The preauthkeys commands expect a user id instead of a username

(cherry picked from commit a98d9bd05f)

.dockerignore

@@ -3,6 +3,7 @@
 // development
 integration_test.go
 integration_test/
+!integration_test/etc_embedded_derp/tls/server.crt
 
 Dockerfile*
 docker-compose*

.envrc

@@ -0,0 +1 @@
+use flake

.github/CODEOWNERS

@@ -0,0 +1,10 @@
+* @juanfont @kradalby
+
+*.md @ohdearaugustin @nblock
+*.yml @ohdearaugustin @nblock
+*.yaml @ohdearaugustin @nblock
+Dockerfile* @ohdearaugustin @nblock
+.goreleaser.yaml @ohdearaugustin @nblock
+/docs/ @ohdearaugustin @nblock
+/.github/workflows/ @ohdearaugustin @nblock
+/.github/renovate.json @ohdearaugustin @nblock

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+ko_fi: headscale

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -0,0 +1,97 @@
+name: 🐞 Bug
+description: File a bug/issue
+title: "[Bug] <title>"
+labels: ["bug", "needs triage"]
+body:
+  - type: checkboxes
+    attributes:
+      label: Is this a support request?
+      description: This issue tracker is for bugs and feature requests only. If you need help, please use ask in our Discord community
+      options:
+        - label: This is not a support request
+          required: true
+  - type: checkboxes
+    attributes:
+      label: Is there an existing issue for this?
+      description: Please search to see if an issue already exists for the bug you encountered.
+      options:
+        - label: I have searched the existing issues
+          required: true
+  - type: textarea
+    attributes:
+      label: Current Behavior
+      description: A concise description of what you're experiencing.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Expected Behavior
+      description: A concise description of what you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Steps To Reproduce
+      description: Steps to reproduce the behavior.
+      placeholder: |
+        1. In this environment...
+        1. With this config...
+        1. Run '...'
+        1. See error...
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Environment
+      description: |
+        Please provide information about your environment.
+        If you are using a container, always provide the headscale version and not only the Docker image version.
+        Please do not put "latest".
+
+        If you are experiencing a problem during an upgrade, please provide the versions of the old and new versions of Headscale and Tailscale.
+
+        examples:
+          - **OS**: Ubuntu 24.04
+          - **Headscale version**: 0.24.3
+          - **Tailscale version**: 1.80.0
+      value: |
+        - OS:
+        - Headscale version:
+        - Tailscale version:
+      render: markdown
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Runtime environment
+      options:
+        - label: Headscale is behind a (reverse) proxy
+          required: false
+        - label: Headscale runs in a container
+          required: false
+  - type: textarea
+    attributes:
+      label: Debug information
+      description: |
+        Links? References? Anything that will give us more context about the issue you are encountering.
+        If **any** of these are omitted we will likely close your issue, do **not** ignore them.
+
+        - Client netmap dump (see below)
+        - Policy configuration
+        - Headscale configuration
+        - Headscale log (with `trace` enabled)
+
+        Dump the netmap of tailscale clients:
+        `tailscale debug netmap > DESCRIPTIVE_NAME.json`
+
+        Dump the status of tailscale clients:
+        `tailscale status --json > DESCRIPTIVE_NAME.json`
+
+        Get the logs of a Tailscale client that is not working as expected.
+        `tailscale daemon-logs`
+
+        Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
+        **Ensure** you use formatting for files you attach.
+        Do **not** paste in long files.
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,11 @@
+# Issues must have some content
+blank_issues_enabled: false
+
+# Contact links
+contact_links:
+  - name: "headscale usage documentation"
+    url: "https://github.com/juanfont/headscale/blob/main/docs"
+    about: "Find documentation about how to configure and run headscale."
+  - name: "headscale Discord community"
+    url: "https://discord.gg/xGj2TuqyxY"
+    about: "Please ask and answer questions about usage of headscale here."

.github/ISSUE_TEMPLATE/feature_request.yaml

@@ -0,0 +1,36 @@
+name: 🚀 Feature Request
+description: Suggest an idea for Headscale
+title: "[Feature] <title>"
+labels: [enhancement]
+body:
+  - type: textarea
+    attributes:
+      label: Use case
+      description: Please describe the use case for this feature.
+      placeholder: |
+        <!-- Include the reason, why you would need the feature. E.g. what problem
+          does it solve? Or which workflow is currently frustrating and will be improved by
+          this? -->
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Description
+      description: A clear and precise description of what new or changed feature you want.
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Contribution
+      description: Are you willing to contribute to the implementation of this feature?
+      options:
+        - label: I can write the design doc for this feature
+          required: false
+        - label: I can contribute this feature
+          required: false
+  - type: textarea
+    attributes:
+      label: How can it be implemented?
+      description: Free text for your ideas on how this feature could be implemented.
+    validations:
+      required: false

.github/pull_request_template.md

@@ -0,0 +1,22 @@
+<!--
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+This model has been chosen to reduce the risk of burnout by limiting the
+maintenance overhead of reviewing and validating third-party code.
+
+Headscale is open to code contributions for bug fixes without discussion.
+
+If you find mistakes in the documentation, please submit a fix to the documentation.
+-->
+
+<!-- Please tick if the following things apply. You… -->
+
+- [ ] have read the [CONTRIBUTING.md](./CONTRIBUTING.md) file
+- [ ] raised a GitHub issue or discussed it on the projects chat beforehand
+- [ ] added unit tests
+- [ ] added integration tests
+- [ ] updated documentation if needed
+- [ ] updated CHANGELOG.md
+
+<!-- If applicable, please reference the issue using `Fixes #XXX` and add tests to cover your new code. -->

.github/renovate.json

@@ -0,0 +1,34 @@
+{
+  "baseBranches": ["main"],
+  "username": "renovate-release",
+  "gitAuthor": "Renovate Bot <bot@renovateapp.com>",
+  "branchPrefix": "renovateaction/",
+  "onboarding": false,
+  "extends": ["config:base", ":rebaseStalePrs"],
+  "ignorePresets": [":prHourlyLimit2"],
+  "enabledManagers": ["dockerfile", "gomod", "github-actions", "regex"],
+  "includeForks": true,
+  "repositories": ["juanfont/headscale"],
+  "platform": "github",
+  "packageRules": [
+    {
+      "matchDatasources": ["go"],
+      "groupName": "Go modules",
+      "groupSlug": "gomod",
+      "separateMajorMinor": false
+    },
+    {
+      "matchDatasources": ["docker"],
+      "groupName": "Dockerfiles",
+      "groupSlug": "dockerfiles"
+    }
+  ],
+  "regexManagers": [
+    {
+      "fileMatch": [".github/workflows/.*.yml$"],
+      "matchStrings": ["\\s*go-version:\\s*\"?(?<currentValue>.*?)\"?\\n"],
+      "datasourceTemplate": "golang-version",
+      "depNameTemplate": "actions/go-version"
+    }
+  ]
+}

.github/workflows/build.yml

@@ -8,28 +8,88 @@ on:
     branches:
       - main
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
-  build:
+  build-nix:
     runs-on: ubuntu-latest
-
+    permissions: write-all
     steps:
-      - uses: actions/checkout@v2
-
-      - name: Setup Go
-        uses: actions/setup-go@v2
+      - uses: actions/checkout@v4
         with:
-          go-version: "1.17.3"
+          fetch-depth: 2
+      - name: Get changed files
+        id: changed-files
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - 'integration_test/'
+              - 'config-example.yaml'
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+        if: steps.changed-files.outputs.files == 'true'
 
-      - name: Install dependencies
+      - name: Run nix build
+        id: build
+        if: steps.changed-files.outputs.files == 'true'
         run: |
-          go version
-          sudo apt update
-          sudo apt install -y make
+          nix build |& tee build-result
+          BUILD_STATUS="${PIPESTATUS[0]}"
 
-      - name: Run build
-        run: make build
+          OLD_HASH=$(cat build-result | grep specified: | awk -F ':' '{print $2}' | sed 's/ //g')
+          NEW_HASH=$(cat build-result | grep got: | awk -F ':' '{print $2}' | sed 's/ //g')
 
-      - uses: actions/upload-artifact@v2
+          echo "OLD_HASH=$OLD_HASH" >> $GITHUB_OUTPUT
+          echo "NEW_HASH=$NEW_HASH" >> $GITHUB_OUTPUT
+
+          exit $BUILD_STATUS
+
+      - name: Nix gosum diverging
+        uses: actions/github-script@v6
+        if: failure() && steps.build.outcome == 'failure'
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.rest.pulls.createReviewComment({
+              pull_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: 'Nix build failed with wrong gosum, please update "vendorSha256" (${{ steps.build.outputs.OLD_HASH }}) for the "headscale" package in flake.nix with the new SHA: ${{ steps.build.outputs.NEW_HASH }}'
+            })
+
+      - uses: actions/upload-artifact@v4
+        if: steps.changed-files.outputs.files == 'true'
         with:
           name: headscale-linux
-          path: headscale
+          path: result/bin/headscale
+  build-cross:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        env:
+          - "GOARCH=arm   GOOS=linux GOARM=5"
+          - "GOARCH=arm   GOOS=linux GOARM=6"
+          - "GOARCH=arm   GOOS=linux GOARM=7"
+          - "GOARCH=arm64 GOOS=linux"
+          - "GOARCH=386   GOOS=linux"
+          - "GOARCH=amd64 GOOS=linux"
+          - "GOARCH=arm64 GOOS=darwin"
+          - "GOARCH=amd64 GOOS=darwin"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Run go cross compile
+        run: env ${{ matrix.env }} nix develop --command -- go build -o "headscale" ./cmd/headscale
+      - uses: actions/upload-artifact@v4
+        with:
+          name: "headscale-${{ matrix.env }}"
+          path: "headscale"

.github/workflows/check-tests.yaml

@@ -0,0 +1,41 @@
+name: Check integration tests workflow
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  check-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - name: Get changed files
+        id: changed-files
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - 'integration_test/'
+              - 'config-example.yaml'
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+        if: steps.changed-files.outputs.files == 'true'
+
+      - name: Generate and check integration tests
+        if: steps.changed-files.outputs.files == 'true'
+        run: |
+          nix develop --command bash -c "cd .github/workflows && go generate"
+          git diff --exit-code .github/workflows/test-integration.yaml
+
+      - name: Show missing tests
+        if: failure()
+        run: |
+          git diff .github/workflows/test-integration.yaml

.github/workflows/contributors.yml

@@ -1,24 +0,0 @@
-name: Contributors
-
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  add-contributors:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: BobAnkh/add-contributors@master
-        with:
-          CONTRIBUTOR: "## Contributors"
-          COLUMN_PER_ROW: "6"
-          ACCESS_TOKEN: ${{secrets.GITHUB_TOKEN}}
-          IMG_WIDTH: "100"
-          FONT_SIZE: "14"
-          PATH: "/README.md"
-          COMMIT_MESSAGE: "docs(README): update contributors"
-          AVATAR_SHAPE: "round"
-          BRANCH: "update-contributors"
-          PULL_REQUEST: "main"

.github/workflows/docs-deploy.yml

@@ -0,0 +1,51 @@
+name: Deploy docs
+
+on:
+  push:
+    branches:
+      # Main branch for development docs
+      - main
+
+      # Doc maintenance branches
+      - doc/[0-9]+.[0-9]+.[0-9]+
+    tags:
+      # Stable release tags
+      - v[0-9]+.[0-9]+.[0-9]+
+    paths:
+      - "docs/**"
+      - "mkdocs.yml"
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+      - name: Setup cache
+        uses: actions/cache@v4
+        with:
+          key: ${{ github.ref }}
+          path: .cache
+      - name: Setup dependencies
+        run: pip install -r docs/requirements.txt
+      - name: Configure git
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+      - name: Deploy development docs
+        if: github.ref == 'refs/heads/main'
+        run: mike deploy --push development unstable
+      - name: Deploy stable docs from doc branches
+        if: startsWith(github.ref, 'refs/heads/doc/')
+        run: mike deploy --push ${GITHUB_REF_NAME##*/}
+      - name: Deploy stable docs from tag
+        if: startsWith(github.ref, 'refs/tags/v')
+        # This assumes that only newer tags are pushed
+        run: mike deploy --push --update-aliases ${GITHUB_REF_NAME#v} stable latest

.github/workflows/docs-test.yml

@@ -0,0 +1,27 @@
+name: Test documentation build
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+      - name: Setup cache
+        uses: actions/cache@v4
+        with:
+          key: ${{ github.ref }}
+          path: .cache
+      - name: Setup dependencies
+        run: pip install -r docs/requirements.txt
+      - name: Build docs
+        run: mkdocs build --strict

.github/workflows/gh-action-integration-generator.go

@@ -0,0 +1,74 @@
+package main
+
+//go:generate go run ./gh-action-integration-generator.go
+
+import (
+	"bytes"
+	"fmt"
+	"log"
+	"os/exec"
+	"strings"
+)
+
+func findTests() []string {
+	rgBin, err := exec.LookPath("rg")
+	if err != nil {
+		log.Fatalf("failed to find rg (ripgrep) binary")
+	}
+
+	args := []string{
+		"--regexp", "func (Test.+)\\(.*",
+		"../../integration/",
+		"--replace", "$1",
+		"--sort", "path",
+		"--no-line-number",
+		"--no-filename",
+		"--no-heading",
+	}
+
+	cmd := exec.Command(rgBin, args...)
+	var out bytes.Buffer
+	cmd.Stdout = &out
+	err = cmd.Run()
+	if err != nil {
+		log.Fatalf("failed to run command: %s", err)
+	}
+
+	tests := strings.Split(strings.TrimSpace(out.String()), "\n")
+	return tests
+}
+
+func updateYAML(tests []string, testPath string) {
+	testsForYq := fmt.Sprintf("[%s]", strings.Join(tests, ", "))
+
+	yqCommand := fmt.Sprintf(
+		"yq eval '.jobs.integration-test.strategy.matrix.test = %s' %s -i",
+		testsForYq,
+		testPath,
+	)
+	cmd := exec.Command("bash", "-c", yqCommand)
+
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		log.Printf("stdout: %s", stdout.String())
+		log.Printf("stderr: %s", stderr.String())
+		log.Fatalf("failed to run yq command: %s", err)
+	}
+
+	fmt.Printf("YAML file (%s) updated successfully\n", testPath)
+}
+
+func main() {
+	tests := findTests()
+
+	quotedTests := make([]string, len(tests))
+	for i, test := range tests {
+		quotedTests[i] = fmt.Sprintf("\"%s\"", test)
+	}
+
+	updateYAML(quotedTests, "./test-integration.yaml")
+}

.github/workflows/gh-actions-updater.yaml

@@ -0,0 +1,23 @@
+name: GitHub Actions Version Updater
+
+on:
+  schedule:
+    # Automatically run on every Sunday
+    - cron: "0 0 * * 0"
+
+jobs:
+  build:
+    if: github.repository == 'juanfont/headscale'
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # [Required] Access token with `workflow` scope.
+          token: ${{ secrets.WORKFLOW_SECRET }}
+
+      - name: Run GitHub Actions Version Updater
+        uses: saadmk11/github-actions-version-updater@v0.8.1
+        with:
+          # [Required] Access token with `workflow` scope.
+          token: ${{ secrets.WORKFLOW_SECRET }}

.github/workflows/lint.yml

@@ -1,37 +1,75 @@
----
-name: CI
+name: Lint
 
-on: [push, pull_request]
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
 
 jobs:
   golangci-lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - name: Get changed files
+        id: changed-files
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - 'integration_test/'
+              - 'config-example.yaml'
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+        if: steps.changed-files.outputs.files == 'true'
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
-        with:
-          version: latest
+        if: steps.changed-files.outputs.files == 'true'
+        run: nix develop --command -- golangci-lint run --new-from-rev=${{github.event.pull_request.base.sha}} --out-format=colored-line-number
 
   prettier-lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - name: Get changed files
+        id: changed-files
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            files:
+              - '*.nix'
+              - '**/*.md'
+              - '**/*.yml'
+              - '**/*.yaml'
+              - '**/*.ts'
+              - '**/*.js'
+              - '**/*.sass'
+              - '**/*.css'
+              - '**/*.scss'
+              - '**/*.html'
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+        if: steps.changed-files.outputs.files == 'true'
 
       - name: Prettify code
-        uses: creyD/prettier_action@v4.0
-        with:
-          prettier_options: >-
-            --check **/*.{ts,js,md,yaml,yml,sass,css,scss,html}
-          only_changed: false
-          dry: true
+        if: steps.changed-files.outputs.files == 'true'
+        run: nix develop --command -- prettier --no-error-on-unmatched-pattern --ignore-unknown --check **/*.{ts,js,md,yaml,yml,sass,css,scss,html}
 
   proto-lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: bufbuild/buf-setup-action@v0.7.0
-      - uses: bufbuild/buf-lint-action@v1
-        with:
-          input: "proto"
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Buf lint
+        run: nix develop --command -- buf lint proto

.github/workflows/release.yml

@@ -1,5 +1,5 @@
 ---
-name: release
+name: Release
 
 on:
   push:
@@ -9,146 +9,31 @@ on:
 
 jobs:
   goreleaser:
-    runs-on: ubuntu-18.04 # due to CGO we need to user an older version
+    if: github.repository == 'juanfont/headscale'
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.17
 
-      - name: Install dependencies
-        run: |
-          sudo apt update
-          sudo apt install -y gcc-aarch64-linux-gnu
-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
         with:
-          distribution: goreleaser
-          version: latest
-          args: release --rm-dist
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Run goreleaser
+        run: nix develop --command -- goreleaser release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  docker-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
-
-  docker-debug-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache-debug
-          key: ${{ runner.os }}-buildx-debug-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-debug-
-      - name: Docker meta
-        id: meta-debug
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          flavor: |
-            latest=false
-          tags: |
-            type=semver,pattern={{version}}-debug
-            type=semver,pattern={{major}}.{{minor}}-debug
-            type=semver,pattern={{major}}-debug
-            type=raw,value=latest-debug
-            type=sha,suffix=-debug
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          file: Dockerfile.debug
-          tags: ${{ steps.meta-debug.outputs.tags }}
-          labels: ${{ steps.meta-debug.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache-debug
-          cache-to: type=local,dest=/tmp/.buildx-cache-debug-new
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug

.github/workflows/stale.yml

@@ -0,0 +1,25 @@
+name: Close inactive issues
+
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  close-issues:
+    if: github.repository == 'juanfont/headscale'
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v9
+        with:
+          days-before-issue-stale: 90
+          days-before-issue-close: 7
+          stale-issue-label: "stale"
+          stale-issue-message: "This issue is stale because it has been open for 90 days with no activity."
+          close-issue-message: "This issue was closed because it has been inactive for 14 days since being marked as stale."
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          exempt-issue-labels: "no-stale-bot"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test-integration.yaml

@@ -0,0 +1,168 @@
+name: Integration Tests
+# To debug locally on a branch, and when needing secrets
+# change this to include `push` so the build is ran on
+# the main repository.
+on: [pull_request]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+jobs:
+  integration-test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        test:
+          - TestACLHostsInNetMapTable
+          - TestACLAllowUser80Dst
+          - TestACLDenyAllPort80
+          - TestACLAllowUserDst
+          - TestACLAllowStarDst
+          - TestACLNamedHostsCanReachBySubnet
+          - TestACLNamedHostsCanReach
+          - TestACLDevice1CanAccessDevice2
+          - TestPolicyUpdateWhileRunningWithCLIInDatabase
+          - TestAuthKeyLogoutAndReloginSameUser
+          - TestAuthKeyLogoutAndReloginNewUser
+          - TestAuthKeyLogoutAndReloginSameUserExpiredKey
+          - TestOIDCAuthenticationPingAll
+          - TestOIDCExpireNodesBasedOnTokenExpiry
+          - TestOIDC024UserCreation
+          - TestOIDCAuthenticationWithPKCE
+          - TestOIDCReloginSameNodeNewUser
+          - TestAuthWebFlowAuthenticationPingAll
+          - TestAuthWebFlowLogoutAndRelogin
+          - TestUserCommand
+          - TestPreAuthKeyCommand
+          - TestPreAuthKeyCommandWithoutExpiry
+          - TestPreAuthKeyCommandReusableEphemeral
+          - TestPreAuthKeyCorrectUserLoggedInCommand
+          - TestApiKeyCommand
+          - TestNodeTagCommand
+          - TestNodeAdvertiseTagCommand
+          - TestNodeCommand
+          - TestNodeExpireCommand
+          - TestNodeRenameCommand
+          - TestNodeMoveCommand
+          - TestPolicyCommand
+          - TestPolicyBrokenConfigCommand
+          - TestDERPVerifyEndpoint
+          - TestResolveMagicDNS
+          - TestResolveMagicDNSExtraRecordsPath
+          - TestDERPServerScenario
+          - TestDERPServerWebsocketScenario
+          - TestPingAllByIP
+          - TestPingAllByIPPublicDERP
+          - TestEphemeral
+          - TestEphemeralInAlternateTimezone
+          - TestEphemeral2006DeletedTooQuickly
+          - TestPingAllByHostname
+          - TestTaildrop
+          - TestUpdateHostnameFromClient
+          - TestExpireNode
+          - TestNodeOnlineStatus
+          - TestPingAllByIPManyUpDown
+          - Test2118DeletingOnlineNodePanics
+          - TestEnablingRoutes
+          - TestHASubnetRouterFailover
+          - TestSubnetRouteACL
+          - TestEnablingExitRoutes
+          - TestSubnetRouterMultiNetwork
+          - TestSubnetRouterMultiNetworkExitNode
+          - TestAutoApproveMultiNetwork
+          - TestSubnetRouteACLFiltering
+          - TestHeadscale
+          - TestTailscaleNodesJoiningHeadcale
+          - TestSSHOneUserToAll
+          - TestSSHMultipleUsersAllToAll
+          - TestSSHNoSSHConfigured
+          - TestSSHIsBlockedInACL
+          - TestSSHUserOnlyIsolation
+        database: [postgres, sqlite]
+    env:
+      # Github does not allow us to access secrets in pull requests,
+      # so this env var is used to check if we have the secret or not.
+      # If we have the secrets, meaning we are running on push in a fork,
+      # there might be secrets available for more debugging.
+      # If TS_OAUTH_CLIENT_ID and TS_OAUTH_SECRET is set, then the job
+      # will join a debug tailscale network, set up SSH and a tmux session.
+      # The SSH will be configured to use the SSH key of the Github user
+      # that triggered the build.
+      HAS_TAILSCALE_SECRET: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - name: Get changed files
+        id: changed-files
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - 'integration_test/'
+              - 'config-example.yaml'
+      - name: Tailscale
+        if: ${{ env.HAS_TAILSCALE_SECRET }}
+        uses: tailscale/github-action@v2
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:gh
+      - name: Setup SSH server for Actor
+        if: ${{ env.HAS_TAILSCALE_SECRET }}
+        uses: alexellis/setup-sshd-actor@master
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: satackey/action-docker-layer-caching@main
+        if: steps.changed-files.outputs.files == 'true'
+        continue-on-error: true
+      - name: Run Integration Test
+        uses: Wandalen/wretry.action@master
+        if: steps.changed-files.outputs.files == 'true'
+        env:
+          USE_POSTGRES: ${{ matrix.database == 'postgres' && '1' || '0' }}
+        with:
+          # Our integration tests are started like a thundering herd, often
+          # hitting limits of the various external repositories we depend on
+          # like docker hub. This will retry jobs every 5 min, 10 times,
+          # hopefully letting us avoid manual intervention and restarting jobs.
+          # One could of course argue that we should invest in trying to avoid
+          # this, but currently it seems like a larger investment to be cleverer
+          # about this.
+          # Some of the jobs might still require manual restart as they are really
+          # slow and this will cause them to eventually be killed by Github actions.
+          attempt_delay: 300000 # 5 min
+          attempt_limit: 10
+          command: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              --env HEADSCALE_INTEGRATION_POSTGRES=${{env.USE_POSTGRES}} \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^${{ matrix.test }}$"
+      - uses: actions/upload-artifact@v4
+        if: always() && steps.changed-files.outputs.files == 'true'
+        with:
+          name: ${{ matrix.test }}-${{matrix.database}}-logs
+          path: "control_logs/*.log"
+      - uses: actions/upload-artifact@v4
+        if: always() && steps.changed-files.outputs.files == 'true'
+        with:
+          name: ${{ matrix.test }}-${{matrix.database}}-pprof
+          path: "control_logs/*.pprof.tar"
+      - name: Setup a blocking tmux session
+        if: ${{ env.HAS_TAILSCALE_SECRET }}
+        uses: alexellis/block-with-tmux-action@master

.github/workflows/test-integration.yml

@@ -1,23 +0,0 @@
-name: CI
-
-on: [pull_request]
-
-jobs:
-  # The "build" workflow
-  integration-test:
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
-    steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-
-      # Setup Go
-      - name: Setup Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: "1.17.3"
-
-      - name: Run Integration tests
-        run: go test -tags integration -timeout 30m

.github/workflows/test.yml

@@ -1,33 +1,43 @@
-name: CI
+name: Tests
 
 on: [push, pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
-  # The "build" workflow
   test:
-    # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-
-      # Setup Go
-      - name: Setup Go
-        uses: actions/setup-go@v2
+      - uses: actions/checkout@v4
         with:
-          go-version: "1.17.3" # The Go version to download (if necessary) and use.
+          fetch-depth: 2
 
-      # Install all the dependencies
-      - name: Install dependencies
-        run: |
-          go version
-          sudo apt update
-          sudo apt install -y make
+      - name: Get changed files
+        id: changed-files
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - 'integration_test/'
+              - 'config-example.yaml'
+
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+        if: steps.changed-files.outputs.files == 'true'
 
       - name: Run tests
-        run: make test
-
-      - name: Run build
-        run: make
+        if: steps.changed-files.outputs.files == 'true'
+        env:
+          # As of 2025-01-06, these env vars was not automatically
+          # set anymore which breaks the initdb for postgres on
+          # some of the database migration tests.
+          LC_ALL: "en_US.UTF-8"
+          LC_CTYPE: "en_US.UTF-8"
+        run: nix develop --command -- gotestsum

.github/workflows/update-flake.yml

@@ -0,0 +1,19 @@
+name: update-flake-lock
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: "0 0 * * 0" # runs weekly on Sunday at 00:00
+
+jobs:
+  lockfile:
+    if: github.repository == 'juanfont/headscale'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@main
+        with:
+          pr-title: "Update flake.lock"

.gitignore

@@ -1,3 +1,7 @@
+ignored/
+tailscale/
+.vscode/
+
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -12,11 +16,15 @@
 *.out
 
 # Dependency directories (remove the comment below to include it)
-# vendor/
+vendor/
 
+dist/
 /headscale
 config.json
 config.yaml
+config*.yaml
+derp.yaml
+*.hujson
 *.key
 /db.sqlite
 *.sqlite3
@@ -24,4 +32,17 @@ config.yaml
 # Exclude Jetbrains Editors
 .idea
 
-test_output/ 
+test_output/
+control_logs/
+
+# Nix build output
+result
+.direnv/
+
+integration_test/etc/config.dump.yaml
+
+# MkDocs
+.cache
+/site
+
+__debug_bin

.golangci.yaml

@@ -1,56 +1,79 @@
 ---
-run:
-  timeout: 10m
-
-issues:
-  skip-dirs:
-    - gen
+version: "2"
 linters:
-  enable-all: true
+  default: all
   disable:
-    - exhaustivestruct
-    - revive
-    - lll
-    - interfacer
-    - scopelint
-    - maligned
-    - golint
-    - gofmt
+    - cyclop
+    - depguard
+    - dupl
+    - exhaustruct
+    - funlen
     - gochecknoglobals
     - gochecknoinits
     - gocognit
-    - funlen
-    - exhaustivestruct
-    - tagliatelle
     - godox
+    - interfacebloat
     - ireturn
-
-    # We should strive to enable these:
-    - wrapcheck
-    - dupl
+    - lll
+    - maintidx
     - makezero
-
-    # We might want to enable this, but it might be a lot of work
-    - cyclop
+    - musttag
     - nestif
-    - wsl # might be incompatible with gofumpt
-    - testpackage
+    - nolintlint
     - paralleltest
+    - revive
+    - tagliatelle
+    - testpackage
+    - wrapcheck
+    - wsl
+  settings:
+    gocritic:
+      disabled-checks:
+        - appendAssign
+        - ifElseChain
+    nlreturn:
+      block-size: 4
+    varnamelen:
+      ignore-names:
+        - err
+        - db
+        - id
+        - ip
+        - ok
+        - c
+        - tt
+        - tx
+        - rx
+        - sb
+        - wg
+        - pr
+        - p
+        - p2
+      ignore-type-assert-ok: true
+      ignore-map-index-ok: true
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+      - gen
 
-linters-settings:
-  varnamelen:
-    ignore-type-assert-ok: true
-    ignore-map-index-ok: true
-    ignore-names:
-      - err
-      - db
-      - id
-      - ip
-      - ok
-      - c
-
-  gocritic:
-    disabled-checks:
-      - appendAssign
-      # TODO(kradalby): Remove this
-      - ifElseChain
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - gofumpt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+      - gen

.goreleaser.yml

@@ -1,90 +1,153 @@
-# This is an example .goreleaser.yml file with some sane defaults.
-# Make sure to check the documentation at http://goreleaser.com
+---
+version: 2
 before:
   hooks:
-    - go mod tidy
+    - go mod tidy -compat=1.24
+    - go mod vendor
 
 release:
   prerelease: auto
 
 builds:
-  - id: darwin-amd64
-    main: ./cmd/headscale/headscale.go
+  - id: headscale
+    main: ./cmd/headscale
     mod_timestamp: "{{ .CommitTimestamp }}"
-    goos:
-      - darwin
-    goarch:
-      - amd64
     env:
-      - PKG_CONFIG_SYSROOT_DIR=/sysroot/macos/amd64
-      - PKG_CONFIG_PATH=/sysroot/macos/amd64/usr/local/lib/pkgconfig
-      - CC=o64-clang
-      - CXX=o64-clang++
+      - CGO_ENABLED=0
+    targets:
+      - darwin_amd64
+      - darwin_arm64
+      - freebsd_amd64
+      - linux_386
+      - linux_amd64
+      - linux_arm64
+      - linux_arm_5
+      - linux_arm_6
+      - linux_arm_7
     flags:
       - -mod=readonly
     ldflags:
-      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
-
-  - id: linux-armhf
-    main: ./cmd/headscale/headscale.go
-    mod_timestamp: "{{ .CommitTimestamp }}"
-    goos:
-      - linux
-    goarch:
-      - arm
-    goarm:
-      - 7
-    env:
-      - CC=arm-linux-gnueabihf-gcc
-      - CXX=arm-linux-gnueabihf-g++
-      - CGO_FLAGS=--sysroot=/sysroot/linux/armhf
-      - CGO_LDFLAGS=--sysroot=/sysroot/linux/armhf
-      - PKG_CONFIG_SYSROOT_DIR=/sysroot/linux/armhf
-      - PKG_CONFIG_PATH=/sysroot/linux/armhf/opt/vc/lib/pkgconfig:/sysroot/linux/armhf/usr/lib/arm-linux-gnueabihf/pkgconfig:/sysroot/linux/armhf/usr/lib/pkgconfig:/sysroot/linux/armhf/usr/local/lib/pkgconfig
-    flags:
-      - -mod=readonly
-    ldflags:
-      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
-
-  - id: linux-amd64
-    env:
-      - CGO_ENABLED=1
-    goos:
-      - linux
-    goarch:
-      - amd64
-    main: ./cmd/headscale/headscale.go
-    mod_timestamp: "{{ .CommitTimestamp }}"
-    ldflags:
-      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
-
-  - id: linux-arm64
-    goos:
-      - linux
-    goarch:
-      - arm64
-    env:
-      - CGO_ENABLED=1
-      - CC=aarch64-linux-gnu-gcc
-    main: ./cmd/headscale/headscale.go
-    mod_timestamp: "{{ .CommitTimestamp }}"
-    ldflags:
-      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+      - -s -w
+      - -X github.com/juanfont/headscale/hscontrol/types.Version={{ .Version }}
+      - -X github.com/juanfont/headscale/hscontrol/types.GitCommitHash={{ .Commit }}
+    tags:
+      - ts2019
 
 archives:
   - id: golang-cross
-    builds:
-      - darwin-amd64
-      - linux-armhf
-      - linux-amd64
-      - linux-arm64
-    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
-    format: binary
+    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    formats:
+      - binary
+
+source:
+  enabled: true
+  name_template: "{{ .ProjectName }}_{{ .Version }}"
+  format: tar.gz
+  files:
+    - "vendor/"
+
+nfpms:
+  # Configure nFPM for .deb and .rpm releases
+  #
+  # See https://nfpm.goreleaser.com/configuration/
+  # and https://goreleaser.com/customization/nfpm/
+  #
+  # Useful tools for debugging .debs:
+  # List file contents: dpkg -c dist/headscale...deb
+  # Package metadata: dpkg --info dist/headscale....deb
+  #
+  - ids:
+      - headscale
+    package_name: headscale
+    priority: optional
+    vendor: headscale
+    maintainer: Kristoffer Dalby <kristoffer@dalby.cc>
+    homepage: https://github.com/juanfont/headscale
+    license: BSD
+    bindir: /usr/bin
+    formats:
+      - deb
+    contents:
+      - src: ./config-example.yaml
+        dst: /etc/headscale/config.yaml
+        type: config|noreplace
+        file_info:
+          mode: 0644
+      - src: ./docs/packaging/headscale.systemd.service
+        dst: /usr/lib/systemd/system/headscale.service
+      - dst: /var/lib/headscale
+        type: dir
+      - dst: /var/run/headscale
+        type: dir
+    scripts:
+      postinstall: ./docs/packaging/postinstall.sh
+      postremove: ./docs/packaging/postremove.sh
+
+kos:
+  - id: ghcr
+    repositories:
+      - ghcr.io/juanfont/headscale
+      - headscale/headscale
+
+    # bare tells KO to only use the repository
+    # for tagging and naming the container.
+    bare: true
+    base_image: gcr.io/distroless/base-debian12
+    build: headscale
+    main: ./cmd/headscale
+    env:
+      - CGO_ENABLED=0
+    platforms:
+      - linux/amd64
+      - linux/386
+      - linux/arm64
+      - linux/arm/v7
+    tags:
+      - "{{ if not .Prerelease }}latest{{ end }}"
+      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}.{{ .Patch }}{{ end }}"
+      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}{{ end }}"
+      - "{{ if not .Prerelease }}{{ .Major }}{{ end }}"
+      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}{{ end }}"
+      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}{{ end }}"
+      - "{{ if not .Prerelease }}v{{ .Major }}{{ end }}"
+      - "{{ if not .Prerelease }}stable{{ else }}unstable{{ end }}"
+      - "{{ .Tag }}"
+      - '{{ trimprefix .Tag "v" }}'
+      - "sha-{{ .ShortCommit }}"
+
+  - id: ghcr-debug
+    repositories:
+      - ghcr.io/juanfont/headscale
+      - headscale/headscale
+
+    bare: true
+    base_image: gcr.io/distroless/base-debian12:debug
+    build: headscale
+    main: ./cmd/headscale
+    env:
+      - CGO_ENABLED=0
+    platforms:
+      - linux/amd64
+      - linux/386
+      - linux/arm64
+      - linux/arm/v7
+    tags:
+      - "{{ if not .Prerelease }}latest-debug{{ end }}"
+      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
+      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}-debug{{ end }}"
+      - "{{ if not .Prerelease }}{{ .Major }}-debug{{ end }}"
+      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
+      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}-debug{{ end }}"
+      - "{{ if not .Prerelease }}v{{ .Major }}-debug{{ end }}"
+      - "{{ if not .Prerelease }}stable-debug{{ else }}unstable-debug{{ end }}"
+      - "{{ .Tag }}-debug"
+      - '{{ trimprefix .Tag "v" }}-debug'
+      - "sha-{{ .ShortCommit }}-debug"
 
 checksum:
   name_template: "checksums.txt"
 snapshot:
-  name_template: "{{ .Tag }}-next"
+  version_template: "{{ .Tag }}-next"
 changelog:
   sort: asc
   filters:

.prettierignore

@@ -0,0 +1,4 @@
+.github/workflows/test-integration-v2*
+docs/about/features.md
+docs/ref/configuration.md
+docs/ref/remote-cli.md

CODE_OF_CONDUCT.md

@@ -0,0 +1,134 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation
+in our community a harassment-free experience for everyone, regardless
+of age, body size, visible or invisible disability, ethnicity, sex
+characteristics, gender identity and expression, level of experience,
+education, socio-economic status, nationality, personal appearance,
+race, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open,
+welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for
+our community include:
+
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our
+  mistakes, and learning from the experience
+- Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+- The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+- Trolling, insulting or derogatory comments, and personal or
+  political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in
+  a professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our
+standards of acceptable behavior and will take appropriate and fair
+corrective action in response to any behavior that they deem
+inappropriate, threatening, offensive, or harmful.
+
+Community leaders have the right and responsibility to remove, edit,
+or reject comments, commits, code, wiki edits, issues, and other
+contributions that are not aligned to this Code of Conduct, and will
+communicate reasons for moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also
+applies when an individual is officially representing the community in
+public spaces. Examples of representing our community include using an
+official e-mail address, posting via an official social media account,
+or acting as an appointed representative at an online or offline
+event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior
+may be reported to the community leaders responsible for enforcement
+on our [Discord server](https://discord.gg/c84AZQhmpx). All complaints
+will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and
+security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in
+determining the consequences for any action they deem in violation of
+this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior
+deemed unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders,
+providing clarity around the nature of the violation and an
+explanation of why the behavior was inappropriate. A public apology
+may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued
+behavior. No interaction with the people involved, including
+unsolicited interaction with those enforcing the Code of Conduct, for
+a specified period of time. This includes avoiding interactions in
+community spaces as well as external channels like social
+media. Violating these terms may lead to a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards,
+including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or
+public communication with the community for a specified period of
+time. No public or private interaction with the people involved,
+including unsolicited interaction with those enforcing the Code of
+Conduct, is allowed during this period. Violating these terms may lead
+to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of
+community standards, including sustained inappropriate behavior,
+harassment of an individual, or aggression toward or disparagement of
+classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction
+within the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor
+Covenant][homepage], version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of
+conduct enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the
+FAQ at https://www.contributor-covenant.org/faq. Translations are
+available at https://www.contributor-covenant.org/translations.

CONTRIBUTING.md

@@ -0,0 +1,34 @@
+# Contributing
+
+Headscale is "Open Source, acknowledged contribution", this means that any contribution will have to be discussed with the maintainers before being added to the project.
+This model has been chosen to reduce the risk of burnout by limiting the maintenance overhead of reviewing and validating third-party code.
+
+## Why do we have this model?
+
+Headscale has a small maintainer team that tries to balance working on the project, fixing bugs and reviewing contributions.
+
+When we work on issues ourselves, we develop first hand knowledge of the code and it makes it possible for us to maintain and own the code as the project develops.
+
+Code contributions are seen as a positive thing. People enjoy and engage with our project, but it also comes with some challenges; we have to understand the code, we have to understand the feature, we might have to become familiar with external libraries or services and we think about security implications. All those steps are required during the reviewing process. After the code has been merged, the feature has to be maintained. Any changes reliant on external services must be updated and expanded accordingly.
+
+The review and day-1 maintenance adds a significant burden on the maintainers. Often we hope that the contributor will help out, but we found that most of the time, they disappear after their new feature was added.
+
+This means that when someone contributes, we are mostly happy about it, but we do have to run it through a series of checks to establish if we actually can maintain this feature.
+
+## What do we require?
+
+A general description is provided here and an explicit list is provided in our pull request template.
+
+All new features have to start out with a design document, which should be discussed on the issue tracker (not discord). It should include a use case for the feature, how it can be implemented, who will implement it and a plan for maintaining it.
+
+All features have to be end-to-end tested (integration tests) and have good unit test coverage to ensure that they work as expected. This will also ensure that the feature continues to work as expected over time. If a change cannot be tested, a strong case for why this is not possible needs to be presented.
+
+The contributor should help to maintain the feature over time. In case the feature is not maintained probably, the maintainers reserve themselves the right to remove features they redeem as unmaintainable. This should help to improve the quality of the software and keep it in a maintainable state.
+
+## Bug fixes
+
+Headscale is open to code contributions for bug fixes without discussion.
+
+## Documentation
+
+If you find mistakes in the documentation, please submit a fix to the documentation.

Dockerfile

@@ -1,21 +0,0 @@
-# Builder image
-FROM golang:1.17.1-bullseye AS build
-ENV GOPATH /go
-WORKDIR /go/src/headscale
-
-COPY go.mod go.sum /go/src/headscale/
-RUN go mod download
-
-COPY . .
-
-RUN go install -a -ldflags="-extldflags=-static" -tags netgo,sqlite_omit_load_extension ./cmd/headscale
-RUN test -e /go/bin/headscale
-
-# Production image
-FROM gcr.io/distroless/base-debian11
-
-COPY --from=build /go/bin/headscale /bin/headscale
-ENV TZ UTC
-
-EXPOSE 8080/tcp
-CMD ["headscale"]

Dockerfile.debug

@@ -1,23 +0,0 @@
-# Builder image
-FROM golang:1.17.1-bullseye AS build
-ENV GOPATH /go
-WORKDIR /go/src/headscale
-
-COPY go.mod go.sum /go/src/headscale/
-RUN go mod download
-
-COPY . .
-
-RUN go install -a -ldflags="-extldflags=-static" -tags netgo,sqlite_omit_load_extension ./cmd/headscale
-RUN test -e /go/bin/headscale
-
-# Debug image
-FROM gcr.io/distroless/base-debian11:debug
-
-COPY --from=build /go/bin/headscale /bin/headscale
-ENV TZ UTC
-
-# Need to reset the entrypoint or everything will run as a busybox script
-ENTRYPOINT []
-EXPOSE 8080/tcp
-CMD ["headscale"]

Dockerfile.derper

@@ -0,0 +1,19 @@
+# For testing purposes only
+
+FROM golang:alpine AS build-env
+
+WORKDIR /go/src
+
+RUN apk add --no-cache git
+ARG VERSION_BRANCH=main
+RUN git clone https://github.com/tailscale/tailscale.git --branch=$VERSION_BRANCH --depth=1
+WORKDIR /go/src/tailscale
+
+ARG TARGETARCH
+RUN GOARCH=$TARGETARCH go install -v ./cmd/derper
+
+FROM alpine:3.18
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables curl
+
+COPY --from=build-env /go/bin/* /usr/local/bin/
+ENTRYPOINT [ "/usr/local/bin/derper" ]

Dockerfile.integration

@@ -0,0 +1,26 @@
+# This Dockerfile and the images produced are for testing headscale,
+# and are in no way endorsed by Headscale's maintainers as an
+# official nor supported release or distribution.
+
+FROM docker.io/golang:1.24-bookworm
+ARG VERSION=dev
+ENV GOPATH /go
+WORKDIR /go/src/headscale
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends --yes less jq sqlite3 dnsutils \
+  && rm -rf /var/lib/apt/lists/* \
+  && apt-get clean
+RUN mkdir -p /var/run/headscale
+
+COPY go.mod go.sum /go/src/headscale/
+RUN go mod download
+
+COPY . .
+
+RUN CGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale && test -e /go/bin/headscale
+
+# Need to reset the entrypoint or everything will run as a busybox script
+ENTRYPOINT []
+EXPOSE 8080/tcp
+CMD ["headscale"]

Dockerfile.tailscale

@@ -1,11 +0,0 @@
-FROM ubuntu:latest
-
-ARG TAILSCALE_VERSION
-
-RUN apt-get update \
-    && apt-get install -y gnupg curl \
-    && curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.gpg | apt-key add - \
-    && curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
-    && apt-get update \
-    && apt-get install -y tailscale=${TAILSCALE_VERSION} \
-    && rm -rf /var/lib/apt/lists/*

Dockerfile.tailscale-HEAD

@@ -0,0 +1,45 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+# This Dockerfile is more or less lifted from tailscale/tailscale
+# to ensure a similar build process when testing the HEAD of tailscale.
+
+FROM golang:1.24-alpine AS build-env
+
+WORKDIR /go/src
+
+RUN apk add --no-cache git
+
+# Replace `RUN git...` with `COPY` and a local checked out version of Tailscale in `./tailscale`
+# to test specific commits of the Tailscale client. This is useful when trying to find out why
+# something specific broke between two versions of Tailscale with for example `git bisect`.
+# COPY ./tailscale .
+RUN git clone https://github.com/tailscale/tailscale.git
+
+WORKDIR /go/src/tailscale
+
+
+# see build_docker.sh
+ARG VERSION_LONG=""
+ENV VERSION_LONG=$VERSION_LONG
+ARG VERSION_SHORT=""
+ENV VERSION_SHORT=$VERSION_SHORT
+ARG VERSION_GIT_HASH=""
+ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
+ARG TARGETARCH
+
+ARG BUILD_TAGS=""
+
+RUN GOARCH=$TARGETARCH go install -tags="${BUILD_TAGS}" -ldflags="\
+      -X tailscale.com/version.longStamp=$VERSION_LONG \
+      -X tailscale.com/version.shortStamp=$VERSION_SHORT \
+      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
+      -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot
+
+FROM alpine:3.18
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables curl
+
+COPY --from=build-env /go/bin/* /usr/local/bin/
+# For compat with the previous run.sh, although ideally you should be
+# using build_docker.sh which sets an entrypoint for the image.
+RUN mkdir /tailscale && ln -s /usr/local/bin/containerboot /tailscale/run.sh

Makefile

@@ -1,8 +1,15 @@
 # Calculate version
-version = $(shell ./scripts/version-at-commit.sh)
+version ?= $(shell git describe --always --tags --dirty)
 
 rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d))
 
+# Determine if OS supports pie
+GOOS ?= $(shell uname | tr '[:upper:]' '[:lower:]')
+ifeq ($(filter $(GOOS), openbsd netbsd soloaris plan9), )
+	pieflags = -buildmode=pie
+else
+endif
+
 # GO_SOURCES = $(wildcard *.go)
 # PROTO_SOURCES = $(wildcard **/*.proto)
 GO_SOURCES = $(call rwildcard,,*.go)
@@ -10,35 +17,44 @@ PROTO_SOURCES = $(call rwildcard,,*.proto)
 
 
 build:
-	go build -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go
+	nix build
 
 dev: lint test build
 
 test:
-	@go test -coverprofile=coverage.out ./...
+	gotestsum -- -short -race -coverprofile=coverage.out ./...
 
 test_integration:
-	go test -tags integration -timeout 30m ./...
-
-test_integration_cli:
-	go test -tags integration -v integration_cli_test.go integration_common_test.go
-
-coverprofile_func:
-	go tool cover -func=coverage.out
-
-coverprofile_html:
-	go tool cover -html=coverage.out
+	docker run \
+		-t --rm \
+		-v ~/.cache/hs-integration-go:/go \
+		--name headscale-test-suite \
+		-v $$PWD:$$PWD -w $$PWD/integration \
+		-v /var/run/docker.sock:/var/run/docker.sock \
+		-v $$PWD/control_logs:/tmp/control \
+		golang:1 \
+		go run gotest.tools/gotestsum@latest -- -race -failfast ./... -timeout 120m -parallel 8
 
 lint:
 	golangci-lint run --fix --timeout 10m
 
-fmt:
+fmt: fmt-go fmt-prettier fmt-proto
+
+fmt-prettier:
 	prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
-	golines --max-len=88 --base-formatter=gofumpt -w $(GO_SOURCES)
-	clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i $(PROTO_SOURCES)
+	prettier --write --print-width 80 --prose-wrap always CHANGELOG.md
+
+fmt-go:
+	# TODO(kradalby): Reeval if we want to use 88 in the future.
+	# golines --max-len=88 --base-formatter=gofumpt -w $(GO_SOURCES)
+	gofumpt -l -w .
+	golangci-lint run --fix
+
+fmt-proto:
+	clang-format -i $(PROTO_SOURCES)
 
 proto-lint:
-	cd proto/ && buf lint
+	cd proto/ && go run github.com/bufbuild/buf/cmd/buf lint
 
 compress: build
 	upx --brute headscale
@@ -46,10 +62,3 @@ compress: build
 generate:
 	rm -rf gen
 	buf generate proto
-
-install-protobuf-plugins:
-	go install \
-		github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway \
-		github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2 \
-		google.golang.org/protobuf/cmd/protoc-gen-go \
-		google.golang.org/grpc/cmd/protoc-gen-go-grpc

README.md

@@ -1,71 +1,98 @@
-# headscale
+![headscale logo](./docs/logo/headscale3_header_stacked_left.png)
 
 ![ci](https://github.com/juanfont/headscale/actions/workflows/test.yml/badge.svg)
 
-An open source, self-hosted implementation of the Tailscale coordination server.
+An open source, self-hosted implementation of the Tailscale control server.
 
-Join our [Discord](https://discord.gg/XcQxk2VHjx) server for a chat.
+Join our [Discord server](https://discord.gg/c84AZQhmpx) for a chat.
 
-**Note:** Always select the same GitHub tag as the released version you use to ensure you have the correct example configuration and documentation. The `main` branch might contain unreleased changes.
+**Note:** Always select the same GitHub tag as the released version you use
+to ensure you have the correct example configuration. The `main` branch might
+contain unreleased changes. The documentation is available for stable and
+development versions:
 
-## Overview
+* [Documentation for the stable version](https://headscale.net/stable/)
+* [Documentation for the development version](https://headscale.net/development/)
 
-Tailscale is [a modern VPN](https://tailscale.com/) built on top of [Wireguard](https://www.wireguard.com/). It [works like an overlay network](https://tailscale.com/blog/how-tailscale-works/) between the computers of your networks - using all kinds of [NAT traversal sorcery](https://tailscale.com/blog/how-nat-traversal-works/).
+## What is Tailscale
 
-Everything in Tailscale is Open Source, except the GUI clients for proprietary OS (Windows and macOS/iOS), and the 'coordination/control server'.
+Tailscale is [a modern VPN](https://tailscale.com/) built on top of
+[Wireguard](https://www.wireguard.com/).
+It [works like an overlay network](https://tailscale.com/blog/how-tailscale-works/)
+between the computers of your networks - using
+[NAT traversal](https://tailscale.com/blog/how-nat-traversal-works/).
 
-The control server works as an exchange point of Wireguard public keys for the nodes in the Tailscale network. It also assigns the IP addresses of the clients, creates the boundaries between each user, enables sharing machines between users, and exposes the advertised routes of your nodes.
+Everything in Tailscale is Open Source, except the GUI clients for proprietary OS
+(Windows and macOS/iOS), and the control server.
 
-headscale implements this coordination server.
+The control server works as an exchange point of Wireguard public keys for the
+nodes in the Tailscale network. It assigns the IP addresses of the clients,
+creates the boundaries between each user, enables sharing machines between users,
+and exposes the advertised routes of your nodes.
 
-## Status
+A [Tailscale network (tailnet)](https://tailscale.com/kb/1136/tailnet/) is private
+network which Tailscale assigns to a user in terms of private users or an
+organisation.
 
-- [x] Base functionality (nodes can communicate with each other)
-- [x] Node registration through the web flow
-- [x] Network changes are relayed to the nodes
-- [x] Namespaces support (~tailnets in Tailscale.com naming)
-- [x] Routing (advertise & accept, including exit nodes)
-- [x] Node registration via pre-auth keys (including reusable keys, and ephemeral node support)
-- [x] JSON-formatted output
-- [x] ACLs
-- [x] Taildrop (File Sharing)
-- [x] Support for alternative IP ranges in the tailnets (default Tailscale's 100.64.0.0/10)
-- [x] DNS (passing DNS servers to nodes)
-- [x] Single-Sign-On (via Open ID Connect)
-- [x] Share nodes between namespaces
-- [x] MagicDNS (see `docs/`)
+## Design goal
+
+Headscale aims to implement a self-hosted, open source alternative to the
+[Tailscale](https://tailscale.com/) control server. Headscale's goal is to
+provide self-hosters and hobbyists with an open-source server they can use for
+their projects and labs. It implements a narrow scope, a _single_ Tailscale
+network (tailnet), suitable for a personal use, or a small open-source
+organisation.
+
+## Supporting Headscale
+
+If you like `headscale` and find it useful, there is a sponsorship and donation
+buttons available in the repo.
+
+## Features
+
+Please see ["Features" in the documentation](https://headscale.net/stable/about/features/).
 
 ## Client OS support
 
-| OS      | Supports headscale                                                                                                |
-| ------- | ----------------------------------------------------------------------------------------------------------------- |
-| Linux   | Yes                                                                                                               |
-| OpenBSD | Yes                                                                                                               |
-| macOS   | Yes (see `/apple` on your headscale for more information)                                                         |
-| Windows | Yes                                                                                                               |
-| Android | [You need to compile the client yourself](https://github.com/juanfont/headscale/issues/58#issuecomment-885255270) |
-| iOS     | Not yet                                                                                                           |
-
-## Roadmap 🤷
-
-Suggestions/PRs welcomed!
+Please see ["Client and operating system support" in the documentation](https://headscale.net/stable/about/clients/).
 
 ## Running headscale
 
-Please have a look at the documentation under [`docs/`](docs/).
+**Please note that we do not support nor encourage the use of reverse proxies
+and container to run Headscale.**
+
+Please have a look at the [`documentation`](https://headscale.net/stable/).
+
+## Talks
+
+- Fosdem 2023 (video): [Headscale: How we are using integration testing to reimplement Tailscale](https://fosdem.org/2023/schedule/event/goheadscale/)
+  - presented by Juan Font Alonso and Kristoffer Dalby
 
 ## Disclaimer
 
-1. We have nothing to do with Tailscale, or Tailscale Inc.
-2. The purpose of writing this was to learn how Tailscale works.
+This project is not associated with Tailscale Inc.
+
+However, one of the active maintainers for Headscale [is employed by Tailscale](https://tailscale.com/blog/opensource) and he is allowed to spend work hours contributing to the project. Contributions from this maintainer are reviewed by other maintainers.
+
+The maintainers work together on setting the direction for the project. The underlying principle is to serve the community of self-hosters, enthusiasts and hobbyists - while having a sustainable project.
 
 ## Contributing
 
-To contribute to Headscale you would need the lastest version of [Go](https://golang.org) and [Buf](https://buf.build)(Protobuf generator).
+Please read the [CONTRIBUTING.md](./CONTRIBUTING.md) file.
+
+### Requirements
+
+To contribute to headscale you would need the latest version of [Go](https://golang.org)
+and [Buf](https://buf.build) (Protobuf generator).
+
+We recommend using [Nix](https://nixos.org/) to setup a development environment. This can
+be done with `nix develop`, which will install the tools and give you a shell.
+This guarantees that you will have the same dev env as `headscale` maintainers.
 
 ### Code style
 
-To ensure we have some consistency with a growing number of contributes, this project has adopted linting and style/formatting rules:
+To ensure we have some consistency with a growing number of contributions,
+this project has adopted linting and style/formatting rules:
 
 The **Go** code is linted with [`golangci-lint`](https://golangci-lint.run) and
 formatted with [`golines`](https://github.com/segmentio/golines) (width 88) and
@@ -76,7 +103,7 @@ run `make lint` and `make fmt` before committing any code.
 The **Proto** code is linted with [`buf`](https://docs.buf.build/lint/overview) and
 formatted with [`clang-format`](https://clang.llvm.org/docs/ClangFormat.html).
 
-The **rest** (markdown, yaml, etc) is formatted with [`prettier`](https://prettier.io).
+The **rest** (Markdown, YAML, etc) is formatted with [`prettier`](https://prettier.io).
 
 Check out the `.golangci.yaml` and `Makefile` to see the specific configuration.
 
@@ -84,15 +111,18 @@ Check out the `.golangci.yaml` and `Makefile` to see the specific configuration.
 
 - Go
 - Buf
-- Protobuf tools:
+- Protobuf tools
+
+Install and activate:
 
 ```shell
-make install-protobuf-plugins
+nix develop
 ```
 
 ### Testing and building
 
-Some parts of the project requires the generation of Go code from Protobuf (if changes is made in `proto/`) and it must be (re-)generated with:
+Some parts of the project require the generation of Go code from Protobuf
+(if changes are made in `proto/`) and it must be (re-)generated with:
 
 ```shell
 make generate
@@ -108,173 +138,20 @@ make test
 
 To build the program:
 
+```shell
+nix build
+```
+
+or
+
 ```shell
 make build
 ```
 
 ## Contributors
 
-<table>
-<tr>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/juanfont>
-            <img src=https://avatars.githubusercontent.com/u/181059?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Juan Font/>
-            <br />
-            <sub style="font-size:14px"><b>Juan Font</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/kradalby>
-            <img src=https://avatars.githubusercontent.com/u/98431?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Kristoffer Dalby/>
-            <br />
-            <sub style="font-size:14px"><b>Kristoffer Dalby</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/cure>
-            <img src=https://avatars.githubusercontent.com/u/149135?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ward Vandewege/>
-            <br />
-            <sub style="font-size:14px"><b>Ward Vandewege</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/ohdearaugustin>
-            <img src=https://avatars.githubusercontent.com/u/14001491?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ohdearaugustin/>
-            <br />
-            <sub style="font-size:14px"><b>ohdearaugustin</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/unreality>
-            <img src=https://avatars.githubusercontent.com/u/352522?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=unreality/>
-            <br />
-            <sub style="font-size:14px"><b>unreality</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/qbit>
-            <img src=https://avatars.githubusercontent.com/u/68368?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Aaron Bieber/>
-            <br />
-            <sub style="font-size:14px"><b>Aaron Bieber</b></sub>
-        </a>
-    </td>
-</tr>
-<tr>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/ptman>
-            <img src=https://avatars.githubusercontent.com/u/24669?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Paul Tötterman/>
-            <br />
-            <sub style="font-size:14px"><b>Paul Tötterman</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/cmars>
-            <img src=https://avatars.githubusercontent.com/u/23741?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Casey Marshall/>
-            <br />
-            <sub style="font-size:14px"><b>Casey Marshall</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/SilverBut>
-            <img src=https://avatars.githubusercontent.com/u/6560655?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Silver Bullet/>
-            <br />
-            <sub style="font-size:14px"><b>Silver Bullet</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/t56k>
-            <img src=https://avatars.githubusercontent.com/u/12165422?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=thomas/>
-            <br />
-            <sub style="font-size:14px"><b>thomas</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/awoimbee>
-            <img src=https://avatars.githubusercontent.com/u/22431493?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Arthur Woimbée/>
-            <br />
-            <sub style="font-size:14px"><b>Arthur Woimbée</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/fkr>
-            <img src=https://avatars.githubusercontent.com/u/51063?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Felix Kronlage-Dammers/>
-            <br />
-            <sub style="font-size:14px"><b>Felix Kronlage-Dammers</b></sub>
-        </a>
-    </td>
-</tr>
-<tr>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/felixonmars>
-            <img src=https://avatars.githubusercontent.com/u/1006477?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Felix Yan/>
-            <br />
-            <sub style="font-size:14px"><b>Felix Yan</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/shaananc>
-            <img src=https://avatars.githubusercontent.com/u/2287839?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Shaanan Cohney/>
-            <br />
-            <sub style="font-size:14px"><b>Shaanan Cohney</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/Teteros>
-            <img src=https://avatars.githubusercontent.com/u/5067989?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Teteros/>
-            <br />
-            <sub style="font-size:14px"><b>Teteros</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/gitter-badger>
-            <img src=https://avatars.githubusercontent.com/u/8518239?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=The Gitter Badger/>
-            <br />
-            <sub style="font-size:14px"><b>The Gitter Badger</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/tianon>
-            <img src=https://avatars.githubusercontent.com/u/161631?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tianon Gravi/>
-            <br />
-            <sub style="font-size:14px"><b>Tianon Gravi</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/woudsma>
-            <img src=https://avatars.githubusercontent.com/u/6162978?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tjerk Woudsma/>
-            <br />
-            <sub style="font-size:14px"><b>Tjerk Woudsma</b></sub>
-        </a>
-    </td>
-</tr>
-<tr>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/zekker6>
-            <img src=https://avatars.githubusercontent.com/u/1367798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zakhar Bessarab/>
-            <br />
-            <sub style="font-size:14px"><b>Zakhar Bessarab</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/derelm>
-            <img src=https://avatars.githubusercontent.com/u/465155?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=derelm/>
-            <br />
-            <sub style="font-size:14px"><b>derelm</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/ignoramous>
-            <img src=https://avatars.githubusercontent.com/u/852289?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ignoramous/>
-            <br />
-            <sub style="font-size:14px"><b>ignoramous</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/xpzouying>
-            <img src=https://avatars.githubusercontent.com/u/3946563?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=zy/>
-            <br />
-            <sub style="font-size:14px"><b>zy</b></sub>
-        </a>
-    </td>
-</tr>
-</table>
+<a href="https://github.com/juanfont/headscale/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=juanfont/headscale" />
+</a>
+
+Made with [contrib.rocks](https://contrib.rocks).

acls.go

@@ -1,298 +0,0 @@
-package headscale
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"os"
-	"strconv"
-	"strings"
-
-	"github.com/rs/zerolog/log"
-	"github.com/tailscale/hujson"
-	"inet.af/netaddr"
-	"tailscale.com/tailcfg"
-)
-
-const (
-	errEmptyPolicy        = Error("empty policy")
-	errInvalidAction      = Error("invalid action")
-	errInvalidUserSection = Error("invalid user section")
-	errInvalidGroup       = Error("invalid group")
-	errInvalidTag         = Error("invalid tag")
-	errInvalidNamespace   = Error("invalid namespace")
-	errInvalidPortFormat  = Error("invalid port format")
-)
-
-const (
-	Base10             = 10
-	BitSize16          = 16
-	portRangeBegin     = 0
-	portRangeEnd       = 65535
-	expectedTokenItems = 2
-)
-
-// LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.
-func (h *Headscale) LoadACLPolicy(path string) error {
-	policyFile, err := os.Open(path)
-	if err != nil {
-		return err
-	}
-	defer policyFile.Close()
-
-	var policy ACLPolicy
-	policyBytes, err := io.ReadAll(policyFile)
-	if err != nil {
-		return err
-	}
-
-	ast, err := hujson.Parse(policyBytes)
-	if err != nil {
-		return err
-	}
-	ast.Standardize()
-	policyBytes = ast.Pack()
-	err = json.Unmarshal(policyBytes, &policy)
-	if err != nil {
-		return err
-	}
-	if policy.IsZero() {
-		return errEmptyPolicy
-	}
-
-	h.aclPolicy = &policy
-	rules, err := h.generateACLRules()
-	if err != nil {
-		return err
-	}
-	h.aclRules = rules
-
-	return nil
-}
-
-func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
-	rules := []tailcfg.FilterRule{}
-
-	for index, acl := range h.aclPolicy.ACLs {
-		if acl.Action != "accept" {
-			return nil, errInvalidAction
-		}
-
-		filterRule := tailcfg.FilterRule{}
-
-		srcIPs := []string{}
-		for innerIndex, user := range acl.Users {
-			srcs, err := h.generateACLPolicySrcIP(user)
-			if err != nil {
-				log.Error().
-					Msgf("Error parsing ACL %d, User %d", index, innerIndex)
-
-				return nil, err
-			}
-			srcIPs = append(srcIPs, srcs...)
-		}
-		filterRule.SrcIPs = srcIPs
-
-		destPorts := []tailcfg.NetPortRange{}
-		for innerIndex, ports := range acl.Ports {
-			dests, err := h.generateACLPolicyDestPorts(ports)
-			if err != nil {
-				log.Error().
-					Msgf("Error parsing ACL %d, Port %d", index, innerIndex)
-
-				return nil, err
-			}
-			destPorts = append(destPorts, dests...)
-		}
-
-		rules = append(rules, tailcfg.FilterRule{
-			SrcIPs:   srcIPs,
-			DstPorts: destPorts,
-		})
-	}
-
-	return rules, nil
-}
-
-func (h *Headscale) generateACLPolicySrcIP(u string) ([]string, error) {
-	return h.expandAlias(u)
-}
-
-func (h *Headscale) generateACLPolicyDestPorts(
-	d string,
-) ([]tailcfg.NetPortRange, error) {
-	tokens := strings.Split(d, ":")
-	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
-		return nil, errInvalidPortFormat
-	}
-
-	var alias string
-	// We can have here stuff like:
-	// git-server:*
-	// 192.168.1.0/24:22
-	// tag:montreal-webserver:80,443
-	// tag:api-server:443
-	// example-host-1:*
-	if len(tokens) == expectedTokenItems {
-		alias = tokens[0]
-	} else {
-		alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
-	}
-
-	expanded, err := h.expandAlias(alias)
-	if err != nil {
-		return nil, err
-	}
-	ports, err := h.expandPorts(tokens[len(tokens)-1])
-	if err != nil {
-		return nil, err
-	}
-
-	dests := []tailcfg.NetPortRange{}
-	for _, d := range expanded {
-		for _, p := range *ports {
-			pr := tailcfg.NetPortRange{
-				IP:    d,
-				Ports: p,
-			}
-			dests = append(dests, pr)
-		}
-	}
-
-	return dests, nil
-}
-
-func (h *Headscale) expandAlias(alias string) ([]string, error) {
-	if alias == "*" {
-		return []string{"*"}, nil
-	}
-
-	if strings.HasPrefix(alias, "group:") {
-		if _, ok := h.aclPolicy.Groups[alias]; !ok {
-			return nil, errInvalidGroup
-		}
-		ips := []string{}
-		for _, n := range h.aclPolicy.Groups[alias] {
-			nodes, err := h.ListMachinesInNamespace(n)
-			if err != nil {
-				return nil, errInvalidNamespace
-			}
-			for _, node := range nodes {
-				ips = append(ips, node.IPAddress)
-			}
-		}
-
-		return ips, nil
-	}
-
-	if strings.HasPrefix(alias, "tag:") {
-		if _, ok := h.aclPolicy.TagOwners[alias]; !ok {
-			return nil, errInvalidTag
-		}
-
-		// This will have HORRIBLE performance.
-		// We need to change the data model to better store tags
-		machines := []Machine{}
-		if err := h.db.Where("registered").Find(&machines).Error; err != nil {
-			return nil, err
-		}
-		ips := []string{}
-		for _, machine := range machines {
-			hostinfo := tailcfg.Hostinfo{}
-			if len(machine.HostInfo) != 0 {
-				hi, err := machine.HostInfo.MarshalJSON()
-				if err != nil {
-					return nil, err
-				}
-				err = json.Unmarshal(hi, &hostinfo)
-				if err != nil {
-					return nil, err
-				}
-
-				// FIXME: Check TagOwners allows this
-				for _, t := range hostinfo.RequestTags {
-					if alias[4:] == t {
-						ips = append(ips, machine.IPAddress)
-
-						break
-					}
-				}
-			}
-		}
-
-		return ips, nil
-	}
-
-	n, err := h.GetNamespace(alias)
-	if err == nil {
-		nodes, err := h.ListMachinesInNamespace(n.Name)
-		if err != nil {
-			return nil, err
-		}
-		ips := []string{}
-		for _, n := range nodes {
-			ips = append(ips, n.IPAddress)
-		}
-
-		return ips, nil
-	}
-
-	if h, ok := h.aclPolicy.Hosts[alias]; ok {
-		return []string{h.String()}, nil
-	}
-
-	ip, err := netaddr.ParseIP(alias)
-	if err == nil {
-		return []string{ip.String()}, nil
-	}
-
-	cidr, err := netaddr.ParseIPPrefix(alias)
-	if err == nil {
-		return []string{cidr.String()}, nil
-	}
-
-	return nil, errInvalidUserSection
-}
-
-func (h *Headscale) expandPorts(portsStr string) (*[]tailcfg.PortRange, error) {
-	if portsStr == "*" {
-		return &[]tailcfg.PortRange{
-			{First: portRangeBegin, Last: portRangeEnd},
-		}, nil
-	}
-
-	ports := []tailcfg.PortRange{}
-	for _, portStr := range strings.Split(portsStr, ",") {
-		rang := strings.Split(portStr, "-")
-		switch len(rang) {
-		case 1:
-			port, err := strconv.ParseUint(rang[0], Base10, BitSize16)
-			if err != nil {
-				return nil, err
-			}
-			ports = append(ports, tailcfg.PortRange{
-				First: uint16(port),
-				Last:  uint16(port),
-			})
-
-		case expectedTokenItems:
-			start, err := strconv.ParseUint(rang[0], Base10, BitSize16)
-			if err != nil {
-				return nil, err
-			}
-			last, err := strconv.ParseUint(rang[1], Base10, BitSize16)
-			if err != nil {
-				return nil, err
-			}
-			ports = append(ports, tailcfg.PortRange{
-				First: uint16(start),
-				Last:  uint16(last),
-			})
-
-		default:
-			return nil, errInvalidPortFormat
-		}
-	}
-
-	return &ports, nil
-}

acls_test.go

@@ -1,165 +0,0 @@
-package headscale
-
-import (
-	"gopkg.in/check.v1"
-)
-
-func (s *Suite) TestWrongPath(c *check.C) {
-	err := app.LoadACLPolicy("asdfg")
-	c.Assert(err, check.NotNil)
-}
-
-func (s *Suite) TestBrokenHuJson(c *check.C) {
-	err := app.LoadACLPolicy("./tests/acls/broken.hujson")
-	c.Assert(err, check.NotNil)
-}
-
-func (s *Suite) TestInvalidPolicyHuson(c *check.C) {
-	err := app.LoadACLPolicy("./tests/acls/invalid.hujson")
-	c.Assert(err, check.NotNil)
-	c.Assert(err, check.Equals, errEmptyPolicy)
-}
-
-func (s *Suite) TestParseHosts(c *check.C) {
-	var hosts Hosts
-	err := hosts.UnmarshalJSON(
-		[]byte(
-			`{"example-host-1": "100.100.100.100","example-host-2": "100.100.101.100/24"}`,
-		),
-	)
-	c.Assert(hosts, check.NotNil)
-	c.Assert(err, check.IsNil)
-}
-
-func (s *Suite) TestParseInvalidCIDR(c *check.C) {
-	var hosts Hosts
-	err := hosts.UnmarshalJSON([]byte(`{"example-host-1": "100.100.100.100/42"}`))
-	c.Assert(hosts, check.IsNil)
-	c.Assert(err, check.NotNil)
-}
-
-func (s *Suite) TestRuleInvalidGeneration(c *check.C) {
-	err := app.LoadACLPolicy("./tests/acls/acl_policy_invalid.hujson")
-	c.Assert(err, check.NotNil)
-}
-
-func (s *Suite) TestBasicRule(c *check.C) {
-	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_1.hujson")
-	c.Assert(err, check.IsNil)
-
-	rules, err := app.generateACLRules()
-	c.Assert(err, check.IsNil)
-	c.Assert(rules, check.NotNil)
-}
-
-func (s *Suite) TestPortRange(c *check.C) {
-	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_range.hujson")
-	c.Assert(err, check.IsNil)
-
-	rules, err := app.generateACLRules()
-	c.Assert(err, check.IsNil)
-	c.Assert(rules, check.NotNil)
-
-	c.Assert(rules, check.HasLen, 1)
-	c.Assert((rules)[0].DstPorts, check.HasLen, 1)
-	c.Assert((rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(5400))
-	c.Assert((rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(5500))
-}
-
-func (s *Suite) TestPortWildcard(c *check.C) {
-	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
-	c.Assert(err, check.IsNil)
-
-	rules, err := app.generateACLRules()
-	c.Assert(err, check.IsNil)
-	c.Assert(rules, check.NotNil)
-
-	c.Assert(rules, check.HasLen, 1)
-	c.Assert((rules)[0].DstPorts, check.HasLen, 1)
-	c.Assert((rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
-	c.Assert((rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
-	c.Assert((rules)[0].SrcIPs, check.HasLen, 1)
-	c.Assert((rules)[0].SrcIPs[0], check.Equals, "*")
-}
-
-func (s *Suite) TestPortNamespace(c *check.C) {
-	namespace, err := app.CreateNamespace("testnamespace")
-	c.Assert(err, check.IsNil)
-
-	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
-	c.Assert(err, check.IsNil)
-
-	_, err = app.GetMachine("testnamespace", "testmachine")
-	c.Assert(err, check.NotNil)
-	ip, _ := app.getAvailableIP()
-	machine := Machine{
-		ID:             0,
-		MachineKey:     "foo",
-		NodeKey:        "bar",
-		DiscoKey:       "faa",
-		Name:           "testmachine",
-		NamespaceID:    namespace.ID,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddress:      ip.String(),
-		AuthKeyID:      uint(pak.ID),
-	}
-	app.db.Save(&machine)
-
-	err = app.LoadACLPolicy(
-		"./tests/acls/acl_policy_basic_namespace_as_user.hujson",
-	)
-	c.Assert(err, check.IsNil)
-
-	rules, err := app.generateACLRules()
-	c.Assert(err, check.IsNil)
-	c.Assert(rules, check.NotNil)
-
-	c.Assert(rules, check.HasLen, 1)
-	c.Assert((rules)[0].DstPorts, check.HasLen, 1)
-	c.Assert((rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
-	c.Assert((rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
-	c.Assert((rules)[0].SrcIPs, check.HasLen, 1)
-	c.Assert((rules)[0].SrcIPs[0], check.Not(check.Equals), "not an ip")
-	c.Assert((rules)[0].SrcIPs[0], check.Equals, ip.String())
-}
-
-func (s *Suite) TestPortGroup(c *check.C) {
-	namespace, err := app.CreateNamespace("testnamespace")
-	c.Assert(err, check.IsNil)
-
-	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
-	c.Assert(err, check.IsNil)
-
-	_, err = app.GetMachine("testnamespace", "testmachine")
-	c.Assert(err, check.NotNil)
-	ip, _ := app.getAvailableIP()
-	machine := Machine{
-		ID:             0,
-		MachineKey:     "foo",
-		NodeKey:        "bar",
-		DiscoKey:       "faa",
-		Name:           "testmachine",
-		NamespaceID:    namespace.ID,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddress:      ip.String(),
-		AuthKeyID:      uint(pak.ID),
-	}
-	app.db.Save(&machine)
-
-	err = app.LoadACLPolicy("./tests/acls/acl_policy_basic_groups.hujson")
-	c.Assert(err, check.IsNil)
-
-	rules, err := app.generateACLRules()
-	c.Assert(err, check.IsNil)
-	c.Assert(rules, check.NotNil)
-
-	c.Assert(rules, check.HasLen, 1)
-	c.Assert((rules)[0].DstPorts, check.HasLen, 1)
-	c.Assert((rules)[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
-	c.Assert((rules)[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
-	c.Assert((rules)[0].SrcIPs, check.HasLen, 1)
-	c.Assert((rules)[0].SrcIPs[0], check.Not(check.Equals), "not an ip")
-	c.Assert((rules)[0].SrcIPs[0], check.Equals, ip.String())
-}

acls_types.go

@@ -1,79 +0,0 @@
-package headscale
-
-import (
-	"encoding/json"
-	"strings"
-
-	"github.com/tailscale/hujson"
-	"inet.af/netaddr"
-)
-
-// ACLPolicy represents a Tailscale ACL Policy.
-type ACLPolicy struct {
-	Groups    Groups    `json:"Groups"`
-	Hosts     Hosts     `json:"Hosts"`
-	TagOwners TagOwners `json:"TagOwners"`
-	ACLs      []ACL     `json:"ACLs"`
-	Tests     []ACLTest `json:"Tests"`
-}
-
-// ACL is a basic rule for the ACL Policy.
-type ACL struct {
-	Action string   `json:"Action"`
-	Users  []string `json:"Users"`
-	Ports  []string `json:"Ports"`
-}
-
-// Groups references a series of alias in the ACL rules.
-type Groups map[string][]string
-
-// Hosts are alias for IP addresses or subnets.
-type Hosts map[string]netaddr.IPPrefix
-
-// TagOwners specify what users (namespaces?) are allow to use certain tags.
-type TagOwners map[string][]string
-
-// ACLTest is not implemented, but should be use to check if a certain rule is allowed.
-type ACLTest struct {
-	User  string   `json:"User"`
-	Allow []string `json:"Allow"`
-	Deny  []string `json:"Deny,omitempty"`
-}
-
-// UnmarshalJSON allows to parse the Hosts directly into netaddr objects.
-func (hosts *Hosts) UnmarshalJSON(data []byte) error {
-	newHosts := Hosts{}
-	hostIPPrefixMap := make(map[string]string)
-	ast, err := hujson.Parse(data)
-	if err != nil {
-		return err
-	}
-	ast.Standardize()
-	data = ast.Pack()
-	err = json.Unmarshal(data, &hostIPPrefixMap)
-	if err != nil {
-		return err
-	}
-	for host, prefixStr := range hostIPPrefixMap {
-		if !strings.Contains(prefixStr, "/") {
-			prefixStr += "/32"
-		}
-		prefix, err := netaddr.ParseIPPrefix(prefixStr)
-		if err != nil {
-			return err
-		}
-		newHosts[host] = prefix
-	}
-	*hosts = newHosts
-
-	return nil
-}
-
-// IsZero is perhaps a bit naive here.
-func (policy ACLPolicy) IsZero() bool {
-	if len(policy.Groups) == 0 && len(policy.Hosts) == 0 && len(policy.ACLs) == 0 {
-		return true
-	}
-
-	return false
-}

api.go

@@ -1,593 +0,0 @@
-package headscale
-
-import (
-	"encoding/binary"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-	"strings"
-	"time"
-
-	"github.com/gin-gonic/gin"
-	"github.com/klauspost/compress/zstd"
-	"github.com/rs/zerolog/log"
-	"gorm.io/gorm"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
-)
-
-const (
-	reservedResponseHeaderSize               = 4
-	RegisterMethodAuthKey                    = "authKey"
-	RegisterMethodOIDC                       = "oidc"
-	RegisterMethodCLI                        = "cli"
-	ErrRegisterMethodCLIDoesNotSupportExpire = Error(
-		"machines registered with CLI does not support expire",
-	)
-)
-
-// KeyHandler provides the Headscale pub key
-// Listens in /key.
-func (h *Headscale) KeyHandler(ctx *gin.Context) {
-	ctx.Data(
-		http.StatusOK,
-		"text/plain; charset=utf-8",
-		[]byte(MachinePublicKeyStripPrefix(h.privateKey.Public())),
-	)
-}
-
-// RegisterWebAPI shows a simple message in the browser to point to the CLI
-// Listens in /register.
-func (h *Headscale) RegisterWebAPI(ctx *gin.Context) {
-	machineKeyStr := ctx.Query("key")
-	if machineKeyStr == "" {
-		ctx.String(http.StatusBadRequest, "Wrong params")
-
-		return
-	}
-
-	ctx.Data(http.StatusOK, "text/html; charset=utf-8", []byte(fmt.Sprintf(`
-	<html>
-	<body>
-	<h1>headscale</h1>
-	<p>
-		Run the command below in the headscale server to add this machine to your network:
-	</p>
-
-	<p>
-		<code>
-			<b>headscale -n NAMESPACE nodes register --key %s</b>
-		</code>
-	</p>
-
-	</body>
-	</html>
-
-	`, machineKeyStr)))
-}
-
-// RegistrationHandler handles the actual registration process of a machine
-// Endpoint /machine/:id.
-func (h *Headscale) RegistrationHandler(ctx *gin.Context) {
-	body, _ := io.ReadAll(ctx.Request.Body)
-	machineKeyStr := ctx.Param("id")
-
-	var machineKey key.MachinePublic
-	err := machineKey.UnmarshalText([]byte(MachinePublicKeyEnsurePrefix(machineKeyStr)))
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot parse machine key")
-		machineRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
-		ctx.String(http.StatusInternalServerError, "Sad!")
-
-		return
-	}
-	req := tailcfg.RegisterRequest{}
-	err = decode(body, &req, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot decode message")
-		machineRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
-		ctx.String(http.StatusInternalServerError, "Very sad!")
-
-		return
-	}
-
-	now := time.Now().UTC()
-	machine, err := h.GetMachineByMachineKey(machineKey)
-	if errors.Is(err, gorm.ErrRecordNotFound) {
-		log.Info().Str("machine", req.Hostinfo.Hostname).Msg("New machine")
-		newMachine := Machine{
-			Expiry:     &time.Time{},
-			MachineKey: MachinePublicKeyStripPrefix(machineKey),
-			Name:       req.Hostinfo.Hostname,
-		}
-		if err := h.db.Create(&newMachine).Error; err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Could not create row")
-			machineRegistrations.WithLabelValues("unknown", "web", "error", machine.Namespace.Name).
-				Inc()
-
-			return
-		}
-		machine = &newMachine
-	}
-
-	if machine.Registered {
-		// If the NodeKey stored in headscale is the same as the key presented in a registration
-		// request, then we have a node that is either:
-		// - Trying to log out (sending a expiry in the past)
-		// - A valid, registered machine, looking for the node map
-		// - Expired machine wanting to reauthenticate
-		if machine.NodeKey == NodePublicKeyStripPrefix(req.NodeKey) {
-			// The client sends an Expiry in the past if the client is requesting to expire the key (aka logout)
-			//   https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L648
-			if !req.Expiry.IsZero() && req.Expiry.UTC().Before(now) {
-				h.handleMachineLogOut(ctx, machineKey, *machine)
-
-				return
-			}
-
-			// If machine is not expired, and is register, we have a already accepted this machine,
-			// let it proceed with a valid registration
-			if !machine.isExpired() {
-				h.handleMachineValidRegistration(ctx, machineKey, *machine)
-
-				return
-			}
-		}
-
-		// The NodeKey we have matches OldNodeKey, which means this is a refresh after a key expiration
-		if machine.NodeKey == NodePublicKeyStripPrefix(req.OldNodeKey) &&
-			!machine.isExpired() {
-			h.handleMachineRefreshKey(ctx, machineKey, req, *machine)
-
-			return
-		}
-
-		// The machine has expired
-		h.handleMachineExpired(ctx, machineKey, req, *machine)
-
-		return
-	}
-
-	// If the machine has AuthKey set, handle registration via PreAuthKeys
-	if req.Auth.AuthKey != "" {
-		h.handleAuthKey(ctx, machineKey, req, *machine)
-
-		return
-	}
-
-	h.handleMachineRegistrationNew(ctx, machineKey, req, *machine)
-}
-
-func (h *Headscale) getMapResponse(
-	machineKey key.MachinePublic,
-	req tailcfg.MapRequest,
-	machine *Machine,
-) ([]byte, error) {
-	log.Trace().
-		Str("func", "getMapResponse").
-		Str("machine", req.Hostinfo.Hostname).
-		Msg("Creating Map response")
-	node, err := machine.toNode(h.cfg.BaseDomain, h.cfg.DNSConfig, true)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "getMapResponse").
-			Err(err).
-			Msg("Cannot convert to node")
-
-		return nil, err
-	}
-
-	peers, err := h.getValidPeers(machine)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "getMapResponse").
-			Err(err).
-			Msg("Cannot fetch peers")
-
-		return nil, err
-	}
-
-	profiles := getMapResponseUserProfiles(*machine, peers)
-
-	nodePeers, err := peers.toNodes(h.cfg.BaseDomain, h.cfg.DNSConfig, true)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "getMapResponse").
-			Err(err).
-			Msg("Failed to convert peers to Tailscale nodes")
-
-		return nil, err
-	}
-
-	dnsConfig := getMapResponseDNSConfig(
-		h.cfg.DNSConfig,
-		h.cfg.BaseDomain,
-		*machine,
-		peers,
-	)
-
-	resp := tailcfg.MapResponse{
-		KeepAlive:    false,
-		Node:         node,
-		Peers:        nodePeers,
-		DNSConfig:    dnsConfig,
-		Domain:       h.cfg.BaseDomain,
-		PacketFilter: h.aclRules,
-		DERPMap:      h.DERPMap,
-		UserProfiles: profiles,
-	}
-
-	log.Trace().
-		Str("func", "getMapResponse").
-		Str("machine", req.Hostinfo.Hostname).
-		// Interface("payload", resp).
-		Msgf("Generated map response: %s", tailMapResponseToString(resp))
-
-	var respBody []byte
-	if req.Compress == "zstd" {
-		src, _ := json.Marshal(resp)
-
-		encoder, _ := zstd.NewWriter(nil)
-		srcCompressed := encoder.EncodeAll(src, nil)
-		respBody = h.privateKey.SealTo(machineKey, srcCompressed)
-	} else {
-		respBody, err = encode(resp, &machineKey, h.privateKey)
-		if err != nil {
-			return nil, err
-		}
-	}
-	// declare the incoming size on the first 4 bytes
-	data := make([]byte, reservedResponseHeaderSize)
-	binary.LittleEndian.PutUint32(data, uint32(len(respBody)))
-	data = append(data, respBody...)
-
-	return data, nil
-}
-
-func (h *Headscale) getMapKeepAliveResponse(
-	machineKey key.MachinePublic,
-	mapRequest tailcfg.MapRequest,
-) ([]byte, error) {
-	mapResponse := tailcfg.MapResponse{
-		KeepAlive: true,
-	}
-	var respBody []byte
-	var err error
-	if mapRequest.Compress == "zstd" {
-		src, _ := json.Marshal(mapResponse)
-		encoder, _ := zstd.NewWriter(nil)
-		srcCompressed := encoder.EncodeAll(src, nil)
-		respBody = h.privateKey.SealTo(machineKey, srcCompressed)
-	} else {
-		respBody, err = encode(mapResponse, &machineKey, h.privateKey)
-		if err != nil {
-			return nil, err
-		}
-	}
-	data := make([]byte, reservedResponseHeaderSize)
-	binary.LittleEndian.PutUint32(data, uint32(len(respBody)))
-	data = append(data, respBody...)
-
-	return data, nil
-}
-
-func (h *Headscale) handleMachineLogOut(
-	ctx *gin.Context,
-	machineKey key.MachinePublic,
-	machine Machine,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	log.Info().
-		Str("machine", machine.Name).
-		Msg("Client requested logout")
-
-	h.ExpireMachine(&machine)
-
-	resp.AuthURL = ""
-	resp.MachineAuthorized = false
-	resp.User = *machine.Namespace.toUser()
-	respBody, err := encode(resp, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		ctx.String(http.StatusInternalServerError, "")
-
-		return
-	}
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-}
-
-func (h *Headscale) handleMachineValidRegistration(
-	ctx *gin.Context,
-	machineKey key.MachinePublic,
-	machine Machine,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	// The machine registration is valid, respond with redirect to /map
-	log.Debug().
-		Str("machine", machine.Name).
-		Msg("Client is registered and we have the current NodeKey. All clear to /map")
-
-	resp.AuthURL = ""
-	resp.MachineAuthorized = true
-	resp.User = *machine.Namespace.toUser()
-	resp.Login = *machine.Namespace.toLogin()
-
-	respBody, err := encode(resp, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		machineRegistrations.WithLabelValues("update", "web", "error", machine.Namespace.Name).
-			Inc()
-		ctx.String(http.StatusInternalServerError, "")
-
-		return
-	}
-	machineRegistrations.WithLabelValues("update", "web", "success", machine.Namespace.Name).
-		Inc()
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-}
-
-func (h *Headscale) handleMachineExpired(
-	ctx *gin.Context,
-	machineKey key.MachinePublic,
-	registerRequest tailcfg.RegisterRequest,
-	machine Machine,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	// The client has registered before, but has expired
-	log.Debug().
-		Str("machine", machine.Name).
-		Msg("Machine registration has expired. Sending a authurl to register")
-
-	if registerRequest.Auth.AuthKey != "" {
-		h.handleAuthKey(ctx, machineKey, registerRequest, machine)
-
-		return
-	}
-
-	if h.cfg.OIDC.Issuer != "" {
-		resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s",
-			strings.TrimSuffix(h.cfg.ServerURL, "/"), machineKey.String())
-	} else {
-		resp.AuthURL = fmt.Sprintf("%s/register?key=%s",
-			strings.TrimSuffix(h.cfg.ServerURL, "/"), machineKey.String())
-	}
-
-	respBody, err := encode(resp, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		machineRegistrations.WithLabelValues("reauth", "web", "error", machine.Namespace.Name).
-			Inc()
-		ctx.String(http.StatusInternalServerError, "")
-
-		return
-	}
-	machineRegistrations.WithLabelValues("reauth", "web", "success", machine.Namespace.Name).
-		Inc()
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-}
-
-func (h *Headscale) handleMachineRefreshKey(
-	ctx *gin.Context,
-	machineKey key.MachinePublic,
-	registerRequest tailcfg.RegisterRequest,
-	machine Machine,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	log.Debug().
-		Str("machine", machine.Name).
-		Msg("We have the OldNodeKey in the database. This is a key refresh")
-	machine.NodeKey = NodePublicKeyStripPrefix(registerRequest.NodeKey)
-	h.db.Save(&machine)
-
-	resp.AuthURL = ""
-	resp.User = *machine.Namespace.toUser()
-	respBody, err := encode(resp, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		ctx.String(http.StatusInternalServerError, "Extremely sad!")
-
-		return
-	}
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-}
-
-func (h *Headscale) handleMachineRegistrationNew(
-	ctx *gin.Context,
-	machineKey key.MachinePublic,
-	registerRequest tailcfg.RegisterRequest,
-	machine Machine,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	// The machine registration is new, redirect the client to the registration URL
-	log.Debug().
-		Str("machine", machine.Name).
-		Msg("The node is sending us a new NodeKey, sending auth url")
-	if h.cfg.OIDC.Issuer != "" {
-		resp.AuthURL = fmt.Sprintf(
-			"%s/oidc/register/%s",
-			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			machineKey.String(),
-		)
-	} else {
-		resp.AuthURL = fmt.Sprintf("%s/register?key=%s",
-			strings.TrimSuffix(h.cfg.ServerURL, "/"), MachinePublicKeyStripPrefix(machineKey))
-	}
-
-	if !registerRequest.Expiry.IsZero() {
-		log.Trace().
-			Caller().
-			Str("machine", machine.Name).
-			Time("expiry", registerRequest.Expiry).
-			Msg("Non-zero expiry time requested, adding to cache")
-		h.requestedExpiryCache.Set(
-			machineKey.String(),
-			registerRequest.Expiry,
-			requestedExpiryCacheExpiration,
-		)
-	}
-
-	machine.NodeKey = NodePublicKeyStripPrefix(registerRequest.NodeKey)
-
-	// save the NodeKey
-	h.db.Save(&machine)
-
-	respBody, err := encode(resp, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		ctx.String(http.StatusInternalServerError, "")
-
-		return
-	}
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-}
-
-func (h *Headscale) handleAuthKey(
-	ctx *gin.Context,
-	machineKey key.MachinePublic,
-	registerRequest tailcfg.RegisterRequest,
-	machine Machine,
-) {
-	log.Debug().
-		Str("func", "handleAuthKey").
-		Str("machine", registerRequest.Hostinfo.Hostname).
-		Msgf("Processing auth key for %s", registerRequest.Hostinfo.Hostname)
-	resp := tailcfg.RegisterResponse{}
-	pak, err := h.checkKeyValidity(registerRequest.Auth.AuthKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "handleAuthKey").
-			Str("machine", machine.Name).
-			Err(err).
-			Msg("Failed authentication via AuthKey")
-		resp.MachineAuthorized = false
-		respBody, err := encode(resp, &machineKey, h.privateKey)
-		if err != nil {
-			log.Error().
-				Caller().
-				Str("func", "handleAuthKey").
-				Str("machine", machine.Name).
-				Err(err).
-				Msg("Cannot encode message")
-			ctx.String(http.StatusInternalServerError, "")
-			machineRegistrations.WithLabelValues("new", "authkey", "error", machine.Namespace.Name).
-				Inc()
-
-			return
-		}
-		ctx.Data(http.StatusUnauthorized, "application/json; charset=utf-8", respBody)
-		log.Error().
-			Caller().
-			Str("func", "handleAuthKey").
-			Str("machine", machine.Name).
-			Msg("Failed authentication via AuthKey")
-		machineRegistrations.WithLabelValues("new", "authkey", "error", machine.Namespace.Name).
-			Inc()
-
-		return
-	}
-
-	if machine.isRegistered() {
-		log.Trace().
-			Caller().
-			Str("machine", machine.Name).
-			Msg("machine already registered, reauthenticating")
-
-		h.RefreshMachine(&machine, registerRequest.Expiry)
-	} else {
-		log.Debug().
-			Str("func", "handleAuthKey").
-			Str("machine", machine.Name).
-			Msg("Authentication key was valid, proceeding to acquire an IP address")
-		ip, err := h.getAvailableIP()
-		if err != nil {
-			log.Error().
-				Caller().
-				Str("func", "handleAuthKey").
-				Str("machine", machine.Name).
-				Msg("Failed to find an available IP")
-			machineRegistrations.WithLabelValues("new", "authkey", "error", machine.Namespace.Name).
-				Inc()
-
-			return
-		}
-		log.Info().
-			Str("func", "handleAuthKey").
-			Str("machine", machine.Name).
-			Str("ip", ip.String()).
-			Msgf("Assigning %s to %s", ip, machine.Name)
-
-		machine.Expiry = &registerRequest.Expiry
-		machine.AuthKeyID = uint(pak.ID)
-		machine.IPAddress = ip.String()
-		machine.NamespaceID = pak.NamespaceID
-
-		machine.NodeKey = NodePublicKeyStripPrefix(registerRequest.NodeKey)
-		// we update it just in case
-		machine.Registered = true
-		machine.RegisterMethod = RegisterMethodAuthKey
-		h.db.Save(&machine)
-	}
-
-	pak.Used = true
-	h.db.Save(&pak)
-
-	resp.MachineAuthorized = true
-	resp.User = *pak.Namespace.toUser()
-	respBody, err := encode(resp, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "handleAuthKey").
-			Str("machine", machine.Name).
-			Err(err).
-			Msg("Cannot encode message")
-		machineRegistrations.WithLabelValues("new", "authkey", "error", machine.Namespace.Name).
-			Inc()
-		ctx.String(http.StatusInternalServerError, "Extremely sad!")
-
-		return
-	}
-	machineRegistrations.WithLabelValues("new", "authkey", "success", machine.Namespace.Name).
-		Inc()
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-	log.Info().
-		Str("func", "handleAuthKey").
-		Str("machine", machine.Name).
-		Str("ip", machine.IPAddress).
-		Msg("Successfully authenticated via AuthKey")
-}

app.go

@@ -1,741 +0,0 @@
-package headscale
-
-import (
-	"context"
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"os/signal"
-	"sort"
-	"strings"
-	"sync"
-	"syscall"
-	"time"
-
-	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/gin-gonic/gin"
-	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
-	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/patrickmn/go-cache"
-	zerolog "github.com/philip-bui/grpc-zerolog"
-	zl "github.com/rs/zerolog"
-	"github.com/rs/zerolog/log"
-	"github.com/soheilhy/cmux"
-	ginprometheus "github.com/zsais/go-gin-prometheus"
-	"golang.org/x/crypto/acme"
-	"golang.org/x/crypto/acme/autocert"
-	"golang.org/x/oauth2"
-	"golang.org/x/sync/errgroup"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/metadata"
-	"google.golang.org/grpc/peer"
-	"google.golang.org/grpc/reflection"
-	"google.golang.org/grpc/status"
-	"gorm.io/gorm"
-	"inet.af/netaddr"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/dnstype"
-	"tailscale.com/types/key"
-)
-
-const (
-	AuthPrefix         = "Bearer "
-	Postgres           = "postgres"
-	Sqlite             = "sqlite3"
-	updateInterval     = 5000
-	HTTPReadTimeout    = 30 * time.Second
-	privateKeyFileMode = 0o600
-
-	requestedExpiryCacheExpiration      = time.Minute * 5
-	requestedExpiryCacheCleanupInterval = time.Minute * 10
-
-	errUnsupportedDatabase                 = Error("unsupported DB")
-	errUnsupportedLetsEncryptChallengeType = Error(
-		"unknown value for Lets Encrypt challenge type",
-	)
-)
-
-// Config contains the initial Headscale configuration.
-type Config struct {
-	ServerURL                      string
-	Addr                           string
-	EphemeralNodeInactivityTimeout time.Duration
-	IPPrefix                       netaddr.IPPrefix
-	PrivateKeyPath                 string
-	BaseDomain                     string
-
-	DERP DERPConfig
-
-	DBtype string
-	DBpath string
-	DBhost string
-	DBport int
-	DBname string
-	DBuser string
-	DBpass string
-
-	TLSLetsEncryptListen        string
-	TLSLetsEncryptHostname      string
-	TLSLetsEncryptCacheDir      string
-	TLSLetsEncryptChallengeType string
-
-	TLSCertPath string
-	TLSKeyPath  string
-
-	ACMEURL   string
-	ACMEEmail string
-
-	DNSConfig *tailcfg.DNSConfig
-
-	UnixSocket string
-
-	OIDC OIDCConfig
-
-	CLI CLIConfig
-}
-
-type OIDCConfig struct {
-	Issuer       string
-	ClientID     string
-	ClientSecret string
-	MatchMap     map[string]string
-}
-
-type DERPConfig struct {
-	URLs            []url.URL
-	Paths           []string
-	AutoUpdate      bool
-	UpdateFrequency time.Duration
-}
-
-type CLIConfig struct {
-	Address  string
-	APIKey   string
-	Insecure bool
-	Timeout  time.Duration
-}
-
-// Headscale represents the base app of the service.
-type Headscale struct {
-	cfg        Config
-	db         *gorm.DB
-	dbString   string
-	dbType     string
-	dbDebug    bool
-	privateKey *key.MachinePrivate
-
-	DERPMap *tailcfg.DERPMap
-
-	aclPolicy *ACLPolicy
-	aclRules  []tailcfg.FilterRule
-
-	lastStateChange sync.Map
-
-	oidcProvider   *oidc.Provider
-	oauth2Config   *oauth2.Config
-	oidcStateCache *cache.Cache
-
-	requestedExpiryCache *cache.Cache
-}
-
-// NewHeadscale returns the Headscale app.
-func NewHeadscale(cfg Config) (*Headscale, error) {
-	privKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read or create private key: %w", err)
-	}
-
-	var dbString string
-	switch cfg.DBtype {
-	case Postgres:
-		dbString = fmt.Sprintf(
-			"host=%s port=%d dbname=%s user=%s password=%s sslmode=disable",
-			cfg.DBhost,
-			cfg.DBport,
-			cfg.DBname,
-			cfg.DBuser,
-			cfg.DBpass,
-		)
-	case Sqlite:
-		dbString = cfg.DBpath
-	default:
-		return nil, errUnsupportedDatabase
-	}
-
-	requestedExpiryCache := cache.New(
-		requestedExpiryCacheExpiration,
-		requestedExpiryCacheCleanupInterval,
-	)
-
-	app := Headscale{
-		cfg:                  cfg,
-		dbType:               cfg.DBtype,
-		dbString:             dbString,
-		privateKey:           privKey,
-		aclRules:             tailcfg.FilterAllowAll, // default allowall
-		requestedExpiryCache: requestedExpiryCache,
-	}
-
-	err = app.initDB()
-	if err != nil {
-		return nil, err
-	}
-
-	if cfg.OIDC.Issuer != "" {
-		err = app.initOIDC()
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	if app.cfg.DNSConfig != nil && app.cfg.DNSConfig.Proxied { // if MagicDNS
-		magicDNSDomains := generateMagicDNSRootDomains(
-			app.cfg.IPPrefix,
-		)
-		// we might have routes already from Split DNS
-		if app.cfg.DNSConfig.Routes == nil {
-			app.cfg.DNSConfig.Routes = make(map[string][]dnstype.Resolver)
-		}
-		for _, d := range magicDNSDomains {
-			app.cfg.DNSConfig.Routes[d.WithoutTrailingDot()] = nil
-		}
-	}
-
-	return &app, nil
-}
-
-// Redirect to our TLS url.
-func (h *Headscale) redirect(w http.ResponseWriter, req *http.Request) {
-	target := h.cfg.ServerURL + req.URL.RequestURI()
-	http.Redirect(w, req, target, http.StatusFound)
-}
-
-// expireEphemeralNodes deletes ephemeral machine records that have not been
-// seen for longer than h.cfg.EphemeralNodeInactivityTimeout.
-func (h *Headscale) expireEphemeralNodes(milliSeconds int64) {
-	ticker := time.NewTicker(time.Duration(milliSeconds) * time.Millisecond)
-	for range ticker.C {
-		h.expireEphemeralNodesWorker()
-	}
-}
-
-func (h *Headscale) expireEphemeralNodesWorker() {
-	namespaces, err := h.ListNamespaces()
-	if err != nil {
-		log.Error().Err(err).Msg("Error listing namespaces")
-
-		return
-	}
-
-	for _, namespace := range namespaces {
-		machines, err := h.ListMachinesInNamespace(namespace.Name)
-		if err != nil {
-			log.Error().
-				Err(err).
-				Str("namespace", namespace.Name).
-				Msg("Error listing machines in namespace")
-
-			return
-		}
-
-		for _, machine := range machines {
-			if machine.AuthKey != nil && machine.LastSeen != nil &&
-				machine.AuthKey.Ephemeral &&
-				time.Now().
-					After(machine.LastSeen.Add(h.cfg.EphemeralNodeInactivityTimeout)) {
-				log.Info().
-					Str("machine", machine.Name).
-					Msg("Ephemeral client removed from database")
-
-				err = h.db.Unscoped().Delete(machine).Error
-				if err != nil {
-					log.Error().
-						Err(err).
-						Str("machine", machine.Name).
-						Msg("🤮 Cannot delete ephemeral machine from the database")
-				}
-			}
-		}
-
-		h.setLastStateChangeToNow(namespace.Name)
-	}
-}
-
-// WatchForKVUpdates checks the KV DB table for requests to perform tailnet upgrades
-// This is a way to communitate the CLI with the headscale server.
-func (h *Headscale) watchForKVUpdates(milliSeconds int64) {
-	ticker := time.NewTicker(time.Duration(milliSeconds) * time.Millisecond)
-	for range ticker.C {
-		h.watchForKVUpdatesWorker()
-	}
-}
-
-func (h *Headscale) watchForKVUpdatesWorker() {
-	h.checkForNamespacesPendingUpdates()
-	// more functions will come here in the future
-}
-
-func (h *Headscale) grpcAuthenticationInterceptor(ctx context.Context,
-	req interface{},
-	info *grpc.UnaryServerInfo,
-	handler grpc.UnaryHandler) (interface{}, error) {
-	// Check if the request is coming from the on-server client.
-	// This is not secure, but it is to maintain maintainability
-	// with the "legacy" database-based client
-	// It is also neede for grpc-gateway to be able to connect to
-	// the server
-	client, _ := peer.FromContext(ctx)
-
-	log.Trace().
-		Caller().
-		Str("client_address", client.Addr.String()).
-		Msg("Client is trying to authenticate")
-
-	meta, ok := metadata.FromIncomingContext(ctx)
-	if !ok {
-		log.Error().
-			Caller().
-			Str("client_address", client.Addr.String()).
-			Msg("Retrieving metadata is failed")
-
-		return ctx, status.Errorf(
-			codes.InvalidArgument,
-			"Retrieving metadata is failed",
-		)
-	}
-
-	authHeader, ok := meta["authorization"]
-	if !ok {
-		log.Error().
-			Caller().
-			Str("client_address", client.Addr.String()).
-			Msg("Authorization token is not supplied")
-
-		return ctx, status.Errorf(
-			codes.Unauthenticated,
-			"Authorization token is not supplied",
-		)
-	}
-
-	token := authHeader[0]
-
-	if !strings.HasPrefix(token, AuthPrefix) {
-		log.Error().
-			Caller().
-			Str("client_address", client.Addr.String()).
-			Msg(`missing "Bearer " prefix in "Authorization" header`)
-
-		return ctx, status.Error(
-			codes.Unauthenticated,
-			`missing "Bearer " prefix in "Authorization" header`,
-		)
-	}
-
-	// TODO(kradalby): Implement API key backend:
-	// - Table in the DB
-	// - Key name
-	// - Encrypted
-	// - Expiry
-	//
-	// Currently all other than localhost traffic is unauthorized, this is intentional to allow
-	// us to make use of gRPC for our CLI, but not having to implement any of the remote capabilities
-	// and API key auth
-	return ctx, status.Error(
-		codes.Unauthenticated,
-		"Authentication is not implemented yet",
-	)
-
-	// if strings.TrimPrefix(token, AUTH_PREFIX) != a.Token {
-	// 	log.Error().Caller().Str("client_address", p.Addr.String()).Msg("invalid token")
-	// 	return ctx, status.Error(codes.Unauthenticated, "invalid token")
-	// }
-
-	// return handler(ctx, req)
-}
-
-func (h *Headscale) httpAuthenticationMiddleware(ctx *gin.Context) {
-	log.Trace().
-		Caller().
-		Str("client_address", ctx.ClientIP()).
-		Msg("HTTP authentication invoked")
-
-	authHeader := ctx.GetHeader("authorization")
-
-	if !strings.HasPrefix(authHeader, AuthPrefix) {
-		log.Error().
-			Caller().
-			Str("client_address", ctx.ClientIP()).
-			Msg(`missing "Bearer " prefix in "Authorization" header`)
-		ctx.AbortWithStatus(http.StatusUnauthorized)
-
-		return
-	}
-
-	ctx.AbortWithStatus(http.StatusUnauthorized)
-
-	// TODO(kradalby): Implement API key backend
-	// Currently all traffic is unauthorized, this is intentional to allow
-	// us to make use of gRPC for our CLI, but not having to implement any of the remote capabilities
-	// and API key auth
-	//
-	// if strings.TrimPrefix(authHeader, AUTH_PREFIX) != a.Token {
-	// 	log.Error().Caller().Str("client_address", c.ClientIP()).Msg("invalid token")
-	// 	c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error", "unauthorized"})
-
-	// 	return
-	// }
-
-	// c.Next()
-}
-
-// ensureUnixSocketIsAbsent will check if the given path for headscales unix socket is clear
-// and will remove it if it is not.
-func (h *Headscale) ensureUnixSocketIsAbsent() error {
-	// File does not exist, all fine
-	if _, err := os.Stat(h.cfg.UnixSocket); errors.Is(err, os.ErrNotExist) {
-		return nil
-	}
-
-	return os.Remove(h.cfg.UnixSocket)
-}
-
-// Serve launches a GIN server with the Headscale API.
-func (h *Headscale) Serve() error {
-	var err error
-
-	ctx := context.Background()
-	ctx, cancel := context.WithCancel(ctx)
-
-	defer cancel()
-
-	err = h.ensureUnixSocketIsAbsent()
-	if err != nil {
-		panic(err)
-	}
-
-	socketListener, err := net.Listen("unix", h.cfg.UnixSocket)
-	if err != nil {
-		panic(err)
-	}
-
-	// Handle common process-killing signals so we can gracefully shut down:
-	sigc := make(chan os.Signal, 1)
-	signal.Notify(sigc, os.Interrupt, syscall.SIGTERM)
-	go func(c chan os.Signal) {
-		// Wait for a SIGINT or SIGKILL:
-		sig := <-c
-		log.Printf("Caught signal %s: shutting down.", sig)
-		// Stop listening (and unlink the socket if unix type):
-		socketListener.Close()
-		// And we're done:
-		os.Exit(0)
-	}(sigc)
-
-	networkListener, err := net.Listen("tcp", h.cfg.Addr)
-	if err != nil {
-		panic(err)
-	}
-
-	// Create the cmux object that will multiplex 2 protocols on the same port.
-	// The two following listeners will be served on the same port below gracefully.
-	networkMutex := cmux.New(networkListener)
-	// Match gRPC requests here
-	grpcListener := networkMutex.MatchWithWriters(
-		cmux.HTTP2MatchHeaderFieldSendSettings("content-type", "application/grpc"),
-		cmux.HTTP2MatchHeaderFieldSendSettings(
-			"content-type",
-			"application/grpc+proto",
-		),
-	)
-	// Otherwise match regular http requests.
-	httpListener := networkMutex.Match(cmux.Any())
-
-	grpcGatewayMux := runtime.NewServeMux()
-
-	// Make the grpc-gateway connect to grpc over socket
-	grpcGatewayConn, err := grpc.Dial(
-		h.cfg.UnixSocket,
-		[]grpc.DialOption{
-			grpc.WithInsecure(),
-			grpc.WithContextDialer(GrpcSocketDialer),
-		}...,
-	)
-	if err != nil {
-		return err
-	}
-
-	// Connect to the gRPC server over localhost to skip
-	// the authentication.
-	err = v1.RegisterHeadscaleServiceHandler(ctx, grpcGatewayMux, grpcGatewayConn)
-	if err != nil {
-		return err
-	}
-
-	router := gin.Default()
-
-	prometheus := ginprometheus.NewPrometheus("gin")
-	prometheus.Use(router)
-
-	router.GET(
-		"/health",
-		func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"healthy": "ok"}) },
-	)
-	router.GET("/key", h.KeyHandler)
-	router.GET("/register", h.RegisterWebAPI)
-	router.POST("/machine/:id/map", h.PollNetMapHandler)
-	router.POST("/machine/:id", h.RegistrationHandler)
-	router.GET("/oidc/register/:mkey", h.RegisterOIDC)
-	router.GET("/oidc/callback", h.OIDCCallback)
-	router.GET("/apple", h.AppleMobileConfig)
-	router.GET("/apple/:platform", h.ApplePlatformConfig)
-	router.GET("/swagger", SwaggerUI)
-	router.GET("/swagger/v1/openapiv2.json", SwaggerAPIv1)
-
-	api := router.Group("/api")
-	api.Use(h.httpAuthenticationMiddleware)
-	{
-		api.Any("/v1/*any", gin.WrapF(grpcGatewayMux.ServeHTTP))
-	}
-
-	router.NoRoute(stdoutHandler)
-
-	// Fetch an initial DERP Map before we start serving
-	h.DERPMap = GetDERPMap(h.cfg.DERP)
-
-	if h.cfg.DERP.AutoUpdate {
-		derpMapCancelChannel := make(chan struct{})
-		defer func() { derpMapCancelChannel <- struct{}{} }()
-		go h.scheduledDERPMapUpdateWorker(derpMapCancelChannel)
-	}
-
-	// I HATE THIS
-	go h.watchForKVUpdates(updateInterval)
-	go h.expireEphemeralNodes(updateInterval)
-
-	httpServer := &http.Server{
-		Addr:        h.cfg.Addr,
-		Handler:     router,
-		ReadTimeout: HTTPReadTimeout,
-		// Go does not handle timeouts in HTTP very well, and there is
-		// no good way to handle streaming timeouts, therefore we need to
-		// keep this at unlimited and be careful to clean up connections
-		// https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/#aboutstreaming
-		WriteTimeout: 0,
-	}
-
-	if zl.GlobalLevel() == zl.TraceLevel {
-		zerolog.RespLog = true
-	} else {
-		zerolog.RespLog = false
-	}
-
-	grpcOptions := []grpc.ServerOption{
-		grpc.UnaryInterceptor(
-			grpc_middleware.ChainUnaryServer(
-				h.grpcAuthenticationInterceptor,
-				zerolog.NewUnaryServerInterceptor(),
-			),
-		),
-	}
-
-	tlsConfig, err := h.getTLSSettings()
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to set up TLS configuration")
-
-		return err
-	}
-
-	if tlsConfig != nil {
-		httpServer.TLSConfig = tlsConfig
-
-		grpcOptions = append(grpcOptions, grpc.Creds(credentials.NewTLS(tlsConfig)))
-	}
-
-	grpcServer := grpc.NewServer(grpcOptions...)
-
-	// Start the local gRPC server without TLS and without authentication
-	grpcSocket := grpc.NewServer(zerolog.UnaryInterceptor())
-
-	v1.RegisterHeadscaleServiceServer(grpcServer, newHeadscaleV1APIServer(h))
-	v1.RegisterHeadscaleServiceServer(grpcSocket, newHeadscaleV1APIServer(h))
-	reflection.Register(grpcServer)
-	reflection.Register(grpcSocket)
-
-	errorGroup := new(errgroup.Group)
-
-	errorGroup.Go(func() error { return grpcSocket.Serve(socketListener) })
-
-	// TODO(kradalby): Verify if we need the same TLS setup for gRPC as HTTP
-	errorGroup.Go(func() error { return grpcServer.Serve(grpcListener) })
-
-	if tlsConfig != nil {
-		errorGroup.Go(func() error {
-			tlsl := tls.NewListener(httpListener, tlsConfig)
-
-			return httpServer.Serve(tlsl)
-		})
-	} else {
-		errorGroup.Go(func() error { return httpServer.Serve(httpListener) })
-	}
-
-	errorGroup.Go(func() error { return networkMutex.Serve() })
-
-	log.Info().
-		Msgf("listening and serving (multiplexed HTTP and gRPC) on: %s", h.cfg.Addr)
-
-	return errorGroup.Wait()
-}
-
-func (h *Headscale) getTLSSettings() (*tls.Config, error) {
-	var err error
-	if h.cfg.TLSLetsEncryptHostname != "" {
-		if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
-			log.Warn().
-				Msg("Listening with TLS but ServerURL does not start with https://")
-		}
-
-		certManager := autocert.Manager{
-			Prompt:     autocert.AcceptTOS,
-			HostPolicy: autocert.HostWhitelist(h.cfg.TLSLetsEncryptHostname),
-			Cache:      autocert.DirCache(h.cfg.TLSLetsEncryptCacheDir),
-			Client: &acme.Client{
-				DirectoryURL: h.cfg.ACMEURL,
-			},
-			Email: h.cfg.ACMEEmail,
-		}
-
-		switch h.cfg.TLSLetsEncryptChallengeType {
-		case "TLS-ALPN-01":
-			// Configuration via autocert with TLS-ALPN-01 (https://tools.ietf.org/html/rfc8737)
-			// The RFC requires that the validation is done on port 443; in other words, headscale
-			// must be reachable on port 443.
-			return certManager.TLSConfig(), nil
-
-		case "HTTP-01":
-			// Configuration via autocert with HTTP-01. This requires listening on
-			// port 80 for the certificate validation in addition to the headscale
-			// service, which can be configured to run on any other port.
-			go func() {
-				log.Fatal().
-					Err(http.ListenAndServe(h.cfg.TLSLetsEncryptListen, certManager.HTTPHandler(http.HandlerFunc(h.redirect)))).
-					Msg("failed to set up a HTTP server")
-			}()
-
-			return certManager.TLSConfig(), nil
-
-		default:
-			return nil, errUnsupportedLetsEncryptChallengeType
-		}
-	} else if h.cfg.TLSCertPath == "" {
-		if !strings.HasPrefix(h.cfg.ServerURL, "http://") {
-			log.Warn().Msg("Listening without TLS but ServerURL does not start with http://")
-		}
-
-		return nil, err
-	} else {
-		if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
-			log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
-		}
-		tlsConfig := &tls.Config{
-			ClientAuth:   tls.RequireAnyClientCert,
-			NextProtos:   []string{"http/1.1"},
-			Certificates: make([]tls.Certificate, 1),
-			MinVersion:   tls.VersionTLS12,
-		}
-		tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(h.cfg.TLSCertPath, h.cfg.TLSKeyPath)
-
-		return tlsConfig, err
-	}
-}
-
-func (h *Headscale) setLastStateChangeToNow(namespace string) {
-	now := time.Now().UTC()
-	lastStateUpdate.WithLabelValues("", "headscale").Set(float64(now.Unix()))
-	h.lastStateChange.Store(namespace, now)
-}
-
-func (h *Headscale) getLastStateChange(namespaces ...string) time.Time {
-	times := []time.Time{}
-
-	for _, namespace := range namespaces {
-		if wrapped, ok := h.lastStateChange.Load(namespace); ok {
-			lastChange, _ := wrapped.(time.Time)
-
-			times = append(times, lastChange)
-		}
-	}
-
-	sort.Slice(times, func(i, j int) bool {
-		return times[i].After(times[j])
-	})
-
-	log.Trace().Msgf("Latest times %#v", times)
-
-	if len(times) == 0 {
-		return time.Now().UTC()
-	} else {
-		return times[0]
-	}
-}
-
-func stdoutHandler(ctx *gin.Context) {
-	body, _ := io.ReadAll(ctx.Request.Body)
-
-	log.Trace().
-		Interface("header", ctx.Request.Header).
-		Interface("proto", ctx.Request.Proto).
-		Interface("url", ctx.Request.URL).
-		Bytes("body", body).
-		Msg("Request did not match")
-}
-
-func readOrCreatePrivateKey(path string) (*key.MachinePrivate, error) {
-	privateKey, err := os.ReadFile(path)
-	if errors.Is(err, os.ErrNotExist) {
-		log.Info().Str("path", path).Msg("No private key file at path, creating...")
-
-		machineKey := key.NewMachine()
-
-		machineKeyStr, err := machineKey.MarshalText()
-		if err != nil {
-			return nil, fmt.Errorf(
-				"failed to convert private key to string for saving: %w",
-				err,
-			)
-		}
-		err = os.WriteFile(path, machineKeyStr, privateKeyFileMode)
-		if err != nil {
-			return nil, fmt.Errorf(
-				"failed to save private key to disk: %w",
-				err,
-			)
-		}
-
-		return &machineKey, nil
-	} else if err != nil {
-		return nil, fmt.Errorf("failed to read private key file: %w", err)
-	}
-
-	privateKeyEnsurePrefix := PrivateKeyEnsurePrefix(string(privateKey))
-
-	var machineKey key.MachinePrivate
-	if err = machineKey.UnmarshalText([]byte(privateKeyEnsurePrefix)); err != nil {
-		log.Info().
-			Str("path", path).
-			Msg("This might be due to a legacy (headscale pre-0.12) private key. " +
-				"If the key is in WireGuard format, delete the key and restart headscale. " +
-				"A new key will automatically be generated. All Tailscale clients will have to be restarted")
-
-		return nil, fmt.Errorf("failed to parse private key: %w", err)
-	}
-
-	return &machineKey, nil
-}

app_test.go

@@ -1,65 +0,0 @@
-package headscale
-
-import (
-	"io/ioutil"
-	"os"
-	"testing"
-
-	"github.com/patrickmn/go-cache"
-	"gopkg.in/check.v1"
-	"inet.af/netaddr"
-)
-
-func Test(t *testing.T) {
-	check.TestingT(t)
-}
-
-var _ = check.Suite(&Suite{})
-
-type Suite struct{}
-
-var (
-	tmpDir string
-	app    Headscale
-)
-
-func (s *Suite) SetUpTest(c *check.C) {
-	s.ResetDB(c)
-}
-
-func (s *Suite) TearDownTest(c *check.C) {
-	os.RemoveAll(tmpDir)
-}
-
-func (s *Suite) ResetDB(c *check.C) {
-	if len(tmpDir) != 0 {
-		os.RemoveAll(tmpDir)
-	}
-	var err error
-	tmpDir, err = ioutil.TempDir("", "autoygg-client-test")
-	if err != nil {
-		c.Fatal(err)
-	}
-	cfg := Config{
-		IPPrefix: netaddr.MustParseIPPrefix("10.27.0.0/23"),
-	}
-
-	app = Headscale{
-		cfg:      cfg,
-		dbType:   "sqlite3",
-		dbString: tmpDir + "/headscale_test.db",
-		requestedExpiryCache: cache.New(
-			requestedExpiryCacheExpiration,
-			requestedExpiryCacheCleanupInterval,
-		),
-	}
-	err = app.initDB()
-	if err != nil {
-		c.Fatal(err)
-	}
-	db, err := app.openDB()
-	if err != nil {
-		c.Fatal(err)
-	}
-	app.db = db
-}

apple_mobileconfig.go

@@ -1,266 +0,0 @@
-package headscale
-
-import (
-	"bytes"
-	"net/http"
-	"text/template"
-
-	"github.com/gin-gonic/gin"
-	"github.com/gofrs/uuid"
-	"github.com/rs/zerolog/log"
-)
-
-// AppleMobileConfig shows a simple message in the browser to point to the CLI
-// Listens in /register.
-func (h *Headscale) AppleMobileConfig(ctx *gin.Context) {
-	appleTemplate := template.Must(template.New("apple").Parse(`
-<html>
-	<body>
-		<h1>Apple configuration profiles</h1>
-		<p>
-		    This page provides <a href="https://support.apple.com/guide/mdm/mdm-overview-mdmbf9e668/web">configuration profiles</a> for the official Tailscale clients for <a href="https://apps.apple.com/us/app/tailscale/id1470499037?ls=1">iOS</a> and <a href="https://apps.apple.com/ca/app/tailscale/id1475387142?mt=12">macOS</a>.
-		</p>
-		<p>
-		    The profiles will configure Tailscale.app to use {{.Url}} as its control server.
-		</p>
-
-		<h3>Caution</h3>
-		<p>You should always inspect the profile before installing it:</p>
-		<!--
-		<p><code>curl {{.Url}}/apple/ios</code></p>
-		-->
-		<p><code>curl {{.Url}}/apple/macos</code></p>
-		
-		<h2>Profiles</h2>
-
-		<!--
-		<h3>iOS</h3>
-		<p>
-		    <a href="/apple/ios" download="headscale_ios.mobileconfig">iOS profile</a>
-		</p>
-		-->
-		
-		<h3>macOS</h3>
-		<p>Headscale can be set to the default server by installing a Headscale configuration profile:</p>
-		<p>
-		    <a href="/apple/macos" download="headscale_macos.mobileconfig">macOS profile</a>
-		</p>
-
-		<ol>
-		<li>Download the profile, then open it. When it has been opened, there should be a notification that a profile can be installed</li>
-		<li>Open System Preferences and go to "Profiles"</li>
-		<li>Find and install the Headscale profile</li>
-		<li>Restart Tailscale.app and log in</li>
-		</ol>
-
-		<p>Or</p>
-		<p>Use your terminal to configure the default setting for Tailscale by issuing:</p>
-		<code>defaults write io.tailscale.ipn.macos ControlURL {{.URL}}</code>
-
-		<p>Restart Tailscale.app and log in.</p>
-	
-	</body>
-</html>`))
-
-	config := map[string]interface{}{
-		"URL": h.cfg.ServerURL,
-	}
-
-	var payload bytes.Buffer
-	if err := appleTemplate.Execute(&payload, config); err != nil {
-		log.Error().
-			Str("handler", "AppleMobileConfig").
-			Err(err).
-			Msg("Could not render Apple index template")
-		ctx.Data(
-			http.StatusInternalServerError,
-			"text/html; charset=utf-8",
-			[]byte("Could not render Apple index template"),
-		)
-
-		return
-	}
-
-	ctx.Data(http.StatusOK, "text/html; charset=utf-8", payload.Bytes())
-}
-
-func (h *Headscale) ApplePlatformConfig(ctx *gin.Context) {
-	platform := ctx.Param("platform")
-
-	id, err := uuid.NewV4()
-	if err != nil {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(err).
-			Msg("Failed not create UUID")
-		ctx.Data(
-			http.StatusInternalServerError,
-			"text/html; charset=utf-8",
-			[]byte("Failed to create UUID"),
-		)
-
-		return
-	}
-
-	contentID, err := uuid.NewV4()
-	if err != nil {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(err).
-			Msg("Failed not create UUID")
-		ctx.Data(
-			http.StatusInternalServerError,
-			"text/html; charset=utf-8",
-			[]byte("Failed to create UUID"),
-		)
-
-		return
-	}
-
-	platformConfig := AppleMobilePlatformConfig{
-		UUID: contentID,
-		URL:  h.cfg.ServerURL,
-	}
-
-	var payload bytes.Buffer
-
-	switch platform {
-	case "macos":
-		if err := macosTemplate.Execute(&payload, platformConfig); err != nil {
-			log.Error().
-				Str("handler", "ApplePlatformConfig").
-				Err(err).
-				Msg("Could not render Apple macOS template")
-			ctx.Data(
-				http.StatusInternalServerError,
-				"text/html; charset=utf-8",
-				[]byte("Could not render Apple macOS template"),
-			)
-
-			return
-		}
-	case "ios":
-		if err := iosTemplate.Execute(&payload, platformConfig); err != nil {
-			log.Error().
-				Str("handler", "ApplePlatformConfig").
-				Err(err).
-				Msg("Could not render Apple iOS template")
-			ctx.Data(
-				http.StatusInternalServerError,
-				"text/html; charset=utf-8",
-				[]byte("Could not render Apple iOS template"),
-			)
-
-			return
-		}
-	default:
-		ctx.Data(
-			http.StatusOK,
-			"text/html; charset=utf-8",
-			[]byte("Invalid platform, only ios and macos is supported"),
-		)
-
-		return
-	}
-
-	config := AppleMobileConfig{
-		UUID:    id,
-		URL:     h.cfg.ServerURL,
-		Payload: payload.String(),
-	}
-
-	var content bytes.Buffer
-	if err := commonTemplate.Execute(&content, config); err != nil {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(err).
-			Msg("Could not render Apple platform template")
-		ctx.Data(
-			http.StatusInternalServerError,
-			"text/html; charset=utf-8",
-			[]byte("Could not render Apple platform template"),
-		)
-
-		return
-	}
-
-	ctx.Data(
-		http.StatusOK,
-		"application/x-apple-aspen-config; charset=utf-8",
-		content.Bytes(),
-	)
-}
-
-type AppleMobileConfig struct {
-	UUID    uuid.UUID
-	URL     string
-	Payload string
-}
-
-type AppleMobilePlatformConfig struct {
-	UUID uuid.UUID
-	URL  string
-}
-
-var commonTemplate = template.Must(
-	template.New("mobileconfig").Parse(`<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-  <dict>
-    <key>PayloadUUID</key>
-    <string>{{.UUID}}</string>
-    <key>PayloadDisplayName</key>
-    <string>Headscale</string>
-    <key>PayloadDescription</key>
-    <string>Configure Tailscale login server to: {{.URL}}</string>
-    <key>PayloadIdentifier</key>
-    <string>com.github.juanfont.headscale</string>
-    <key>PayloadRemovalDisallowed</key>
-    <false/>
-    <key>PayloadType</key>
-    <string>Configuration</string>
-    <key>PayloadVersion</key>
-    <integer>1</integer>
-    <key>PayloadContent</key>
-    <array>
-    {{.Payload}}
-    </array>
-  </dict>
-</plist>`),
-)
-
-var iosTemplate = template.Must(template.New("iosTemplate").Parse(`
-    <dict>
-        <key>PayloadType</key>
-        <string>io.tailscale.ipn.ios</string>
-        <key>PayloadUUID</key>
-        <string>{{.UUID}}</string>
-        <key>PayloadIdentifier</key>
-        <string>com.github.juanfont.headscale</string>
-        <key>PayloadVersion</key>
-        <integer>1</integer>
-        <key>PayloadEnabled</key>
-        <true/>
-
-        <key>ControlURL</key>
-        <string>{{.URL}}</string>
-    </dict>
-`))
-
-var macosTemplate = template.Must(template.New("macosTemplate").Parse(`
-    <dict>
-        <key>PayloadType</key>
-        <string>io.tailscale.ipn.macos</string>
-        <key>PayloadUUID</key>
-        <string>{{.UUID}}</string>
-        <key>PayloadIdentifier</key>
-        <string>com.github.juanfont.headscale</string>
-        <key>PayloadVersion</key>
-        <integer>1</integer>
-        <key>PayloadEnabled</key>
-        <true/>
-
-        <key>ControlURL</key>
-        <string>{{.URL}}</string>
-    </dict>
-`))

cli_test.go

@@ -1,39 +0,0 @@
-package headscale
-
-import (
-	"time"
-
-	"gopkg.in/check.v1"
-)
-
-func (s *Suite) TestRegisterMachine(c *check.C) {
-	namespace, err := app.CreateNamespace("test")
-	c.Assert(err, check.IsNil)
-
-	now := time.Now().UTC()
-
-	machine := Machine{
-		ID:          0,
-		MachineKey:  "8ce002a935f8c394e55e78fbbb410576575ff8ec5cfa2e627e4b807f1be15b0e",
-		NodeKey:     "bar",
-		DiscoKey:    "faa",
-		Name:        "testmachine",
-		NamespaceID: namespace.ID,
-		IPAddress:   "10.0.0.1",
-		Expiry:      &now,
-	}
-	app.db.Save(&machine)
-
-	_, err = app.GetMachine("test", "testmachine")
-	c.Assert(err, check.IsNil)
-
-	machineAfterRegistering, err := app.RegisterMachine(
-		"8ce002a935f8c394e55e78fbbb410576575ff8ec5cfa2e627e4b807f1be15b0e",
-		namespace.Name,
-	)
-	c.Assert(err, check.IsNil)
-	c.Assert(machineAfterRegistering.Registered, check.Equals, true)
-
-	_, err = machineAfterRegistering.GetHostInfo()
-	c.Assert(err, check.IsNil)
-}

cmd/headscale/cli/api_key.go

@@ -0,0 +1,222 @@
+package cli
+
+import (
+	"fmt"
+	"strconv"
+	"time"
+
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"github.com/prometheus/common/model"
+	"github.com/pterm/pterm"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+	"google.golang.org/protobuf/types/known/timestamppb"
+)
+
+const (
+	// 90 days.
+	DefaultAPIKeyExpiry = "90d"
+)
+
+func init() {
+	rootCmd.AddCommand(apiKeysCmd)
+	apiKeysCmd.AddCommand(listAPIKeys)
+
+	createAPIKeyCmd.Flags().
+		StringP("expiration", "e", DefaultAPIKeyExpiry, "Human-readable expiration of the key (e.g. 30m, 24h)")
+
+	apiKeysCmd.AddCommand(createAPIKeyCmd)
+
+	expireAPIKeyCmd.Flags().StringP("prefix", "p", "", "ApiKey prefix")
+	if err := expireAPIKeyCmd.MarkFlagRequired("prefix"); err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	apiKeysCmd.AddCommand(expireAPIKeyCmd)
+
+	deleteAPIKeyCmd.Flags().StringP("prefix", "p", "", "ApiKey prefix")
+	if err := deleteAPIKeyCmd.MarkFlagRequired("prefix"); err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	apiKeysCmd.AddCommand(deleteAPIKeyCmd)
+}
+
+var apiKeysCmd = &cobra.Command{
+	Use:     "apikeys",
+	Short:   "Handle the Api keys in Headscale",
+	Aliases: []string{"apikey", "api"},
+}
+
+var listAPIKeys = &cobra.Command{
+	Use:     "list",
+	Short:   "List the Api keys for headscale",
+	Aliases: []string{"ls", "show"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.ListApiKeysRequest{}
+
+		response, err := client.ListApiKeys(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting the list of keys: %s", err),
+				output,
+			)
+		}
+
+		if output != "" {
+			SuccessOutput(response.GetApiKeys(), "", output)
+		}
+
+		tableData := pterm.TableData{
+			{"ID", "Prefix", "Expiration", "Created"},
+		}
+		for _, key := range response.GetApiKeys() {
+			expiration := "-"
+
+			if key.GetExpiration() != nil {
+				expiration = ColourTime(key.GetExpiration().AsTime())
+			}
+
+			tableData = append(tableData, []string{
+				strconv.FormatUint(key.GetId(), util.Base10),
+				key.GetPrefix(),
+				expiration,
+				key.GetCreatedAt().AsTime().Format(HeadscaleDateTimeFormat),
+			})
+
+		}
+		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Failed to render pterm table: %s", err),
+				output,
+			)
+		}
+	},
+}
+
+var createAPIKeyCmd = &cobra.Command{
+	Use:   "create",
+	Short: "Creates a new Api key",
+	Long: `
+Creates a new Api key, the Api key is only visible on creation
+and cannot be retrieved again.
+If you loose a key, create a new one and revoke (expire) the old one.`,
+	Aliases: []string{"c", "new"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		request := &v1.CreateApiKeyRequest{}
+
+		durationStr, _ := cmd.Flags().GetString("expiration")
+
+		duration, err := model.ParseDuration(durationStr)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Could not parse duration: %s\n", err),
+				output,
+			)
+		}
+
+		expiration := time.Now().UTC().Add(time.Duration(duration))
+
+		request.Expiration = timestamppb.New(expiration)
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		response, err := client.CreateApiKey(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot create Api Key: %s\n", err),
+				output,
+			)
+		}
+
+		SuccessOutput(response.GetApiKey(), response.GetApiKey(), output)
+	},
+}
+
+var expireAPIKeyCmd = &cobra.Command{
+	Use:     "expire",
+	Short:   "Expire an ApiKey",
+	Aliases: []string{"revoke", "exp", "e"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		prefix, err := cmd.Flags().GetString("prefix")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting prefix from CLI flag: %s", err),
+				output,
+			)
+		}
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.ExpireApiKeyRequest{
+			Prefix: prefix,
+		}
+
+		response, err := client.ExpireApiKey(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot expire Api Key: %s\n", err),
+				output,
+			)
+		}
+
+		SuccessOutput(response, "Key expired", output)
+	},
+}
+
+var deleteAPIKeyCmd = &cobra.Command{
+	Use:     "delete",
+	Short:   "Delete an ApiKey",
+	Aliases: []string{"remove", "del"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		prefix, err := cmd.Flags().GetString("prefix")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting prefix from CLI flag: %s", err),
+				output,
+			)
+		}
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.DeleteApiKeyRequest{
+			Prefix: prefix,
+		}
+
+		response, err := client.DeleteApiKey(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot delete Api Key: %s\n", err),
+				output,
+			)
+		}
+
+		SuccessOutput(response, "Key deleted", output)
+	},
+}

cmd/headscale/cli/configtest.go

@@ -0,0 +1,22 @@
+package cli
+
+import (
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	rootCmd.AddCommand(configTestCmd)
+}
+
+var configTestCmd = &cobra.Command{
+	Use:   "configtest",
+	Short: "Test the configuration.",
+	Long:  "Run a test of the configuration and exit.",
+	Run: func(cmd *cobra.Command, args []string) {
+		_, err := newHeadscaleServerWithConfig()
+		if err != nil {
+			log.Fatal().Caller().Err(err).Msg("Error initializing")
+		}
+	},
+}

cmd/headscale/cli/debug.go

@@ -4,14 +4,14 @@ import (
 	"fmt"
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
 )
 
 const (
-	keyLength             = 64
-	errPreAuthKeyTooShort = Error("key too short, must be 64 hexadecimal characters")
+	errPreAuthKeyMalformed = Error("key is malformed. expected 64 hex characters with `nodekey` prefix")
 )
 
 // Error is used to compare errors as per https://dave.cheney.net/2016/04/07/constant-errors
@@ -27,8 +27,14 @@ func init() {
 	if err != nil {
 		log.Fatal().Err(err).Msg("")
 	}
-	createNodeCmd.Flags().StringP("namespace", "n", "", "Namespace")
-	err = createNodeCmd.MarkFlagRequired("namespace")
+	createNodeCmd.Flags().StringP("user", "u", "", "User")
+
+	createNodeCmd.Flags().StringP("namespace", "n", "", "User")
+	createNodeNamespaceFlag := createNodeCmd.Flags().Lookup("namespace")
+	createNodeNamespaceFlag.Deprecated = deprecateNamespaceMessage
+	createNodeNamespaceFlag.Hidden = true
+
+	err = createNodeCmd.MarkFlagRequired("user")
 	if err != nil {
 		log.Fatal().Err(err).Msg("")
 	}
@@ -51,18 +57,16 @@ var debugCmd = &cobra.Command{
 
 var createNodeCmd = &cobra.Command{
 	Use:   "create-node",
-	Short: "Create a node (machine) that can be registered with `nodes register <>` command",
+	Short: "Create a node that can be registered with `nodes register <>` command",
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
 
-		namespace, err := cmd.Flags().GetString("namespace")
+		user, err := cmd.Flags().GetString("user")
 		if err != nil {
-			ErrorOutput(err, fmt.Sprintf("Error getting namespace: %s", err), output)
-
-			return
+			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
 		}
 
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()
 
@@ -73,29 +77,24 @@ var createNodeCmd = &cobra.Command{
 				fmt.Sprintf("Error getting node from flag: %s", err),
 				output,
 			)
-
-			return
 		}
 
-		machineKey, err := cmd.Flags().GetString("key")
+		registrationID, err := cmd.Flags().GetString("key")
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf("Error getting key from flag: %s", err),
 				output,
 			)
-
-			return
 		}
-		if len(machineKey) != keyLength {
-			err = errPreAuthKeyTooShort
+
+		_, err = types.RegistrationIDFromString(registrationID)
+		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Error: %s", err),
+				fmt.Sprintf("Failed to parse machine key from flag: %s", err),
 				output,
 			)
-
-			return
 		}
 
 		routes, err := cmd.Flags().GetStringSlice("route")
@@ -105,28 +104,24 @@ var createNodeCmd = &cobra.Command{
 				fmt.Sprintf("Error getting routes from flag: %s", err),
 				output,
 			)
-
-			return
 		}
 
-		request := &v1.DebugCreateMachineRequest{
-			Key:       machineKey,
-			Name:      name,
-			Namespace: namespace,
-			Routes:    routes,
+		request := &v1.DebugCreateNodeRequest{
+			Key:    registrationID,
+			Name:   name,
+			User:   user,
+			Routes: routes,
 		}
 
-		response, err := client.DebugCreateMachine(ctx, request)
+		response, err := client.DebugCreateNode(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Cannot create machine: %s", status.Convert(err).Message()),
+				fmt.Sprintf("Cannot create node: %s", status.Convert(err).Message()),
 				output,
 			)
-
-			return
 		}
 
-		SuccessOutput(response.Machine, "Machine created", output)
+		SuccessOutput(response.GetNode(), "Node created", output)
 	},
 }

cmd/headscale/cli/dump_config.go

@@ -0,0 +1,28 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+func init() {
+	rootCmd.AddCommand(dumpConfigCmd)
+}
+
+var dumpConfigCmd = &cobra.Command{
+	Use:    "dumpConfig",
+	Short:  "dump current config to /etc/headscale/config.dump.yaml, integration test only",
+	Hidden: true,
+	Args: func(cmd *cobra.Command, args []string) error {
+		return nil
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		err := viper.WriteConfigAs("/etc/headscale/config.dump.yaml")
+		if err != nil {
+			//nolint
+			fmt.Println("Failed to dump config")
+		}
+	},
+}

cmd/headscale/cli/generate.go

@@ -0,0 +1,42 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"tailscale.com/types/key"
+)
+
+func init() {
+	rootCmd.AddCommand(generateCmd)
+	generateCmd.AddCommand(generatePrivateKeyCmd)
+}
+
+var generateCmd = &cobra.Command{
+	Use:     "generate",
+	Short:   "Generate commands",
+	Aliases: []string{"gen"},
+}
+
+var generatePrivateKeyCmd = &cobra.Command{
+	Use:   "private-key",
+	Short: "Generate a private key for the headscale server",
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		machineKey := key.NewMachine()
+
+		machineKeyStr, err := machineKey.MarshalText()
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting machine key from flag: %s", err),
+				output,
+			)
+		}
+
+		SuccessOutput(map[string]string{
+			"private_key": string(machineKeyStr),
+		},
+			string(machineKeyStr), output)
+	},
+}

cmd/headscale/cli/mockoidc.go

@@ -0,0 +1,146 @@
+package cli
+
+import (
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"strconv"
+	"time"
+
+	"github.com/oauth2-proxy/mockoidc"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+const (
+	errMockOidcClientIDNotDefined     = Error("MOCKOIDC_CLIENT_ID not defined")
+	errMockOidcClientSecretNotDefined = Error("MOCKOIDC_CLIENT_SECRET not defined")
+	errMockOidcPortNotDefined         = Error("MOCKOIDC_PORT not defined")
+	refreshTTL                        = 60 * time.Minute
+)
+
+var accessTTL = 2 * time.Minute
+
+func init() {
+	rootCmd.AddCommand(mockOidcCmd)
+}
+
+var mockOidcCmd = &cobra.Command{
+	Use:   "mockoidc",
+	Short: "Runs a mock OIDC server for testing",
+	Long:  "This internal command runs a OpenID Connect for testing purposes",
+	Run: func(cmd *cobra.Command, args []string) {
+		err := mockOIDC()
+		if err != nil {
+			log.Error().Err(err).Msgf("Error running mock OIDC server")
+			os.Exit(1)
+		}
+	},
+}
+
+func mockOIDC() error {
+	clientID := os.Getenv("MOCKOIDC_CLIENT_ID")
+	if clientID == "" {
+		return errMockOidcClientIDNotDefined
+	}
+	clientSecret := os.Getenv("MOCKOIDC_CLIENT_SECRET")
+	if clientSecret == "" {
+		return errMockOidcClientSecretNotDefined
+	}
+	addrStr := os.Getenv("MOCKOIDC_ADDR")
+	if addrStr == "" {
+		return errMockOidcPortNotDefined
+	}
+	portStr := os.Getenv("MOCKOIDC_PORT")
+	if portStr == "" {
+		return errMockOidcPortNotDefined
+	}
+	accessTTLOverride := os.Getenv("MOCKOIDC_ACCESS_TTL")
+	if accessTTLOverride != "" {
+		newTTL, err := time.ParseDuration(accessTTLOverride)
+		if err != nil {
+			return err
+		}
+		accessTTL = newTTL
+	}
+
+	userStr := os.Getenv("MOCKOIDC_USERS")
+	if userStr == "" {
+		return fmt.Errorf("MOCKOIDC_USERS not defined")
+	}
+
+	var users []mockoidc.MockUser
+	err := json.Unmarshal([]byte(userStr), &users)
+	if err != nil {
+		return fmt.Errorf("unmarshalling users: %w", err)
+	}
+
+	log.Info().Interface("users", users).Msg("loading users from JSON")
+
+	log.Info().Msgf("Access token TTL: %s", accessTTL)
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return err
+	}
+
+	mock, err := getMockOIDC(clientID, clientSecret, users)
+	if err != nil {
+		return err
+	}
+
+	listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", addrStr, port))
+	if err != nil {
+		return err
+	}
+
+	err = mock.Start(listener, nil)
+	if err != nil {
+		return err
+	}
+	log.Info().Msgf("Mock OIDC server listening on %s", listener.Addr().String())
+	log.Info().Msgf("Issuer: %s", mock.Issuer())
+	c := make(chan struct{})
+	<-c
+
+	return nil
+}
+
+func getMockOIDC(clientID string, clientSecret string, users []mockoidc.MockUser) (*mockoidc.MockOIDC, error) {
+	keypair, err := mockoidc.NewKeypair(nil)
+	if err != nil {
+		return nil, err
+	}
+
+	userQueue := mockoidc.UserQueue{}
+
+	for _, user := range users {
+		userQueue.Push(&user)
+	}
+
+	mock := mockoidc.MockOIDC{
+		ClientID:                      clientID,
+		ClientSecret:                  clientSecret,
+		AccessTTL:                     accessTTL,
+		RefreshTTL:                    refreshTTL,
+		CodeChallengeMethodsSupported: []string{"plain", "S256"},
+		Keypair:                       keypair,
+		SessionStore:                  mockoidc.NewSessionStore(),
+		UserQueue:                     &userQueue,
+		ErrorQueue:                    &mockoidc.ErrorQueue{},
+	}
+
+	mock.AddMiddleware(func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			log.Info().Msgf("Request: %+v", r)
+			h.ServeHTTP(w, r)
+			if r.Response != nil {
+				log.Info().Msgf("Response: %+v", r.Response)
+			}
+		})
+	})
+
+	return &mock, nil
+}

cmd/headscale/cli/namespaces.go

@@ -1,238 +0,0 @@
-package cli
-
-import (
-	"fmt"
-
-	survey "github.com/AlecAivazis/survey/v2"
-	"github.com/juanfont/headscale"
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/pterm/pterm"
-	"github.com/rs/zerolog/log"
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-)
-
-func init() {
-	rootCmd.AddCommand(namespaceCmd)
-	namespaceCmd.AddCommand(createNamespaceCmd)
-	namespaceCmd.AddCommand(listNamespacesCmd)
-	namespaceCmd.AddCommand(destroyNamespaceCmd)
-	namespaceCmd.AddCommand(renameNamespaceCmd)
-}
-
-const (
-	errMissingParameter = headscale.Error("missing parameters")
-)
-
-var namespaceCmd = &cobra.Command{
-	Use:   "namespaces",
-	Short: "Manage the namespaces of Headscale",
-}
-
-var createNamespaceCmd = &cobra.Command{
-	Use:   "create NAME",
-	Short: "Creates a new namespace",
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return errMissingParameter
-		}
-
-		return nil
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		output, _ := cmd.Flags().GetString("output")
-
-		namespaceName := args[0]
-
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
-		defer cancel()
-		defer conn.Close()
-
-		log.Trace().Interface("client", client).Msg("Obtained gRPC client")
-
-		request := &v1.CreateNamespaceRequest{Name: namespaceName}
-
-		log.Trace().Interface("request", request).Msg("Sending CreateNamespace request")
-		response, err := client.CreateNamespace(ctx, request)
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf(
-					"Cannot create namespace: %s",
-					status.Convert(err).Message(),
-				),
-				output,
-			)
-
-			return
-		}
-
-		SuccessOutput(response.Namespace, "Namespace created", output)
-	},
-}
-
-var destroyNamespaceCmd = &cobra.Command{
-	Use:   "destroy NAME",
-	Short: "Destroys a namespace",
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return errMissingParameter
-		}
-
-		return nil
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		output, _ := cmd.Flags().GetString("output")
-
-		namespaceName := args[0]
-
-		request := &v1.GetNamespaceRequest{
-			Name: namespaceName,
-		}
-
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
-		defer cancel()
-		defer conn.Close()
-
-		_, err := client.GetNamespace(ctx, request)
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
-				output,
-			)
-
-			return
-		}
-
-		confirm := false
-		force, _ := cmd.Flags().GetBool("force")
-		if !force {
-			prompt := &survey.Confirm{
-				Message: fmt.Sprintf(
-					"Do you want to remove the namespace '%s' and any associated preauthkeys?",
-					namespaceName,
-				),
-			}
-			err := survey.AskOne(prompt, &confirm)
-			if err != nil {
-				return
-			}
-		}
-
-		if confirm || force {
-			request := &v1.DeleteNamespaceRequest{Name: namespaceName}
-
-			response, err := client.DeleteNamespace(ctx, request)
-			if err != nil {
-				ErrorOutput(
-					err,
-					fmt.Sprintf(
-						"Cannot destroy namespace: %s",
-						status.Convert(err).Message(),
-					),
-					output,
-				)
-
-				return
-			}
-			SuccessOutput(response, "Namespace destroyed", output)
-		} else {
-			SuccessOutput(map[string]string{"Result": "Namespace not destroyed"}, "Namespace not destroyed", output)
-		}
-	},
-}
-
-var listNamespacesCmd = &cobra.Command{
-	Use:   "list",
-	Short: "List all the namespaces",
-	Run: func(cmd *cobra.Command, args []string) {
-		output, _ := cmd.Flags().GetString("output")
-
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
-		defer cancel()
-		defer conn.Close()
-
-		request := &v1.ListNamespacesRequest{}
-
-		response, err := client.ListNamespaces(ctx, request)
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Cannot get namespaces: %s", status.Convert(err).Message()),
-				output,
-			)
-
-			return
-		}
-
-		if output != "" {
-			SuccessOutput(response.Namespaces, "", output)
-
-			return
-		}
-
-		tableData := pterm.TableData{{"ID", "Name", "Created"}}
-		for _, namespace := range response.GetNamespaces() {
-			tableData = append(
-				tableData,
-				[]string{
-					namespace.GetId(),
-					namespace.GetName(),
-					namespace.GetCreatedAt().AsTime().Format("2006-01-02 15:04:05"),
-				},
-			)
-		}
-		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Failed to render pterm table: %s", err),
-				output,
-			)
-
-			return
-		}
-	},
-}
-
-var renameNamespaceCmd = &cobra.Command{
-	Use:   "rename OLD_NAME NEW_NAME",
-	Short: "Renames a namespace",
-	Args: func(cmd *cobra.Command, args []string) error {
-		expectedArguments := 2
-		if len(args) < expectedArguments {
-			return errMissingParameter
-		}
-
-		return nil
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		output, _ := cmd.Flags().GetString("output")
-
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
-		defer cancel()
-		defer conn.Close()
-
-		request := &v1.RenameNamespaceRequest{
-			OldName: args[0],
-			NewName: args[1],
-		}
-
-		response, err := client.RenameNamespace(ctx, request)
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf(
-					"Cannot rename namespace: %s",
-					status.Convert(err).Message(),
-				),
-				output,
-			)
-
-			return
-		}
-
-		SuccessOutput(response.Namespace, "Namespace renamed", output)
-	},
-}

cmd/headscale/cli/policy.go

@@ -0,0 +1,121 @@
+package cli
+
+import (
+	"fmt"
+	"io"
+	"os"
+
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	rootCmd.AddCommand(policyCmd)
+	policyCmd.AddCommand(getPolicy)
+
+	setPolicy.Flags().StringP("file", "f", "", "Path to a policy file in HuJSON format")
+	if err := setPolicy.MarkFlagRequired("file"); err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	policyCmd.AddCommand(setPolicy)
+
+	checkPolicy.Flags().StringP("file", "f", "", "Path to a policy file in HuJSON format")
+	if err := checkPolicy.MarkFlagRequired("file"); err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	policyCmd.AddCommand(checkPolicy)
+}
+
+var policyCmd = &cobra.Command{
+	Use:   "policy",
+	Short: "Manage the Headscale ACL Policy",
+}
+
+var getPolicy = &cobra.Command{
+	Use:     "get",
+	Short:   "Print the current ACL Policy",
+	Aliases: []string{"show", "view", "fetch"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.GetPolicyRequest{}
+
+		response, err := client.GetPolicy(ctx, request)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Failed loading ACL Policy: %s", err), output)
+		}
+
+		// TODO(pallabpain): Maybe print this better?
+		// This does not pass output as we dont support yaml, json or json-line
+		// output for this command. It is HuJSON already.
+		SuccessOutput("", response.GetPolicy(), "")
+	},
+}
+
+var setPolicy = &cobra.Command{
+	Use:   "set",
+	Short: "Updates the ACL Policy",
+	Long: `
+	Updates the existing ACL Policy with the provided policy. The policy must be a valid HuJSON object.
+	This command only works when the acl.policy_mode is set to "db", and the policy will be stored in the database.`,
+	Aliases: []string{"put", "update"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		policyPath, _ := cmd.Flags().GetString("file")
+
+		f, err := os.Open(policyPath)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error opening the policy file: %s", err), output)
+		}
+		defer f.Close()
+
+		policyBytes, err := io.ReadAll(f)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error reading the policy file: %s", err), output)
+		}
+
+		request := &v1.SetPolicyRequest{Policy: string(policyBytes)}
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		if _, err := client.SetPolicy(ctx, request); err != nil {
+			ErrorOutput(err, fmt.Sprintf("Failed to set ACL Policy: %s", err), output)
+		}
+
+		SuccessOutput(nil, "Policy updated.", "")
+	},
+}
+
+var checkPolicy = &cobra.Command{
+	Use:   "check",
+	Short: "Check the Policy file for errors",
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		policyPath, _ := cmd.Flags().GetString("file")
+
+		f, err := os.Open(policyPath)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error opening the policy file: %s", err), output)
+		}
+		defer f.Close()
+
+		policyBytes, err := io.ReadAll(f)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error reading the policy file: %s", err), output)
+		}
+
+		_, err = policy.NewPolicyManager(policyBytes, nil, nil)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error parsing the policy file: %s", err), output)
+		}
+
+		SuccessOutput(nil, "Policy is valid", "")
+	},
+}

cmd/headscale/cli/preauthkeys.go

@@ -3,9 +3,11 @@ package cli
 import (
 	"fmt"
 	"strconv"
+	"strings"
 	"time"
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/prometheus/common/model"
 	"github.com/pterm/pterm"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -13,13 +15,19 @@ import (
 )
 
 const (
-	DefaultPreAuthKeyExpiry = 1 * time.Hour
+	DefaultPreAuthKeyExpiry = "1h"
 )
 
 func init() {
 	rootCmd.AddCommand(preauthkeysCmd)
-	preauthkeysCmd.PersistentFlags().StringP("namespace", "n", "", "Namespace")
-	err := preauthkeysCmd.MarkPersistentFlagRequired("namespace")
+	preauthkeysCmd.PersistentFlags().Uint64P("user", "u", 0, "User identifier (ID)")
+
+	preauthkeysCmd.PersistentFlags().StringP("namespace", "n", "", "User")
+	pakNamespaceFlag := preauthkeysCmd.PersistentFlags().Lookup("namespace")
+	pakNamespaceFlag.Deprecated = deprecateNamespaceMessage
+	pakNamespaceFlag.Hidden = true
+
+	err := preauthkeysCmd.MarkPersistentFlagRequired("user")
 	if err != nil {
 		log.Fatal().Err(err).Msg("")
 	}
@@ -31,33 +39,35 @@ func init() {
 	createPreAuthKeyCmd.PersistentFlags().
 		Bool("ephemeral", false, "Preauthkey for ephemeral nodes")
 	createPreAuthKeyCmd.Flags().
-		DurationP("expiration", "e", DefaultPreAuthKeyExpiry, "Human-readable expiration of the key (30m, 24h, 365d...)")
+		StringP("expiration", "e", DefaultPreAuthKeyExpiry, "Human-readable expiration of the key (e.g. 30m, 24h)")
+	createPreAuthKeyCmd.Flags().
+		StringSlice("tags", []string{}, "Tags to automatically assign to node")
 }
 
 var preauthkeysCmd = &cobra.Command{
-	Use:   "preauthkeys",
-	Short: "Handle the preauthkeys in Headscale",
+	Use:     "preauthkeys",
+	Short:   "Handle the preauthkeys in Headscale",
+	Aliases: []string{"preauthkey", "authkey", "pre"},
 }
 
 var listPreAuthKeys = &cobra.Command{
-	Use:   "list",
-	Short: "List the preauthkeys for this namespace",
+	Use:     "list",
+	Short:   "List the preauthkeys for this user",
+	Aliases: []string{"ls", "show"},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
 
-		namespace, err := cmd.Flags().GetString("namespace")
+		user, err := cmd.Flags().GetUint64("user")
 		if err != nil {
-			ErrorOutput(err, fmt.Sprintf("Error getting namespace: %s", err), output)
-
-			return
+			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
 		}
 
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()
 
 		request := &v1.ListPreAuthKeysRequest{
-			Namespace: namespace,
+			User: user,
 		}
 
 		response, err := client.ListPreAuthKeys(ctx, request)
@@ -72,35 +82,44 @@ var listPreAuthKeys = &cobra.Command{
 		}
 
 		if output != "" {
-			SuccessOutput(response.PreAuthKeys, "", output)
-
-			return
+			SuccessOutput(response.GetPreAuthKeys(), "", output)
 		}
 
 		tableData := pterm.TableData{
-			{"ID", "Key", "Reusable", "Ephemeral", "Used", "Expiration", "Created"},
+			{
+				"ID",
+				"Key",
+				"Reusable",
+				"Ephemeral",
+				"Used",
+				"Expiration",
+				"Created",
+				"Tags",
+			},
 		}
-		for _, key := range response.PreAuthKeys {
+		for _, key := range response.GetPreAuthKeys() {
 			expiration := "-"
 			if key.GetExpiration() != nil {
-				expiration = key.Expiration.AsTime().Format("2006-01-02 15:04:05")
+				expiration = ColourTime(key.GetExpiration().AsTime())
 			}
 
-			var reusable string
-			if key.GetEphemeral() {
-				reusable = "N/A"
-			} else {
-				reusable = fmt.Sprintf("%v", key.GetReusable())
+			aclTags := ""
+
+			for _, tag := range key.GetAclTags() {
+				aclTags += "," + tag
 			}
 
+			aclTags = strings.TrimLeft(aclTags, ",")
+
 			tableData = append(tableData, []string{
-				key.GetId(),
+				strconv.FormatUint(key.GetId(), 10),
 				key.GetKey(),
-				reusable,
+				strconv.FormatBool(key.GetReusable()),
 				strconv.FormatBool(key.GetEphemeral()),
 				strconv.FormatBool(key.GetUsed()),
 				expiration,
 				key.GetCreatedAt().AsTime().Format("2006-01-02 15:04:05"),
+				aclTags,
 			})
 
 		}
@@ -111,48 +130,53 @@ var listPreAuthKeys = &cobra.Command{
 				fmt.Sprintf("Failed to render pterm table: %s", err),
 				output,
 			)
-
-			return
 		}
 	},
 }
 
 var createPreAuthKeyCmd = &cobra.Command{
-	Use:   "create",
-	Short: "Creates a new preauthkey in the specified namespace",
+	Use:     "create",
+	Short:   "Creates a new preauthkey in the specified user",
+	Aliases: []string{"c", "new"},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
 
-		namespace, err := cmd.Flags().GetString("namespace")
+		user, err := cmd.Flags().GetUint64("user")
 		if err != nil {
-			ErrorOutput(err, fmt.Sprintf("Error getting namespace: %s", err), output)
-
-			return
+			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
 		}
 
 		reusable, _ := cmd.Flags().GetBool("reusable")
 		ephemeral, _ := cmd.Flags().GetBool("ephemeral")
-
-		log.Trace().
-			Bool("reusable", reusable).
-			Bool("ephemeral", ephemeral).
-			Str("namespace", namespace).
-			Msg("Preparing to create preauthkey")
+		tags, _ := cmd.Flags().GetStringSlice("tags")
 
 		request := &v1.CreatePreAuthKeyRequest{
-			Namespace: namespace,
+			User:      user,
 			Reusable:  reusable,
 			Ephemeral: ephemeral,
+			AclTags:   tags,
 		}
 
-		duration, _ := cmd.Flags().GetDuration("expiration")
-		expiration := time.Now().UTC().Add(duration)
+		durationStr, _ := cmd.Flags().GetString("expiration")
 
-		log.Trace().Dur("expiration", duration).Msg("expiration has been set")
+		duration, err := model.ParseDuration(durationStr)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Could not parse duration: %s\n", err),
+				output,
+			)
+		}
+
+		expiration := time.Now().UTC().Add(time.Duration(duration))
+
+		log.Trace().
+			Dur("expiration", time.Duration(duration)).
+			Msg("expiration has been set")
 
 		request.Expiration = timestamppb.New(expiration)
 
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()
 
@@ -163,17 +187,16 @@ var createPreAuthKeyCmd = &cobra.Command{
 				fmt.Sprintf("Cannot create Pre Auth Key: %s\n", err),
 				output,
 			)
-
-			return
 		}
 
-		SuccessOutput(response.PreAuthKey, response.PreAuthKey.Key, output)
+		SuccessOutput(response.GetPreAuthKey(), response.GetPreAuthKey().GetKey(), output)
 	},
 }
 
 var expirePreAuthKeyCmd = &cobra.Command{
-	Use:   "expire KEY",
-	Short: "Expire a preauthkey",
+	Use:     "expire KEY",
+	Short:   "Expire a preauthkey",
+	Aliases: []string{"revoke", "exp", "e"},
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) < 1 {
 			return errMissingParameter
@@ -183,20 +206,18 @@ var expirePreAuthKeyCmd = &cobra.Command{
 	},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
-		namespace, err := cmd.Flags().GetString("namespace")
+		user, err := cmd.Flags().GetUint64("user")
 		if err != nil {
-			ErrorOutput(err, fmt.Sprintf("Error getting namespace: %s", err), output)
-
-			return
+			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
 		}
 
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()
 
 		request := &v1.ExpirePreAuthKeyRequest{
-			Namespace: namespace,
-			Key:       args[0],
+			User: user,
+			Key:  args[0],
 		}
 
 		response, err := client.ExpirePreAuthKey(ctx, request)
@@ -206,8 +227,6 @@ var expirePreAuthKeyCmd = &cobra.Command{
 				fmt.Sprintf("Cannot expire Pre Auth Key: %s\n", err),
 				output,
 			)
-
-			return
 		}
 
 		SuccessOutput(response, "Key expired", output)

cmd/headscale/cli/pterm_style.go

@@ -0,0 +1,19 @@
+package cli
+
+import (
+	"time"
+
+	"github.com/pterm/pterm"
+)
+
+func ColourTime(date time.Time) string {
+	dateStr := date.Format("2006-01-02 15:04:05")
+
+	if date.After(time.Now()) {
+		dateStr = pterm.LightGreen(dateStr)
+	} else {
+		dateStr = pterm.LightRed(dateStr)
+	}
+
+	return dateStr
+}

cmd/headscale/cli/root.go

@@ -3,17 +3,93 @@ package cli
 import (
 	"fmt"
 	"os"
+	"runtime"
+	"slices"
 
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/tcnksm/go-latest"
 )
 
+const (
+	deprecateNamespaceMessage = "use --user"
+)
+
+var cfgFile string = ""
+
 func init() {
+	if len(os.Args) > 1 &&
+		(os.Args[1] == "version" || os.Args[1] == "mockoidc" || os.Args[1] == "completion") {
+		return
+	}
+
+	if slices.Contains(os.Args, "policy") && slices.Contains(os.Args, "check") {
+		zerolog.SetGlobalLevel(zerolog.Disabled)
+		return
+	}
+
+	cobra.OnInitialize(initConfig)
+	rootCmd.PersistentFlags().
+		StringVarP(&cfgFile, "config", "c", "", "config file (default is /etc/headscale/config.yaml)")
 	rootCmd.PersistentFlags().
 		StringP("output", "o", "", "Output format. Empty for human-readable, 'json', 'json-line' or 'yaml'")
 	rootCmd.PersistentFlags().
 		Bool("force", false, "Disable prompts and forces the execution")
 }
 
+func initConfig() {
+	if cfgFile == "" {
+		cfgFile = os.Getenv("HEADSCALE_CONFIG")
+	}
+	if cfgFile != "" {
+		err := types.LoadConfig(cfgFile, true)
+		if err != nil {
+			log.Fatal().Caller().Err(err).Msgf("Error loading config file %s", cfgFile)
+		}
+	} else {
+		err := types.LoadConfig("", false)
+		if err != nil {
+			log.Fatal().Caller().Err(err).Msgf("Error loading config")
+		}
+	}
+
+	machineOutput := HasMachineOutputFlag()
+
+	// If the user has requested a "node" readable format,
+	// then disable login so the output remains valid.
+	if machineOutput {
+		zerolog.SetGlobalLevel(zerolog.Disabled)
+	}
+
+	logFormat := viper.GetString("log.format")
+	if logFormat == types.JSONLogFormat {
+		log.Logger = log.Output(os.Stdout)
+	}
+
+	disableUpdateCheck := viper.GetBool("disable_check_updates")
+	if !disableUpdateCheck && !machineOutput {
+		if (runtime.GOOS == "linux" || runtime.GOOS == "darwin") &&
+			types.Version != "dev" {
+			githubTag := &latest.GithubTag{
+				Owner:      "juanfont",
+				Repository: "headscale",
+			}
+			res, err := latest.Check(githubTag, types.Version)
+			if err == nil && res.Outdated {
+				//nolint
+				log.Warn().Msgf(
+					"An updated version of Headscale has been found (%s vs. your current %s). Check it out https://github.com/juanfont/headscale/releases\n",
+					res.Current,
+					types.Version,
+				)
+			}
+		}
+	}
+}
+
 var rootCmd = &cobra.Command{
 	Use:   "headscale",
 	Short: "headscale - a Tailscale control server",

cmd/headscale/cli/routes.go

@@ -1,207 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"log"
-	"strconv"
-
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/pterm/pterm"
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-)
-
-func init() {
-	rootCmd.AddCommand(routesCmd)
-
-	listRoutesCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
-	err := listRoutesCmd.MarkFlagRequired("identifier")
-	if err != nil {
-		log.Fatalf(err.Error())
-	}
-	routesCmd.AddCommand(listRoutesCmd)
-
-	enableRouteCmd.Flags().
-		StringSliceP("route", "r", []string{}, "List (or repeated flags) of routes to enable")
-	enableRouteCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
-	err = enableRouteCmd.MarkFlagRequired("identifier")
-	if err != nil {
-		log.Fatalf(err.Error())
-	}
-
-	routesCmd.AddCommand(enableRouteCmd)
-
-	nodeCmd.AddCommand(routesCmd)
-}
-
-var routesCmd = &cobra.Command{
-	Use:   "routes",
-	Short: "Manage the routes of Headscale",
-}
-
-var listRoutesCmd = &cobra.Command{
-	Use:   "list",
-	Short: "List routes advertised and enabled by a given node",
-	Run: func(cmd *cobra.Command, args []string) {
-		output, _ := cmd.Flags().GetString("output")
-
-		machineID, err := cmd.Flags().GetUint64("identifier")
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error getting machine id from flag: %s", err),
-				output,
-			)
-
-			return
-		}
-
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
-		defer cancel()
-		defer conn.Close()
-
-		request := &v1.GetMachineRouteRequest{
-			MachineId: machineID,
-		}
-
-		response, err := client.GetMachineRoute(ctx, request)
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Cannot get nodes: %s", status.Convert(err).Message()),
-				output,
-			)
-
-			return
-		}
-
-		if output != "" {
-			SuccessOutput(response.Routes, "", output)
-
-			return
-		}
-
-		tableData := routesToPtables(response.Routes)
-		if err != nil {
-			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)
-
-			return
-		}
-
-		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Failed to render pterm table: %s", err),
-				output,
-			)
-
-			return
-		}
-	},
-}
-
-var enableRouteCmd = &cobra.Command{
-	Use:   "enable",
-	Short: "Set the enabled routes for a given node",
-	Long: `This command will take a list of routes that will _replace_ 
-the current set of routes on a given node.
-If you would like to disable a route, simply run the command again, but 
-omit the route you do not want to enable.
-	`,
-	Run: func(cmd *cobra.Command, args []string) {
-		output, _ := cmd.Flags().GetString("output")
-
-		machineID, err := cmd.Flags().GetUint64("identifier")
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error getting machine id from flag: %s", err),
-				output,
-			)
-
-			return
-		}
-
-		routes, err := cmd.Flags().GetStringSlice("route")
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error getting routes from flag: %s", err),
-				output,
-			)
-
-			return
-		}
-
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
-		defer cancel()
-		defer conn.Close()
-
-		request := &v1.EnableMachineRoutesRequest{
-			MachineId: machineID,
-			Routes:    routes,
-		}
-
-		response, err := client.EnableMachineRoutes(ctx, request)
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf(
-					"Cannot register machine: %s\n",
-					status.Convert(err).Message(),
-				),
-				output,
-			)
-
-			return
-		}
-
-		if output != "" {
-			SuccessOutput(response.Routes, "", output)
-
-			return
-		}
-
-		tableData := routesToPtables(response.Routes)
-		if err != nil {
-			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)
-
-			return
-		}
-
-		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Failed to render pterm table: %s", err),
-				output,
-			)
-
-			return
-		}
-	},
-}
-
-// routesToPtables converts the list of routes to a nice table.
-func routesToPtables(routes *v1.Routes) pterm.TableData {
-	tableData := pterm.TableData{{"Route", "Enabled"}}
-
-	for _, route := range routes.GetAdvertisedRoutes() {
-		enabled := isStringInSlice(routes.EnabledRoutes, route)
-
-		tableData = append(tableData, []string{route, strconv.FormatBool(enabled)})
-	}
-
-	return tableData
-}
-
-func isStringInSlice(strs []string, s string) bool {
-	for _, s2 := range strs {
-		if s == s2 {
-			return true
-		}
-	}
-
-	return false
-}

cmd/headscale/cli/serve.go

@@ -1,8 +1,10 @@
 package cli
 
 import (
-	"log"
+	"errors"
+	"net/http"
 
+	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )
 
@@ -17,14 +19,14 @@ var serveCmd = &cobra.Command{
 		return nil
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		h, err := getHeadscaleApp()
+		app, err := newHeadscaleServerWithConfig()
 		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
+			log.Fatal().Caller().Err(err).Msg("Error initializing")
 		}
 
-		err = h.Serve()
-		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
+		err = app.Serve()
+		if err != nil && !errors.Is(err, http.ErrServerClosed) {
+			log.Fatal().Caller().Err(err).Msg("Headscale ran into an error and had to shut down.")
 		}
 	},
 }

cmd/headscale/cli/users.go

@@ -0,0 +1,325 @@
+package cli
+
+import (
+	"errors"
+	"fmt"
+	"net/url"
+
+	survey "github.com/AlecAivazis/survey/v2"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/pterm/pterm"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+)
+
+func usernameAndIDFlag(cmd *cobra.Command) {
+	cmd.Flags().Int64P("identifier", "i", -1, "User identifier (ID)")
+	cmd.Flags().StringP("name", "n", "", "Username")
+}
+
+// usernameAndIDFromFlag returns the username and ID from the flags of the command.
+// If both are empty, it will exit the program with an error.
+func usernameAndIDFromFlag(cmd *cobra.Command) (uint64, string) {
+	username, _ := cmd.Flags().GetString("name")
+	identifier, _ := cmd.Flags().GetInt64("identifier")
+	if username == "" && identifier < 0 {
+		err := errors.New("--name or --identifier flag is required")
+		ErrorOutput(
+			err,
+			fmt.Sprintf(
+				"Cannot rename user: %s",
+				status.Convert(err).Message(),
+			),
+			"",
+		)
+	}
+
+	return uint64(identifier), username
+}
+
+func init() {
+	rootCmd.AddCommand(userCmd)
+	userCmd.AddCommand(createUserCmd)
+	createUserCmd.Flags().StringP("display-name", "d", "", "Display name")
+	createUserCmd.Flags().StringP("email", "e", "", "Email")
+	createUserCmd.Flags().StringP("picture-url", "p", "", "Profile picture URL")
+	userCmd.AddCommand(listUsersCmd)
+	usernameAndIDFlag(listUsersCmd)
+	listUsersCmd.Flags().StringP("email", "e", "", "Email")
+	userCmd.AddCommand(destroyUserCmd)
+	usernameAndIDFlag(destroyUserCmd)
+	userCmd.AddCommand(renameUserCmd)
+	usernameAndIDFlag(renameUserCmd)
+	renameUserCmd.Flags().StringP("new-name", "r", "", "New username")
+	renameNodeCmd.MarkFlagRequired("new-name")
+}
+
+var errMissingParameter = errors.New("missing parameters")
+
+var userCmd = &cobra.Command{
+	Use:     "users",
+	Short:   "Manage the users of Headscale",
+	Aliases: []string{"user", "namespace", "namespaces", "ns"},
+}
+
+var createUserCmd = &cobra.Command{
+	Use:     "create NAME",
+	Short:   "Creates a new user",
+	Aliases: []string{"c", "new"},
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 {
+			return errMissingParameter
+		}
+
+		return nil
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		userName := args[0]
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		log.Trace().Interface("client", client).Msg("Obtained gRPC client")
+
+		request := &v1.CreateUserRequest{Name: userName}
+
+		if displayName, _ := cmd.Flags().GetString("display-name"); displayName != "" {
+			request.DisplayName = displayName
+		}
+
+		if email, _ := cmd.Flags().GetString("email"); email != "" {
+			request.Email = email
+		}
+
+		if pictureURL, _ := cmd.Flags().GetString("picture-url"); pictureURL != "" {
+			if _, err := url.Parse(pictureURL); err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf(
+						"Invalid Picture URL: %s",
+						err,
+					),
+					output,
+				)
+			}
+			request.PictureUrl = pictureURL
+		}
+
+		log.Trace().Interface("request", request).Msg("Sending CreateUser request")
+		response, err := client.CreateUser(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Cannot create user: %s",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+		}
+
+		SuccessOutput(response.GetUser(), "User created", output)
+	},
+}
+
+var destroyUserCmd = &cobra.Command{
+	Use:     "destroy --identifier ID or --name NAME",
+	Short:   "Destroys a user",
+	Aliases: []string{"delete"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		id, username := usernameAndIDFromFlag(cmd)
+		request := &v1.ListUsersRequest{
+			Name: username,
+			Id:   id,
+		}
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		users, err := client.ListUsers(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
+				output,
+			)
+		}
+
+		if len(users.GetUsers()) != 1 {
+			err := fmt.Errorf("Unable to determine user to delete, query returned multiple users, use ID")
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
+				output,
+			)
+		}
+
+		user := users.GetUsers()[0]
+
+		confirm := false
+		force, _ := cmd.Flags().GetBool("force")
+		if !force {
+			prompt := &survey.Confirm{
+				Message: fmt.Sprintf(
+					"Do you want to remove the user %q (%d) and any associated preauthkeys?",
+					user.GetName(), user.GetId(),
+				),
+			}
+			err := survey.AskOne(prompt, &confirm)
+			if err != nil {
+				return
+			}
+		}
+
+		if confirm || force {
+			request := &v1.DeleteUserRequest{Id: user.GetId()}
+
+			response, err := client.DeleteUser(ctx, request)
+			if err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf(
+						"Cannot destroy user: %s",
+						status.Convert(err).Message(),
+					),
+					output,
+				)
+			}
+			SuccessOutput(response, "User destroyed", output)
+		} else {
+			SuccessOutput(map[string]string{"Result": "User not destroyed"}, "User not destroyed", output)
+		}
+	},
+}
+
+var listUsersCmd = &cobra.Command{
+	Use:     "list",
+	Short:   "List all the users",
+	Aliases: []string{"ls", "show"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.ListUsersRequest{}
+
+		id, _ := cmd.Flags().GetInt64("identifier")
+		username, _ := cmd.Flags().GetString("name")
+		email, _ := cmd.Flags().GetString("email")
+
+		// filter by one param at most
+		switch {
+		case id > 0:
+			request.Id = uint64(id)
+			break
+		case username != "":
+			request.Name = username
+			break
+		case email != "":
+			request.Email = email
+			break
+		}
+
+		response, err := client.ListUsers(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot get users: %s", status.Convert(err).Message()),
+				output,
+			)
+		}
+
+		if output != "" {
+			SuccessOutput(response.GetUsers(), "", output)
+		}
+
+		tableData := pterm.TableData{{"ID", "Name", "Username", "Email", "Created"}}
+		for _, user := range response.GetUsers() {
+			tableData = append(
+				tableData,
+				[]string{
+					fmt.Sprintf("%d", user.GetId()),
+					user.GetDisplayName(),
+					user.GetName(),
+					user.GetEmail(),
+					user.GetCreatedAt().AsTime().Format("2006-01-02 15:04:05"),
+				},
+			)
+		}
+		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Failed to render pterm table: %s", err),
+				output,
+			)
+		}
+	},
+}
+
+var renameUserCmd = &cobra.Command{
+	Use:     "rename",
+	Short:   "Renames a user",
+	Aliases: []string{"mv"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		id, username := usernameAndIDFromFlag(cmd)
+		listReq := &v1.ListUsersRequest{
+			Name: username,
+			Id:   id,
+		}
+
+		users, err := client.ListUsers(ctx, listReq)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
+				output,
+			)
+		}
+
+		if len(users.GetUsers()) != 1 {
+			err := fmt.Errorf("Unable to determine user to delete, query returned multiple users, use ID")
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
+				output,
+			)
+		}
+
+		newName, _ := cmd.Flags().GetString("new-name")
+
+		renameReq := &v1.RenameUserRequest{
+			OldId:   id,
+			NewName: newName,
+		}
+
+		response, err := client.RenameUser(ctx, renameReq)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Cannot rename user: %s",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+		}
+
+		SuccessOutput(response.GetUser(), "User renamed", output)
+	},
+}

cmd/headscale/cli/utils.go

@@ -2,321 +2,53 @@ package cli
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
-	"errors"
 	"fmt"
-	"net/url"
 	"os"
-	"path/filepath"
-	"regexp"
-	"strings"
-	"time"
 
-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
-	"github.com/spf13/viper"
 	"google.golang.org/grpc"
-	"gopkg.in/yaml.v2"
-	"inet.af/netaddr"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/dnstype"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
+	"gopkg.in/yaml.v3"
 )
 
-func LoadConfig(path string) error {
-	viper.SetConfigName("config")
-	if path == "" {
-		viper.AddConfigPath("/etc/headscale/")
-		viper.AddConfigPath("$HOME/.headscale")
-		viper.AddConfigPath(".")
-	} else {
-		// For testing
-		viper.AddConfigPath(path)
-	}
+const (
+	HeadscaleDateTimeFormat = "2006-01-02 15:04:05"
+	SocketWritePermissions  = 0o666
+)
 
-	viper.SetEnvPrefix("headscale")
-	viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
-	viper.AutomaticEnv()
-
-	viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
-	viper.SetDefault("tls_letsencrypt_challenge_type", "HTTP-01")
-
-	viper.SetDefault("ip_prefix", "100.64.0.0/10")
-
-	viper.SetDefault("log_level", "info")
-
-	viper.SetDefault("dns_config", nil)
-
-	viper.SetDefault("unix_socket", "/var/run/headscale.sock")
-
-	viper.SetDefault("cli.insecure", false)
-	viper.SetDefault("cli.timeout", "5s")
-
-	if err := viper.ReadInConfig(); err != nil {
-		return fmt.Errorf("fatal error reading config file: %w", err)
-	}
-
-	// Collect any validation errors and return them all at once
-	var errorText string
-	if (viper.GetString("tls_letsencrypt_hostname") != "") &&
-		((viper.GetString("tls_cert_path") != "") || (viper.GetString("tls_key_path") != "")) {
-		errorText += "Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both\n"
-	}
-
-	if (viper.GetString("tls_letsencrypt_hostname") != "") &&
-		(viper.GetString("tls_letsencrypt_challenge_type") == "TLS-ALPN-01") &&
-		(!strings.HasSuffix(viper.GetString("listen_addr"), ":443")) {
-		// this is only a warning because there could be something sitting in front of headscale that redirects the traffic (e.g. an iptables rule)
-		log.Warn().
-			Msg("Warning: when using tls_letsencrypt_hostname with TLS-ALPN-01 as challenge type, headscale must be reachable on port 443, i.e. listen_addr should probably end in :443")
-	}
-
-	if (viper.GetString("tls_letsencrypt_challenge_type") != "HTTP-01") &&
-		(viper.GetString("tls_letsencrypt_challenge_type") != "TLS-ALPN-01") {
-		errorText += "Fatal config error: the only supported values for tls_letsencrypt_challenge_type are HTTP-01 and TLS-ALPN-01\n"
-	}
-
-	if !strings.HasPrefix(viper.GetString("server_url"), "http://") &&
-		!strings.HasPrefix(viper.GetString("server_url"), "https://") {
-		errorText += "Fatal config error: server_url must start with https:// or http://\n"
-	}
-	if errorText != "" {
-		//nolint
-		return errors.New(strings.TrimSuffix(errorText, "\n"))
-	} else {
-		return nil
-	}
-}
-
-func GetDERPConfig() headscale.DERPConfig {
-	urlStrs := viper.GetStringSlice("derp.urls")
-
-	urls := make([]url.URL, len(urlStrs))
-	for index, urlStr := range urlStrs {
-		urlAddr, err := url.Parse(urlStr)
-		if err != nil {
-			log.Error().
-				Str("url", urlStr).
-				Err(err).
-				Msg("Failed to parse url, ignoring...")
-		}
-
-		urls[index] = *urlAddr
-	}
-
-	paths := viper.GetStringSlice("derp.paths")
-
-	autoUpdate := viper.GetBool("derp.auto_update_enabled")
-	updateFrequency := viper.GetDuration("derp.update_frequency")
-
-	return headscale.DERPConfig{
-		URLs:            urls,
-		Paths:           paths,
-		AutoUpdate:      autoUpdate,
-		UpdateFrequency: updateFrequency,
-	}
-}
-
-func GetDNSConfig() (*tailcfg.DNSConfig, string) {
-	if viper.IsSet("dns_config") {
-		dnsConfig := &tailcfg.DNSConfig{}
-
-		if viper.IsSet("dns_config.nameservers") {
-			nameserversStr := viper.GetStringSlice("dns_config.nameservers")
-
-			nameservers := make([]netaddr.IP, len(nameserversStr))
-			resolvers := make([]dnstype.Resolver, len(nameserversStr))
-
-			for index, nameserverStr := range nameserversStr {
-				nameserver, err := netaddr.ParseIP(nameserverStr)
-				if err != nil {
-					log.Error().
-						Str("func", "getDNSConfig").
-						Err(err).
-						Msgf("Could not parse nameserver IP: %s", nameserverStr)
-				}
-
-				nameservers[index] = nameserver
-				resolvers[index] = dnstype.Resolver{
-					Addr: nameserver.String(),
-				}
-			}
-
-			dnsConfig.Nameservers = nameservers
-			dnsConfig.Resolvers = resolvers
-		}
-
-		if viper.IsSet("dns_config.restricted_nameservers") {
-			if len(dnsConfig.Nameservers) > 0 {
-				dnsConfig.Routes = make(map[string][]dnstype.Resolver)
-				restrictedDNS := viper.GetStringMapStringSlice(
-					"dns_config.restricted_nameservers",
-				)
-				for domain, restrictedNameservers := range restrictedDNS {
-					restrictedResolvers := make(
-						[]dnstype.Resolver,
-						len(restrictedNameservers),
-					)
-					for index, nameserverStr := range restrictedNameservers {
-						nameserver, err := netaddr.ParseIP(nameserverStr)
-						if err != nil {
-							log.Error().
-								Str("func", "getDNSConfig").
-								Err(err).
-								Msgf("Could not parse restricted nameserver IP: %s", nameserverStr)
-						}
-						restrictedResolvers[index] = dnstype.Resolver{
-							Addr: nameserver.String(),
-						}
-					}
-					dnsConfig.Routes[domain] = restrictedResolvers
-				}
-			} else {
-				log.Warn().
-					Msg("Warning: dns_config.restricted_nameservers is set, but no nameservers are configured. Ignoring restricted_nameservers.")
-			}
-		}
-
-		if viper.IsSet("dns_config.domains") {
-			dnsConfig.Domains = viper.GetStringSlice("dns_config.domains")
-		}
-
-		if viper.IsSet("dns_config.magic_dns") {
-			magicDNS := viper.GetBool("dns_config.magic_dns")
-			if len(dnsConfig.Nameservers) > 0 {
-				dnsConfig.Proxied = magicDNS
-			} else if magicDNS {
-				log.Warn().
-					Msg("Warning: dns_config.magic_dns is set, but no nameservers are configured. Ignoring magic_dns.")
-			}
-		}
-
-		var baseDomain string
-		if viper.IsSet("dns_config.base_domain") {
-			baseDomain = viper.GetString("dns_config.base_domain")
-		} else {
-			baseDomain = "headscale.net" // does not really matter when MagicDNS is not enabled
-		}
-
-		return dnsConfig, baseDomain
-	}
-
-	return nil, ""
-}
-
-func absPath(path string) string {
-	// If a relative path is provided, prefix it with the the directory where
-	// the config file was found.
-	if (path != "") && !strings.HasPrefix(path, string(os.PathSeparator)) {
-		dir, _ := filepath.Split(viper.ConfigFileUsed())
-		if dir != "" {
-			path = filepath.Join(dir, path)
-		}
-	}
-
-	return path
-}
-
-func getHeadscaleConfig() headscale.Config {
-	dnsConfig, baseDomain := GetDNSConfig()
-	derpConfig := GetDERPConfig()
-
-	return headscale.Config{
-		ServerURL:      viper.GetString("server_url"),
-		Addr:           viper.GetString("listen_addr"),
-		IPPrefix:       netaddr.MustParseIPPrefix(viper.GetString("ip_prefix")),
-		PrivateKeyPath: absPath(viper.GetString("private_key_path")),
-		BaseDomain:     baseDomain,
-
-		DERP: derpConfig,
-
-		EphemeralNodeInactivityTimeout: viper.GetDuration(
-			"ephemeral_node_inactivity_timeout",
-		),
-
-		DBtype: viper.GetString("db_type"),
-		DBpath: absPath(viper.GetString("db_path")),
-		DBhost: viper.GetString("db_host"),
-		DBport: viper.GetInt("db_port"),
-		DBname: viper.GetString("db_name"),
-		DBuser: viper.GetString("db_user"),
-		DBpass: viper.GetString("db_pass"),
-
-		TLSLetsEncryptHostname: viper.GetString("tls_letsencrypt_hostname"),
-		TLSLetsEncryptListen:   viper.GetString("tls_letsencrypt_listen"),
-		TLSLetsEncryptCacheDir: absPath(
-			viper.GetString("tls_letsencrypt_cache_dir"),
-		),
-		TLSLetsEncryptChallengeType: viper.GetString("tls_letsencrypt_challenge_type"),
-
-		TLSCertPath: absPath(viper.GetString("tls_cert_path")),
-		TLSKeyPath:  absPath(viper.GetString("tls_key_path")),
-
-		DNSConfig: dnsConfig,
-
-		ACMEEmail: viper.GetString("acme_email"),
-		ACMEURL:   viper.GetString("acme_url"),
-
-		UnixSocket: viper.GetString("unix_socket"),
-
-		OIDC: headscale.OIDCConfig{
-			Issuer:       viper.GetString("oidc.issuer"),
-			ClientID:     viper.GetString("oidc.client_id"),
-			ClientSecret: viper.GetString("oidc.client_secret"),
-		},
-
-		CLI: headscale.CLIConfig{
-			Address:  viper.GetString("cli.address"),
-			APIKey:   viper.GetString("cli.api_key"),
-			Insecure: viper.GetBool("cli.insecure"),
-			Timeout:  viper.GetDuration("cli.timeout"),
-		},
-	}
-}
-
-func getHeadscaleApp() (*headscale.Headscale, error) {
-	// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
-	// to avoid races
-	minInactivityTimeout, _ := time.ParseDuration("65s")
-	if viper.GetDuration("ephemeral_node_inactivity_timeout") <= minInactivityTimeout {
-		// TODO: Find a better way to return this text
-		//nolint
-		err := fmt.Errorf(
-			"ephemeral_node_inactivity_timeout (%s) is set too low, must be more than %s",
-			viper.GetString("ephemeral_node_inactivity_timeout"),
-			minInactivityTimeout,
-		)
-
-		return nil, err
-	}
-
-	cfg := getHeadscaleConfig()
-
-	cfg.OIDC.MatchMap = loadOIDCMatchMap()
-
-	app, err := headscale.NewHeadscale(cfg)
+func newHeadscaleServerWithConfig() (*hscontrol.Headscale, error) {
+	cfg, err := types.LoadServerConfig()
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf(
+			"loading configuration: %w",
+			err,
+		)
 	}
 
-	// We are doing this here, as in the future could be cool to have it also hot-reload
-
-	if viper.GetString("acl_policy_path") != "" {
-		aclPath := absPath(viper.GetString("acl_policy_path"))
-		err = app.LoadACLPolicy(aclPath)
-		if err != nil {
-			log.Error().
-				Str("path", aclPath).
-				Err(err).
-				Msg("Could not load the ACL policy")
-		}
+	app, err := hscontrol.NewHeadscale(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("creating new headscale: %w", err)
 	}
 
 	return app, nil
 }
 
-func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.ClientConn, context.CancelFunc) {
-	cfg := getHeadscaleConfig()
+func newHeadscaleCLIWithConfig() (context.Context, v1.HeadscaleServiceClient, *grpc.ClientConn, context.CancelFunc) {
+	cfg, err := types.LoadCLIConfig()
+	if err != nil {
+		log.Fatal().
+			Err(err).
+			Caller().
+			Msgf("Failed to load configuration")
+		os.Exit(-1) // we get here if logging is suppressed (i.e., json output)
+	}
 
 	log.Debug().
 		Dur("timeout", cfg.CLI.Timeout).
@@ -330,7 +62,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 
 	address := cfg.CLI.Address
 
-	// If the address is not set, we assume that we are on the server hosting headscale.
+	// If the address is not set, we assume that we are on the server hosting hscontrol.
 	if address == "" {
 		log.Debug().
 			Str("socket", cfg.UnixSocket).
@@ -338,16 +70,29 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 
 		address = cfg.UnixSocket
 
+		// Try to give the user better feedback if we cannot write to the headscale
+		// socket.
+		socket, err := os.OpenFile(cfg.UnixSocket, os.O_WRONLY, SocketWritePermissions) // nolint
+		if err != nil {
+			if os.IsPermission(err) {
+				log.Fatal().
+					Err(err).
+					Str("socket", cfg.UnixSocket).
+					Msgf("Unable to read/write to headscale socket, do you have the correct permissions?")
+			}
+		}
+		socket.Close()
+
 		grpcOptions = append(
 			grpcOptions,
-			grpc.WithInsecure(),
-			grpc.WithContextDialer(headscale.GrpcSocketDialer),
+			grpc.WithTransportCredentials(insecure.NewCredentials()),
+			grpc.WithContextDialer(util.GrpcSocketDialer),
 		)
 	} else {
 		// If we are not connecting to a local server, require an API key for authentication
 		apiKey := cfg.CLI.APIKey
 		if apiKey == "" {
-			log.Fatal().Msgf("HEADSCALE_CLI_API_KEY environment variable needs to be set.")
+			log.Fatal().Caller().Msgf("HEADSCALE_CLI_API_KEY environment variable needs to be set.")
 		}
 		grpcOptions = append(grpcOptions,
 			grpc.WithPerRPCCredentials(tokenAuth{
@@ -356,14 +101,28 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 		)
 
 		if cfg.CLI.Insecure {
-			grpcOptions = append(grpcOptions, grpc.WithInsecure())
+			tlsConfig := &tls.Config{
+				// turn of gosec as we are intentionally setting
+				// insecure.
+				//nolint:gosec
+				InsecureSkipVerify: true,
+			}
+
+			grpcOptions = append(grpcOptions,
+				grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
+			)
+		} else {
+			grpcOptions = append(grpcOptions,
+				grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
+			)
 		}
 	}
 
 	log.Trace().Caller().Str("address", address).Msg("Connecting via gRPC")
 	conn, err := grpc.DialContext(ctx, address, grpcOptions...)
 	if err != nil {
-		log.Fatal().Err(err).Msgf("Could not connect: %v", err)
+		log.Fatal().Caller().Err(err).Msgf("Could not connect: %v", err)
+		os.Exit(-1) // we get here if logging is suppressed (i.e., json output)
 	}
 
 	client := v1.NewHeadscaleServiceClient(conn)
@@ -371,42 +130,47 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 	return ctx, client, conn, cancel
 }
 
-func SuccessOutput(result interface{}, override string, outputFormat string) {
-	var j []byte
+func output(result interface{}, override string, outputFormat string) string {
+	var jsonBytes []byte
 	var err error
 	switch outputFormat {
 	case "json":
-		j, err = json.MarshalIndent(result, "", "\t")
+		jsonBytes, err = json.MarshalIndent(result, "", "\t")
 		if err != nil {
-			log.Fatal().Err(err)
+			log.Fatal().Err(err).Msg("failed to unmarshal output")
 		}
 	case "json-line":
-		j, err = json.Marshal(result)
+		jsonBytes, err = json.Marshal(result)
 		if err != nil {
-			log.Fatal().Err(err)
+			log.Fatal().Err(err).Msg("failed to unmarshal output")
 		}
 	case "yaml":
-		j, err = yaml.Marshal(result)
+		jsonBytes, err = yaml.Marshal(result)
 		if err != nil {
-			log.Fatal().Err(err)
+			log.Fatal().Err(err).Msg("failed to unmarshal output")
 		}
 	default:
-		//nolint
-		fmt.Println(override)
-
-		return
+		// nolint
+		return override
 	}
 
-	//nolint
-	fmt.Println(string(j))
+	return string(jsonBytes)
 }
 
+// SuccessOutput prints the result to stdout and exits with status code 0.
+func SuccessOutput(result interface{}, override string, outputFormat string) {
+	fmt.Println(output(result, override, outputFormat))
+	os.Exit(0)
+}
+
+// ErrorOutput prints an error message to stderr and exits with status code 1.
 func ErrorOutput(errResult error, override string, outputFormat string) {
 	type errOutput struct {
 		Error string `json:"error"`
 	}
 
-	SuccessOutput(errOutput{errResult.Error()}, override, outputFormat)
+	fmt.Fprintf(os.Stderr, "%s\n", output(errOutput{errResult.Error()}, override, outputFormat))
+	os.Exit(1)
 }
 
 func HasMachineOutputFlag() bool {
@@ -436,15 +200,3 @@ func (t tokenAuth) GetRequestMetadata(
 func (tokenAuth) RequireTransportSecurity() bool {
 	return true
 }
-
-// loadOIDCMatchMap is a wrapper around viper to verifies that the keys in
-// the match map is valid regex strings.
-func loadOIDCMatchMap() map[string]string {
-	strMap := viper.GetStringMapString("oidc.domain_map")
-
-	for oidcMatcher := range strMap {
-		_ = regexp.MustCompile(oidcMatcher)
-	}
-
-	return strMap
-}

cmd/headscale/cli/version.go

@@ -1,11 +1,10 @@
 package cli
 
 import (
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/spf13/cobra"
 )
 
-var Version = "dev"
-
 func init() {
 	rootCmd.AddCommand(versionCmd)
 }
@@ -16,6 +15,9 @@ var versionCmd = &cobra.Command{
 	Long:  "The version of headscale.",
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
-		SuccessOutput(map[string]string{"version": Version}, Version, output)
+		SuccessOutput(map[string]string{
+			"version": types.Version,
+			"commit":  types.GitCommitHash,
+		}, types.Version, output)
 	},
 }

cmd/headscale/headscale.go

@@ -1,17 +1,13 @@
 package main
 
 import (
-	"fmt"
 	"os"
-	"runtime"
 	"time"
 
-	"github.com/efekarakus/termcolor"
+	"github.com/jagottsicher/termcolor"
 	"github.com/juanfont/headscale/cmd/headscale/cli"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
-	"github.com/spf13/viper"
-	"github.com/tcnksm/go-latest"
 )
 
 func main() {
@@ -38,49 +34,10 @@ func main() {
 
 	zerolog.TimeFieldFormat = zerolog.TimeFormatUnix
 	log.Logger = log.Output(zerolog.ConsoleWriter{
-		Out:        os.Stdout,
+		Out:        os.Stderr,
 		TimeFormat: time.RFC3339,
 		NoColor:    !colors,
 	})
 
-	if err := cli.LoadConfig(""); err != nil {
-		log.Fatal().Err(err)
-	}
-
-	machineOutput := cli.HasMachineOutputFlag()
-
-	logLevel := viper.GetString("log_level")
-	level, err := zerolog.ParseLevel(logLevel)
-	if err != nil {
-		zerolog.SetGlobalLevel(zerolog.DebugLevel)
-	} else {
-		zerolog.SetGlobalLevel(level)
-	}
-
-	// If the user has requested a "machine" readable format,
-	// then disable login so the output remains valid.
-	if machineOutput {
-		zerolog.SetGlobalLevel(zerolog.Disabled)
-	}
-
-	if !viper.GetBool("disable_check_updates") && !machineOutput {
-		if (runtime.GOOS == "linux" || runtime.GOOS == "darwin") &&
-			cli.Version != "dev" {
-			githubTag := &latest.GithubTag{
-				Owner:      "juanfont",
-				Repository: "headscale",
-			}
-			res, err := latest.Check(githubTag, cli.Version)
-			if err == nil && res.Outdated {
-				//nolint
-				fmt.Printf(
-					"An updated version of Headscale has been found (%s vs. your current %s). Check it out https://github.com/juanfont/headscale/releases\n",
-					res.Current,
-					cli.Version,
-				)
-			}
-		}
-	}
-
 	cli.Execute()
 }

cmd/headscale/headscale_test.go

@@ -1,13 +1,13 @@
 package main
 
 import (
-	"io/ioutil"
+	"io/fs"
 	"os"
 	"path/filepath"
-	"strings"
 	"testing"
 
-	"github.com/juanfont/headscale/cmd/headscale/cli"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/spf13/viper"
 	"gopkg.in/check.v1"
 )
@@ -26,8 +26,8 @@ func (s *Suite) SetUpSuite(c *check.C) {
 func (s *Suite) TearDownSuite(c *check.C) {
 }
 
-func (*Suite) TestConfigLoading(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "headscale")
+func (*Suite) TestConfigFileLoading(c *check.C) {
+	tmpDir, err := os.MkdirTemp("", "headscale")
 	if err != nil {
 		c.Fatal(err)
 	}
@@ -38,33 +38,40 @@ func (*Suite) TestConfigLoading(c *check.C) {
 		c.Fatal(err)
 	}
 
+	cfgFile := filepath.Join(tmpDir, "config.yaml")
+
 	// Symlink the example config file
 	err = os.Symlink(
 		filepath.Clean(path+"/../../config-example.yaml"),
-		filepath.Join(tmpDir, "config.yaml"),
+		cfgFile,
 	)
 	if err != nil {
 		c.Fatal(err)
 	}
 
 	// Load example config, it should load without validation errors
-	err = cli.LoadConfig(tmpDir)
+	err = types.LoadConfig(cfgFile, true)
 	c.Assert(err, check.IsNil)
 
 	// Test that config file was interpreted correctly
 	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
-	c.Assert(viper.GetString("listen_addr"), check.Equals, "0.0.0.0:8080")
-	c.Assert(viper.GetStringSlice("derp.paths")[0], check.Equals, "derp-example.yaml")
-	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
-	c.Assert(viper.GetString("db_path"), check.Equals, "db.sqlite")
+	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
+	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
+	c.Assert(viper.GetString("database.type"), check.Equals, "sqlite")
+	c.Assert(viper.GetString("database.sqlite.path"), check.Equals, "/var/lib/headscale/db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
-	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
+	c.Assert(
+		util.GetFileMode("unix_socket_permission"),
+		check.Equals,
+		fs.FileMode(0o770),
+	)
+	c.Assert(viper.GetBool("logtail.enabled"), check.Equals, false)
 }
 
-func (*Suite) TestDNSConfigLoading(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "headscale")
+func (*Suite) TestConfigLoading(c *check.C) {
+	tmpDir, err := os.MkdirTemp("", "headscale")
 	if err != nil {
 		c.Fatal(err)
 	}
@@ -85,64 +92,23 @@ func (*Suite) TestDNSConfigLoading(c *check.C) {
 	}
 
 	// Load example config, it should load without validation errors
-	err = cli.LoadConfig(tmpDir)
+	err = types.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)
 
-	dnsConfig, baseDomain := cli.GetDNSConfig()
-
-	c.Assert(dnsConfig.Nameservers[0].String(), check.Equals, "1.1.1.1")
-	c.Assert(dnsConfig.Resolvers[0].Addr, check.Equals, "1.1.1.1")
-	c.Assert(dnsConfig.Proxied, check.Equals, true)
-	c.Assert(baseDomain, check.Equals, "example.com")
-}
-
-func writeConfig(c *check.C, tmpDir string, configYaml []byte) {
-	// Populate a custom config file
-	configFile := filepath.Join(tmpDir, "config.yaml")
-	err := ioutil.WriteFile(configFile, configYaml, 0o600)
-	if err != nil {
-		c.Fatalf("Couldn't write file %s", configFile)
-	}
-}
-
-func (*Suite) TestTLSConfigValidation(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "headscale")
-	if err != nil {
-		c.Fatal(err)
-	}
-	// defer os.RemoveAll(tmpDir)
-
-	configYaml := []byte(
-		"---\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"\"\ntls_cert_path: \"abc.pem\"",
-	)
-	writeConfig(c, tmpDir, configYaml)
-
-	// Check configuration validation errors (1)
-	err = cli.LoadConfig(tmpDir)
-	c.Assert(err, check.NotNil)
-	// check.Matches can not handle multiline strings
-	tmp := strings.ReplaceAll(err.Error(), "\n", "***")
+	// Test that config file was interpreted correctly
+	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
+	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
+	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
+	c.Assert(viper.GetString("database.type"), check.Equals, "sqlite")
+	c.Assert(viper.GetString("database.sqlite.path"), check.Equals, "/var/lib/headscale/db.sqlite")
+	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
+	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
+	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
 	c.Assert(
-		tmp,
-		check.Matches,
-		".*Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both.*",
+		util.GetFileMode("unix_socket_permission"),
+		check.Equals,
+		fs.FileMode(0o770),
 	)
-	c.Assert(
-		tmp,
-		check.Matches,
-		".*Fatal config error: the only supported values for tls_letsencrypt_challenge_type are.*",
-	)
-	c.Assert(
-		tmp,
-		check.Matches,
-		".*Fatal config error: server_url must start with https:// or http://.*",
-	)
-
-	// Check configuration validation errors (2)
-	configYaml = []byte(
-		"---\nserver_url: \"http://127.0.0.1:8080\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"TLS-ALPN-01\"",
-	)
-	writeConfig(c, tmpDir, configYaml)
-	err = cli.LoadConfig(tmpDir)
-	c.Assert(err, check.IsNil)
+	c.Assert(viper.GetBool("logtail.enabled"), check.Equals, false)
+	c.Assert(viper.GetBool("randomize_client_port"), check.Equals, false)
 }

config-example.yaml

@@ -1,85 +1,391 @@
 ---
+# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
+#
+# - `/etc/headscale`
+# - `~/.headscale`
+# - current working directory
+
 # The url clients will connect to.
-# Typically this will be a domain.
+# Typically this will be a domain like:
+#
+# https://myheadscale.example.com:443
+#
 server_url: http://127.0.0.1:8080
 
 # Address to listen to / bind to on the server
-listen_addr: 0.0.0.0:8080
+#
+# For production:
+# listen_addr: 0.0.0.0:8080
+listen_addr: 127.0.0.1:8080
 
-# Private key file which will be
-# autogenerated if it's missing
-private_key_path: private.key
+# Address to listen to /metrics and /debug, you may want
+# to keep this endpoint private to your internal network
+metrics_listen_addr: 127.0.0.1:9090
 
+# Address to listen for gRPC.
+# gRPC is used for controlling a headscale server
+# remotely with the CLI
+# Note: Remote access _only_ works if you have
+# valid certificates.
+#
+# For production:
+# grpc_listen_addr: 0.0.0.0:50443
+grpc_listen_addr: 127.0.0.1:50443
+
+# Allow the gRPC admin interface to run in INSECURE
+# mode. This is not recommended as the traffic will
+# be unencrypted. Only enable if you know what you
+# are doing.
+grpc_allow_insecure: false
+
+# The Noise section includes specific configuration for the
+# TS2021 Noise protocol
+noise:
+  # The Noise private key is used to encrypt the traffic between headscale and
+  # Tailscale clients when using the new Noise-based protocol. A missing key
+  # will be automatically generated.
+  private_key_path: /var/lib/headscale/noise_private.key
+
+# List of IP prefixes to allocate tailaddresses from.
+# Each prefix consists of either an IPv4 or IPv6 address,
+# and the associated prefix length, delimited by a slash.
+# It must be within IP ranges supported by the Tailscale
+# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
+# See below:
+# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
+# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
+# Any other range is NOT supported, and it will cause unexpected issues.
+prefixes:
+  v4: 100.64.0.0/10
+  v6: fd7a:115c:a1e0::/48
+
+  # Strategy used for allocation of IPs to nodes, available options:
+  # - sequential (default): assigns the next free IP from the previous given IP.
+  # - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
+  allocation: sequential
+
+# DERP is a relay system that Tailscale uses when a direct
+# connection cannot be established.
+# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
+#
+# headscale needs a list of DERP servers that can be presented
+# to the clients.
 derp:
+  server:
+    # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
+    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
+    enabled: false
+
+    # Region ID to use for the embedded DERP server.
+    # The local DERP prevails if the region ID collides with other region ID coming from
+    # the regular DERP config.
+    region_id: 999
+
+    # Region code and name are displayed in the Tailscale UI to identify a DERP region
+    region_code: "headscale"
+    region_name: "Headscale Embedded DERP"
+
+    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
+    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
+    #
+    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
+    stun_listen_addr: "0.0.0.0:3478"
+
+    # Private key used to encrypt the traffic between headscale DERP and
+    # Tailscale clients. A missing key will be automatically generated.
+    private_key_path: /var/lib/headscale/derp_server_private.key
+
+    # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
+    # it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
+    # If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
+    automatically_add_embedded_derp_region: true
+
+    # For better connection stability (especially when using an Exit-Node and DNS is not working),
+    # it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
+    ipv4: 1.2.3.4
+    ipv6: 2001:db8::1
+
   # List of externally available DERP maps encoded in JSON
   urls:
     - https://controlplane.tailscale.com/derpmap/default
 
   # Locally available DERP map files encoded in YAML
-  paths:
-    - derp-example.yaml
+  #
+  # This option is mostly interesting for people hosting
+  # their own DERP servers:
+  # https://tailscale.com/kb/1118/custom-derp-servers/
+  #
+  # paths:
+  #   - /etc/headscale/derp-example.yaml
+  paths: []
 
   # If enabled, a worker will be set up to periodically
   # refresh the given sources and update the derpmap
   # will be set up.
   auto_update_enabled: true
 
-  # How often should we check for updates?
+  # How often should we check for DERP updates?
   update_frequency: 24h
 
-# Disables the automatic check for updates on startup
+# Disables the automatic check for headscale updates on startup
 disable_check_updates: false
+
+# Time before an inactive ephemeral node is deleted?
 ephemeral_node_inactivity_timeout: 30m
 
-# SQLite config
-db_type: sqlite3
-db_path: db.sqlite
+database:
+  # Database type. Available options: sqlite, postgres
+  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+  # All new development, testing and optimisations are done with SQLite in mind.
+  type: sqlite
 
-# # Postgres config
-# db_type: postgres
-# db_host: localhost
-# db_port: 5432
-# db_name: headscale
-# db_user: foo
-# db_pass: bar
+  # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
+  debug: false
 
+  # GORM configuration settings.
+  gorm:
+    # Enable prepared statements.
+    prepare_stmt: true
+
+    # Enable parameterized queries.
+    parameterized_queries: true
+
+    # Skip logging "record not found" errors.
+    skip_err_record_not_found: true
+
+    # Threshold for slow queries in milliseconds.
+    slow_threshold: 1000
+
+  # SQLite config
+  sqlite:
+    path: /var/lib/headscale/db.sqlite
+
+    # Enable WAL mode for SQLite. This is recommended for production environments.
+    # https://www.sqlite.org/wal.html
+    write_ahead_log: true
+
+    # Maximum number of WAL file frames before the WAL file is automatically checkpointed.
+    # https://www.sqlite.org/c3ref/wal_autocheckpoint.html
+    # Set to 0 to disable automatic checkpointing.
+    wal_autocheckpoint: 1000
+
+  # # Postgres config
+  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+  # See database.type for more information.
+  # postgres:
+  #   # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
+  #   host: localhost
+  #   port: 5432
+  #   name: headscale
+  #   user: foo
+  #   pass: bar
+  #   max_open_conns: 10
+  #   max_idle_conns: 10
+  #   conn_max_idle_time_secs: 3600
+
+  #   # If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
+  #   # in the 'ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
+  #   ssl: false
+
+### TLS configuration
+#
+## Let's encrypt / ACME
+#
+# headscale supports automatically requesting and setting up
+# TLS for a domain with Let's Encrypt.
+#
+# URL to ACME directory
 acme_url: https://acme-v02.api.letsencrypt.org/directory
+
+# Email to register with ACME provider
 acme_email: ""
 
+# Domain name to request a TLS certificate for:
 tls_letsencrypt_hostname: ""
-tls_letsencrypt_listen: ":http"
-tls_letsencrypt_cache_dir: ".cache"
-tls_letsencrypt_challenge_type: HTTP-01
 
+# Path to store certificates and metadata needed by
+# letsencrypt
+# For production:
+tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+
+# Type of ACME challenge to use, currently supported types:
+# HTTP-01 or TLS-ALPN-01
+# See: docs/ref/tls.md for more information
+tls_letsencrypt_challenge_type: HTTP-01
+# When HTTP-01 challenge is chosen, letsencrypt must set up a
+# verification endpoint, and it will be listening on:
+# :http = port 80
+tls_letsencrypt_listen: ":http"
+
+## Use already defined certificates:
 tls_cert_path: ""
 tls_key_path: ""
 
-# Path to a file containg ACL policies.
-acl_policy_path: ""
+log:
+  # Output formatting for logs: text or json
+  format: text
+  level: info
 
-dns_config:
-  # Upstream DNS servers
-  nameservers:
-    - 1.1.1.1
-  domains: []
+## Policy
+# headscale supports Tailscale's ACL policies.
+# Please have a look to their KB to better
+# understand the concepts: https://tailscale.com/kb/1018/acls/
+policy:
+  # The mode can be "file" or "database" that defines
+  # where the ACL policies are stored and read from.
+  mode: file
+  # If the mode is set to "file", the path to a
+  # HuJSON file containing ACL policies.
+  path: ""
 
+## DNS
+#
+# headscale supports Tailscale's DNS configuration and MagicDNS.
+# Please have a look to their KB to better understand the concepts:
+#
+# - https://tailscale.com/kb/1054/dns/
+# - https://tailscale.com/kb/1081/magicdns/
+# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
+#
+# Please note that for the DNS configuration to have any effect,
+# clients must have the `--accept-dns=true` option enabled. This is the
+# default for the Tailscale client. This option is enabled by default
+# in the Tailscale client.
+#
+# Setting _any_ of the configuration and `--accept-dns=true` on the
+# clients will integrate with the DNS manager on the client or
+# overwrite /etc/resolv.conf.
+# https://tailscale.com/kb/1235/resolv-conf
+#
+# If you want stop Headscale from managing the DNS configuration
+# all the fields under `dns` should be set to empty values.
+dns:
+  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
   magic_dns: true
+
+  # Defines the base domain to create the hostnames for MagicDNS.
+  # This domain _must_ be different from the server_url domain.
+  # `base_domain` must be a FQDN, without the trailing dot.
+  # The FQDN of the hosts will be
+  # `hostname.base_domain` (e.g., _myhost.example.com_).
   base_domain: example.com
 
+  # Whether to use the local DNS settings of a node (default) or override the
+  # local DNS settings and force the use of Headscale's DNS configuration.
+  override_local_dns: false
+
+  # List of DNS servers to expose to clients.
+  nameservers:
+    global:
+      - 1.1.1.1
+      - 1.0.0.1
+      - 2606:4700:4700::1111
+      - 2606:4700:4700::1001
+
+      # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+      # "abc123" is example NextDNS ID, replace with yours.
+      # - https://dns.nextdns.io/abc123
+
+    # Split DNS (see https://tailscale.com/kb/1054/dns/),
+    # a map of domains and which DNS server to use for each.
+    split:
+      {}
+      # foo.bar.com:
+      #   - 1.1.1.1
+      # darp.headscale.net:
+      #   - 1.1.1.1
+      #   - 8.8.8.8
+
+  # Set custom DNS search domains. With MagicDNS enabled,
+  # your tailnet base_domain is always the first search domain.
+  search_domains: []
+
+  # Extra DNS records
+  # so far only A and AAAA records are supported (on the tailscale side)
+  # See: docs/ref/dns.md
+  extra_records: []
+  #   - name: "grafana.myvpn.example.com"
+  #     type: "A"
+  #     value: "100.64.0.3"
+  #
+  #   # you can also put it in one line
+  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
+  #
+  # Alternatively, extra DNS records can be loaded from a JSON file.
+  # Headscale processes this file on each change.
+  # extra_records_path: /var/lib/headscale/extra-records.json
+
 # Unix socket used for the CLI to connect without authentication
-# Note: for local development, you probably want to change this to:
-# unix_socket: ./headscale.sock
-unix_socket: /var/run/headscale.sock
+# Note: for production you will want to set this to something like:
+unix_socket: /var/run/headscale/headscale.sock
+unix_socket_permission: "0770"
+#
 # headscale supports experimental OpenID connect support,
 # it is still being tested and might have some bugs, please
 # help us test it.
 # OpenID Connect
 # oidc:
+#   only_start_if_oidc_is_available: true
 #   issuer: "https://your-oidc.issuer.com/path"
 #   client_id: "your-oidc-client-id"
 #   client_secret: "your-oidc-client-secret"
+#   # Alternatively, set `client_secret_path` to read the secret from the file.
+#   # It resolves environment variables, making integration to systemd's
+#   # `LoadCredential` straightforward:
+#   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
+#   # client_secret and client_secret_path are mutually exclusive.
 #
-#   # Domain map is used to map incomming users (by their email) to
-#   # a namespace. The key can be a string, or regex.
-#   domain_map:
-#     ".*": default-namespace
+#   # The amount of time from a node is authenticated with OpenID until it
+#   # expires and needs to reauthenticate.
+#   # Setting the value to "0" will mean no expiry.
+#   expiry: 180d
+#
+#   # Use the expiry from the token received from OpenID when the user logged
+#   # in, this will typically lead to frequent need to reauthenticate and should
+#   # only been enabled if you know what you are doing.
+#   # Note: enabling this will cause `oidc.expiry` to be ignored.
+#   use_expiry_from_token: false
+#
+#   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+#   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+#
+#   scope: ["openid", "profile", "email", "custom"]
+#   extra_params:
+#     domain_hint: example.com
+#
+#   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+#   # authentication request will be rejected.
+#
+#   allowed_domains:
+#     - example.com
+#   # Note: Groups from keycloak have a leading '/'
+#   allowed_groups:
+#     - /headscale
+#   allowed_users:
+#     - alice@example.com
+#
+#   # Optional: PKCE (Proof Key for Code Exchange) configuration
+#   # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
+#   # by preventing authorization code interception attacks
+#   # See https://datatracker.ietf.org/doc/html/rfc7636
+#   pkce:
+#     # Enable or disable PKCE support (default: false)
+#     enabled: false
+#     # PKCE method to use:
+#     # - plain: Use plain code verifier
+#     # - S256: Use SHA256 hashed code verifier (default, recommended)
+#     method: S256
+
+# Logtail configuration
+# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
+# to instruct tailscale nodes to log their activity to a remote server.
+logtail:
+  # Enable logtail for this headscales clients.
+  # As there is currently no support for overriding the log server in headscale, this is
+  # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
+  enabled: false
+
+# Enabling this option makes devices prefer a random port for WireGuard traffic over the
+# default static port 41641. This option is intended as a workaround for some buggy
+# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
+randomize_client_port: false

db.go

@@ -1,120 +0,0 @@
-package headscale
-
-import (
-	"errors"
-
-	"gorm.io/driver/postgres"
-	"gorm.io/driver/sqlite"
-	"gorm.io/gorm"
-	"gorm.io/gorm/logger"
-)
-
-const (
-	dbVersion        = "1"
-	errValueNotFound = Error("not found")
-)
-
-// KV is a key-value store in a psql table. For future use...
-type KV struct {
-	Key   string
-	Value string
-}
-
-func (h *Headscale) initDB() error {
-	db, err := h.openDB()
-	if err != nil {
-		return err
-	}
-	h.db = db
-
-	if h.dbType == Postgres {
-		db.Exec("create extension if not exists \"uuid-ossp\";")
-	}
-	err = db.AutoMigrate(&Machine{})
-	if err != nil {
-		return err
-	}
-	err = db.AutoMigrate(&KV{})
-	if err != nil {
-		return err
-	}
-	err = db.AutoMigrate(&Namespace{})
-	if err != nil {
-		return err
-	}
-	err = db.AutoMigrate(&PreAuthKey{})
-	if err != nil {
-		return err
-	}
-
-	err = db.AutoMigrate(&SharedMachine{})
-	if err != nil {
-		return err
-	}
-
-	err = h.setValue("db_version", dbVersion)
-
-	return err
-}
-
-func (h *Headscale) openDB() (*gorm.DB, error) {
-	var db *gorm.DB
-	var err error
-
-	var log logger.Interface
-	if h.dbDebug {
-		log = logger.Default
-	} else {
-		log = logger.Default.LogMode(logger.Silent)
-	}
-
-	switch h.dbType {
-	case Sqlite:
-		db, err = gorm.Open(sqlite.Open(h.dbString), &gorm.Config{
-			DisableForeignKeyConstraintWhenMigrating: true,
-			Logger:                                   log,
-		})
-	case Postgres:
-		db, err = gorm.Open(postgres.Open(h.dbString), &gorm.Config{
-			DisableForeignKeyConstraintWhenMigrating: true,
-			Logger:                                   log,
-		})
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	return db, nil
-}
-
-// getValue returns the value for the given key in KV.
-func (h *Headscale) getValue(key string) (string, error) {
-	var row KV
-	if result := h.db.First(&row, "key = ?", key); errors.Is(
-		result.Error,
-		gorm.ErrRecordNotFound,
-	) {
-		return "", errValueNotFound
-	}
-
-	return row.Value, nil
-}
-
-// setValue sets value for the given key in KV.
-func (h *Headscale) setValue(key string, value string) error {
-	keyValue := KV{
-		Key:   key,
-		Value: value,
-	}
-
-	if _, err := h.getValue(key); err == nil {
-		h.db.Model(&keyValue).Where("key = ?", key).Update("value", value)
-
-		return nil
-	}
-
-	h.db.Create(keyValue)
-
-	return nil
-}

derp-example.yaml

@@ -12,4 +12,4 @@ regions:
         ipv6: "2604:a880:400:d1::828:b001"
         stunport: 0
         stunonly: false
-        derptestport: 0
+        derpport: 0

dns.go

@@ -1,108 +0,0 @@
-package headscale
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/fatih/set"
-	"inet.af/netaddr"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/dnsname"
-)
-
-const (
-	ByteSize = 8
-)
-
-// generateMagicDNSRootDomains generates a list of DNS entries to be included in `Routes` in `MapResponse`.
-// This list of reverse DNS entries instructs the OS on what subnets and domains the Tailscale embedded DNS
-// server (listening in 100.100.100.100 udp/53) should be used for.
-//
-// Tailscale.com includes in the list:
-// - the `BaseDomain` of the user
-// - the reverse DNS entry for IPv6 (0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa., see below more on IPv6)
-// - the reverse DNS entries for the IPv4 subnets covered by the user's `IPPrefix`.
-//   In the public SaaS this is [64-127].100.in-addr.arpa.
-//
-// The main purpose of this function is then generating the list of IPv4 entries. For the 100.64.0.0/10, this
-// is clear, and could be hardcoded. But we are allowing any range as `IPPrefix`, so we need to find out the
-// subnets when we have 172.16.0.0/16 (i.e., [0-255].16.172.in-addr.arpa.), or any other subnet.
-//
-// How IN-ADDR.ARPA domains work is defined in RFC1035 (section 3.5). Tailscale.com seems to adhere to this,
-// and do not make use of RFC2317 ("Classless IN-ADDR.ARPA delegation") - hence generating the entries for the next
-// class block only.
-
-// From the netmask we can find out the wildcard bits (the bits that are not set in the netmask).
-// This allows us to then calculate the subnets included in the subsequent class block and generate the entries.
-func generateMagicDNSRootDomains(
-	ipPrefix netaddr.IPPrefix,
-) []dnsname.FQDN {
-	// TODO(juanfont): we are not handing out IPv6 addresses yet
-	// and in fact this is Tailscale.com's range (note the fd7a:115c:a1e0: range in the fc00::/7 network)
-	ipv6base := dnsname.FQDN("0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.")
-	fqdns := []dnsname.FQDN{ipv6base}
-
-	// Conversion to the std lib net.IPnet, a bit easier to operate
-	netRange := ipPrefix.IPNet()
-	maskBits, _ := netRange.Mask.Size()
-
-	// lastOctet is the last IP byte covered by the mask
-	lastOctet := maskBits / ByteSize
-
-	// wildcardBits is the number of bits not under the mask in the lastOctet
-	wildcardBits := ByteSize - maskBits%ByteSize
-
-	// min is the value in the lastOctet byte of the IP
-	// max is basically 2^wildcardBits - i.e., the value when all the wildcardBits are set to 1
-	min := uint(netRange.IP[lastOctet])
-	max := (min + 1<<uint(wildcardBits)) - 1
-
-	// here we generate the base domain (e.g., 100.in-addr.arpa., 16.172.in-addr.arpa., etc.)
-	rdnsSlice := []string{}
-	for i := lastOctet - 1; i >= 0; i-- {
-		rdnsSlice = append(rdnsSlice, fmt.Sprintf("%d", netRange.IP[i]))
-	}
-	rdnsSlice = append(rdnsSlice, "in-addr.arpa.")
-	rdnsBase := strings.Join(rdnsSlice, ".")
-
-	for i := min; i <= max; i++ {
-		fqdn, err := dnsname.ToFQDN(fmt.Sprintf("%d.%s", i, rdnsBase))
-		if err != nil {
-			continue
-		}
-		fqdns = append(fqdns, fqdn)
-	}
-
-	return fqdns
-}
-
-func getMapResponseDNSConfig(
-	dnsConfigOrig *tailcfg.DNSConfig,
-	baseDomain string,
-	machine Machine,
-	peers Machines,
-) *tailcfg.DNSConfig {
-	var dnsConfig *tailcfg.DNSConfig
-	if dnsConfigOrig != nil && dnsConfigOrig.Proxied { // if MagicDNS is enabled
-		// Only inject the Search Domain of the current namespace - shared nodes should use their full FQDN
-		dnsConfig = dnsConfigOrig.Clone()
-		dnsConfig.Domains = append(
-			dnsConfig.Domains,
-			fmt.Sprintf("%s.%s", machine.Namespace.Name, baseDomain),
-		)
-
-		namespaceSet := set.New(set.ThreadSafe)
-		namespaceSet.Add(machine.Namespace)
-		for _, p := range peers {
-			namespaceSet.Add(p.Namespace)
-		}
-		for _, namespace := range namespaceSet.List() {
-			dnsRoute := fmt.Sprintf("%s.%s", namespace.(Namespace).Name, baseDomain)
-			dnsConfig.Routes[dnsRoute] = nil
-		}
-	} else {
-		dnsConfig = dnsConfigOrig
-	}
-
-	return dnsConfig
-}

dns_test.go

@@ -1,357 +0,0 @@
-package headscale
-
-import (
-	"fmt"
-
-	"gopkg.in/check.v1"
-	"inet.af/netaddr"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/dnstype"
-)
-
-func (s *Suite) TestMagicDNSRootDomains100(c *check.C) {
-	prefix := netaddr.MustParseIPPrefix("100.64.0.0/10")
-	domains := generateMagicDNSRootDomains(prefix)
-
-	found := false
-	for _, domain := range domains {
-		if domain == "64.100.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-
-	found = false
-	for _, domain := range domains {
-		if domain == "100.100.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-
-	found = false
-	for _, domain := range domains {
-		if domain == "127.100.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-}
-
-func (s *Suite) TestMagicDNSRootDomains172(c *check.C) {
-	prefix := netaddr.MustParseIPPrefix("172.16.0.0/16")
-	domains := generateMagicDNSRootDomains(prefix)
-
-	found := false
-	for _, domain := range domains {
-		if domain == "0.16.172.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-
-	found = false
-	for _, domain := range domains {
-		if domain == "255.16.172.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-}
-
-func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
-	namespaceShared1, err := app.CreateNamespace("shared1")
-	c.Assert(err, check.IsNil)
-
-	namespaceShared2, err := app.CreateNamespace("shared2")
-	c.Assert(err, check.IsNil)
-
-	namespaceShared3, err := app.CreateNamespace("shared3")
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared1, err := app.CreatePreAuthKey(
-		namespaceShared1.Name,
-		false,
-		false,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared2, err := app.CreatePreAuthKey(
-		namespaceShared2.Name,
-		false,
-		false,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared3, err := app.CreatePreAuthKey(
-		namespaceShared3.Name,
-		false,
-		false,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	PreAuthKey2InShared1, err := app.CreatePreAuthKey(
-		namespaceShared1.Name,
-		false,
-		false,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	_, err = app.GetMachine(namespaceShared1.Name, "test_get_shared_nodes_1")
-	c.Assert(err, check.NotNil)
-
-	machineInShared1 := &Machine{
-		ID:             1,
-		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		Name:           "test_get_shared_nodes_1",
-		NamespaceID:    namespaceShared1.ID,
-		Namespace:      *namespaceShared1,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddress:      "100.64.0.1",
-		AuthKeyID:      uint(preAuthKeyInShared1.ID),
-	}
-	app.db.Save(machineInShared1)
-
-	_, err = app.GetMachine(namespaceShared1.Name, machineInShared1.Name)
-	c.Assert(err, check.IsNil)
-
-	machineInShared2 := &Machine{
-		ID:             2,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_2",
-		NamespaceID:    namespaceShared2.ID,
-		Namespace:      *namespaceShared2,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddress:      "100.64.0.2",
-		AuthKeyID:      uint(preAuthKeyInShared2.ID),
-	}
-	app.db.Save(machineInShared2)
-
-	_, err = app.GetMachine(namespaceShared2.Name, machineInShared2.Name)
-	c.Assert(err, check.IsNil)
-
-	machineInShared3 := &Machine{
-		ID:             3,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_3",
-		NamespaceID:    namespaceShared3.ID,
-		Namespace:      *namespaceShared3,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddress:      "100.64.0.3",
-		AuthKeyID:      uint(preAuthKeyInShared3.ID),
-	}
-	app.db.Save(machineInShared3)
-
-	_, err = app.GetMachine(namespaceShared3.Name, machineInShared3.Name)
-	c.Assert(err, check.IsNil)
-
-	machine2InShared1 := &Machine{
-		ID:             4,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_4",
-		NamespaceID:    namespaceShared1.ID,
-		Namespace:      *namespaceShared1,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddress:      "100.64.0.4",
-		AuthKeyID:      uint(PreAuthKey2InShared1.ID),
-	}
-	app.db.Save(machine2InShared1)
-
-	err = app.AddSharedMachineToNamespace(machineInShared2, namespaceShared1)
-	c.Assert(err, check.IsNil)
-
-	baseDomain := "foobar.headscale.net"
-	dnsConfigOrig := tailcfg.DNSConfig{
-		Routes:  make(map[string][]dnstype.Resolver),
-		Domains: []string{baseDomain},
-		Proxied: true,
-	}
-
-	peersOfMachineInShared1, err := app.getPeers(machineInShared1)
-	c.Assert(err, check.IsNil)
-
-	dnsConfig := getMapResponseDNSConfig(
-		&dnsConfigOrig,
-		baseDomain,
-		*machineInShared1,
-		peersOfMachineInShared1,
-	)
-	c.Assert(dnsConfig, check.NotNil)
-	c.Assert(len(dnsConfig.Routes), check.Equals, 2)
-
-	domainRouteShared1 := fmt.Sprintf("%s.%s", namespaceShared1.Name, baseDomain)
-	_, ok := dnsConfig.Routes[domainRouteShared1]
-	c.Assert(ok, check.Equals, true)
-
-	domainRouteShared2 := fmt.Sprintf("%s.%s", namespaceShared2.Name, baseDomain)
-	_, ok = dnsConfig.Routes[domainRouteShared2]
-	c.Assert(ok, check.Equals, true)
-
-	domainRouteShared3 := fmt.Sprintf("%s.%s", namespaceShared3.Name, baseDomain)
-	_, ok = dnsConfig.Routes[domainRouteShared3]
-	c.Assert(ok, check.Equals, false)
-}
-
-func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
-	namespaceShared1, err := app.CreateNamespace("shared1")
-	c.Assert(err, check.IsNil)
-
-	namespaceShared2, err := app.CreateNamespace("shared2")
-	c.Assert(err, check.IsNil)
-
-	namespaceShared3, err := app.CreateNamespace("shared3")
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared1, err := app.CreatePreAuthKey(
-		namespaceShared1.Name,
-		false,
-		false,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared2, err := app.CreatePreAuthKey(
-		namespaceShared2.Name,
-		false,
-		false,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared3, err := app.CreatePreAuthKey(
-		namespaceShared3.Name,
-		false,
-		false,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKey2InShared1, err := app.CreatePreAuthKey(
-		namespaceShared1.Name,
-		false,
-		false,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	_, err = app.GetMachine(namespaceShared1.Name, "test_get_shared_nodes_1")
-	c.Assert(err, check.NotNil)
-
-	machineInShared1 := &Machine{
-		ID:             1,
-		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		Name:           "test_get_shared_nodes_1",
-		NamespaceID:    namespaceShared1.ID,
-		Namespace:      *namespaceShared1,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddress:      "100.64.0.1",
-		AuthKeyID:      uint(preAuthKeyInShared1.ID),
-	}
-	app.db.Save(machineInShared1)
-
-	_, err = app.GetMachine(namespaceShared1.Name, machineInShared1.Name)
-	c.Assert(err, check.IsNil)
-
-	machineInShared2 := &Machine{
-		ID:             2,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_2",
-		NamespaceID:    namespaceShared2.ID,
-		Namespace:      *namespaceShared2,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddress:      "100.64.0.2",
-		AuthKeyID:      uint(preAuthKeyInShared2.ID),
-	}
-	app.db.Save(machineInShared2)
-
-	_, err = app.GetMachine(namespaceShared2.Name, machineInShared2.Name)
-	c.Assert(err, check.IsNil)
-
-	machineInShared3 := &Machine{
-		ID:             3,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_3",
-		NamespaceID:    namespaceShared3.ID,
-		Namespace:      *namespaceShared3,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddress:      "100.64.0.3",
-		AuthKeyID:      uint(preAuthKeyInShared3.ID),
-	}
-	app.db.Save(machineInShared3)
-
-	_, err = app.GetMachine(namespaceShared3.Name, machineInShared3.Name)
-	c.Assert(err, check.IsNil)
-
-	machine2InShared1 := &Machine{
-		ID:             4,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_4",
-		NamespaceID:    namespaceShared1.ID,
-		Namespace:      *namespaceShared1,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddress:      "100.64.0.4",
-		AuthKeyID:      uint(preAuthKey2InShared1.ID),
-	}
-	app.db.Save(machine2InShared1)
-
-	err = app.AddSharedMachineToNamespace(machineInShared2, namespaceShared1)
-	c.Assert(err, check.IsNil)
-
-	baseDomain := "foobar.headscale.net"
-	dnsConfigOrig := tailcfg.DNSConfig{
-		Routes:  make(map[string][]dnstype.Resolver),
-		Domains: []string{baseDomain},
-		Proxied: false,
-	}
-
-	peersOfMachine1Shared1, err := app.getPeers(machineInShared1)
-	c.Assert(err, check.IsNil)
-
-	dnsConfig := getMapResponseDNSConfig(
-		&dnsConfigOrig,
-		baseDomain,
-		*machineInShared1,
-		peersOfMachine1Shared1,
-	)
-	c.Assert(dnsConfig, check.NotNil)
-	c.Assert(len(dnsConfig.Routes), check.Equals, 0)
-	c.Assert(len(dnsConfig.Domains), check.Equals, 1)
-}

docs/Configuration.md

@@ -1,74 +0,0 @@
-# Configuration reference
-
-Headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
-
-- `/etc/headscale`
-- `~/.headscale`
-- current working directory
-
-```yaml
-server_url: http://headscale.mydomain.net
-listen_addr: 0.0.0.0:8080
-ip_prefix: 100.64.0.0/10
-disable_check_updates: false
-```
-
-`server_url` is the external URL via which Headscale is reachable. `listen_addr` is the IP address and port the Headscale program should listen on. `ip_prefix` is the IP prefix (range) in which IP addresses for nodes will be allocated (default 100.64.0.0/10, e.g., 192.168.4.0/24, 10.0.0.0/8). `disable_check_updates` disables the automatic check for updates.
-
-```yaml
-log_level: debug
-```
-
-`log_level` can be used to set the Log level for Headscale, it defaults to `debug`, and the available levels are: `trace`, `debug`, `info`, `warn` and `error`.
-
-```yaml
-derp_map_path: derp.yaml
-```
-
-`derp_map_path` is the path to the [DERP](https://pkg.go.dev/tailscale.com/derp) map file. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.
-
-```yaml
-ephemeral_node_inactivity_timeout: "30m"
-```
-
-`ephemeral_node_inactivity_timeout` is the timeout after which inactive ephemeral node records will be deleted from the database. The default is 30 minutes. This value must be higher than 65 seconds (the keepalive timeout for the HTTP long poll is 60 seconds, plus a few seconds to avoid race conditions).
-
-PostgresSQL
-
-```yaml
-db_host: localhost
-db_port: 5432
-db_name: headscale
-db_user: foo
-db_pass: bar
-```
-
-SQLite
-
-```yaml
-db_type: sqlite3
-db_path: db.sqlite
-```
-
-The fields starting with `db_` are used for the DB connection information.
-
-### TLS configuration
-
-Please check [`TLS.md`](TLS.md).
-
-### DNS configuration
-
-Please refer to [`DNS.md`](DNS.md).
-
-### Policy ACLs
-
-Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.
-
-For instance, instead of referring to users when defining groups you must
-use namespaces (which are the equivalent to user/logins in Tailscale.com).
-
-Please check https://tailscale.com/kb/1018/acls/, and `./tests/acls/` in this repo for working examples.
-
-### Apple devices
-
-An endpoint with information on how to connect your Apple devices (currently macOS only) is available at `/apple` on your running instance.

docs/DNS.md

@@ -1,37 +0,0 @@
-# DNS in headscale
-
-headscale supports Tailscale's DNS configuration and MagicDNS. Please have a look to their KB to better understand what this means:
-
-- https://tailscale.com/kb/1054/dns/
-- https://tailscale.com/kb/1081/magicdns/
-- https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
-
-Long story short, you can define the DNS servers you want to use in your tailnets, activate MagicDNS (so you don't have to remember the IP addresses of your nodes), define search domains, as well as predefined hosts. headscale will inject that settings into your nodes.
-
-## Configuration reference
-
-The setup is done via the `config.yaml` file, under the `dns_config` key.
-
-```yaml
-server_url: http://127.0.0.1:8001
-listen_addr: 0.0.0.0:8001
-dns_config:
-  nameservers:
-    - 1.1.1.1
-    - 8.8.8.8
-  restricted_nameservers:
-    foo.bar.com:
-      - 1.1.1.1
-    darp.headscale.net:
-      - 1.1.1.1
-      - 8.8.8.8
-  domains: []
-  magic_dns: true
-  base_domain: example.com
-```
-
-- `nameservers`: The list of DNS servers to use.
-- `domains`: Search domains to inject.
-- `magic_dns`: Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). Only works if there is at least a nameserver defined.
-- `base_domain`: Defines the base domain to create the hostnames for MagicDNS. `base_domain` must be a FQDNs, without the trailing dot. The FQDN of the hosts will be `hostname.namespace.base_domain` (e.g., _myhost.mynamespace.example.com_).
-- `restricted_nameservers`: Split DNS (see https://tailscale.com/kb/1054/dns/), list of search domains and the DNS to query for each one.

docs/Glossary.md

@@ -1,3 +0,0 @@
-# Glossary
-
-- Namespace: Collection of Tailscale nodes that can see each other. In Tailscale.com this is called Tailnet.

docs/Running.md

@@ -1,191 +0,0 @@
-# Running headscale
-
-## Server configuration
-
-1. Download the headscale binary https://github.com/juanfont/headscale/releases, and place it somewhere in your $PATH or use the docker container
-
-   ```shell
-   docker pull headscale/headscale:x.x.x
-   ```
-
-   <!--
-    or
-    ```shell
-    docker pull ghrc.io/juanfont/headscale:x.x.x
-    ``` -->
-
-2. When running headscale in a docker container, prepare a directory to hold all configuration
-
-   ```shell
-   mkdir config
-   ```
-
-3. Get yourself a DB
-
-   a) Get a Postgres DB running in Docker:
-
-   ```shell
-   docker run --name headscale \
-     -e POSTGRES_DB=headscale \
-     -e POSTGRES_USER=foo \
-     -e POSTGRES_PASSWORD=bar \
-     -p 5432:5432 \
-     -d postgres
-   ```
-
-   or b) Prepare a SQLite DB file:
-
-   ```shell
-   touch config/db.sqlite
-   ```
-
-4. Create a headscale configuration, and a DERP map file. Refer to [tailscale sample](https://raw.githubusercontent.com/tailscale/tailscale/main/net/dnsfallback/dns-fallback-servers.json) for more guidance.
-
-   ```shell
-   cp config.yaml.[sqlite|postgres].example config/config.yaml
-
-   cp derp-example.yaml config/derp.yaml
-   ```
-
-5. Create a namespace
-
-   ```shell
-   headscale namespaces create myfirstnamespace
-   ```
-
-   or Docker:
-
-   ```shell
-   docker run \
-     -v $(pwd)/config:/etc/headscale/ \
-     -p 127.0.0.1:8080:8080 \
-     headscale/headscale:x.x.x \
-       headscale namespaces create myfirstnamespace
-   ```
-
-   or if your server is already running in Docker:
-
-   ```shell
-   docker exec <container_name> \
-     headscale namespaces create myfirstnamespace
-   ```
-
-6. Run the server
-
-   ```shell
-   headscale serve
-   ```
-
-   or Docker:
-
-   ```shell
-   docker run \
-     -v $(pwd)/config:/etc/headscale/ \
-     -p 127.0.0.1:8080:8080 \
-     headscale/headscale:x.x.x \
-       headscale serve
-   ```
-
-## Nodes configuration
-
-If you used tailscale.com before in your nodes, make sure you clear the tailscaled data folder
-
-```shell
-systemctl stop tailscaled
-rm -fr /var/lib/tailscale
-systemctl start tailscaled
-```
-
-### Adding node based on MACHINEKEY
-
-1. Add your first machine
-
-   ```shell
-   tailscale up --login-server YOUR_HEADSCALE_URL
-   ```
-
-2. Navigate to the URL returned by `tailscale up`, where you'll find your machine key.
-
-3. In the server, register your machine to a namespace with the CLI
-
-   ```shell
-   headscale -n myfirstnamespace nodes register -k YOURMACHINEKEY
-   ```
-
-   or Docker:
-
-   ```shell
-   docker run \
-     -v $(pwd)/config:/etc/headscale/ \
-     headscale/headscale:x.x.x \
-     headscale -n myfirstnamespace nodes register -k YOURMACHINEKEY
-   ```
-
-   or if your server is already running in Docker:
-
-   ```shell
-   docker exec <container_name> \
-      headscale -n myfirstnamespace nodes register -k YOURMACHINEKEY
-   ```
-
-### Alternative: adding node with AUTHKEY
-
-1. Create an authkey
-
-   ```shell
-   headscale -n myfirstnamespace preauthkeys create --reusable --expiration 24h
-   ```
-
-   or Docker:
-
-   ```shell
-   docker run \
-     -v $(pwd)/config:/etc/headscale/ \
-     headscale/headscale:x.x.x \
-     headscale -n myfirstnamespace preauthkeys create --reusable --expiration 24h
-   ```
-
-   or if your server is already running in Docker:
-
-   ```shell
-   docker exec <container_name> \
-      headscale -n myfirstnamespace preauthkeys create --reusable --expiration 24h
-   ```
-
-2. Use the authkey on your node to register it:
-
-   ```shell
-   tailscale up --login-server YOUR_HEADSCALE_URL --authkey YOURAUTHKEY
-   ```
-
-If you create an authkey with the `--ephemeral` flag, that key will create ephemeral nodes. This implies that `--reusable` is true.
-
-Please bear in mind that all headscale commands support adding `-o json` or `-o json-line` to get nicely JSON-formatted output.
-
-## Debugging headscale running in Docker
-
-The `headscale/headscale` Docker container is based on a "distroless" image that does not contain a shell or any other debug tools. If you need to debug your application running in the Docker container, you can use the `-debug` variant, for example `headscale/headscale:x.x.x-debug`.
-
-### Running the debug Docker container
-
-To run the debug Docker container, use the exact same commands as above, but replace `headscale/headscale:x.x.x` with `headscale/headscale:x.x.x-debug` (`x.x.x` is the version of headscale). The two containers are compatible with each other, so you can alternate between them.
-
-### Executing commands in the debug container
-
-The default command in the debug container is to run `headscale`, which is located at `/bin/headscale` inside the container.
-
-Additionally, the debug container includes a minimalist Busybox shell.
-
-To launch a shell in the container, use:
-
-```
-docker run -it headscale/headscale:x.x.x-debug sh
-```
-
-You can also execute commands directly, such as `ls /bin` in this example:
-
-```
-docker run headscale/headscale:x.x.x-debug ls /bin
-```
-
-Using `docker exec` allows you to run commands in an existing container.

docs/TLS.md

@@ -1,27 +0,0 @@
-# Running the service via TLS (optional)
-
-```yaml
-tls_letsencrypt_hostname: ""
-tls_letsencrypt_listen: ":http"
-tls_letsencrypt_cache_dir: ".cache"
-tls_letsencrypt_challenge_type: HTTP-01
-```
-
-To get a certificate automatically via [Let's Encrypt](https://letsencrypt.org/), set `tls_letsencrypt_hostname` to the desired certificate hostname. This name must resolve to the IP address(es) headscale is reachable on (i.e., it must correspond to the `server_url` configuration parameter). The certificate and Let's Encrypt account credentials will be stored in the directory configured in `tls_letsencrypt_cache_dir`. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from. The certificate will automatically be renewed as needed.
-
-```yaml
-tls_cert_path: ""
-tls_key_path: ""
-```
-
-headscale can also be configured to expose its web service via TLS. To configure the certificate and key file manually, set the `tls_cert_path` and `tls_cert_path` configuration parameters. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.
-
-## Challenge type HTTP-01
-
-The default challenge type `HTTP-01` requires that headscale is reachable on port 80 for the Let's Encrypt automated validation, in addition to whatever port is configured in `listen_addr`. By default, headscale listens on port 80 on all local IPs for Let's Encrypt automated validation.
-
-If you need to change the ip and/or port used by headscale for the Let's Encrypt validation process, set `tls_letsencrypt_listen` to the appropriate value. This can be handy if you are running headscale as a non-root user (or can't run `setcap`). Keep in mind, however, that Let's Encrypt will _only_ connect to port 80 for the validation callback, so if you change `tls_letsencrypt_listen` you will also need to configure something else (e.g. a firewall rule) to forward the traffic from port 80 to the ip:port combination specified in `tls_letsencrypt_listen`.
-
-## Challenge type TLS-ALPN-01
-
-Alternatively, `tls_letsencrypt_challenge_type` can be set to `TLS-ALPN-01`. In this configuration, headscale listens on the ip:port combination defined in `listen_addr`. Let's Encrypt will _only_ connect to port 443 for the validation callback, so if `listen_addr` is not set to port 443, something else (e.g. a firewall rule) will be required to forward the traffic from port 443 to the ip:port combination specified in `listen_addr`.

docs/about/clients.md

@@ -0,0 +1,16 @@
+# Client and operating system support
+
+We aim to support the [**last 10 releases** of the Tailscale client](https://tailscale.com/changelog#client) on all
+provided operating systems and platforms. Some platforms might require additional configuration to connect with
+headscale.
+
+| OS      | Supports headscale                                                                                    |
+| ------- | ----------------------------------------------------------------------------------------------------- |
+| Linux   | Yes                                                                                                   |
+| OpenBSD | Yes                                                                                                   |
+| FreeBSD | Yes                                                                                                   |
+| Windows | Yes (see [docs](../usage/connect/windows.md) and `/windows` on your headscale for more information)   |
+| Android | Yes (see [docs](../usage/connect/android.md) for more information)                                    |
+| macOS   | Yes (see [docs](../usage/connect/apple.md#macos) and `/apple` on your headscale for more information) |
+| iOS     | Yes (see [docs](../usage/connect/apple.md#ios) and `/apple` on your headscale for more information)   |
+| tvOS    | Yes (see [docs](../usage/connect/apple.md#tvos) and `/apple` on your headscale for more information)  |

docs/about/contributing.md

@@ -0,0 +1,3 @@
+{%
+    include-markdown "../../CONTRIBUTING.md"
+%}

docs/about/faq.md

@@ -0,0 +1,137 @@
+# Frequently Asked Questions
+
+## What is the design goal of headscale?
+
+Headscale aims to implement a self-hosted, open source alternative to the
+[Tailscale](https://tailscale.com/) control server. Headscale's goal is to
+provide self-hosters and hobbyists with an open-source server they can use for
+their projects and labs. It implements a narrow scope, a _single_ Tailscale
+network (tailnet), suitable for a personal use, or a small open-source
+organisation.
+
+## How can I contribute?
+
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+Please see [Contributing](contributing.md) for more information.
+
+## Why is 'acknowledged contribution' the chosen model?
+
+Both maintainers have full-time jobs and families, and we want to avoid burnout. We also want to avoid frustration from contributors when their PRs are not accepted.
+
+We are more than happy to exchange emails, or to have dedicated calls before a PR is submitted.
+
+## When/Why is Feature X going to be implemented?
+
+We don't know. We might be working on it. If you're interested in contributing, please post a feature request about it.
+
+Please be aware that there are a number of reasons why we might not accept specific contributions:
+
+- It is not possible to implement the feature in a way that makes sense in a self-hosted environment.
+- Given that we are reverse-engineering Tailscale to satisfy our own curiosity, we might be interested in implementing the feature ourselves.
+- You are not sending unit and integration tests with it.
+
+## Do you support Y method of deploying headscale?
+
+We currently support deploying headscale using our binaries and the DEB packages. Visit our [installation guide using
+official releases](../setup/install/official.md) for more information.
+
+In addition to that, you may use packages provided by the community or from distributions. Learn more in the
+[installation guide using community packages](../setup/install/community.md).
+
+For convenience, we also [build container images with headscale](../setup/install/container.md). But **please be aware that
+we don't officially support deploying headscale using Docker**. On our [Discord server](https://discord.gg/c84AZQhmpx)
+we have a "docker-issues" channel where you can ask for Docker-specific help to the community.
+
+## Scaling / How many clients does Headscale support?
+
+It depends. As often stated, Headscale is not enterprise software and our focus
+is homelabbers and self-hosters. Of course, we do not prevent people from using
+it in a commercial/professional setting and often get questions about scaling.
+
+Please note that when Headscale is developed, performance is not part of the
+consideration as the main audience is considered to be users with a moddest
+amount of devices. We focus on correctness and feature parity with Tailscale
+SaaS over time.
+
+To understand if you might be able to use Headscale for your usecase, I will
+describe two scenarios in an effort to explain what is the central bottleneck
+of Headscale:
+
+1. An environment with 1000 servers
+
+    - they rarely  "move" (change their endpoints)
+    - new nodes are added rarely
+
+2. An environment with 80 laptops/phones (end user devices)
+
+    - nodes move often, e.g. switching from home to office
+
+Headscale calculates a map of all nodes that need to talk to each other,
+creating this "world map" requires a lot of CPU time. When an event that
+requires changes to this map happens, the whole "world" is recalculated, and a
+new "world map" is created for every node in the network.
+
+This means that under certain conditions, Headscale can likely handle 100s
+of devices (maybe more), if there is _little to no change_ happening in the
+network. For example, in Scenario 1, the process of computing the world map is
+extremly demanding due to the size of the network, but when the map has been
+created and the nodes are not changing, the Headscale instance will likely
+return to a very low resource usage until the next time there is an event
+requiring the new map.
+
+In the case of Scenario 2, the process of computing the world map is less
+demanding due to the smaller size of the network, however, the type of nodes
+will likely change frequently, which would lead to a constant resource usage.
+
+Headscale will start to struggle when the two scenarios overlap, e.g. many nodes
+with frequent changes will cause the resource usage to remain constantly high.
+In the worst case scenario, the queue of nodes waiting for their map will grow
+to a point where Headscale never will be able to catch up, and nodes will never
+learn about the current state of the world.
+
+We expect that the performance will improve over time as we improve the code
+base, but it is not a focus. In general, we will never make the tradeoff to make
+things faster on the cost of less maintainable or readable code. We are a small
+team and have to optimise for maintainabillity.
+
+## Which database should I use?
+
+We recommend the use of SQLite as database for headscale:
+
+- SQLite is simple to setup and easy to use
+- It scales well for all of headscale's usecases
+- Development and testing happens primarily on SQLite
+- PostgreSQL is still supported, but is considered to be in "maintenance mode"
+
+The headscale project itself does not provide a tool to migrate from PostgreSQL to SQLite. Please have a look at [the
+related tools documentation](../ref/integration/tools.md) for migration tooling provided by the community.
+
+The choice of database has little to no impact on the performance of the server,
+see [Scaling / How many clients does Headscale support?](#scaling-how-many-clients-does-headscale-support) for understanding how Headscale spends its resources.
+
+## Why is my reverse proxy not working with headscale?
+
+We don't know. We don't use reverse proxies with headscale ourselves, so we don't have any experience with them. We have
+[community documentation](../ref/integration/reverse-proxy.md) on how to configure various reverse proxies, and a
+dedicated "reverse-proxy-issues" channel on our [Discord server](https://discord.gg/c84AZQhmpx) where you can ask for
+help to the community.
+
+## Can I use headscale and tailscale on the same machine?
+
+Running headscale on a machine that is also in the tailnet can cause problems with subnet routers, traffic relay nodes, and MagicDNS. It might work, but it is not supported.
+
+
+## Why do two nodes see each other in their status, even if an ACL allows traffic only in one direction?
+
+A frequent use case is to allow traffic only from one node to another, but not the other way around. For example, the
+workstation of an administrator should be able to connect to all nodes but the nodes themselves shouldn't be able to
+connect back to the administrator's node. Why do all nodes see the administrator's workstation in the output of
+`tailscale status`?
+
+This is essentially how Tailscale works. If traffic is allowed to flow in one direction, then both nodes see each other
+in their output of `tailscale status`. Traffic is still filtered according to the ACL, with the exception of `tailscale
+ping` which is always allowed in either direction.
+
+See also <https://tailscale.com/kb/1087/device-visibility>.

docs/about/features.md

@@ -0,0 +1,38 @@
+# Features
+
+Headscale aims to implement a self-hosted, open source alternative to the Tailscale control server. Headscale's goal is
+to provide self-hosters and hobbyists with an open-source server they can use for their projects and labs. This page
+provides on overview of Headscale's feature and compatibility with the Tailscale control server:
+
+- [x] Full "base" support of Tailscale's features
+- [x] Node registration
+    - [x] Interactive
+    - [x] Pre authenticated key
+- [x] [DNS](../ref/dns.md)
+    - [x] [MagicDNS](https://tailscale.com/kb/1081/magicdns)
+    - [x] [Global and restricted nameservers (split DNS)](https://tailscale.com/kb/1054/dns#nameservers)
+    - [x] [search domains](https://tailscale.com/kb/1054/dns#search-domains)
+    - [x] [Extra DNS records (Headscale only)](../ref/dns.md#setting-extra-dns-records)
+- [x] [Taildrop (File Sharing)](https://tailscale.com/kb/1106/taildrop)
+- [x] [Routes](../ref/routes.md)
+    - [x] [Subnet routers](../ref/routes.md#subnet-router)
+    - [x] [Exit nodes](../ref/routes.md#exit-node)
+- [x] Dual stack (IPv4 and IPv6)
+- [x] Ephemeral nodes
+- [x] Embedded [DERP server](https://tailscale.com/kb/1232/derp-servers)
+- [x] Access control lists ([GitHub label "policy"](https://github.com/juanfont/headscale/labels/policy%20%F0%9F%93%9D))
+    - [x] ACL management via API
+    - [x] Some [Autogroups](https://tailscale.com/kb/1396/targets#autogroups), currently: `autogroup:internet`,
+      `autogroup:nonroot`
+    - [x] [Auto approvers](https://tailscale.com/kb/1337/acl-syntax#auto-approvers) for [subnet
+      routers](../ref/routes.md#automatically-approve-routes-of-a-subnet-router) and [exit
+      nodes](../ref/routes.md#automatically-approve-an-exit-node-with-auto-approvers)
+    - [x] [Tailscale SSH](https://tailscale.com/kb/1193/tailscale-ssh)
+* [ ] Node registration using Single-Sign-On (OpenID Connect) ([GitHub label "OIDC"](https://github.com/juanfont/headscale/labels/OIDC))
+    - [x] Basic registration
+    - [x] Update user profile from identity provider
+    - [ ] Dynamic ACL support
+    - [ ] OIDC groups cannot be used in ACLs
+- [ ] [Funnel](https://tailscale.com/kb/1223/funnel) ([#1040](https://github.com/juanfont/headscale/issues/1040))
+- [ ] [Serve](https://tailscale.com/kb/1312/serve) ([#1234](https://github.com/juanfont/headscale/issues/1921))
+- [ ] [Network flow logs](https://tailscale.com/kb/1219/network-flow-logs) ([#1687](https://github.com/juanfont/headscale/issues/1687))

docs/about/help.md

@@ -0,0 +1,5 @@
+# Getting help
+
+Join our [Discord server](https://discord.gg/c84AZQhmpx) for announcements and community support.
+
+Please report bugs via [GitHub issues](https://github.com/juanfont/headscale/issues)

docs/about/releases.md

@@ -0,0 +1,10 @@
+# Releases
+
+All headscale releases are available on the [GitHub release page](https://github.com/juanfont/headscale/releases). Those
+releases are available as binaries for various platforms and architectures, packages for Debian based systems and source
+code archives. Container images are available on [Docker Hub](https://hub.docker.com/r/headscale/headscale) and
+[GitHub Container Registry](https://github.com/juanfont/headscale/pkgs/container/headscale).
+
+An Atom/RSS feed of headscale releases is available [here](https://github.com/juanfont/headscale/releases.atom).
+
+See the "announcements" channel on our [Discord server](https://discord.gg/c84AZQhmpx) for news about headscale.

docs/about/sponsor.md

@@ -0,0 +1,4 @@
+# Sponsor
+
+If you like to support the development of headscale, please consider a donation via
+[ko-fi.com/headscale](https://ko-fi.com/headscale). Thank you!

docs/index.md

@@ -0,0 +1,37 @@
+---
+hide:
+  - navigation
+  - toc
+---
+
+# Welcome to headscale
+
+Headscale is an open source, self-hosted implementation of the Tailscale control server.
+
+This page contains the documentation for the latest version of headscale. Please also check our [FAQ](./about/faq.md).
+
+Join our [Discord server](https://discord.gg/c84AZQhmpx) for a chat and community support.
+
+## Design goal
+
+Headscale aims to implement a self-hosted, open source alternative to the
+[Tailscale](https://tailscale.com/) control server. Headscale's goal is to
+provide self-hosters and hobbyists with an open-source server they can use for
+their projects and labs. It implements a narrow scope, a _single_ Tailscale
+network (tailnet), suitable for a personal use, or a small open-source
+organisation.
+
+## Supporting headscale
+
+Please see [Sponsor](about/sponsor.md) for more information.
+
+## Contributing
+
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+Please see [Contributing](about/contributing.md) for more information.
+
+## About
+
+Headscale is maintained by [Kristoffer Dalby](https://kradalby.no/) and [Juan Font](https://font.eu).

docs/logo/headscale3-dots.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2" viewBox="0 0 1280 640"><circle cx="141.023" cy="338.36" r="117.472" style="fill:#f8b5cb" transform="matrix(.997276 0 0 1.00556 10.0024 -14.823)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 -3.15847 0)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 -3.15847 115.914)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 148.43 115.914)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 148.851 0)"/><circle cx="805.557" cy="336.915" r="118.199" style="fill:#8d8d8d" transform="matrix(.99196 0 0 1 3.36978 -10.2458)"/><circle cx="805.557" cy="336.915" r="118.199" style="fill:#8d8d8d" transform="matrix(.99196 0 0 1 255.633 -10.2458)"/><path d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z" style="fill:#303030"/><path d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z" style="fill:#303030" transform="matrix(-1 0 0 1 1857.19 0)"/></svg>

docs/packaging/README.md

@@ -0,0 +1,5 @@
+# Packaging
+
+We use [nFPM](https://nfpm.goreleaser.com/) for making `.deb`, `.rpm` and `.apk`.
+
+This folder contains files we need to package with these releases.

docs/packaging/headscale.systemd.service

@@ -0,0 +1,52 @@
+[Unit]
+After=syslog.target
+After=network.target
+Description=headscale coordination server for Tailscale
+X-Restart-Triggers=/etc/headscale/config.yaml
+
+[Service]
+Type=simple
+User=headscale
+Group=headscale
+ExecStart=/usr/bin/headscale serve
+ExecReload=/usr/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=5
+
+WorkingDirectory=/var/lib/headscale
+ReadWritePaths=/var/lib/headscale /var/run
+
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectory=headscale
+RuntimeDirectoryMode=0750
+StateDirectory=headscale
+StateDirectoryMode=0750
+SystemCallArchitectures=native
+SystemCallFilter=@chown
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

docs/packaging/postinstall.sh

@@ -0,0 +1,88 @@
+#!/bin/sh
+# Determine OS platform
+# shellcheck source=/dev/null
+. /etc/os-release
+
+HEADSCALE_EXE="/usr/bin/headscale"
+BSD_HIER=""
+HEADSCALE_RUN_DIR="/var/run/headscale"
+HEADSCALE_HOME_DIR="/var/lib/headscale"
+HEADSCALE_USER="headscale"
+HEADSCALE_GROUP="headscale"
+HEADSCALE_SHELL="/usr/sbin/nologin"
+
+ensure_sudo() {
+	if [ "$(id -u)" = "0" ]; then
+		echo "Sudo permissions detected"
+	else
+		echo "No sudo permission detected, please run as sudo"
+		exit 1
+	fi
+}
+
+ensure_headscale_path() {
+	if [ ! -f "$HEADSCALE_EXE" ]; then
+		echo "headscale not in default path, exiting..."
+		exit 1
+	fi
+
+	printf "Found headscale %s\n" "$HEADSCALE_EXE"
+}
+
+create_headscale_user() {
+	printf "PostInstall: Adding headscale user %s\n" "$HEADSCALE_USER"
+	useradd -r -s "$HEADSCALE_SHELL" -d "$HEADSCALE_HOME_DIR" -c "headscale default user" "$HEADSCALE_USER"
+}
+
+create_headscale_group() {
+	if command -V systemctl >/dev/null 2>&1; then
+		printf "PostInstall: Adding headscale group %s\n" "$HEADSCALE_GROUP"
+		groupadd -r "$HEADSCALE_GROUP"
+
+		printf "PostInstall: Adding headscale user %s to group %s\n" "$HEADSCALE_USER" "$HEADSCALE_GROUP"
+		usermod -a -G "$HEADSCALE_GROUP" "$HEADSCALE_USER"
+	fi
+
+	if [ "$ID" = "alpine" ]; then
+		printf "PostInstall: Adding headscale group %s\n" "$HEADSCALE_GROUP"
+		addgroup -S "$HEADSCALE_GROUP"
+
+		printf "PostInstall: Adding headscale user %s to group %s\n" "$HEADSCALE_USER" "$HEADSCALE_GROUP"
+		addgroup "$HEADSCALE_USER" "$HEADSCALE_GROUP"
+	fi
+}
+
+create_run_dir() {
+	printf "PostInstall: Creating headscale run directory \n"
+	mkdir -p "$HEADSCALE_RUN_DIR"
+
+	printf "PostInstall: Modifying group ownership of headscale run directory \n"
+	chown "$HEADSCALE_USER":"$HEADSCALE_GROUP" "$HEADSCALE_RUN_DIR"
+}
+
+summary() {
+	echo "----------------------------------------------------------------------"
+	echo " headscale package has been successfully installed."
+	echo ""
+	echo " Please follow the next steps to start the software:"
+	echo ""
+	echo "    sudo systemctl enable headscale"
+	echo "    sudo systemctl start headscale"
+	echo ""
+	echo " Configuration settings can be adjusted here:"
+	echo "    ${BSD_HIER}/etc/headscale/config.yaml"
+	echo ""
+	echo "----------------------------------------------------------------------"
+}
+
+#
+# Main body of the script
+#
+{
+	ensure_sudo
+	ensure_headscale_path
+	create_headscale_user
+	create_headscale_group
+	create_run_dir
+	summary
+}

docs/packaging/postremove.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+# Determine OS platform
+# shellcheck source=/dev/null
+. /etc/os-release
+
+if command -V systemctl >/dev/null 2>&1; then
+	echo "Stop and disable headscale service"
+	systemctl stop headscale >/dev/null 2>&1 || true
+	systemctl disable headscale >/dev/null 2>&1 || true
+	echo "Running daemon-reload"
+	systemctl daemon-reload || true
+fi
+
+echo "Removing run directory"
+rm -rf "/var/run/headscale.sock"

docs/ref/acls.md

@@ -0,0 +1,189 @@
+Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.
+
+For instance, instead of referring to users when defining groups you must
+use users (which are the equivalent to user/logins in Tailscale.com).
+
+Please check https://tailscale.com/kb/1018/acls/ for further information.
+
+When using ACL's the User borders are no longer applied. All machines
+whichever the User have the ability to communicate with other hosts as
+long as the ACL's permits this exchange.
+
+## ACLs use case example
+
+Let's build an example use case for a small business (It may be the place where
+ACL's are the most useful).
+
+We have a small company with a boss, an admin, two developers and an intern.
+
+The boss should have access to all servers but not to the user's hosts. Admin
+should also have access to all hosts except that their permissions should be
+limited to maintaining the hosts (for example purposes). The developers can do
+anything they want on dev hosts but only watch on productions hosts. Intern
+can only interact with the development servers.
+
+There's an additional server that acts as a router, connecting the VPN users
+to an internal network `10.20.0.0/16`. Developers must have access to those
+internal resources.
+
+Each user have at least a device connected to the network and we have some
+servers.
+
+- database.prod
+- database.dev
+- app-server1.prod
+- app-server1.dev
+- billing.internal
+- router.internal
+
+![ACL implementation example](../images/headscale-acl-network.png)
+
+## ACL setup
+
+ACLs have to be written in [huJSON](https://github.com/tailscale/hujson).
+
+When [registering the servers](../usage/getting-started.md#register-a-node) we
+will need to add the flag `--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user
+that is registering the server should be allowed to do it. Since anyone can add
+tags to a server they can register, the check of the tags is done on headscale
+server and only valid tags are applied. A tag is valid if the user that is
+registering it is allowed to do it.
+
+To use ACLs in headscale, you must edit your `config.yaml` file. In there you will find a `policy.path` parameter. This
+will need to point to your ACL file. More info on how these policies are written can be found
+[here](https://tailscale.com/kb/1018/acls/).
+
+Please reload or restart Headscale after updating the ACL file. Headscale may be reloaded either via its systemd service
+(`sudo systemctl reload headscale`) or by sending a SIGHUP signal (`sudo kill -HUP $(pidof headscale)`) to the main
+process. Headscale logs the result of ACL policy processing after each reload.
+
+Here are the ACL's to implement the same permissions as above:
+
+```json title="acl.json"
+{
+  // groups are collections of users having a common scope. A user can be in multiple groups
+  // groups cannot be composed of groups
+  "groups": {
+    "group:boss": ["boss@"],
+    "group:dev": ["dev1@", "dev2@"],
+    "group:admin": ["admin1@"],
+    "group:intern": ["intern1@"]
+  },
+  // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
+  // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
+  // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
+  "tagOwners": {
+    // the administrators can add servers in production
+    "tag:prod-databases": ["group:admin"],
+    "tag:prod-app-servers": ["group:admin"],
+
+    // the boss can tag any server as internal
+    "tag:internal": ["group:boss"],
+
+    // dev can add servers for dev purposes as well as admins
+    "tag:dev-databases": ["group:admin", "group:dev"],
+    "tag:dev-app-servers": ["group:admin", "group:dev"]
+
+    // interns cannot add servers
+  },
+  // hosts should be defined using its IP addresses and a subnet mask.
+  // to define a single host, use a /32 mask. You cannot use DNS entries here,
+  // as they're prone to be hijacked by replacing their IP addresses.
+  // see https://github.com/tailscale/tailscale/issues/3800 for more information.
+  "hosts": {
+    "postgresql.internal": "10.20.0.2/32",
+    "webservers.internal": "10.20.10.1/29"
+  },
+  "acls": [
+    // boss have access to all servers
+    {
+      "action": "accept",
+      "src": ["group:boss"],
+      "dst": [
+        "tag:prod-databases:*",
+        "tag:prod-app-servers:*",
+        "tag:internal:*",
+        "tag:dev-databases:*",
+        "tag:dev-app-servers:*"
+      ]
+    },
+
+    // admin have only access to administrative ports of the servers, in tcp/22
+    {
+      "action": "accept",
+      "src": ["group:admin"],
+      "proto": "tcp",
+      "dst": [
+        "tag:prod-databases:22",
+        "tag:prod-app-servers:22",
+        "tag:internal:22",
+        "tag:dev-databases:22",
+        "tag:dev-app-servers:22"
+      ]
+    },
+
+    // we also allow admin to ping the servers
+    {
+      "action": "accept",
+      "src": ["group:admin"],
+      "proto": "icmp",
+      "dst": [
+        "tag:prod-databases:*",
+        "tag:prod-app-servers:*",
+        "tag:internal:*",
+        "tag:dev-databases:*",
+        "tag:dev-app-servers:*"
+      ]
+    },
+
+    // developers have access to databases servers and application servers on all ports
+    // they can only view the applications servers in prod and have no access to databases servers in production
+    {
+      "action": "accept",
+      "src": ["group:dev"],
+      "dst": [
+        "tag:dev-databases:*",
+        "tag:dev-app-servers:*",
+        "tag:prod-app-servers:80,443"
+      ]
+    },
+    // developers have access to the internal network through the router.
+    // the internal network is composed of HTTPS endpoints and Postgresql
+    // database servers.
+    {
+      "action": "accept",
+      "src": ["group:dev"],
+      "dst": ["10.20.0.0/16:443,5432"]
+    },
+
+    // servers should be able to talk to database in tcp/5432. Database should not be able to initiate connections to
+    // applications servers
+    {
+      "action": "accept",
+      "src": ["tag:dev-app-servers"],
+      "proto": "tcp",
+      "dst": ["tag:dev-databases:5432"]
+    },
+    {
+      "action": "accept",
+      "src": ["tag:prod-app-servers"],
+      "dst": ["tag:prod-databases:5432"]
+    },
+
+    // interns have access to dev-app-servers only in reading mode
+    {
+      "action": "accept",
+      "src": ["group:intern"],
+      "dst": ["tag:dev-app-servers:80,443"]
+    },
+
+    // We still have to allow internal users communications since nothing guarantees that each user have
+    // their own users.
+    { "action": "accept", "src": ["boss@"], "dst": ["boss@:*"] },
+    { "action": "accept", "src": ["dev1@"], "dst": ["dev1@:*"] },
+    { "action": "accept", "src": ["dev2@"], "dst": ["dev2@:*"] },
+    { "action": "accept", "src": ["admin1@"], "dst": ["admin1@:*"] },
+    { "action": "accept", "src": ["intern1@"], "dst": ["intern1@:*"] }
+  ]
+}
+```

docs/ref/configuration.md

@@ -0,0 +1,39 @@
+# Configuration
+
+- Headscale loads its configuration from a YAML file
+- It searches for `config.yaml` in the following paths:
+    - `/etc/headscale`
+    - `$HOME/.headscale`
+    - the current working directory
+- Use the command line flag `-c`, `--config` to load the configuration from a different path
+- Validate the configuration file with: `headscale configtest`
+
+!!! example "Get the [example configuration from the GitHub repository](https://github.com/juanfont/headscale/blob/main/config-example.yaml)"
+
+    Always select the [same GitHub tag](https://github.com/juanfont/headscale/tags) as the released version you use to
+    ensure you have the correct example configuration. The `main` branch might contain unreleased changes.
+
+    === "View on GitHub"
+
+        * Development version: <https://github.com/juanfont/headscale/blob/main/config-example.yaml>
+        * Version {{ headscale.version }}: <https://github.com/juanfont/headscale/blob/v{{ headscale.version }}/config-example.yaml>
+
+    === "Download with `wget`"
+
+        ```shell
+        # Development version
+        wget -O config.yaml https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml
+
+        # Version {{ headscale.version }}
+        wget -O config.yaml https://raw.githubusercontent.com/juanfont/headscale/v{{ headscale.version }}/config-example.yaml
+        ```
+
+    === "Download with `curl`"
+
+        ```shell
+        # Development version
+        curl -o config.yaml https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml
+
+        # Version {{ headscale.version }}
+        curl -o config.yaml https://raw.githubusercontent.com/juanfont/headscale/v{{ headscale.version }}/config-example.yaml
+        ```

docs/ref/dns.md

@@ -0,0 +1,112 @@
+# DNS
+
+Headscale supports [most DNS features](../about/features.md) from Tailscale. DNS related settings can be configured
+within `dns` section of the [configuration file](./configuration.md).
+
+## Setting extra DNS records
+
+Headscale allows to set extra DNS records which are made available via
+[MagicDNS](https://tailscale.com/kb/1081/magicdns). Extra DNS records can be configured either via static entries in the
+[configuration file](./configuration.md) or from a JSON file that Headscale continuously watches for changes:
+
+* Use the `dns.extra_records` option in the [configuration file](./configuration.md) for entries that are static and
+  don't change while Headscale is running. Those entries are processed when Headscale is starting up and changes to the
+  configuration require a restart of Headscale.
+* For dynamic DNS records that may be added, updated or removed while Headscale is running or DNS records that are
+  generated by scripts the option `dns.extra_records_path` in the [configuration file](./configuration.md) is useful.
+  Set it to the absolute path of the JSON file containing DNS records and Headscale processes this file as it detects
+  changes.
+
+An example use case is to serve multiple apps on the same host via a reverse proxy like NGINX, in this case a Prometheus
+monitoring stack. This allows to nicely access the service with "http://grafana.myvpn.example.com" instead of the
+hostname and port combination "http://hostname-in-magic-dns.myvpn.example.com:3000".
+
+!!! warning "Limitations"
+
+    Currently, [only A and AAAA records are processed by Tailscale](https://github.com/tailscale/tailscale/blob/v1.78.3/ipn/ipnlocal/local.go#L4461-L4479).
+
+
+1.  Configure extra DNS records using one of the available configuration options:
+
+    === "Static entries, via `dns.extra_records`"
+
+        ```yaml title="config.yaml"
+        dns:
+          ...
+          extra_records:
+            - name: "grafana.myvpn.example.com"
+              type: "A"
+              value: "100.64.0.3"
+
+            - name: "prometheus.myvpn.example.com"
+              type: "A"
+              value: "100.64.0.3"
+          ...
+        ```
+
+        Restart your headscale instance.
+
+    === "Dynamic entries, via `dns.extra_records_path`"
+
+        ```json title="extra-records.json"
+        [
+          {
+            "name": "grafana.myvpn.example.com",
+            "type": "A",
+            "value": "100.64.0.3"
+          },
+          {
+            "name": "prometheus.myvpn.example.com",
+            "type": "A",
+            "value": "100.64.0.3"
+          }
+        ]
+        ```
+
+        Headscale picks up changes to the above JSON file automatically.
+
+        !!! tip "Good to know"
+
+            * The `dns.extra_records_path` option in the [configuration file](./configuration.md) needs to reference the
+              JSON file containing extra DNS records.
+            * Be sure to "sort keys" and produce a stable output in case you generate the JSON file with a script.
+              Headscale uses a checksum to detect changes to the file and a stable output avoids unnecessary processing.
+
+1.  Verify that DNS records are properly set using the DNS querying tool of your choice:
+
+    === "Query with dig"
+
+        ```console
+        dig +short grafana.myvpn.example.com
+        100.64.0.3
+        ```
+
+    === "Query with drill"
+
+        ```console
+        drill -Q grafana.myvpn.example.com
+        100.64.0.3
+        ```
+
+1.  Optional: Setup the reverse proxy
+
+    The motivating example here was to be able to access internal monitoring services on the same host without
+    specifying a port, depicted as NGINX configuration snippet:
+
+    ```nginx title="nginx.conf"
+    server {
+        listen 80;
+        listen [::]:80;
+
+        server_name grafana.myvpn.example.com;
+
+        location / {
+            proxy_pass http://localhost:3000;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+    }
+    ```

docs/ref/integration/reverse-proxy.md

@@ -0,0 +1,141 @@
+# Running headscale behind a reverse proxy
+
+!!! warning "Community documentation"
+
+    This page is not actively maintained by the headscale authors and is
+    written by community members. It is _not_ verified by headscale developers.
+
+    **It might be outdated and it might miss necessary steps**.
+
+Running headscale behind a reverse proxy is useful when running multiple applications on the same server, and you want to reuse the same external IP and port - usually tcp/443 for HTTPS.
+
+### WebSockets
+
+The reverse proxy MUST be configured to support WebSockets to communicate with Tailscale clients.
+
+WebSockets support is also required when using the headscale embedded DERP server. In this case, you will also need to expose the UDP port used for STUN (by default, udp/3478). Please check our [config-example.yaml](https://github.com/juanfont/headscale/blob/main/config-example.yaml).
+
+### Cloudflare
+
+Running headscale behind a cloudflare proxy or cloudflare tunnel is not supported and will not work as Cloudflare does not support WebSocket POSTs as required by the Tailscale protocol. See [this issue](https://github.com/juanfont/headscale/issues/1468)
+
+### TLS
+
+Headscale can be configured not to use TLS, leaving it to the reverse proxy to handle. Add the following configuration values to your headscale config file.
+
+```yaml title="config.yaml"
+server_url: https://<YOUR_SERVER_NAME> # This should be the FQDN at which headscale will be served
+listen_addr: 0.0.0.0:8080
+metrics_listen_addr: 0.0.0.0:9090
+tls_cert_path: ""
+tls_key_path: ""
+```
+
+## nginx
+
+The following example configuration can be used in your nginx setup, substituting values as necessary. `<IP:PORT>` should be the IP address and port where headscale is running. In most cases, this will be `http://localhost:8080`.
+
+```nginx title="nginx.conf"
+map $http_upgrade $connection_upgrade {
+    default      upgrade;
+    ''           close;
+}
+
+server {
+    listen 80;
+	listen [::]:80;
+
+	listen 443      ssl http2;
+	listen [::]:443 ssl http2;
+
+    server_name <YOUR_SERVER_NAME>;
+
+    ssl_certificate <PATH_TO_CERT>;
+    ssl_certificate_key <PATH_CERT_KEY>;
+    ssl_protocols TLSv1.2 TLSv1.3;
+
+    location / {
+        proxy_pass http://<IP:PORT>;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $server_name;
+        proxy_redirect http:// https://;
+        proxy_buffering off;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+    }
+}
+```
+
+## istio/envoy
+
+If you using [Istio](https://istio.io/) ingressgateway or [Envoy](https://www.envoyproxy.io/) as reverse proxy, there are some tips for you. If not set, you may see some debug log in proxy as below:
+
+```log
+Sending local reply with details upgrade_failed
+```
+
+### Envoy
+
+You need to add a new upgrade_type named `tailscale-control-protocol`. [see details](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-upgradeconfig)
+
+### Istio
+
+Same as envoy, we can use `EnvoyFilter` to add upgrade_type.
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: headscale-behind-istio-ingress
+  namespace: istio-system
+spec:
+  configPatches:
+    - applyTo: NETWORK_FILTER
+      match:
+        listener:
+          filterChain:
+            filter:
+              name: envoy.filters.network.http_connection_manager
+      patch:
+        operation: MERGE
+        value:
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+            upgrade_configs:
+              - upgrade_type: tailscale-control-protocol
+```
+
+## Caddy
+
+The following Caddyfile is all that is necessary to use Caddy as a reverse proxy for headscale, in combination with the `config.yaml` specifications above to disable headscale's built in TLS. Replace values as necessary - `<YOUR_SERVER_NAME>` should be the FQDN at which headscale will be served, and `<IP:PORT>` should be the IP address and port where headscale is running. In most cases, this will be `localhost:8080`.
+
+```none title="Caddyfile"
+<YOUR_SERVER_NAME> {
+    reverse_proxy <IP:PORT>
+}
+```
+
+Caddy v2 will [automatically](https://caddyserver.com/docs/automatic-https) provision a certificate for your domain/subdomain, force HTTPS, and proxy websockets - no further configuration is necessary.
+
+For a slightly more complex configuration which utilizes Docker containers to manage Caddy, headscale, and Headscale-UI, [Guru Computing's guide](https://blog.gurucomputing.com.au/smart-vpns-with-headscale/) is an excellent reference.
+
+## Apache
+
+The following minimal Apache config will proxy traffic to the headscale instance on `<IP:PORT>`. Note that `upgrade=any` is required as a parameter for `ProxyPass` so that WebSockets traffic whose `Upgrade` header value is not equal to `WebSocket` (i. e. Tailscale Control Protocol) is forwarded correctly. See the [Apache docs](https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html) for more information on this.
+
+```apache title="apache.conf"
+<VirtualHost *:443>
+	ServerName <YOUR_SERVER_NAME>
+
+	ProxyPreserveHost On
+	ProxyPass / http://<IP:PORT>/ upgrade=any
+
+	SSLEngine On
+	SSLCertificateFile <PATH_TO_CERT>
+	SSLCertificateKeyFile <PATH_CERT_KEY>
+</VirtualHost>
+```

docs/ref/integration/tools.md

@@ -0,0 +1,14 @@
+# Tools related to headscale
+
+!!! warning "Community contributions"
+
+    This page contains community contributions. The projects listed here are not
+    maintained by the headscale authors and are written by community members.
+
+This page collects third-party tools and scripts related to headscale.
+
+| Name                  | Repository Link                                                 | Description                                                          |
+| --------------------- | --------------------------------------------------------------- | -------------------------------------------------------------------- |
+| tailscale-manager     | [Github](https://github.com/singlestore-labs/tailscale-manager) | Dynamically manage Tailscale route advertisements                    |
+| headscalebacktosqlite | [Github](https://github.com/bigbozza/headscalebacktosqlite)     | Migrate headscale from PostgreSQL back to SQLite                     |
+| headscale-pf          | [Github](https://github.com/YouSysAdmin/headscale-pf)           | Populates user groups based on user groups in Jumpcloud or Authentik |

docs/ref/integration/web-ui.md

@@ -0,0 +1,19 @@
+# Web interfaces for headscale
+
+!!! warning "Community contributions"
+
+    This page contains community contributions. The projects listed here are not
+    maintained by the headscale authors and are written by community members.
+
+Headscale doesn't provide a built-in web interface but users may pick one from the available options.
+
+| Name                   | Repository Link                                            | Description                                                                          |
+| ---------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------ |
+| headscale-ui           | [Github](https://github.com/gurucomputing/headscale-ui)    | A web frontend for the headscale Tailscale-compatible coordination server            |
+| HeadscaleUi            | [GitHub](https://github.com/simcu/headscale-ui)            | A static headscale admin ui, no backend environment required                         |
+| Headplane              | [GitHub](https://github.com/tale/headplane)                | An advanced Tailscale inspired frontend for headscale                                |
+| headscale-admin        | [Github](https://github.com/GoodiesHQ/headscale-admin)     | Headscale-Admin is meant to be a simple, modern web interface for headscale          |
+| ouroboros              | [Github](https://github.com/yellowsink/ouroboros)          | Ouroboros is designed for users to manage their own devices, rather than for admins  |
+| unraid-headscale-admin | [Github](https://github.com/ich777/unraid-headscale-admin) | A simple headscale admin UI for Unraid, it offers Local (`docker exec`) and API Mode |
+
+You can ask for support on our [Discord server](https://discord.gg/c84AZQhmpx) in the "web-interfaces" channel.