {"admin"},
+		},
+		Hosts:     map[string]netip.Prefix{},
+		TagOwners: map[string][]string{},
+		ACLs: []policy.ACL{
+			{
+				Action:       "accept",
+				Sources:      []string{"admin"},
+				Destinations: []string{"*:*"},
+			},
+			{
+				Action:       "accept",
+				Sources:      []string{"test"},
+				Destinations: []string{"test:*"},
+			},
+		},
+		Tests: []policy.ACLTest{},
+	}
+
+	adminNode, err := db.GetNodeByID(1)
+	c.Logf("Node(%v), user: %v", adminNode.Hostname, adminNode.User)
+	c.Assert(err, check.IsNil)
+
+	testNode, err := db.GetNodeByID(2)
+	c.Logf("Node(%v), user: %v", testNode.Hostname, testNode.User)
+	c.Assert(err, check.IsNil)
+
+	adminPeers, err := db.ListPeers(adminNode)
+	c.Assert(err, check.IsNil)
+
+	testPeers, err := db.ListPeers(testNode)
+	c.Assert(err, check.IsNil)
+
+	adminRules, _, err := policy.GenerateFilterAndSSHRules(aclPolicy, adminNode, adminPeers)
+	c.Assert(err, check.IsNil)
+
+	testRules, _, err := policy.GenerateFilterAndSSHRules(aclPolicy, testNode, testPeers)
+	c.Assert(err, check.IsNil)
+
+	peersOfAdminNode := policy.FilterNodesByACL(adminNode, adminPeers, adminRules)
+	peersOfTestNode := policy.FilterNodesByACL(testNode, testPeers, testRules)
+
+	c.Log(peersOfTestNode)
+	c.Assert(len(peersOfTestNode), check.Equals, 9)
+	c.Assert(peersOfTestNode[0].Hostname, check.Equals, "testnode1")
+	c.Assert(peersOfTestNode[1].Hostname, check.Equals, "testnode3")
+	c.Assert(peersOfTestNode[3].Hostname, check.Equals, "testnode5")
+
+	c.Log(peersOfAdminNode)
+	c.Assert(len(peersOfAdminNode), check.Equals, 9)
+	c.Assert(peersOfAdminNode[0].Hostname, check.Equals, "testnode2")
+	c.Assert(peersOfAdminNode[2].Hostname, check.Equals, "testnode4")
+	c.Assert(peersOfAdminNode[5].Hostname, check.Equals, "testnode7")
+}
+
+func (s *Suite) TestExpireNode(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetNode("test", "testnode")
+	c.Assert(err, check.NotNil)
+
+	node := &types.Node{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testnode",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		Expiry:         &time.Time{},
+	}
+	db.db.Save(node)
+
+	nodeFromDB, err := db.GetNode("test", "testnode")
+	c.Assert(err, check.IsNil)
+	c.Assert(nodeFromDB, check.NotNil)
+
+	c.Assert(nodeFromDB.IsExpired(), check.Equals, false)
+
+	now := time.Now()
+	err = db.NodeSetExpiry(nodeFromDB, now)
+	c.Assert(err, check.IsNil)
+
+	c.Assert(nodeFromDB.IsExpired(), check.Equals, true)
+}
+
+func (s *Suite) TestSerdeAddressStrignSlice(c *check.C) {
+	input := types.NodeAddresses([]netip.Addr{
+		netip.MustParseAddr("192.0.2.1"),
+		netip.MustParseAddr("2001:db8::1"),
+	})
+	serialized, err := input.Value()
+	c.Assert(err, check.IsNil)
+	if serial, ok := serialized.(string); ok {
+		c.Assert(serial, check.Equals, "192.0.2.1,2001:db8::1")
+	}
+
+	var deserialized types.NodeAddresses
+	err = deserialized.Scan(serialized)
+	c.Assert(err, check.IsNil)
+
+	c.Assert(len(deserialized), check.Equals, len(input))
+	for i := range deserialized {
+		c.Assert(deserialized[i], check.Equals, input[i])
+	}
+}
+
+func (s *Suite) TestGenerateGivenName(c *check.C) {
+	user1, err := db.CreateUser("user-1")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user1.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetNode("user-1", "testnode")
+	c.Assert(err, check.NotNil)
+
+	node := &types.Node{
+		ID:             0,
+		MachineKey:     "node-key-1",
+		NodeKey:        "node-key-1",
+		DiscoKey:       "disco-key-1",
+		Hostname:       "hostname-1",
+		GivenName:      "hostname-1",
+		UserID:         user1.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(node)
+
+	givenName, err := db.GenerateGivenName("node-key-2", "hostname-2")
+	comment := check.Commentf("Same user, unique nodes, unique hostnames, no conflict")
+	c.Assert(err, check.IsNil, comment)
+	c.Assert(givenName, check.Equals, "hostname-2", comment)
+
+	givenName, err = db.GenerateGivenName("node-key-1", "hostname-1")
+	comment = check.Commentf("Same user, same node, same hostname, no conflict")
+	c.Assert(err, check.IsNil, comment)
+	c.Assert(givenName, check.Equals, "hostname-1", comment)
+
+	givenName, err = db.GenerateGivenName("node-key-2", "hostname-1")
+	comment = check.Commentf("Same user, unique nodes, same hostname, conflict")
+	c.Assert(err, check.IsNil, comment)
+	c.Assert(givenName, check.Matches, fmt.Sprintf("^hostname-1-[a-z0-9]{%d}$", NodeGivenNameHashLength), comment)
+
+	givenName, err = db.GenerateGivenName("node-key-2", "hostname-1")
+	comment = check.Commentf("Unique users, unique nodes, same hostname, conflict")
+	c.Assert(err, check.IsNil, comment)
+	c.Assert(givenName, check.Matches, fmt.Sprintf("^hostname-1-[a-z0-9]{%d}$", NodeGivenNameHashLength), comment)
+}
+
+func (s *Suite) TestSetTags(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetNode("test", "testnode")
+	c.Assert(err, check.NotNil)
+
+	node := &types.Node{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testnode",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(node)
+
+	// assign simple tags
+	sTags := []string{"tag:test", "tag:foo"}
+	err = db.SetTags(node, sTags)
+	c.Assert(err, check.IsNil)
+	node, err = db.GetNode("test", "testnode")
+	c.Assert(err, check.IsNil)
+	c.Assert(node.ForcedTags, check.DeepEquals, types.StringList(sTags))
+
+	// assign duplicat tags, expect no errors but no doubles in DB
+	eTags := []string{"tag:bar", "tag:test", "tag:unknown", "tag:test"}
+	err = db.SetTags(node, eTags)
+	c.Assert(err, check.IsNil)
+	node, err = db.GetNode("test", "testnode")
+	c.Assert(err, check.IsNil)
+	c.Assert(
+		node.ForcedTags,
+		check.DeepEquals,
+		types.StringList([]string{"tag:bar", "tag:test", "tag:unknown"}),
+	)
+}
+
+func TestHeadscale_generateGivenName(t *testing.T) {
+	type args struct {
+		suppliedName string
+		randomSuffix bool
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *regexp.Regexp
+		wantErr bool
+	}{
+		{
+			name: "simple node name generation",
+			args: args{
+				suppliedName: "testnode",
+				randomSuffix: false,
+			},
+			want:    regexp.MustCompile("^testnode$"),
+			wantErr: false,
+		},
+		{
+			name: "node name with 53 chars",
+			args: args{
+				suppliedName: "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine",
+				randomSuffix: false,
+			},
+			want:    regexp.MustCompile("^testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine$"),
+			wantErr: false,
+		},
+		{
+			name: "node name with 63 chars",
+			args: args{
+				suppliedName: "nodeeeeeee12345678901234567890123456789012345678901234567890123",
+				randomSuffix: false,
+			},
+			want:    regexp.MustCompile("^nodeeeeeee12345678901234567890123456789012345678901234567890123$"),
+			wantErr: false,
+		},
+		{
+			name: "node name with 64 chars",
+			args: args{
+				suppliedName: "nodeeeeeee123456789012345678901234567890123456789012345678901234",
+				randomSuffix: false,
+			},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name: "node name with 73 chars",
+			args: args{
+				suppliedName: "nodeeeeeee123456789012345678901234567890123456789012345678901234567890123",
+				randomSuffix: false,
+			},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name: "node name with random suffix",
+			args: args{
+				suppliedName: "test",
+				randomSuffix: true,
+			},
+			want:    regexp.MustCompile(fmt.Sprintf("^test-[a-z0-9]{%d}$", NodeGivenNameHashLength)),
+			wantErr: false,
+		},
+		{
+			name: "node name with 63 chars with random suffix",
+			args: args{
+				suppliedName: "nodeeee12345678901234567890123456789012345678901234567890123",
+				randomSuffix: true,
+			},
+			want:    regexp.MustCompile(fmt.Sprintf("^nodeeee1234567890123456789012345678901234567890123456-[a-z0-9]{%d}$", NodeGivenNameHashLength)),
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := generateGivenName(tt.args.suppliedName, tt.args.randomSuffix)
+			if (err != nil) != tt.wantErr {
+				t.Errorf(
+					"Headscale.GenerateGivenName() error = %v, wantErr %v",
+					err,
+					tt.wantErr,
+				)
+
+				return
+			}
+
+			if tt.want != nil && !tt.want.MatchString(got) {
+				t.Errorf(
+					"Headscale.GenerateGivenName() = %v, does not match %v",
+					tt.want,
+					got,
+				)
+			}
+
+			if len(got) > util.LabelHostnameLength {
+				t.Errorf(
+					"Headscale.GenerateGivenName() = %v is larger than allowed DNS segment %d",
+					got,
+					util.LabelHostnameLength,
+				)
+			}
+		})
+	}
+}
+
+func (s *Suite) TestAutoApproveRoutes(c *check.C) {
+	acl := []byte(`
+{
+	"tagOwners": {
+		"tag:exit": ["test"],
+	},
+
+	"groups": {
+		"group:test": ["test"]
+	},
+
+	"acls": [
+		{"action": "accept", "users": ["*"], "ports": ["*:*"]},
+	],
+
+	"autoApprovers": {
+		"exitNode": ["tag:exit"],
+		"routes": {
+			"10.10.0.0/16": ["group:test"],
+			"10.11.0.0/16": ["test"],
+		}
+	}
+}
+	`)
+
+	pol, err := policy.LoadACLPolicyFromBytes(acl, "hujson")
+	c.Assert(err, check.IsNil)
+	c.Assert(pol, check.NotNil)
+
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	nodeKey := key.NewNode()
+
+	defaultRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
+	defaultRouteV6 := netip.MustParsePrefix("::/0")
+	route1 := netip.MustParsePrefix("10.10.0.0/16")
+	// Check if a subprefix of an autoapproved route is approved
+	route2 := netip.MustParsePrefix("10.11.0.0/24")
+
+	node := types.Node{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        util.NodePublicKeyStripPrefix(nodeKey.Public()),
+		DiscoKey:       "faa",
+		Hostname:       "test",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo: types.HostInfo{
+			RequestTags: []string{"tag:exit"},
+			RoutableIPs: []netip.Prefix{defaultRouteV4, defaultRouteV6, route1, route2},
+		},
+		IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.1")},
+	}
+
+	db.db.Save(&node)
+
+	err = db.SaveNodeRoutes(&node)
+	c.Assert(err, check.IsNil)
+
+	node0ByID, err := db.GetNodeByID(0)
+	c.Assert(err, check.IsNil)
+
+	err = db.EnableAutoApprovedRoutes(pol, node0ByID)
+	c.Assert(err, check.IsNil)
+
+	enabledRoutes, err := db.GetEnabledRoutes(node0ByID)
+	c.Assert(err, check.IsNil)
+	c.Assert(enabledRoutes, check.HasLen, 4)
+}
--- a/hscontrol/db/preauth_keys.go
+++ b/hscontrol/db/preauth_keys.go
@@ -0,0 +1,229 @@
+package db
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"gorm.io/gorm"
+)
+
+var (
+	ErrPreAuthKeyNotFound          = errors.New("AuthKey not found")
+	ErrPreAuthKeyExpired           = errors.New("AuthKey expired")
+	ErrSingleUseAuthKeyHasBeenUsed = errors.New("AuthKey has already been used")
+	ErrUserMismatch                = errors.New("user mismatch")
+	ErrPreAuthKeyACLTagInvalid     = errors.New("AuthKey tag is invalid")
+)
+
+// CreatePreAuthKey creates a new PreAuthKey in a user, and returns it.
+func (hsdb *HSDatabase) CreatePreAuthKey(
+	userName string,
+	reusable bool,
+	ephemeral bool,
+	expiration *time.Time,
+	aclTags []string,
+) (*types.PreAuthKey, error) {
+	// TODO(kradalby): figure out this lock
+	// hsdb.mu.Lock()
+	// defer hsdb.mu.Unlock()
+
+	user, err := hsdb.GetUser(userName)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, tag := range aclTags {
+		if !strings.HasPrefix(tag, "tag:") {
+			return nil, fmt.Errorf(
+				"%w: '%s' did not begin with 'tag:'",
+				ErrPreAuthKeyACLTagInvalid,
+				tag,
+			)
+		}
+	}
+
+	now := time.Now().UTC()
+	kstr, err := hsdb.generateKey()
+	if err != nil {
+		return nil, err
+	}
+
+	key := types.PreAuthKey{
+		Key:        kstr,
+		UserID:     user.ID,
+		User:       *user,
+		Reusable:   reusable,
+		Ephemeral:  ephemeral,
+		CreatedAt:  &now,
+		Expiration: expiration,
+	}
+
+	err = hsdb.db.Transaction(func(db *gorm.DB) error {
+		if err := db.Save(&key).Error; err != nil {
+			return fmt.Errorf("failed to create key in the database: %w", err)
+		}
+
+		if len(aclTags) > 0 {
+			seenTags := map[string]bool{}
+
+			for _, tag := range aclTags {
+				if !seenTags[tag] {
+					if err := db.Save(&types.PreAuthKeyACLTag{PreAuthKeyID: key.ID, Tag: tag}).Error; err != nil {
+						return fmt.Errorf(
+							"failed to ceate key tag in the database: %w",
+							err,
+						)
+					}
+					seenTags[tag] = true
+				}
+			}
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &key, nil
+}
+
+// ListPreAuthKeys returns the list of PreAuthKeys for a user.
+func (hsdb *HSDatabase) ListPreAuthKeys(userName string) ([]types.PreAuthKey, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	return hsdb.listPreAuthKeys(userName)
+}
+
+func (hsdb *HSDatabase) listPreAuthKeys(userName string) ([]types.PreAuthKey, error) {
+	user, err := hsdb.getUser(userName)
+	if err != nil {
+		return nil, err
+	}
+
+	keys := []types.PreAuthKey{}
+	if err := hsdb.db.Preload("User").Preload("ACLTags").Where(&types.PreAuthKey{UserID: user.ID}).Find(&keys).Error; err != nil {
+		return nil, err
+	}
+
+	return keys, nil
+}
+
+// GetPreAuthKey returns a PreAuthKey for a given key.
+func (hsdb *HSDatabase) GetPreAuthKey(user string, key string) (*types.PreAuthKey, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	pak, err := hsdb.ValidatePreAuthKey(key)
+	if err != nil {
+		return nil, err
+	}
+
+	if pak.User.Name != user {
+		return nil, ErrUserMismatch
+	}
+
+	return pak, nil
+}
+
+// DestroyPreAuthKey destroys a preauthkey. Returns error if the PreAuthKey
+// does not exist.
+func (hsdb *HSDatabase) DestroyPreAuthKey(pak types.PreAuthKey) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	return hsdb.destroyPreAuthKey(pak)
+}
+
+func (hsdb *HSDatabase) destroyPreAuthKey(pak types.PreAuthKey) error {
+	return hsdb.db.Transaction(func(db *gorm.DB) error {
+		if result := db.Unscoped().Where(types.PreAuthKeyACLTag{PreAuthKeyID: pak.ID}).Delete(&types.PreAuthKeyACLTag{}); result.Error != nil {
+			return result.Error
+		}
+
+		if result := db.Unscoped().Delete(pak); result.Error != nil {
+			return result.Error
+		}
+
+		return nil
+	})
+}
+
+// MarkExpirePreAuthKey marks a PreAuthKey as expired.
+func (hsdb *HSDatabase) ExpirePreAuthKey(k *types.PreAuthKey) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	if err := hsdb.db.Model(&k).Update("Expiration", time.Now()).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// UsePreAuthKey marks a PreAuthKey as used.
+func (hsdb *HSDatabase) UsePreAuthKey(k *types.PreAuthKey) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	k.Used = true
+	if err := hsdb.db.Save(k).Error; err != nil {
+		return fmt.Errorf("failed to update key used status in the database: %w", err)
+	}
+
+	return nil
+}
+
+// ValidatePreAuthKey does the heavy lifting for validation of the PreAuthKey coming from a node
+// If returns no error and a PreAuthKey, it can be used.
+func (hsdb *HSDatabase) ValidatePreAuthKey(k string) (*types.PreAuthKey, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	pak := types.PreAuthKey{}
+	if result := hsdb.db.Preload("User").Preload("ACLTags").First(&pak, "key = ?", k); errors.Is(
+		result.Error,
+		gorm.ErrRecordNotFound,
+	) {
+		return nil, ErrPreAuthKeyNotFound
+	}
+
+	if pak.Expiration != nil && pak.Expiration.Before(time.Now()) {
+		return nil, ErrPreAuthKeyExpired
+	}
+
+	if pak.Reusable || pak.Ephemeral { // we don't need to check if has been used before
+		return &pak, nil
+	}
+
+	nodes := types.Nodes{}
+	if err := hsdb.db.
+		Preload("AuthKey").
+		Where(&types.Node{AuthKeyID: uint(pak.ID)}).
+		Find(&nodes).Error; err != nil {
+		return nil, err
+	}
+
+	if len(nodes) != 0 || pak.Used {
+		return nil, ErrSingleUseAuthKeyHasBeenUsed
+	}
+
+	return &pak, nil
+}
+
+func (hsdb *HSDatabase) generateKey() (string, error) {
+	size := 24
+	bytes := make([]byte, size)
+	if _, err := rand.Read(bytes); err != nil {
+		return "", err
+	}
+
+	return hex.EncodeToString(bytes), nil
+}
--- a/hscontrol/db/preauth_keys_test.go
+++ b/hscontrol/db/preauth_keys_test.go
@@ -1,20 +1,22 @@
-package headscale
+package db

 import (
 	"time"

+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"gopkg.in/check.v1"
 )

 func (*Suite) TestCreatePreAuthKey(c *check.C) {
-	_, err := app.CreatePreAuthKey("bogus", true, false, nil, nil)
+	_, err := db.CreatePreAuthKey("bogus", true, false, nil, nil)

 	c.Assert(err, check.NotNil)

-	user, err := app.CreateUser("test")
+	user, err := db.CreateUser("test")
 	c.Assert(err, check.IsNil)

-	key, err := app.CreatePreAuthKey(user.Name, true, false, nil, nil)
+	key, err := db.CreatePreAuthKey(user.Name, true, false, nil, nil)
 	c.Assert(err, check.IsNil)

 	// Did we get a valid key?
@@ -24,10 +26,10 @@ func (*Suite) TestCreatePreAuthKey(c *check.C) {
 	// Make sure the User association is populated
 	c.Assert(key.User.Name, check.Equals, user.Name)

-	_, err = app.ListPreAuthKeys("bogus")
+	_, err = db.ListPreAuthKeys("bogus")
 	c.Assert(err, check.NotNil)

-	keys, err := app.ListPreAuthKeys(user.Name)
+	keys, err := db.ListPreAuthKeys(user.Name)
 	c.Assert(err, check.IsNil)
 	c.Assert(len(keys), check.Equals, 1)

@@ -36,174 +38,174 @@ func (*Suite) TestCreatePreAuthKey(c *check.C) {
 }

 func (*Suite) TestExpiredPreAuthKey(c *check.C) {
-	user, err := app.CreateUser("test2")
+	user, err := db.CreateUser("test2")
 	c.Assert(err, check.IsNil)

 	now := time.Now()
-	pak, err := app.CreatePreAuthKey(user.Name, true, false, &now, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, true, false, &now, nil)
 	c.Assert(err, check.IsNil)

-	key, err := app.checkKeyValidity(pak.Key)
+	key, err := db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.Equals, ErrPreAuthKeyExpired)
 	c.Assert(key, check.IsNil)
 }

 func (*Suite) TestPreAuthKeyDoesNotExist(c *check.C) {
-	key, err := app.checkKeyValidity("potatoKey")
+	key, err := db.ValidatePreAuthKey("potatoKey")
 	c.Assert(err, check.Equals, ErrPreAuthKeyNotFound)
 	c.Assert(key, check.IsNil)
 }

 func (*Suite) TestValidateKeyOk(c *check.C) {
-	user, err := app.CreateUser("test3")
+	user, err := db.CreateUser("test3")
 	c.Assert(err, check.IsNil)

-	pak, err := app.CreatePreAuthKey(user.Name, true, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, true, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	key, err := app.checkKeyValidity(pak.Key)
+	key, err := db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.IsNil)
 	c.Assert(key.ID, check.Equals, pak.ID)
 }

 func (*Suite) TestAlreadyUsedKey(c *check.C) {
-	user, err := app.CreateUser("test4")
+	user, err := db.CreateUser("test4")
 	c.Assert(err, check.IsNil)

-	pak, err := app.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	machine := Machine{
+	node := types.Node{
 		ID:             0,
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Hostname:       "testest",
 		UserID:         user.ID,
-		RegisterMethod: RegisterMethodAuthKey,
+		RegisterMethod: util.RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
 	}
-	app.db.Save(&machine)
+	db.db.Save(&node)

-	key, err := app.checkKeyValidity(pak.Key)
+	key, err := db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.Equals, ErrSingleUseAuthKeyHasBeenUsed)
 	c.Assert(key, check.IsNil)
 }

 func (*Suite) TestReusableBeingUsedKey(c *check.C) {
-	user, err := app.CreateUser("test5")
+	user, err := db.CreateUser("test5")
 	c.Assert(err, check.IsNil)

-	pak, err := app.CreatePreAuthKey(user.Name, true, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, true, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	machine := Machine{
+	node := types.Node{
 		ID:             1,
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Hostname:       "testest",
 		UserID:         user.ID,
-		RegisterMethod: RegisterMethodAuthKey,
+		RegisterMethod: util.RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
 	}
-	app.db.Save(&machine)
+	db.db.Save(&node)

-	key, err := app.checkKeyValidity(pak.Key)
+	key, err := db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.IsNil)
 	c.Assert(key.ID, check.Equals, pak.ID)
 }

 func (*Suite) TestNotReusableNotBeingUsedKey(c *check.C) {
-	user, err := app.CreateUser("test6")
+	user, err := db.CreateUser("test6")
 	c.Assert(err, check.IsNil)

-	pak, err := app.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	key, err := app.checkKeyValidity(pak.Key)
+	key, err := db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.IsNil)
 	c.Assert(key.ID, check.Equals, pak.ID)
 }

 func (*Suite) TestEphemeralKey(c *check.C) {
-	user, err := app.CreateUser("test7")
+	user, err := db.CreateUser("test7")
 	c.Assert(err, check.IsNil)

-	pak, err := app.CreatePreAuthKey(user.Name, false, true, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, false, true, nil, nil)
 	c.Assert(err, check.IsNil)

-	now := time.Now()
-	machine := Machine{
+	now := time.Now().Add(-time.Second * 30)
+	node := types.Node{
 		ID:             0,
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Hostname:       "testest",
 		UserID:         user.ID,
-		RegisterMethod: RegisterMethodAuthKey,
+		RegisterMethod: util.RegisterMethodAuthKey,
 		LastSeen:       &now,
 		AuthKeyID:      uint(pak.ID),
 	}
-	app.db.Save(&machine)
+	db.db.Save(&node)

-	_, err = app.checkKeyValidity(pak.Key)
+	_, err = db.ValidatePreAuthKey(pak.Key)
 	// Ephemeral keys are by definition reusable
 	c.Assert(err, check.IsNil)

-	_, err = app.GetMachine("test7", "testest")
+	_, err = db.GetNode("test7", "testest")
 	c.Assert(err, check.IsNil)

-	app.expireEphemeralNodesWorker()
+	db.ExpireEphemeralNodes(time.Second * 20)

 	// The machine record should have been deleted
-	_, err = app.GetMachine("test7", "testest")
+	_, err = db.GetNode("test7", "testest")
 	c.Assert(err, check.NotNil)
 }

 func (*Suite) TestExpirePreauthKey(c *check.C) {
-	user, err := app.CreateUser("test3")
+	user, err := db.CreateUser("test3")
 	c.Assert(err, check.IsNil)

-	pak, err := app.CreatePreAuthKey(user.Name, true, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, true, false, nil, nil)
 	c.Assert(err, check.IsNil)
 	c.Assert(pak.Expiration, check.IsNil)

-	err = app.ExpirePreAuthKey(pak)
+	err = db.ExpirePreAuthKey(pak)
 	c.Assert(err, check.IsNil)
 	c.Assert(pak.Expiration, check.NotNil)

-	key, err := app.checkKeyValidity(pak.Key)
+	key, err := db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.Equals, ErrPreAuthKeyExpired)
 	c.Assert(key, check.IsNil)
 }

 func (*Suite) TestNotReusableMarkedAsUsed(c *check.C) {
-	user, err := app.CreateUser("test6")
+	user, err := db.CreateUser("test6")
 	c.Assert(err, check.IsNil)

-	pak, err := app.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 	pak.Used = true
-	app.db.Save(&pak)
+	db.db.Save(&pak)

-	_, err = app.checkKeyValidity(pak.Key)
+	_, err = db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.Equals, ErrSingleUseAuthKeyHasBeenUsed)
 }

 func (*Suite) TestPreAuthKeyACLTags(c *check.C) {
-	user, err := app.CreateUser("test8")
+	user, err := db.CreateUser("test8")
 	c.Assert(err, check.IsNil)

-	_, err = app.CreatePreAuthKey(user.Name, false, false, nil, []string{"badtag"})
+	_, err = db.CreatePreAuthKey(user.Name, false, false, nil, []string{"badtag"})
 	c.Assert(err, check.NotNil) // Confirm that malformed tags are rejected

 	tags := []string{"tag:test1", "tag:test2"}
 	tagsWithDuplicate := []string{"tag:test1", "tag:test2", "tag:test2"}
-	_, err = app.CreatePreAuthKey(user.Name, false, false, nil, tagsWithDuplicate)
+	_, err = db.CreatePreAuthKey(user.Name, false, false, nil, tagsWithDuplicate)
 	c.Assert(err, check.IsNil)

-	listedPaks, err := app.ListPreAuthKeys("test8")
+	listedPaks, err := db.ListPreAuthKeys("test8")
 	c.Assert(err, check.IsNil)
-	c.Assert(listedPaks[0].toProto().AclTags, check.DeepEquals, tags)
+	c.Assert(listedPaks[0].Proto().AclTags, check.DeepEquals, tags)
 }
--- a/hscontrol/db/routes.go
+++ b/hscontrol/db/routes.go
@@ -0,0 +1,531 @@
+package db
+
+import (
+	"errors"
+	"net/netip"
+
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/rs/zerolog/log"
+	"gorm.io/gorm"
+)
+
+var ErrRouteIsNotAvailable = errors.New("route is not available")
+
+func (hsdb *HSDatabase) GetRoutes() (types.Routes, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	return hsdb.getRoutes()
+}
+
+func (hsdb *HSDatabase) getRoutes() (types.Routes, error) {
+	var routes types.Routes
+	err := hsdb.db.Preload("Node").Find(&routes).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return routes, nil
+}
+
+func (hsdb *HSDatabase) GetNodeAdvertisedRoutes(node *types.Node) (types.Routes, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	return hsdb.getNodeAdvertisedRoutes(node)
+}
+
+func (hsdb *HSDatabase) getNodeAdvertisedRoutes(node *types.Node) (types.Routes, error) {
+	var routes types.Routes
+	err := hsdb.db.
+		Preload("Node").
+		Where("node_id = ? AND advertised = true", node.ID).
+		Find(&routes).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return routes, nil
+}
+
+func (hsdb *HSDatabase) GetNodeRoutes(node *types.Node) (types.Routes, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	return hsdb.getNodeRoutes(node)
+}
+
+func (hsdb *HSDatabase) getNodeRoutes(node *types.Node) (types.Routes, error) {
+	var routes types.Routes
+	err := hsdb.db.
+		Preload("Node").
+		Where("node_id = ?", node.ID).
+		Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, err
+	}
+
+	return routes, nil
+}
+
+func (hsdb *HSDatabase) GetRoute(id uint64) (*types.Route, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	return hsdb.getRoute(id)
+}
+
+func (hsdb *HSDatabase) getRoute(id uint64) (*types.Route, error) {
+	var route types.Route
+	err := hsdb.db.Preload("Node").First(&route, id).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return &route, nil
+}
+
+func (hsdb *HSDatabase) EnableRoute(id uint64) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	return hsdb.enableRoute(id)
+}
+
+func (hsdb *HSDatabase) enableRoute(id uint64) error {
+	route, err := hsdb.getRoute(id)
+	if err != nil {
+		return err
+	}
+
+	// Tailscale requires both IPv4 and IPv6 exit routes to
+	// be enabled at the same time, as per
+	// https://github.com/juanfont/headscale/issues/804#issuecomment-1399314002
+	if route.IsExitRoute() {
+		return hsdb.enableRoutes(
+			&route.Node,
+			types.ExitRouteV4.String(),
+			types.ExitRouteV6.String(),
+		)
+	}
+
+	return hsdb.enableRoutes(&route.Node, netip.Prefix(route.Prefix).String())
+}
+
+func (hsdb *HSDatabase) DisableRoute(id uint64) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	route, err := hsdb.getRoute(id)
+	if err != nil {
+		return err
+	}
+
+	// Tailscale requires both IPv4 and IPv6 exit routes to
+	// be enabled at the same time, as per
+	// https://github.com/juanfont/headscale/issues/804#issuecomment-1399314002
+	if !route.IsExitRoute() {
+		route.Enabled = false
+		route.IsPrimary = false
+		err = hsdb.db.Save(route).Error
+		if err != nil {
+			return err
+		}
+
+		return hsdb.handlePrimarySubnetFailover()
+	}
+
+	routes, err := hsdb.getNodeRoutes(&route.Node)
+	if err != nil {
+		return err
+	}
+
+	for i := range routes {
+		if routes[i].IsExitRoute() {
+			routes[i].Enabled = false
+			routes[i].IsPrimary = false
+			err = hsdb.db.Save(&routes[i]).Error
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return hsdb.handlePrimarySubnetFailover()
+}
+
+func (hsdb *HSDatabase) DeleteRoute(id uint64) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	route, err := hsdb.getRoute(id)
+	if err != nil {
+		return err
+	}
+
+	// Tailscale requires both IPv4 and IPv6 exit routes to
+	// be enabled at the same time, as per
+	// https://github.com/juanfont/headscale/issues/804#issuecomment-1399314002
+	if !route.IsExitRoute() {
+		if err := hsdb.db.Unscoped().Delete(&route).Error; err != nil {
+			return err
+		}
+
+		return hsdb.handlePrimarySubnetFailover()
+	}
+
+	routes, err := hsdb.getNodeRoutes(&route.Node)
+	if err != nil {
+		return err
+	}
+
+	routesToDelete := types.Routes{}
+	for _, r := range routes {
+		if r.IsExitRoute() {
+			routesToDelete = append(routesToDelete, r)
+		}
+	}
+
+	if err := hsdb.db.Unscoped().Delete(&routesToDelete).Error; err != nil {
+		return err
+	}
+
+	return hsdb.handlePrimarySubnetFailover()
+}
+
+func (hsdb *HSDatabase) deleteNodeRoutes(node *types.Node) error {
+	routes, err := hsdb.getNodeRoutes(node)
+	if err != nil {
+		return err
+	}
+
+	for i := range routes {
+		if err := hsdb.db.Unscoped().Delete(&routes[i]).Error; err != nil {
+			return err
+		}
+	}
+
+	return hsdb.handlePrimarySubnetFailover()
+}
+
+// isUniquePrefix returns if there is another node providing the same route already.
+func (hsdb *HSDatabase) isUniquePrefix(route types.Route) bool {
+	var count int64
+	hsdb.db.
+		Model(&types.Route{}).
+		Where("prefix = ? AND node_id != ? AND advertised = ? AND enabled = ?",
+			route.Prefix,
+			route.NodeID,
+			true, true).Count(&count)
+
+	return count == 0
+}
+
+func (hsdb *HSDatabase) getPrimaryRoute(prefix netip.Prefix) (*types.Route, error) {
+	var route types.Route
+	err := hsdb.db.
+		Preload("Node").
+		Where("prefix = ? AND advertised = ? AND enabled = ? AND is_primary = ?", types.IPPrefix(prefix), true, true, true).
+		First(&route).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, err
+	}
+
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, gorm.ErrRecordNotFound
+	}
+
+	return &route, nil
+}
+
+// getNodePrimaryRoutes returns the routes that are enabled and marked as primary (for subnet failover)
+// Exit nodes are not considered for this, as they are never marked as Primary.
+func (hsdb *HSDatabase) GetNodePrimaryRoutes(node *types.Node) (types.Routes, error) {
+	hsdb.mu.RLock()
+	defer hsdb.mu.RUnlock()
+
+	var routes types.Routes
+	err := hsdb.db.
+		Preload("Node").
+		Where("node_id = ? AND advertised = ? AND enabled = ? AND is_primary = ?", node.ID, true, true, true).
+		Find(&routes).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return routes, nil
+}
+
+// SaveNodeRoutes takes a node and updates the database with
+// the new routes.
+func (hsdb *HSDatabase) SaveNodeRoutes(node *types.Node) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	return hsdb.saveNodeRoutes(node)
+}
+
+func (hsdb *HSDatabase) saveNodeRoutes(node *types.Node) error {
+	currentRoutes := types.Routes{}
+	err := hsdb.db.Where("node_id = ?", node.ID).Find(&currentRoutes).Error
+	if err != nil {
+		return err
+	}
+
+	advertisedRoutes := map[netip.Prefix]bool{}
+	for _, prefix := range node.HostInfo.RoutableIPs {
+		advertisedRoutes[prefix] = false
+	}
+
+	log.Trace().
+		Str("node", node.Hostname).
+		Interface("advertisedRoutes", advertisedRoutes).
+		Interface("currentRoutes", currentRoutes).
+		Msg("updating routes")
+
+	for pos, route := range currentRoutes {
+		if _, ok := advertisedRoutes[netip.Prefix(route.Prefix)]; ok {
+			if !route.Advertised {
+				currentRoutes[pos].Advertised = true
+				err := hsdb.db.Save(&currentRoutes[pos]).Error
+				if err != nil {
+					return err
+				}
+			}
+			advertisedRoutes[netip.Prefix(route.Prefix)] = true
+		} else if route.Advertised {
+			currentRoutes[pos].Advertised = false
+			currentRoutes[pos].Enabled = false
+			err := hsdb.db.Save(&currentRoutes[pos]).Error
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	for prefix, exists := range advertisedRoutes {
+		if !exists {
+			route := types.Route{
+				NodeID:     node.ID,
+				Prefix:     types.IPPrefix(prefix),
+				Advertised: true,
+				Enabled:    false,
+			}
+			err := hsdb.db.Create(&route).Error
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func (hsdb *HSDatabase) HandlePrimarySubnetFailover() error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	return hsdb.handlePrimarySubnetFailover()
+}
+
+func (hsdb *HSDatabase) handlePrimarySubnetFailover() error {
+	// first, get all the enabled routes
+	var routes types.Routes
+	err := hsdb.db.
+		Preload("Node").
+		Where("advertised = ? AND enabled = ?", true, true).
+		Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Error().Err(err).Msg("error getting routes")
+	}
+
+	changedNodes := make(types.Nodes, 0)
+	for pos, route := range routes {
+		if route.IsExitRoute() {
+			continue
+		}
+
+		node := &route.Node
+
+		if !route.IsPrimary {
+			_, err := hsdb.getPrimaryRoute(netip.Prefix(route.Prefix))
+			if hsdb.isUniquePrefix(route) || errors.Is(err, gorm.ErrRecordNotFound) {
+				log.Info().
+					Str("prefix", netip.Prefix(route.Prefix).String()).
+					Str("node", route.Node.GivenName).
+					Msg("Setting primary route")
+				routes[pos].IsPrimary = true
+				err := hsdb.db.Save(&routes[pos]).Error
+				if err != nil {
+					log.Error().Err(err).Msg("error marking route as primary")
+
+					return err
+				}
+
+				changedNodes = append(changedNodes, node)
+
+				continue
+			}
+		}
+
+		if route.IsPrimary {
+			if route.Node.IsOnline() {
+				continue
+			}
+
+			// node offline, find a new primary
+			log.Info().
+				Str("node", route.Node.Hostname).
+				Str("prefix", netip.Prefix(route.Prefix).String()).
+				Msgf("node offline, finding a new primary subnet")
+
+			// find a new primary route
+			var newPrimaryRoutes types.Routes
+			err := hsdb.db.
+				Preload("Node").
+				Where("prefix = ? AND node_id != ? AND advertised = ? AND enabled = ?",
+					route.Prefix,
+					route.NodeID,
+					true, true).
+				Find(&newPrimaryRoutes).Error
+			if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+				log.Error().Err(err).Msg("error finding new primary route")
+
+				return err
+			}
+
+			var newPrimaryRoute *types.Route
+			for pos, r := range newPrimaryRoutes {
+				if r.Node.IsOnline() {
+					newPrimaryRoute = &newPrimaryRoutes[pos]
+
+					break
+				}
+			}
+
+			if newPrimaryRoute == nil {
+				log.Warn().
+					Str("node", route.Node.Hostname).
+					Str("prefix", netip.Prefix(route.Prefix).String()).
+					Msgf("no alternative primary route found")
+
+				continue
+			}
+
+			log.Info().
+				Str("old_node", route.Node.Hostname).
+				Str("prefix", netip.Prefix(route.Prefix).String()).
+				Str("new_node", newPrimaryRoute.Node.Hostname).
+				Msgf("found new primary route")
+
+			// disable the old primary route
+			routes[pos].IsPrimary = false
+			err = hsdb.db.Save(&routes[pos]).Error
+			if err != nil {
+				log.Error().Err(err).Msg("error disabling old primary route")
+
+				return err
+			}
+
+			// enable the new primary route
+			newPrimaryRoute.IsPrimary = true
+			err = hsdb.db.Save(&newPrimaryRoute).Error
+			if err != nil {
+				log.Error().Err(err).Msg("error enabling new primary route")
+
+				return err
+			}
+
+			changedNodes = append(changedNodes, node)
+		}
+	}
+
+	if len(changedNodes) > 0 {
+		hsdb.notifier.NotifyAll(types.StateUpdate{
+			Type:    types.StatePeerChanged,
+			Changed: changedNodes,
+		})
+	}
+
+	return nil
+}
+
+// EnableAutoApprovedRoutes enables any routes advertised by a node that match the ACL autoApprovers policy.
+func (hsdb *HSDatabase) EnableAutoApprovedRoutes(
+	aclPolicy *policy.ACLPolicy,
+	node *types.Node,
+) error {
+	hsdb.mu.Lock()
+	defer hsdb.mu.Unlock()
+
+	if len(node.IPAddresses) == 0 {
+		return nil // This node has no IPAddresses, so can't possibly match any autoApprovers ACLs
+	}
+
+	routes, err := hsdb.getNodeAdvertisedRoutes(node)
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Error().
+			Caller().
+			Err(err).
+			Str("node", node.Hostname).
+			Msg("Could not get advertised routes for node")
+
+		return err
+	}
+
+	approvedRoutes := types.Routes{}
+
+	for _, advertisedRoute := range routes {
+		if advertisedRoute.Enabled {
+			continue
+		}
+
+		routeApprovers, err := aclPolicy.AutoApprovers.GetRouteApprovers(
+			netip.Prefix(advertisedRoute.Prefix),
+		)
+		if err != nil {
+			log.Err(err).
+				Str("advertisedRoute", advertisedRoute.String()).
+				Uint64("nodeId", node.ID).
+				Msg("Failed to resolve autoApprovers for advertised route")
+
+			return err
+		}
+
+		for _, approvedAlias := range routeApprovers {
+			if approvedAlias == node.User.Name {
+				approvedRoutes = append(approvedRoutes, advertisedRoute)
+			} else {
+				// TODO(kradalby): figure out how to get this to depend on less stuff
+				approvedIps, err := aclPolicy.ExpandAlias(types.Nodes{node}, approvedAlias)
+				if err != nil {
+					log.Err(err).
+						Str("alias", approvedAlias).
+						Msg("Failed to expand alias when processing autoApprovers policy")
+
+					return err
+				}
+
+				// approvedIPs should contain all of node's IPs if it matches the rule, so check for first
+				if approvedIps.Contains(node.IPAddresses[0]) {
+					approvedRoutes = append(approvedRoutes, advertisedRoute)
+				}
+			}
+		}
+	}
+
+	for _, approvedRoute := range approvedRoutes {
+		err := hsdb.enableRoute(uint64(approvedRoute.ID))
+		if err != nil {
+			log.Err(err).
+				Str("approvedRoute", approvedRoute.String()).
+				Uint64("nodeId", node.ID).
+				Msg("Failed to enable approved route")
+
+			return err
+		}
+	}
+
+	return nil
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Kristoffer Dalby	01b85e5232	remove readonly case for mapresponse, dont think it is used (#1556 )	2023-09-25 14:27:24 -07:00
Kristoffer Dalby	64c0a6523f	Set online status in lite requests (#1555 )	2023-09-25 14:27:14 -07:00
Kristoffer Dalby	84fbca97f7	add note about db backup to changelog (#1560 )	2023-09-25 14:27:03 -07:00
Kristoffer Dalby	56cf4b082e	Add github stale action (#1559 )	2023-09-25 09:33:31 -05:00
github-actions[bot]	6cd0f77511	docs(README): update contributors (#1558 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2023-09-24 14:34:53 -07:00
Kristoffer Dalby	b27e8ab5a1	add 0.23.0 changelog entry (#1557 )	2023-09-24 14:18:19 -07:00
Juan Font	0030af3fa4	Rename Machine to Node (#1553 )	2023-09-24 06:42:05 -05:00
Kristoffer Dalby	096ac31bb3	handle route updates correctly Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	c957f893bd	Return simple responses immediatly This commit rearranges the poll handler to immediatly accept updates and notify its peers and return, not travel down the function for a bit. This reduces the DB calls and other holdups that isnt necessary to send a "lite response", a map response without peers, or accepting an endpoint update. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	217ccd6540	improve debug logging, rw lock for notifier Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	3bef63bb80	Remove LastSuccessfulUpdate from Machine This field is no longer used, it was used in our old state "algorithm" to determine if we should send an update. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	591ff8d347	add pprof endpoint Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	14f8c1ba34	order path Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	ca4a48afbb	gitignore infolder tailscale Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	9ccf87c566	add lock around saving ts clients Closes #1544 Co-Authored-By: Patrick Huang <huangxiaoman@gmail.com> Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	4c12c02e71	Upgrade go and debian in headscale docker Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	2434d76ade	give ci more tollerance for timeouts Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	432e975a7f	move MapResponse peer logic into function and reuse Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	387aa03adb	Remove database from Mapper This commit changes the internals of the mapper to track all the changes to peers over its lifetime. This means that it no longer depends on the database and this should hopefully help with locks and timing issues. When the mapper is created, it needs the current list of peers, the world view, when the polling session was started. Then as update changes are called, it tracks the changes and generates responses based on its internal list. As a side, the types.Machines and types.MachinesP, as well as types.Machine being passed as a full struct and pointer has been changed to always be pointers, everywhere. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	3b0749a320	Update packetfilter when peers change Previously we did not update the packet filter when nodes changed, which would cause new nodes to be missing from packet filters of old nodes. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	a8079a2096	rearrange poll, lock, notify Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	593b3ad981	filter out peers without endpoints Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	e90a669951	remove retries for pings in tsic Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	9c5301ee2e	add maprequest to all mapper calls Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	13a7285658	fix lint Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	e55fe0671a	only send lite map responses when omitpeers Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	e0ba325b3b	additional debug logging, use mapper pointer Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	eff529f2c5	introduce rw lock for db, ish... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	a1a3ff4ba8	disable online map by default for now Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	78268d78a0	add debug option to save all map responses Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	f73172fb21	add less/jq to hs debug container Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	b7c6e0ec88	add annoying linter to golangci Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	2d87085cbc	rearrange channel closing defers Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	13fe4ec91b	add script to run integration tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	53a9e28faf	Add missing return in shutdown Co-Authored-By: Jason <armooo@armooo.net> Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	4b65cf48d0	Split up MapResponse This commits extends the mapper with functions for creating "delta" MapResponses for different purposes (peer changed, peer removed, derp). This wires up the new state management with a new StateUpdate struct letting the poll worker know what kind of update to send to the connected nodes. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	66ff1fcd40	Replace the timestamp based state system This commit replaces the timestamp based state system with a new one that has update channels directly to the connected nodes. It will send an update to all listening clients via the polling mechanism. It introduces a new package notifier, which has a concurrency safe manager for all our channels to the connected nodes. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	056d3a81c5	format with prettier 3.0 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-19 10:20:21 -05:00
Kristoffer Dalby	7edc953d35	Update tsic.go	2023-09-05 08:47:43 +02:00
Kristoffer Dalby	12a04f9459	fix relogin test, pass accept route flag Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-05 08:47:43 +02:00
Kristoffer Dalby	1766e6b5df	General fixups discovered by checking errors There was a lot of tests that actually threw a lot of errors and that did not pass all the way because we didnt check everything. This commit should fix all of these cases. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-05 08:47:43 +02:00
Kristoffer Dalby	f8a58aa15b	introduce a version subset we must test against Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-05 08:47:43 +02:00
Kristoffer Dalby	b4a4d0f760	Handle errors in integration test setups Thanks @kev-the-dev Closes #1460 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-05 08:47:43 +02:00
Kristoffer Dalby	63caf9a222	update flake, fix prettier lint Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-05 08:47:43 +02:00
Kristoffer Dalby	47255d267e	add script to run integration tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-09-05 08:47:43 +02:00
Juan Font	e3acc95859	Send logs to stderr, rather than stdout	2023-08-11 20:59:38 +02:00
qzydustin	fb203a2e45	Format code	2023-07-23 23:46:02 +02:00
qzydustin	6567af7730	Fix IP Address Order Bug	2023-07-23 23:46:02 +02:00
Kristoffer Dalby	23a3adf8d2	use cmp.Diff instead of reflect.DeepEqual Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-07-01 21:55:47 +02:00
Kristoffer Dalby	665a3cc666	add generic logerr func to shorten code Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-07-01 08:35:04 +01:00
Kristoffer Dalby	fe75b71620	use nix caching and docker caching in CI Also bumps tailscale version to trigger build and fixes a CLI test that had the wrong capitalisation Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-29 12:49:36 +01:00
Kristoffer Dalby	19dc0ac702	rename acl "get" funcs to "expand" for consistency Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-21 10:31:48 +02:00
Kristoffer Dalby	155cc072f7	migrate last acl tests away from database Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-21 10:31:48 +02:00
Kristoffer Dalby	e2c08db3b5	reduce filter rules at the end, so we filter nodes correctly Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-21 10:31:48 +02:00
Kristoffer Dalby	fcdc7a6f7d	remove redundant tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-21 10:31:48 +02:00
Kristoffer Dalby	88ca2501d1	only send relevant filterrules to nodes Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-21 10:31:48 +02:00
Kristoffer Dalby	2675ff4b94	make parse destination string into a func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-21 10:31:48 +02:00
Kristoffer Dalby	717abe89c1	remove "stripEmailDomain" argument This commit makes a wrapper function round the normalisation requiring "stripEmailDomain" which has to be passed in almost all functions of headscale by loading it from Viper instead. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-21 10:31:48 +02:00
Kristoffer Dalby	161243c787	make generateFilterRules take machine and peers Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-21 10:31:48 +02:00
Kristoffer Dalby	9c425a1c08	Finish SSH This commit allows SSH rules to be assigned to each relevant not and by doing that allow SSH to be rejected, completing the initial SSH support. This commit enables SSH by default and removes the experimental flag. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-21 10:31:48 +02:00
Kristoffer Dalby	db6cf4ac0a	make GenerateFilterRules take machine and peers Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-21 10:31:48 +02:00
Kristoffer Dalby	35770278f7	upgrade tailscale Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-21 10:31:48 +02:00
Viacheslav Sychov	36c9b5ce74	Adjust the template for the OIDC callback login page	2023-06-14 18:08:49 +02:00
Kristoffer Dalby	0562260fe0	rename handler files This commit renames a bunch of files to try to make it a bit less confusing; protocol_ is now auth as they contained registration, auth and login/out flow protocol_.*_poll is now poll.go api.go and other generic handlers are now handlers.go Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-08 16:34:15 +02:00
Kristoffer Dalby	c1218ad3c2	move reminder of dns funcs to util Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-08 16:34:15 +02:00
Kristoffer Dalby	d36336a572	fix lint Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-08 16:34:15 +02:00
Kristoffer Dalby	80ea87c032	move derp_server to derp server module Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-08 16:34:15 +02:00
Kristoffer Dalby	8c4c4c8633	move derp.go to derp module Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-08 16:34:15 +02:00
Kristoffer Dalby	2289a2acbf	move Config definitions into types Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-08 16:34:15 +02:00
Viacheslav Sychov	c72401a99b	Fix IPv6 in ACLs	2023-06-08 16:34:15 +02:00
Kristoffer Dalby	725bbd7408	Remove variables and leftovers of pregenerated ACL content Prior to the code reorg, we would generate rules from the Policy and store it on the global object. Now we generate it on the fly for each node and this commit cleans up the old variables to make sure we have no unexpected side effects. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-08 16:34:15 +02:00
Kristoffer Dalby	084d1d5d6e	Add initial test for mapresponse Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-08 16:34:15 +02:00
Kristoffer Dalby	f9f6e1557a	Remove complicated testcase obsoleated by tailNode test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-08 16:34:15 +02:00
Kristoffer Dalby	5bad48a24e	remove DB dependency of tailNode conversion, add test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-08 16:34:15 +02:00
Kristoffer Dalby	bce8427423	Map route into machine Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-08 16:34:15 +02:00
Kristoffer Dalby	f7f472ae07	introduce mapper package The mapper package contains functions related to creating and marshalling reponses to machines. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-06-08 16:34:15 +02:00
github-actions[bot]	699655a93f	docs(README): update contributors	2023-05-27 16:21:42 +02:00
Kristoffer Dalby	feb15365b5	Split code into modules This is a massive commit that restructures the code into modules: db/ All functions related to modifying the Database types/ All type definitions and methods that can be exclusivly used on these types without dependencies policy/ All Policy related code, now without dependencies on the Database. policy/matcher/ Dedicated code to match machines in a list of FilterRules Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-26 12:24:50 +02:00
Kristoffer Dalby	14e29a7bee	create DB struct This is step one in detaching the Database layer from Headscale (h). The ultimate goal is to have all function that does database operations in its own package, and keep the business logic and writing separate. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-26 12:24:50 +02:00
Juan Font	b01f1f1867	Clean apt	2023-05-12 10:09:36 +02:00
Juan Font	c027ef0f6c	Added changelog for 0.22.3	2023-05-12 10:09:36 +02:00
Six	db97a7ab10	Add ca-certificates to Dockerfile	2023-05-12 09:24:55 +02:00
Kristoffer Dalby	252342a0a5	update nix hash Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	cdf3c47d63	changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	61a2915f17	port reminder of integrationv1 test to v2 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	a16f0c9f60	clean up unused legacy stuff Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	52ad138c32	update dependency path for integration Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	d2413d0a2f	move swagger to root for now Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	51dc0d5784	update dependency path for cmd Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	2d365c8c9c	inline old acl hujson tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	f2c1d1b8f9	regenerate gen Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	2d6356fa13	move templates Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	3bfc598ccc	move generated files Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	3683d3e82f	rename package name to hscontrol Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	4a7921ead5	move all go files from root to hscontrol Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Juan Font	22e397e0b6	Use common path in unix_socket default setting	2023-05-10 18:18:04 +02:00
Juan Font	c7db99d6ca	Update changelog + prepare for 0.22.2	2023-05-10 18:18:04 +02:00
Juan Font	f73354b4f4	Create default sock path in Docker	2023-05-10 18:18:04 +02:00
Juan Font	4c8f8c6a1c	Ditch distroless for Docker image distroless has proven a mantenance burden for us, and it has caused headaches for user when trying to debug issues in the container. And in 2023, 20MB of extra disk space are neglectible.	2023-05-10 18:18:04 +02:00
Juan Font	997e93455d	Added web ui section Added discord	2023-05-10 16:16:12 +02:00
Juan Font	9f381256c4	Update config.go	2023-05-10 14:25:13 +02:00
Juan Font	f60c5a1398	Fix socket location in config.go	2023-05-10 14:25:13 +02:00
Juan Font	5706f84cb0	Revert "Revert unix_socket to default value" This reverts commit `ca54fb9f56`.	2023-05-10 14:25:13 +02:00