Merge pull request #350 from restanrm/feat-oidc-login-as-namespace

Merge remote-tracking branch 'origin/main' into feat-oidc-login-as-namespace
Merge pull request #357 from kradalby/make-namespace-to-users
2026-01-14 21:23:37 +01:00 · 2022-02-25 13:22:26 +01:00 · 2022-02-25 11:28:17 +01:00 · 2022-02-25 11:01:41 +01:00 · 2022-02-25 10:39:12 +01:00 · 2022-02-25 10:37:35 +01:00
56 changed files with 3090 additions and 2743 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1,10 @@
+* @juanfont @kradalby
+
+*.md @ohdearaugustin
+*.yml @ohdearaugustin
+*.yaml @ohdearaugustin
+Dockerfile* @ohdearaugustin
+.goreleaser.yaml @ohdearaugustin
+/docs/ @ohdearaugustin
+/.github/workflows/ @ohdearaugustin
+/.github/renovate.json @ohdearaugustin
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -0,0 +1,38 @@
+{
+  "baseBranches": ["main"],
+  "username": "renovate-release",
+  "gitAuthor": "Renovate Bot <bot@renovateapp.com>",
+  "branchPrefix": "renovateaction/",
+  "onboarding": false,
+  "extends": ["config:base", ":rebaseStalePrs"],
+  "ignorePresets": [":prHourlyLimit2"],
+  "enabledManagers": ["dockerfile", "gomod", "github-actions","regex" ],
+  "includeForks": true,
+  "repositories": ["juanfont/headscale"],
+  "platform": "github",
+  "packageRules": [
+    {
+        "matchDatasources": ["go"],
+        "groupName": "Go modules",
+        "groupSlug": "gomod",
+        "separateMajorMinor": false
+    },
+    {
+        "matchDatasources": ["docker"],
+        "groupName": "Dockerfiles",
+        "groupSlug": "dockerfiles"
+    } 
+  ],
+  "regexManagers": [
+    {
+      "fileMatch": [
+          ".github/workflows/.*.yml$"
+      ],
+      "matchStrings": [
+        "\\s*go-version:\\s*\"?(?<currentValue>.*?)\"?\\n"
+      ],
+      "datasourceTemplate": "golang-version",
+      "depNameTemplate": "actions/go-version"
+    }
+  ]
+}
--- a/.github/workflows/contributors.yml
+++ b/.github/workflows/contributors.yml
@@ -4,13 +4,13 @@ on:
  push:
    branches:
      - main
-
+  workflow_dispatch:
 jobs:
  add-contributors:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
-      - uses: BobAnkh/add-contributors@master
+      - uses: BobAnkh/add-contributors@v0.2.2
        with:
          CONTRIBUTOR: "## Contributors"
          COLUMN_PER_ROW: "6"
--- a/.github/workflows/renovatebot.yml
+++ b/.github/workflows/renovatebot.yml
@@ -0,0 +1,27 @@
+---
+name: Renovate
+on:
+  schedule:
+    - cron: "* * 5,20 * *" # Every 5th and 20th of the month
+  workflow_dispatch:
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get token
+        id: get_token
+        uses: machine-learning-apps/actions-app-token@master
+        with:
+          APP_PEM: ${{ secrets.RENOVATEBOT_SECRET }}
+          APP_ID: ${{ secrets.RENOVATEBOT_APP_ID }}
+
+      - name: Checkout
+        uses: actions/checkout@v2.0.0
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@v31.81.3
+        with:
+          configurationFile: .github/renovate.json
+          token: "x-access-token:${{ steps.get_token.outputs.app_token }}"
+        # env:
+        #  LOG_LEVEL: "debug"
--- a/.github/workflows/test-integration.yml
+++ b/.github/workflows/test-integration.yml
@@ -29,4 +29,4 @@ jobs:

      - name: Run Integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
-        run: go test -tags integration -timeout 30m
+        run: make test_integration
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -48,6 +48,7 @@ linters-settings:
      - ip
      - ok
      - c
+      - tt

  gocritic:
    disabled-checks:
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -10,15 +10,12 @@ builds:
  - id: darwin-amd64
    main: ./cmd/headscale/headscale.go
    mod_timestamp: "{{ .CommitTimestamp }}"
+    env:
+      - CGO_ENABLED=0
    goos:
      - darwin
    goarch:
      - amd64
-    env:
-      - PKG_CONFIG_SYSROOT_DIR=/sysroot/macos/amd64
-      - PKG_CONFIG_PATH=/sysroot/macos/amd64/usr/local/lib/pkgconfig
-      - CC=o64-clang
-      - CXX=o64-clang++
    flags:
      - -mod=readonly
    ldflags:
@@ -27,46 +24,40 @@ builds:
  - id: linux-armhf
    main: ./cmd/headscale/headscale.go
    mod_timestamp: "{{ .CommitTimestamp }}"
+    env:
+      - CGO_ENABLED=0
    goos:
      - linux
    goarch:
      - arm
    goarm:
      - "7"
-    env:
-      - CC=arm-linux-gnueabihf-gcc
-      - CXX=arm-linux-gnueabihf-g++
-      - CGO_FLAGS=--sysroot=/sysroot/linux/armhf
-      - CGO_LDFLAGS=--sysroot=/sysroot/linux/armhf
-      - PKG_CONFIG_SYSROOT_DIR=/sysroot/linux/armhf
-      - PKG_CONFIG_PATH=/sysroot/linux/armhf/opt/vc/lib/pkgconfig:/sysroot/linux/armhf/usr/lib/arm-linux-gnueabihf/pkgconfig:/sysroot/linux/armhf/usr/lib/pkgconfig:/sysroot/linux/armhf/usr/local/lib/pkgconfig
    flags:
      - -mod=readonly
    ldflags:
      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}

  - id: linux-amd64
+    mod_timestamp: "{{ .CommitTimestamp }}"
    env:
-      - CGO_ENABLED=1
+      - CGO_ENABLED=0
    goos:
      - linux
    goarch:
      - amd64
    main: ./cmd/headscale/headscale.go
-    mod_timestamp: "{{ .CommitTimestamp }}"
    ldflags:
      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}

  - id: linux-arm64
+    mod_timestamp: "{{ .CommitTimestamp }}"
+    env:
+      - CGO_ENABLED=0
    goos:
      - linux
    goarch:
      - arm64
-    env:
-      - CGO_ENABLED=1
-      - CC=aarch64-linux-gnu-gcc
    main: ./cmd/headscale/headscale.go
-    mod_timestamp: "{{ .CommitTimestamp }}"
    ldflags:
      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,43 @@
 # CHANGELOG

-**TBD (TBD):**
+**0.15.0 (2022-xx-xx):**

-**0.13.0 (2022-xx-xx):**
+**BREAKING**:
+
+- Boundaries between Namespaces has been removed and all nodes can communicate by default [#357](https://github.com/juanfont/headscale/pull/357)
+  - To limit access between nodes, use [ACLs](./docs/acls.md).
+
+**Changes**:
+
+- Fix a bug were the same IP could be assigned to multiple hosts if joined in quick succession [#346](https://github.com/juanfont/headscale/pull/346)
+
+**0.14.0 (2022-02-24):**
+
+**UPCOMING BREAKING**:
+From the **next** version (`0.15.0`), all machines will be able to communicate regardless of
+if they are in the same namespace. This means that the behaviour currently limited to ACLs
+will become default. From version `0.15.0`, all limitation of communications must be done
+with ACLs.
+
+This is a part of aligning `headscale`'s behaviour with Tailscale's upstream behaviour.
+
+**BREAKING**:
+
+- ACLs have been rewritten to align with the bevaviour Tailscale Control Panel provides. **NOTE:** This is only active if you use ACLs
+  - Namespaces are now treated as Users
+  - All machines can communicate with all machines by default
+  - Tags should now work correctly and adding a host to Headscale should now reload the rules.
+  - The documentation have a [fictional example](docs/acls.md) that should cover some use cases of the ACLs features
+
+**Features**:
+
+- Add support for configurable mTLS [docs](docs/tls.md#configuring-mutual-tls-authentication-mtls) [#297](https://github.com/juanfont/headscale/pull/297)
+
+**Changes**:
+
+- Remove dependency on CGO (switch from CGO SQLite to pure Go) [#346](https://github.com/juanfont/headscale/pull/346)
+
+**0.13.0 (2022-02-18):**

 **Features**:

@@ -10,6 +45,10 @@
 - Add API Key support
  - Enable remote control of `headscale` via CLI [docs](docs/remote-cli.md)
  - Enable HTTP API (beta, subject to change)
+- OpenID Connect users will be mapped per namespaces
+  - Each user will get its own namespace, created if it does not exist
+  - `oidc.domain_map` option has been removed
+  - `strip_email_domain` option has been added (see [config-example.yaml](./config_example.yaml))

 **Changes**:

--- a/2
+++ b/2
@@ -8,7 +8,7 @@ RUN go mod download

 COPY . .

-RUN go install -a -ldflags="-extldflags=-static" -tags netgo,sqlite_omit_load_extension ./cmd/headscale
+RUN GGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale
 RUN strip /go/bin/headscale
 RUN test -e /go/bin/headscale

--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -9,7 +9,7 @@ RUN go mod download

 COPY . .

-RUN go install -a -ldflags="-extldflags=-static" -tags netgo,sqlite_omit_load_extension ./cmd/headscale
+RUN GGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale
 RUN strip /go/bin/headscale
 RUN test -e /go/bin/headscale

--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -8,7 +8,7 @@ RUN go mod download

 COPY . .

-RUN go install -a -ldflags="-extldflags=-static" -tags netgo,sqlite_omit_load_extension ./cmd/headscale
+RUN GGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale
 RUN test -e /go/bin/headscale

 # Debug image
--- a/4
+++ b/4
@@ -10,7 +10,7 @@ PROTO_SOURCES = $(call rwildcard,,*.proto)


 build:
-	go build -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go
+	GGO_ENABLED=0 go build -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go

 dev: lint test build

@@ -18,7 +18,7 @@ test:
 	@go test -coverprofile=coverage.out ./...

 test_integration:
-	go test -tags integration -timeout 30m -count=1 ./...
+	go test -failfast -tags integration -timeout 30m -count=1 ./...

 test_integration_cli:
 	go test -tags integration -v integration_cli_test.go integration_common_test.go
--- a/README.md
+++ b/README.md
@@ -2,44 +2,67 @@

 ![ci](https://github.com/juanfont/headscale/actions/workflows/test.yml/badge.svg)

-An open source, self-hosted implementation of the Tailscale coordination server.
+An open source, self-hosted implementation of the Tailscale control server.

 Join our [Discord](https://discord.gg/XcQxk2VHjx) server for a chat.

-**Note:** Always select the same GitHub tag as the released version you use to ensure you have the correct example configuration and documentation. The `main` branch might contain unreleased changes.
+**Note:** Always select the same GitHub tag as the released version you use
+to ensure you have the correct example configuration and documentation.
+The `main` branch might contain unreleased changes.

-## Overview
+## What is Tailscale

-Tailscale is [a modern VPN](https://tailscale.com/) built on top of [Wireguard](https://www.wireguard.com/). It [works like an overlay network](https://tailscale.com/blog/how-tailscale-works/) between the computers of your networks - using [NAT traversal](https://tailscale.com/blog/how-nat-traversal-works/).
+Tailscale is [a modern VPN](https://tailscale.com/) built on top of
+[Wireguard](https://www.wireguard.com/).
+It [works like an overlay network](https://tailscale.com/blog/how-tailscale-works/)
+between the computers of your networks - using
+[NAT traversal](https://tailscale.com/blog/how-nat-traversal-works/).

-Everything in Tailscale is Open Source, except the GUI clients for proprietary OS (Windows and macOS/iOS), and the 'coordination/control server'.
+Everything in Tailscale is Open Source, except the GUI clients for proprietary OS
+(Windows and macOS/iOS), and the control server.

-The control server works as an exchange point of Wireguard public keys for the nodes in the Tailscale network. It also assigns the IP addresses of the clients, creates the boundaries between each user, enables sharing machines between users, and exposes the advertised routes of your nodes.
+The control server works as an exchange point of Wireguard public keys for the
+nodes in the Tailscale network. It assigns the IP addresses of the clients,
+creates the boundaries between each user, enables sharing machines between users,
+and exposes the advertised routes of your nodes.

-headscale implements this coordination server.
+A [Tailscale network (tailnet)](https://tailscale.com/kb/1136/tailnet/) is private
+network which Tailscale assigns to a user in terms of private users or an
+organisations.
+
+## Design goal
+
+`headscale` aims to implement a self-hosted, open source alternative to the Tailscale
+control server. `headscale` has a narrower scope and an instance of `headscale`
+implements a _single_ Tailnet, which is typically what a single organisation, or
+home/personal setup would use.
+
+`headscale` uses terms that maps to Tailscale's control server, consult the
+[glossary](./docs/glossary.md) for explainations.

 ## Support

-If you like `headscale` and find it useful, there is sponsorship and donation buttons available in the repo.
+If you like `headscale` and find it useful, there is a sponsorship and donation
+buttons available in the repo.

-If you would like to sponsor features, bugs or prioritisation, reach out to one of the maintainers.
+If you would like to sponsor features, bugs or prioritisation, reach out to
+one of the maintainers.

-## Status
+## Features

- [x] Base functionality (nodes can communicate with each other)
- [x] Node registration through the web flow
- [x] Network changes are relayed to the nodes
- [x] Namespaces support (~tailnets in Tailscale.com naming)
- [x] Routing (advertise & accept, including exit nodes)
- [x] Node registration via pre-auth keys (including reusable keys, and ephemeral node support)
- [x] JSON-formatted output
- [x] ACLs
- [x] Taildrop (File Sharing)
- [x] Support for alternative IP ranges in the tailnets (default Tailscale's 100.64.0.0/10)
- [x] DNS (passing DNS servers to nodes)
- [x] Single-Sign-On (via Open ID Connect)
- [x] Share nodes between namespaces
- [x] MagicDNS (see `docs/`)
+- Full "base" support of Tailscale's features
+- Configurable DNS
+  - [Split DNS](https://tailscale.com/kb/1054/dns/#using-dns-settings-in-the-admin-console)
+- Node registration
+  - Single-Sign-On (via Open ID Connect)
+  - Pre authenticated key
+- Taildrop (File Sharing)
+- [Access control lists](https://tailscale.com/kb/1018/acls/)
+- [MagicDNS](https://tailscale.com/kb/1081/magicdns)
+- Support for multiple IP ranges in the tailnet
+- Dual stack (IPv4 and IPv6)
+- Routing advertising (including exit nodes)
+- Ephemeral nodes

 ## Client OS support

@@ -47,15 +70,12 @@ If you would like to sponsor features, bugs or prioritisation, reach out to one
 | ------- | ----------------------------------------------------------------------------------------------------------------- |
 | Linux   | Yes                                                                                                               |
 | OpenBSD | Yes                                                                                                               |
+| FreeBSD | Yes                                                                                                               |
 | macOS   | Yes (see `/apple` on your headscale for more information)                                                         |
 | Windows | Yes [docs](./docs/windows-client.md)                                                                              |
 | Android | [You need to compile the client yourself](https://github.com/juanfont/headscale/issues/58#issuecomment-885255270) |
 | iOS     | Not yet                                                                                                           |

-## Roadmap
-
-Suggestions/PRs welcomed!
-
 ## Running headscale

 Please have a look at the documentation under [`docs/`](docs/).
@@ -67,11 +87,15 @@ Please have a look at the documentation under [`docs/`](docs/).

 ## Contributing

-To contribute to Headscale you would need the lastest version of [Go](https://golang.org) and [Buf](https://buf.build)(Protobuf generator).
+To contribute to headscale you would need the lastest version of [Go](https://golang.org)
+and [Buf](https://buf.build)(Protobuf generator).
+
+PRs and suggestions are welcome.

 ### Code style

-To ensure we have some consistency with a growing number of contributions, this project has adopted linting and style/formatting rules:
+To ensure we have some consistency with a growing number of contributions,
+this project has adopted linting and style/formatting rules:

 The **Go** code is linted with [`golangci-lint`](https://golangci-lint.run) and
 formatted with [`golines`](https://github.com/segmentio/golines) (width 88) and
@@ -98,7 +122,8 @@ make install-protobuf-plugins

 ### Testing and building

-Some parts of the project require the generation of Go code from Protobuf (if changes are made in `proto/`) and it must be (re-)generated with:
+Some parts of the project require the generation of Go code from Protobuf
+(if changes are made in `proto/`) and it must be (re-)generated with:

 ```shell
 make generate
@@ -122,13 +147,6 @@ make build

 <table>
 <tr>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/juanfont>
-            <img src=https://avatars.githubusercontent.com/u/181059?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Juan Font/>
-            <br />
-            <sub style="font-size:14px"><b>Juan Font</b></sub>
-        </a>
-    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/kradalby>
            <img src=https://avatars.githubusercontent.com/u/98431?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Kristoffer Dalby/>
@@ -136,6 +154,13 @@ make build
            <sub style="font-size:14px"><b>Kristoffer Dalby</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/juanfont>
+            <img src=https://avatars.githubusercontent.com/u/181059?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Juan Font/>
+            <br />
+            <sub style="font-size:14px"><b>Juan Font</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/cure>
            <img src=https://avatars.githubusercontent.com/u/149135?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ward Vandewege/>
@@ -150,6 +175,22 @@ make build
            <sub style="font-size:14px"><b>ohdearaugustin</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/restanrm>
+            <img src=https://avatars.githubusercontent.com/u/4344371?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Adrien Raffin-Caboisse/>
+            <br />
+            <sub style="font-size:14px"><b>Adrien Raffin-Caboisse</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/ItalyPaleAle>
+            <img src=https://avatars.githubusercontent.com/u/43508?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Alessandro (Ale) Segala/>
+            <br />
+            <sub style="font-size:14px"><b>Alessandro (Ale) Segala</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/unreality>
            <img src=https://avatars.githubusercontent.com/u/352522?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=unreality/>
@@ -157,6 +198,13 @@ make build
            <sub style="font-size:14px"><b>unreality</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/negbie>
+            <img src=https://avatars.githubusercontent.com/u/20154956?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Eugen Biegler/>
+            <br />
+            <sub style="font-size:14px"><b>Eugen Biegler</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/qbit>
            <img src=https://avatars.githubusercontent.com/u/68368?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Aaron Bieber/>
@@ -164,6 +212,27 @@ make build
            <sub style="font-size:14px"><b>Aaron Bieber</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/fdelucchijr>
+            <img src=https://avatars.githubusercontent.com/u/69133647?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Fernando De Lucchi/>
+            <br />
+            <sub style="font-size:14px"><b>Fernando De Lucchi</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/hdhoang>
+            <img src=https://avatars.githubusercontent.com/u/12537?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Hoàng Đức Hiếu/>
+            <br />
+            <sub style="font-size:14px"><b>Hoàng Đức Hiếu</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/dragetd>
+            <img src=https://avatars.githubusercontent.com/u/3639577?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Michael G./>
+            <br />
+            <sub style="font-size:14px"><b>Michael G.</b></sub>
+        </a>
+    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -187,6 +256,20 @@ make build
            <sub style="font-size:14px"><b>Silver Bullet</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/majst01>
+            <img src=https://avatars.githubusercontent.com/u/410110?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan Majer/>
+            <br />
+            <sub style="font-size:14px"><b>Stefan Majer</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/lachy-2849>
+            <img src=https://avatars.githubusercontent.com/u/98844035?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=lachy-2849/>
+            <br />
+            <sub style="font-size:14px"><b>lachy-2849</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/t56k>
            <img src=https://avatars.githubusercontent.com/u/12165422?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=thomas/>
@@ -194,6 +277,22 @@ make build
            <sub style="font-size:14px"><b>thomas</b></sub>
        </a>
    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/aberoham>
+            <img src=https://avatars.githubusercontent.com/u/586805?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Abraham Ingersoll/>
+            <br />
+            <sub style="font-size:14px"><b>Abraham Ingersoll</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/artemklevtsov>
+            <img src=https://avatars.githubusercontent.com/u/603798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Artem Klevtsov/>
+            <br />
+            <sub style="font-size:14px"><b>Artem Klevtsov</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/awoimbee>
            <img src=https://avatars.githubusercontent.com/u/22431493?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Arthur Woimbée/>
@@ -201,6 +300,13 @@ make build
            <sub style="font-size:14px"><b>Arthur Woimbée</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/stensonb>
+            <img src=https://avatars.githubusercontent.com/u/933389?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Bryan Stenson/>
+            <br />
+            <sub style="font-size:14px"><b>Bryan Stenson</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/fkr>
            <img src=https://avatars.githubusercontent.com/u/51063?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Felix Kronlage-Dammers/>
@@ -208,8 +314,6 @@ make build
            <sub style="font-size:14px"><b>Felix Kronlage-Dammers</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/felixonmars>
            <img src=https://avatars.githubusercontent.com/u/1006477?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Felix Yan/>
@@ -217,6 +321,52 @@ make build
            <sub style="font-size:14px"><b>Felix Yan</b></sub>
        </a>
    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/JJGadgets>
+            <img src=https://avatars.githubusercontent.com/u/5709019?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=JJGadgets/>
+            <br />
+            <sub style="font-size:14px"><b>JJGadgets</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/madjam002>
+            <img src=https://avatars.githubusercontent.com/u/679137?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jamie Greeff/>
+            <br />
+            <sub style="font-size:14px"><b>Jamie Greeff</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/jimt>
+            <img src=https://avatars.githubusercontent.com/u/180326?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jim Tittsler/>
+            <br />
+            <sub style="font-size:14px"><b>Jim Tittsler</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/piec>
+            <img src=https://avatars.githubusercontent.com/u/781471?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pierre Carru/>
+            <br />
+            <sub style="font-size:14px"><b>Pierre Carru</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/rcursaru>
+            <img src=https://avatars.githubusercontent.com/u/16259641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=rcursaru/>
+            <br />
+            <sub style="font-size:14px"><b>rcursaru</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/ryanfowler>
+            <img src=https://avatars.githubusercontent.com/u/2668821?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ryan Fowler/>
+            <br />
+            <sub style="font-size:14px"><b>Ryan Fowler</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/shaananc>
            <img src=https://avatars.githubusercontent.com/u/2287839?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Shaanan Cohney/>
@@ -224,6 +374,13 @@ make build
            <sub style="font-size:14px"><b>Shaanan Cohney</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/m-tanner-dev0>
+            <img src=https://avatars.githubusercontent.com/u/97977342?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tanner/>
+            <br />
+            <sub style="font-size:14px"><b>Tanner</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/Teteros>
            <img src=https://avatars.githubusercontent.com/u/5067989?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Teteros/>
@@ -261,6 +418,13 @@ make build
            <sub style="font-size:14px"><b>Zakhar Bessarab</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/Bpazy>
+            <img src=https://avatars.githubusercontent.com/u/9838749?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ZiYuan/>
+            <br />
+            <sub style="font-size:14px"><b>ZiYuan</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/derelm>
            <img src=https://avatars.githubusercontent.com/u/465155?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=derelm/>
@@ -268,6 +432,13 @@ make build
            <sub style="font-size:14px"><b>derelm</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/e-zk>
+            <img src=https://avatars.githubusercontent.com/u/58356365?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=e-zk/>
+            <br />
+            <sub style="font-size:14px"><b>e-zk</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ignoramous>
            <img src=https://avatars.githubusercontent.com/u/852289?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ignoramous/>
@@ -275,6 +446,29 @@ make build
            <sub style="font-size:14px"><b>ignoramous</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/lion24>
+            <img src=https://avatars.githubusercontent.com/u/1382102?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=lion24/>
+            <br />
+            <sub style="font-size:14px"><b>lion24</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/pernila>
+            <img src=https://avatars.githubusercontent.com/u/12460060?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=pernila/>
+            <br />
+            <sub style="font-size:14px"><b>pernila</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/Wakeful-Cloud>
+            <img src=https://avatars.githubusercontent.com/u/38930607?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Wakeful-Cloud/>
+            <br />
+            <sub style="font-size:14px"><b>Wakeful-Cloud</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/xpzouying>
            <img src=https://avatars.githubusercontent.com/u/3946563?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=zy/>
--- a/acls.go
+++ b/acls.go
@@ -20,7 +20,6 @@ const (
 	errInvalidUserSection = Error("invalid user section")
 	errInvalidGroup       = Error("invalid group")
 	errInvalidTag         = Error("invalid tag")
-	errInvalidNamespace   = Error("invalid namespace")
 	errInvalidPortFormat  = Error("invalid port format")
 )

@@ -69,13 +68,17 @@ func (h *Headscale) LoadACLPolicy(path string) error {
 	}

 	h.aclPolicy = &policy
+
+	return h.UpdateACLRules()
+}
+
+func (h *Headscale) UpdateACLRules() error {
 	rules, err := h.generateACLRules()
 	if err != nil {
 		return err
 	}
-	h.aclRules = rules
-
 	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
+	h.aclRules = rules

 	return nil
 }
@@ -83,16 +86,23 @@ func (h *Headscale) LoadACLPolicy(path string) error {
 func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}

+	if h.aclPolicy == nil {
+		return nil, errEmptyPolicy
+	}
+
+	machines, err := h.ListMachines()
+	if err != nil {
+		return nil, err
+	}
+
 	for index, acl := range h.aclPolicy.ACLs {
 		if acl.Action != "accept" {
 			return nil, errInvalidAction
 		}

-		filterRule := tailcfg.FilterRule{}
-
 		srcIPs := []string{}
 		for innerIndex, user := range acl.Users {
-			srcs, err := h.generateACLPolicySrcIP(user)
+			srcs, err := h.generateACLPolicySrcIP(machines, *h.aclPolicy, user)
 			if err != nil {
 				log.Error().
 					Msgf("Error parsing ACL %d, User %d", index, innerIndex)
@@ -101,11 +111,10 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 			}
 			srcIPs = append(srcIPs, srcs...)
 		}
-		filterRule.SrcIPs = srcIPs

 		destPorts := []tailcfg.NetPortRange{}
 		for innerIndex, ports := range acl.Ports {
-			dests, err := h.generateACLPolicyDestPorts(ports)
+			dests, err := h.generateACLPolicyDestPorts(machines, *h.aclPolicy, ports)
 			if err != nil {
 				log.Error().
 					Msgf("Error parsing ACL %d, Port %d", index, innerIndex)
@@ -124,11 +133,17 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 	return rules, nil
 }

-func (h *Headscale) generateACLPolicySrcIP(u string) ([]string, error) {
-	return h.expandAlias(u)
+func (h *Headscale) generateACLPolicySrcIP(
+	machines []Machine,
+	aclPolicy ACLPolicy,
+	u string,
+) ([]string, error) {
+	return expandAlias(machines, aclPolicy, u)
 }

 func (h *Headscale) generateACLPolicyDestPorts(
+	machines []Machine,
+	aclPolicy ACLPolicy,
 	d string,
 ) ([]tailcfg.NetPortRange, error) {
 	tokens := strings.Split(d, ":")
@@ -149,11 +164,11 @@ func (h *Headscale) generateACLPolicyDestPorts(
 		alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
 	}

-	expanded, err := h.expandAlias(alias)
+	expanded, err := expandAlias(machines, aclPolicy, alias)
 	if err != nil {
 		return nil, err
 	}
-	ports, err := h.expandPorts(tokens[len(tokens)-1])
+	ports, err := expandPorts(tokens[len(tokens)-1])
 	if err != nil {
 		return nil, err
 	}
@@ -172,21 +187,28 @@ func (h *Headscale) generateACLPolicyDestPorts(
 	return dests, nil
 }

-func (h *Headscale) expandAlias(alias string) ([]string, error) {
+// expandalias has an input of either
+// - a namespace
+// - a group
+// - a tag
+// and transform these in IPAddresses.
+func expandAlias(
+	machines []Machine,
+	aclPolicy ACLPolicy,
+	alias string,
+) ([]string, error) {
+	ips := []string{}
 	if alias == "*" {
 		return []string{"*"}, nil
 	}

 	if strings.HasPrefix(alias, "group:") {
-		if _, ok := h.aclPolicy.Groups[alias]; !ok {
-			return nil, errInvalidGroup
+		namespaces, err := expandGroup(aclPolicy, alias)
+		if err != nil {
+			return ips, err
 		}
-		ips := []string{}
-		for _, n := range h.aclPolicy.Groups[alias] {
-			nodes, err := h.ListMachinesInNamespace(n)
-			if err != nil {
-				return nil, errInvalidNamespace
-			}
+		for _, n := range namespaces {
+			nodes := filterMachinesByNamespace(machines, n)
 			for _, node := range nodes {
 				ips = append(ips, node.IPAddresses.ToStringSlice()...)
 			}
@@ -196,35 +218,23 @@ func (h *Headscale) expandAlias(alias string) ([]string, error) {
 	}

 	if strings.HasPrefix(alias, "tag:") {
-		if _, ok := h.aclPolicy.TagOwners[alias]; !ok {
-			return nil, errInvalidTag
+		owners, err := expandTagOwners(aclPolicy, alias)
+		if err != nil {
+			return ips, err
 		}
-
-		// This will have HORRIBLE performance.
-		// We need to change the data model to better store tags
-		machines := []Machine{}
-		if err := h.db.Where("registered").Find(&machines).Error; err != nil {
-			return nil, err
-		}
-		ips := []string{}
-		for _, machine := range machines {
-			hostinfo := tailcfg.Hostinfo{}
-			if len(machine.HostInfo) != 0 {
-				hi, err := machine.HostInfo.MarshalJSON()
-				if err != nil {
-					return nil, err
+		for _, namespace := range owners {
+			machines := filterMachinesByNamespace(machines, namespace)
+			for _, machine := range machines {
+				if len(machine.HostInfo) == 0 {
+					continue
 				}
-				err = json.Unmarshal(hi, &hostinfo)
+				hi, err := machine.GetHostInfo()
 				if err != nil {
-					return nil, err
+					return ips, err
 				}
-
-				// FIXME: Check TagOwners allows this
-				for _, t := range hostinfo.RequestTags {
-					if alias[4:] == t {
+				for _, t := range hi.RequestTags {
+					if alias == t {
 						ips = append(ips, machine.IPAddresses.ToStringSlice()...)
-
-						break
 					}
 				}
 			}
@@ -233,38 +243,82 @@ func (h *Headscale) expandAlias(alias string) ([]string, error) {
 		return ips, nil
 	}

-	n, err := h.GetNamespace(alias)
-	if err == nil {
-		nodes, err := h.ListMachinesInNamespace(n.Name)
-		if err != nil {
-			return nil, err
-		}
-		ips := []string{}
-		for _, n := range nodes {
-			ips = append(ips, n.IPAddresses.ToStringSlice()...)
-		}
-
+	// if alias is a namespace
+	nodes := filterMachinesByNamespace(machines, alias)
+	nodes, err := excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias)
+	if err != nil {
+		return ips, err
+	}
+	for _, n := range nodes {
+		ips = append(ips, n.IPAddresses.ToStringSlice()...)
+	}
+	if len(ips) > 0 {
 		return ips, nil
 	}

-	if h, ok := h.aclPolicy.Hosts[alias]; ok {
+	// if alias is an host
+	if h, ok := aclPolicy.Hosts[alias]; ok {
 		return []string{h.String()}, nil
 	}

+	// if alias is an IP
 	ip, err := netaddr.ParseIP(alias)
 	if err == nil {
 		return []string{ip.String()}, nil
 	}

+	// if alias is an CIDR
 	cidr, err := netaddr.ParseIPPrefix(alias)
 	if err == nil {
 		return []string{cidr.String()}, nil
 	}

-	return nil, errInvalidUserSection
+	return ips, errInvalidUserSection
 }

-func (h *Headscale) expandPorts(portsStr string) (*[]tailcfg.PortRange, error) {
+// excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
+// that are correctly tagged since they should not be listed as being in the namespace
+// we assume in this function that we only have nodes from 1 namespace.
+func excludeCorrectlyTaggedNodes(
+	aclPolicy ACLPolicy,
+	nodes []Machine,
+	namespace string,
+) ([]Machine, error) {
+	out := []Machine{}
+	tags := []string{}
+	for tag, ns := range aclPolicy.TagOwners {
+		if containsString(ns, namespace) {
+			tags = append(tags, tag)
+		}
+	}
+	// for each machine if tag is in tags list, don't append it.
+	for _, machine := range nodes {
+		if len(machine.HostInfo) == 0 {
+			out = append(out, machine)
+
+			continue
+		}
+		hi, err := machine.GetHostInfo()
+		if err != nil {
+			return out, err
+		}
+		found := false
+		for _, t := range hi.RequestTags {
+			if containsString(tags, t) {
+				found = true
+
+				break
+			}
+		}
+		if !found {
+			out = append(out, machine)
+		}
+	}
+
+	return out, nil
+}
+
+func expandPorts(portsStr string) (*[]tailcfg.PortRange, error) {
 	if portsStr == "*" {
 		return &[]tailcfg.PortRange{
 			{First: portRangeBegin, Last: portRangeEnd},
@@ -306,3 +360,64 @@ func (h *Headscale) expandPorts(portsStr string) (*[]tailcfg.PortRange, error) {

 	return &ports, nil
 }
+
+func filterMachinesByNamespace(machines []Machine, namespace string) []Machine {
+	out := []Machine{}
+	for _, machine := range machines {
+		if machine.Namespace.Name == namespace {
+			out = append(out, machine)
+		}
+	}
+
+	return out
+}
+
+// expandTagOwners will return a list of namespace. An owner can be either a namespace or a group
+// a group cannot be composed of groups.
+func expandTagOwners(aclPolicy ACLPolicy, tag string) ([]string, error) {
+	var owners []string
+	ows, ok := aclPolicy.TagOwners[tag]
+	if !ok {
+		return []string{}, fmt.Errorf(
+			"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners",
+			errInvalidTag,
+			tag,
+		)
+	}
+	for _, owner := range ows {
+		if strings.HasPrefix(owner, "group:") {
+			gs, err := expandGroup(aclPolicy, owner)
+			if err != nil {
+				return []string{}, err
+			}
+			owners = append(owners, gs...)
+		} else {
+			owners = append(owners, owner)
+		}
+	}
+
+	return owners, nil
+}
+
+// expandGroup will return the list of namespace inside the group
+// after some validation.
+func expandGroup(aclPolicy ACLPolicy, group string) ([]string, error) {
+	groups, ok := aclPolicy.Groups[group]
+	if !ok {
+		return []string{}, fmt.Errorf(
+			"group %v isn't registered. %w",
+			group,
+			errInvalidGroup,
+		)
+	}
+	for _, g := range groups {
+		if strings.HasPrefix(g, "group:") {
+			return []string{}, fmt.Errorf(
+				"%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups",
+				errInvalidGroup,
+			)
+		}
+	}
+
+	return groups, nil
+}
--- a/acls_test.go
+++ b/acls_test.go
@@ -1,7 +1,14 @@
 package headscale

 import (
+	"errors"
+	"reflect"
+	"testing"
+
 	"gopkg.in/check.v1"
+	"gorm.io/datatypes"
+	"inet.af/netaddr"
+	"tailscale.com/tailcfg"
 )

 func (s *Suite) TestWrongPath(c *check.C) {
@@ -52,6 +59,245 @@ func (s *Suite) TestBasicRule(c *check.C) {
 	c.Assert(rules, check.NotNil)
 }

+// TODO(kradalby): Make tests values safe, independent and descriptive.
+func (s *Suite) TestInvalidAction(c *check.C) {
+	app.aclPolicy = &ACLPolicy{
+		ACLs: []ACL{
+			{Action: "invalidAction", Users: []string{"*"}, Ports: []string{"*:*"}},
+		},
+	}
+	err := app.UpdateACLRules()
+	c.Assert(errors.Is(err, errInvalidAction), check.Equals, true)
+}
+
+func (s *Suite) TestInvalidGroupInGroup(c *check.C) {
+	// this ACL is wrong because the group in users sections doesn't exist
+	app.aclPolicy = &ACLPolicy{
+		Groups: Groups{
+			"group:test":  []string{"foo"},
+			"group:error": []string{"foo", "group:test"},
+		},
+		ACLs: []ACL{
+			{Action: "accept", Users: []string{"group:error"}, Ports: []string{"*:*"}},
+		},
+	}
+	err := app.UpdateACLRules()
+	c.Assert(errors.Is(err, errInvalidGroup), check.Equals, true)
+}
+
+func (s *Suite) TestInvalidTagOwners(c *check.C) {
+	// this ACL is wrong because no tagOwners own the requested tag for the server
+	app.aclPolicy = &ACLPolicy{
+		ACLs: []ACL{
+			{Action: "accept", Users: []string{"tag:foo"}, Ports: []string{"*:*"}},
+		},
+	}
+	err := app.UpdateACLRules()
+	c.Assert(errors.Is(err, errInvalidTag), check.Equals, true)
+}
+
+// this test should validate that we can expand a group in a TagOWner section and
+// match properly the IP's of the related hosts. The owner is valid and the tag is also valid.
+// the tag is matched in the Users section.
+func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
+	namespace, err := app.CreateNamespace("user1")
+	c.Assert(err, check.IsNil)
+
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachine("user1", "testmachine")
+	c.Assert(err, check.NotNil)
+	hostInfo := []byte(
+		"{\"OS\":\"centos\",\"Hostname\":\"testmachine\",\"RequestTags\":[\"tag:test\"]}",
+	)
+	machine := Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Name:           "testmachine",
+		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
+		NamespaceID:    namespace.ID,
+		Registered:     true,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       datatypes.JSON(hostInfo),
+	}
+	app.db.Save(&machine)
+
+	app.aclPolicy = &ACLPolicy{
+		Groups:    Groups{"group:test": []string{"user1", "user2"}},
+		TagOwners: TagOwners{"tag:test": []string{"user3", "group:test"}},
+		ACLs: []ACL{
+			{Action: "accept", Users: []string{"tag:test"}, Ports: []string{"*:*"}},
+		},
+	}
+	err = app.UpdateACLRules()
+	c.Assert(err, check.IsNil)
+	c.Assert(app.aclRules, check.HasLen, 1)
+	c.Assert(app.aclRules[0].SrcIPs, check.HasLen, 1)
+	c.Assert(app.aclRules[0].SrcIPs[0], check.Equals, "100.64.0.1")
+}
+
+// this test should validate that we can expand a group in a TagOWner section and
+// match properly the IP's of the related hosts. The owner is valid and the tag is also valid.
+// the tag is matched in the Ports section.
+func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
+	namespace, err := app.CreateNamespace("user1")
+	c.Assert(err, check.IsNil)
+
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachine("user1", "testmachine")
+	c.Assert(err, check.NotNil)
+	hostInfo := []byte(
+		"{\"OS\":\"centos\",\"Hostname\":\"testmachine\",\"RequestTags\":[\"tag:test\"]}",
+	)
+	machine := Machine{
+		ID:             1,
+		MachineKey:     "12345",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Name:           "testmachine",
+		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
+		NamespaceID:    namespace.ID,
+		Registered:     true,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       datatypes.JSON(hostInfo),
+	}
+	app.db.Save(&machine)
+
+	app.aclPolicy = &ACLPolicy{
+		Groups:    Groups{"group:test": []string{"user1", "user2"}},
+		TagOwners: TagOwners{"tag:test": []string{"user3", "group:test"}},
+		ACLs: []ACL{
+			{Action: "accept", Users: []string{"*"}, Ports: []string{"tag:test:*"}},
+		},
+	}
+	err = app.UpdateACLRules()
+	c.Assert(err, check.IsNil)
+	c.Assert(app.aclRules, check.HasLen, 1)
+	c.Assert(app.aclRules[0].DstPorts, check.HasLen, 1)
+	c.Assert(app.aclRules[0].DstPorts[0].IP, check.Equals, "100.64.0.1")
+}
+
+// need a test with:
+// tag on a host that isn't owned by a tag owners. So the namespace
+// of the host should be valid.
+func (s *Suite) TestInvalidTagValidNamespace(c *check.C) {
+	namespace, err := app.CreateNamespace("user1")
+	c.Assert(err, check.IsNil)
+
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachine("user1", "testmachine")
+	c.Assert(err, check.NotNil)
+	hostInfo := []byte(
+		"{\"OS\":\"centos\",\"Hostname\":\"testmachine\",\"RequestTags\":[\"tag:foo\"]}",
+	)
+	machine := Machine{
+		ID:             1,
+		MachineKey:     "12345",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Name:           "testmachine",
+		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
+		NamespaceID:    namespace.ID,
+		Registered:     true,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       datatypes.JSON(hostInfo),
+	}
+	app.db.Save(&machine)
+
+	app.aclPolicy = &ACLPolicy{
+		TagOwners: TagOwners{"tag:test": []string{"user1"}},
+		ACLs: []ACL{
+			{Action: "accept", Users: []string{"user1"}, Ports: []string{"*:*"}},
+		},
+	}
+	err = app.UpdateACLRules()
+	c.Assert(err, check.IsNil)
+	c.Assert(app.aclRules, check.HasLen, 1)
+	c.Assert(app.aclRules[0].SrcIPs, check.HasLen, 1)
+	c.Assert(app.aclRules[0].SrcIPs[0], check.Equals, "100.64.0.1")
+}
+
+// tag on a host is owned by a tag owner, the tag is valid.
+// an ACL rule is matching the tag to a namespace. It should not be valid since the
+// host should be tied to the tag now.
+func (s *Suite) TestValidTagInvalidNamespace(c *check.C) {
+	namespace, err := app.CreateNamespace("user1")
+	c.Assert(err, check.IsNil)
+
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachine("user1", "webserver")
+	c.Assert(err, check.NotNil)
+	hostInfo := []byte(
+		"{\"OS\":\"centos\",\"Hostname\":\"webserver\",\"RequestTags\":[\"tag:webapp\"]}",
+	)
+	machine := Machine{
+		ID:             1,
+		MachineKey:     "12345",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Name:           "webserver",
+		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
+		NamespaceID:    namespace.ID,
+		Registered:     true,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       datatypes.JSON(hostInfo),
+	}
+	app.db.Save(&machine)
+	_, err = app.GetMachine("user1", "user")
+	hostInfo = []byte("{\"OS\":\"debian\",\"Hostname\":\"user\"}")
+	c.Assert(err, check.NotNil)
+	machine = Machine{
+		ID:             2,
+		MachineKey:     "56789",
+		NodeKey:        "bar2",
+		DiscoKey:       "faab",
+		Name:           "user",
+		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.2")},
+		NamespaceID:    namespace.ID,
+		Registered:     true,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       datatypes.JSON(hostInfo),
+	}
+	app.db.Save(&machine)
+
+	app.aclPolicy = &ACLPolicy{
+		TagOwners: TagOwners{"tag:webapp": []string{"user1"}},
+		ACLs: []ACL{
+			{
+				Action: "accept",
+				Users:  []string{"user1"},
+				Ports:  []string{"tag:webapp:80,443"},
+			},
+		},
+	}
+	err = app.UpdateACLRules()
+	c.Assert(err, check.IsNil)
+	c.Assert(app.aclRules, check.HasLen, 1)
+	c.Assert(app.aclRules[0].SrcIPs, check.HasLen, 1)
+	c.Assert(app.aclRules[0].SrcIPs[0], check.Equals, "100.64.0.2")
+	c.Assert(app.aclRules[0].DstPorts, check.HasLen, 2)
+	c.Assert(app.aclRules[0].DstPorts[0].Ports.First, check.Equals, uint16(80))
+	c.Assert(app.aclRules[0].DstPorts[0].Ports.Last, check.Equals, uint16(80))
+	c.Assert(app.aclRules[0].DstPorts[0].IP, check.Equals, "100.64.0.1")
+	c.Assert(app.aclRules[0].DstPorts[1].Ports.First, check.Equals, uint16(443))
+	c.Assert(app.aclRules[0].DstPorts[1].Ports.Last, check.Equals, uint16(443))
+	c.Assert(app.aclRules[0].DstPorts[1].IP, check.Equals, "100.64.0.1")
+}
+
 func (s *Suite) TestPortRange(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_range.hujson")
 	c.Assert(err, check.IsNil)
@@ -94,7 +340,7 @@ func (s *Suite) TestPortNamespace(c *check.C) {
 	ips, _ := app.getAvailableIPs()
 	machine := Machine{
 		ID:             0,
-		MachineKey:     "foo",
+		MachineKey:     "12345",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Name:           "testmachine",
@@ -165,3 +411,723 @@ func (s *Suite) TestPortGroup(c *check.C) {
 	c.Assert(len(ips), check.Equals, 1)
 	c.Assert(rules[0].SrcIPs[0], check.Equals, ips[0].String())
 }
+
+func Test_expandGroup(t *testing.T) {
+	type args struct {
+		aclPolicy ACLPolicy
+		group     string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    []string
+		wantErr bool
+	}{
+		{
+			name: "simple test",
+			args: args{
+				aclPolicy: ACLPolicy{
+					Groups: Groups{
+						"group:test": []string{"user1", "user2", "user3"},
+						"group:foo":  []string{"user2", "user3"},
+					},
+				},
+				group: "group:test",
+			},
+			want:    []string{"user1", "user2", "user3"},
+			wantErr: false,
+		},
+		{
+			name: "InexistantGroup",
+			args: args{
+				aclPolicy: ACLPolicy{
+					Groups: Groups{
+						"group:test": []string{"user1", "user2", "user3"},
+						"group:foo":  []string{"user2", "user3"},
+					},
+				},
+				group: "group:undefined",
+			},
+			want:    []string{},
+			wantErr: true,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got, err := expandGroup(test.args.aclPolicy, test.args.group)
+			if (err != nil) != test.wantErr {
+				t.Errorf("expandGroup() error = %v, wantErr %v", err, test.wantErr)
+
+				return
+			}
+			if !reflect.DeepEqual(got, test.want) {
+				t.Errorf("expandGroup() = %v, want %v", got, test.want)
+			}
+		})
+	}
+}
+
+func Test_expandTagOwners(t *testing.T) {
+	type args struct {
+		aclPolicy ACLPolicy
+		tag       string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    []string
+		wantErr bool
+	}{
+		{
+			name: "simple tag expansion",
+			args: args{
+				aclPolicy: ACLPolicy{
+					TagOwners: TagOwners{"tag:test": []string{"user1"}},
+				},
+				tag: "tag:test",
+			},
+			want:    []string{"user1"},
+			wantErr: false,
+		},
+		{
+			name: "expand with tag and group",
+			args: args{
+				aclPolicy: ACLPolicy{
+					Groups:    Groups{"group:foo": []string{"user1", "user2"}},
+					TagOwners: TagOwners{"tag:test": []string{"group:foo"}},
+				},
+				tag: "tag:test",
+			},
+			want:    []string{"user1", "user2"},
+			wantErr: false,
+		},
+		{
+			name: "expand with namespace and group",
+			args: args{
+				aclPolicy: ACLPolicy{
+					Groups:    Groups{"group:foo": []string{"user1", "user2"}},
+					TagOwners: TagOwners{"tag:test": []string{"group:foo", "user3"}},
+				},
+				tag: "tag:test",
+			},
+			want:    []string{"user1", "user2", "user3"},
+			wantErr: false,
+		},
+		{
+			name: "invalid tag",
+			args: args{
+				aclPolicy: ACLPolicy{
+					TagOwners: TagOwners{"tag:foo": []string{"group:foo", "user1"}},
+				},
+				tag: "tag:test",
+			},
+			want:    []string{},
+			wantErr: true,
+		},
+		{
+			name: "invalid group",
+			args: args{
+				aclPolicy: ACLPolicy{
+					Groups:    Groups{"group:bar": []string{"user1", "user2"}},
+					TagOwners: TagOwners{"tag:test": []string{"group:foo", "user2"}},
+				},
+				tag: "tag:test",
+			},
+			want:    []string{},
+			wantErr: true,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got, err := expandTagOwners(test.args.aclPolicy, test.args.tag)
+			if (err != nil) != test.wantErr {
+				t.Errorf("expandTagOwners() error = %v, wantErr %v", err, test.wantErr)
+
+				return
+			}
+			if !reflect.DeepEqual(got, test.want) {
+				t.Errorf("expandTagOwners() = %v, want %v", got, test.want)
+			}
+		})
+	}
+}
+
+func Test_expandPorts(t *testing.T) {
+	type args struct {
+		portsStr string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *[]tailcfg.PortRange
+		wantErr bool
+	}{
+		{
+			name: "wildcard",
+			args: args{portsStr: "*"},
+			want: &[]tailcfg.PortRange{
+				{First: portRangeBegin, Last: portRangeEnd},
+			},
+			wantErr: false,
+		},
+		{
+			name: "two ports",
+			args: args{portsStr: "80,443"},
+			want: &[]tailcfg.PortRange{
+				{First: 80, Last: 80},
+				{First: 443, Last: 443},
+			},
+			wantErr: false,
+		},
+		{
+			name: "a range and a port",
+			args: args{portsStr: "80-1024,443"},
+			want: &[]tailcfg.PortRange{
+				{First: 80, Last: 1024},
+				{First: 443, Last: 443},
+			},
+			wantErr: false,
+		},
+		{
+			name:    "out of bounds",
+			args:    args{portsStr: "854038"},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name:    "wrong port",
+			args:    args{portsStr: "85a38"},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name:    "wrong port in first",
+			args:    args{portsStr: "a-80"},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name:    "wrong port in last",
+			args:    args{portsStr: "80-85a38"},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name:    "wrong port format",
+			args:    args{portsStr: "80-85a38-3"},
+			want:    nil,
+			wantErr: true,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got, err := expandPorts(test.args.portsStr)
+			if (err != nil) != test.wantErr {
+				t.Errorf("expandPorts() error = %v, wantErr %v", err, test.wantErr)
+
+				return
+			}
+			if !reflect.DeepEqual(got, test.want) {
+				t.Errorf("expandPorts() = %v, want %v", got, test.want)
+			}
+		})
+	}
+}
+
+func Test_listMachinesInNamespace(t *testing.T) {
+	type args struct {
+		machines  []Machine
+		namespace string
+	}
+	tests := []struct {
+		name string
+		args args
+		want []Machine
+	}{
+		{
+			name: "1 machine in namespace",
+			args: args{
+				machines: []Machine{
+					{Namespace: Namespace{Name: "joe"}},
+				},
+				namespace: "joe",
+			},
+			want: []Machine{
+				{Namespace: Namespace{Name: "joe"}},
+			},
+		},
+		{
+			name: "3 machines, 2 in namespace",
+			args: args{
+				machines: []Machine{
+					{ID: 1, Namespace: Namespace{Name: "joe"}},
+					{ID: 2, Namespace: Namespace{Name: "marc"}},
+					{ID: 3, Namespace: Namespace{Name: "marc"}},
+				},
+				namespace: "marc",
+			},
+			want: []Machine{
+				{ID: 2, Namespace: Namespace{Name: "marc"}},
+				{ID: 3, Namespace: Namespace{Name: "marc"}},
+			},
+		},
+		{
+			name: "5 machines, 0 in namespace",
+			args: args{
+				machines: []Machine{
+					{ID: 1, Namespace: Namespace{Name: "joe"}},
+					{ID: 2, Namespace: Namespace{Name: "marc"}},
+					{ID: 3, Namespace: Namespace{Name: "marc"}},
+					{ID: 4, Namespace: Namespace{Name: "marc"}},
+					{ID: 5, Namespace: Namespace{Name: "marc"}},
+				},
+				namespace: "mickael",
+			},
+			want: []Machine{},
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if got := filterMachinesByNamespace(test.args.machines, test.args.namespace); !reflect.DeepEqual(
+				got,
+				test.want,
+			) {
+				t.Errorf("listMachinesInNamespace() = %v, want %v", got, test.want)
+			}
+		})
+	}
+}
+
+// nolint
+func Test_expandAlias(t *testing.T) {
+	type args struct {
+		machines  []Machine
+		aclPolicy ACLPolicy
+		alias     string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    []string
+		wantErr bool
+	}{
+		{
+			name: "wildcard",
+			args: args{
+				alias: "*",
+				machines: []Machine{
+					{IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.1")}},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.78.84.227"),
+						},
+					},
+				},
+				aclPolicy: ACLPolicy{},
+			},
+			want:    []string{"*"},
+			wantErr: false,
+		},
+		{
+			name: "simple group",
+			args: args{
+				alias: "group:accountant",
+				machines: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.3"),
+						},
+						Namespace: Namespace{Name: "marc"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "mickael"},
+					},
+				},
+				aclPolicy: ACLPolicy{
+					Groups: Groups{"group:accountant": []string{"joe", "marc"}},
+				},
+			},
+			want:    []string{"100.64.0.1", "100.64.0.2", "100.64.0.3"},
+			wantErr: false,
+		},
+		{
+			name: "wrong group",
+			args: args{
+				alias: "group:hr",
+				machines: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.3"),
+						},
+						Namespace: Namespace{Name: "marc"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "mickael"},
+					},
+				},
+				aclPolicy: ACLPolicy{
+					Groups: Groups{"group:accountant": []string{"joe", "marc"}},
+				},
+			},
+			want:    []string{},
+			wantErr: true,
+		},
+		{
+			name: "simple ipaddress",
+			args: args{
+				alias:     "10.0.0.3",
+				machines:  []Machine{},
+				aclPolicy: ACLPolicy{},
+			},
+			want:    []string{"10.0.0.3"},
+			wantErr: false,
+		},
+		{
+			name: "private network",
+			args: args{
+				alias:    "homeNetwork",
+				machines: []Machine{},
+				aclPolicy: ACLPolicy{
+					Hosts: Hosts{
+						"homeNetwork": netaddr.MustParseIPPrefix("192.168.1.0/24"),
+					},
+				},
+			},
+			want:    []string{"192.168.1.0/24"},
+			wantErr: false,
+		},
+		{
+			name: "simple host",
+			args: args{
+				alias:     "10.0.0.1",
+				machines:  []Machine{},
+				aclPolicy: ACLPolicy{},
+			},
+			want:    []string{"10.0.0.1"},
+			wantErr: false,
+		},
+		{
+			name: "simple CIDR",
+			args: args{
+				alias:     "10.0.0.0/16",
+				machines:  []Machine{},
+				aclPolicy: ACLPolicy{},
+			},
+			want:    []string{"10.0.0.0/16"},
+			wantErr: false,
+		},
+		{
+			name: "simple tag",
+			args: args{
+				alias: "tag:hr-webserver",
+				machines: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: []byte(
+							"{\"OS\":\"centos\",\"Hostname\":\"foo\",\"RequestTags\":[\"tag:hr-webserver\"]}",
+						),
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: []byte(
+							"{\"OS\":\"centos\",\"Hostname\":\"foo\",\"RequestTags\":[\"tag:hr-webserver\"]}",
+						),
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.3"),
+						},
+						Namespace: Namespace{Name: "marc"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+				},
+				aclPolicy: ACLPolicy{
+					TagOwners: TagOwners{"tag:hr-webserver": []string{"joe"}},
+				},
+			},
+			want:    []string{"100.64.0.1", "100.64.0.2"},
+			wantErr: false,
+		},
+		{
+			name: "No tag defined",
+			args: args{
+				alias: "tag:hr-webserver",
+				machines: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.3"),
+						},
+						Namespace: Namespace{Name: "marc"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "mickael"},
+					},
+				},
+				aclPolicy: ACLPolicy{
+					Groups: Groups{"group:accountant": []string{"joe", "marc"}},
+					TagOwners: TagOwners{
+						"tag:accountant-webserver": []string{"group:accountant"},
+					},
+				},
+			},
+			want:    []string{},
+			wantErr: true,
+		},
+		{
+			name: "list host in namespace without correctly tagged servers",
+			args: args{
+				alias: "joe",
+				machines: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: []byte(
+							"{\"OS\":\"centos\",\"Hostname\":\"foo\",\"RequestTags\":[\"tag:accountant-webserver\"]}",
+						),
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: []byte(
+							"{\"OS\":\"centos\",\"Hostname\":\"foo\",\"RequestTags\":[\"tag:accountant-webserver\"]}",
+						),
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.3"),
+						},
+						Namespace: Namespace{Name: "marc"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+				},
+				aclPolicy: ACLPolicy{
+					TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
+				},
+			},
+			want:    []string{"100.64.0.4"},
+			wantErr: false,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got, err := expandAlias(
+				test.args.machines,
+				test.args.aclPolicy,
+				test.args.alias,
+			)
+			if (err != nil) != test.wantErr {
+				t.Errorf("expandAlias() error = %v, wantErr %v", err, test.wantErr)
+
+				return
+			}
+			if !reflect.DeepEqual(got, test.want) {
+				t.Errorf("expandAlias() = %v, want %v", got, test.want)
+			}
+		})
+	}
+}
+
+func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
+	type args struct {
+		aclPolicy ACLPolicy
+		nodes     []Machine
+		namespace string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    []Machine
+		wantErr bool
+	}{
+		{
+			name: "exclude nodes with valid tags",
+			args: args{
+				aclPolicy: ACLPolicy{
+					TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
+				},
+				nodes: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: []byte(
+							"{\"OS\":\"centos\",\"Hostname\":\"foo\",\"RequestTags\":[\"tag:accountant-webserver\"]}",
+						),
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: []byte(
+							"{\"OS\":\"centos\",\"Hostname\":\"foo\",\"RequestTags\":[\"tag:accountant-webserver\"]}",
+						),
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+				},
+				namespace: "joe",
+			},
+			want: []Machine{
+				{
+					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.4")},
+					Namespace:   Namespace{Name: "joe"},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "all nodes have invalid tags, don't exclude them",
+			args: args{
+				aclPolicy: ACLPolicy{
+					TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
+				},
+				nodes: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: []byte(
+							"{\"OS\":\"centos\",\"Hostname\":\"hr-web1\",\"RequestTags\":[\"tag:hr-webserver\"]}",
+						),
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: []byte(
+							"{\"OS\":\"centos\",\"Hostname\":\"hr-web2\",\"RequestTags\":[\"tag:hr-webserver\"]}",
+						),
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+				},
+				namespace: "joe",
+			},
+			want: []Machine{
+				{
+					IPAddresses: MachineAddresses{
+						netaddr.MustParseIP("100.64.0.1"),
+					},
+					Namespace: Namespace{Name: "joe"},
+					HostInfo: []byte(
+						"{\"OS\":\"centos\",\"Hostname\":\"hr-web1\",\"RequestTags\":[\"tag:hr-webserver\"]}",
+					),
+				},
+				{
+					IPAddresses: MachineAddresses{
+						netaddr.MustParseIP("100.64.0.2"),
+					},
+					Namespace: Namespace{Name: "joe"},
+					HostInfo: []byte(
+						"{\"OS\":\"centos\",\"Hostname\":\"hr-web2\",\"RequestTags\":[\"tag:hr-webserver\"]}",
+					),
+				},
+				{
+					IPAddresses: MachineAddresses{
+						netaddr.MustParseIP("100.64.0.4"),
+					},
+					Namespace: Namespace{Name: "joe"},
+				},
+			},
+			wantErr: false,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got, err := excludeCorrectlyTaggedNodes(
+				test.args.aclPolicy,
+				test.args.nodes,
+				test.args.namespace,
+			)
+			if (err != nil) != test.wantErr {
+				t.Errorf(
+					"excludeCorrectlyTaggedNodes() error = %v, wantErr %v",
+					err,
+					test.wantErr,
+				)
+
+				return
+			}
+			if !reflect.DeepEqual(got, test.want) {
+				t.Errorf("excludeCorrectlyTaggedNodes() = %v, want %v", got, test.want)
+			}
+		})
+	}
+}
--- a/api.go
+++ b/api.go
@@ -261,7 +261,16 @@ func (h *Headscale) getMapResponse(

 	var respBody []byte
 	if req.Compress == "zstd" {
-		src, _ := json.Marshal(resp)
+		src, err := json.Marshal(resp)
+		if err != nil {
+			log.Error().
+				Caller().
+				Str("func", "getMapResponse").
+				Err(err).
+				Msg("Failed to marshal response for the client")
+
+			return nil, err
+		}

 		encoder, _ := zstd.NewWriter(nil)
 		srcCompressed := encoder.EncodeAll(src, nil)
@@ -290,7 +299,16 @@ func (h *Headscale) getMapKeepAliveResponse(
 	var respBody []byte
 	var err error
 	if mapRequest.Compress == "zstd" {
-		src, _ := json.Marshal(mapResponse)
+		src, err := json.Marshal(mapResponse)
+		if err != nil {
+			log.Error().
+				Caller().
+				Str("func", "getMapKeepAliveResponse").
+				Err(err).
+				Msg("Failed to marshal keepalive response for the client")
+
+			return nil, err
+		}
 		encoder, _ := zstd.NewWriter(nil)
 		srcCompressed := encoder.EncodeAll(src, nil)
 		respBody = h.privateKey.SealTo(machineKey, srcCompressed)
@@ -556,6 +574,9 @@ func (h *Headscale) handleAuthKey(
 			Str("func", "handleAuthKey").
 			Str("machine", machine.Name).
 			Msg("Authentication key was valid, proceeding to acquire IP addresses")
+
+		h.ipAllocationMutex.Lock()
+
 		ips, err := h.getAvailableIPs()
 		if err != nil {
 			log.Error().
@@ -584,6 +605,8 @@ func (h *Headscale) handleAuthKey(
 		machine.Registered = true
 		machine.RegisterMethod = RegisterMethodAuthKey
 		h.db.Save(&machine)
+
+		h.ipAllocationMutex.Unlock()
 	}

 	pak.Used = true
--- a/app.go
+++ b/app.go
@@ -62,6 +62,10 @@ const (
 	errUnsupportedLetsEncryptChallengeType = Error(
 		"unknown value for Lets Encrypt challenge type",
 	)
+
+	DisabledClientAuth = "disabled"
+	RelaxedClientAuth  = "relaxed"
+	EnforcedClientAuth = "enforced"
 )

 // Config contains the initial Headscale configuration.
@@ -90,8 +94,9 @@ type Config struct {
 	TLSLetsEncryptCacheDir      string
 	TLSLetsEncryptChallengeType string

-	TLSCertPath string
-	TLSKeyPath  string
+	TLSCertPath       string
+	TLSKeyPath        string
+	TLSClientAuthMode tls.ClientAuthType

 	ACMEURL   string
 	ACMEEmail string
@@ -107,10 +112,10 @@ type Config struct {
 }

 type OIDCConfig struct {
-	Issuer       string
-	ClientID     string
-	ClientSecret string
-	MatchMap     map[string]string
+	Issuer           string
+	ClientID         string
+	ClientSecret     string
+	StripEmaildomain bool
 }

 type DERPConfig struct {
@@ -148,6 +153,29 @@ type Headscale struct {
 	oidcStateCache *cache.Cache

 	requestedExpiryCache *cache.Cache
+
+	ipAllocationMutex sync.Mutex
+}
+
+// Look up the TLS constant relative to user-supplied TLS client
+// authentication mode. If an unknown mode is supplied, the default
+// value, tls.RequireAnyClientCert, is returned. The returned boolean
+// indicates if the supplied mode was valid.
+func LookupTLSClientAuthMode(mode string) (tls.ClientAuthType, bool) {
+	switch mode {
+	case DisabledClientAuth:
+		// Client cert is _not_ required.
+		return tls.NoClientCert, true
+	case RelaxedClientAuth:
+		// Client cert required, but _not verified_.
+		return tls.RequireAnyClientCert, true
+	case EnforcedClientAuth:
+		// Client cert is _required and verified_.
+		return tls.RequireAndVerifyClientCert, true
+	default:
+		// Return the default when an unknown value is supplied.
+		return tls.RequireAnyClientCert, false
+	}
 }

 // NewHeadscale returns the Headscale app.
@@ -676,12 +704,18 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 		if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
 			log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
 		}
+
+		log.Info().Msg(fmt.Sprintf(
+			"Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.",
+			h.cfg.TLSClientAuthMode))
+
 		tlsConfig := &tls.Config{
-			ClientAuth:   tls.RequireAnyClientCert,
+			ClientAuth:   h.cfg.TLSClientAuthMode,
 			NextProtos:   []string{"http/1.1"},
 			Certificates: make([]tls.Certificate, 1),
 			MinVersion:   tls.VersionTLS12,
 		}
+
 		tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(h.cfg.TLSCertPath, h.cfg.TLSKeyPath)

 		return tlsConfig, err
--- a/app_test.go
+++ b/app_test.go
@@ -65,3 +65,20 @@ func (s *Suite) ResetDB(c *check.C) {
 	}
 	app.db = db
 }
+
+// Enusre an error is returned when an invalid auth mode
+// is supplied.
+func (s *Suite) TestInvalidClientAuthMode(c *check.C) {
+	_, isValid := LookupTLSClientAuthMode("invalid")
+	c.Assert(isValid, check.Equals, false)
+}
+
+// Ensure that all client auth modes return a nil error.
+func (s *Suite) TestAuthModes(c *check.C) {
+	modes := []string{"disabled", "relaxed", "enforced"}
+
+	for _, v := range modes {
+		_, isValid := LookupTLSClientAuthMode(v)
+		c.Assert(isValid, check.Equals, true)
+	}
+}
--- a/cmd/headscale/cli/nodes.go
+++ b/cmd/headscale/cli/nodes.go
@@ -46,30 +46,6 @@ func init() {
 		log.Fatalf(err.Error())
 	}
 	nodeCmd.AddCommand(deleteNodeCmd)
-
-	shareMachineCmd.Flags().StringP("namespace", "n", "", "Namespace")
-	err = shareMachineCmd.MarkFlagRequired("namespace")
-	if err != nil {
-		log.Fatalf(err.Error())
-	}
-	shareMachineCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
-	err = shareMachineCmd.MarkFlagRequired("identifier")
-	if err != nil {
-		log.Fatalf(err.Error())
-	}
-	nodeCmd.AddCommand(shareMachineCmd)
-
-	unshareMachineCmd.Flags().StringP("namespace", "n", "", "Namespace")
-	err = unshareMachineCmd.MarkFlagRequired("namespace")
-	if err != nil {
-		log.Fatalf(err.Error())
-	}
-	unshareMachineCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
-	err = unshareMachineCmd.MarkFlagRequired("identifier")
-	if err != nil {
-		log.Fatalf(err.Error())
-	}
-	nodeCmd.AddCommand(unshareMachineCmd)
 }

 var nodeCmd = &cobra.Command{
@@ -317,139 +293,6 @@ var deleteNodeCmd = &cobra.Command{
 	},
 }

-func sharingWorker(
-	cmd *cobra.Command,
-) (string, *v1.Machine, *v1.Namespace, error) {
-	output, _ := cmd.Flags().GetString("output")
-	namespaceStr, err := cmd.Flags().GetString("namespace")
-	if err != nil {
-		ErrorOutput(err, fmt.Sprintf("Error getting namespace: %s", err), output)
-
-		return "", nil, nil, err
-	}
-
-	ctx, client, conn, cancel := getHeadscaleCLIClient()
-	defer cancel()
-	defer conn.Close()
-
-	identifier, err := cmd.Flags().GetUint64("identifier")
-	if err != nil {
-		ErrorOutput(err, fmt.Sprintf("Error converting ID to integer: %s", err), output)
-
-		return "", nil, nil, err
-	}
-
-	machineRequest := &v1.GetMachineRequest{
-		MachineId: identifier,
-	}
-
-	machineResponse, err := client.GetMachine(ctx, machineRequest)
-	if err != nil {
-		ErrorOutput(
-			err,
-			fmt.Sprintf("Error getting node node: %s", status.Convert(err).Message()),
-			output,
-		)
-
-		return "", nil, nil, err
-	}
-
-	namespaceRequest := &v1.GetNamespaceRequest{
-		Name: namespaceStr,
-	}
-
-	namespaceResponse, err := client.GetNamespace(ctx, namespaceRequest)
-	if err != nil {
-		ErrorOutput(
-			err,
-			fmt.Sprintf("Error getting node node: %s", status.Convert(err).Message()),
-			output,
-		)
-
-		return "", nil, nil, err
-	}
-
-	return output, machineResponse.GetMachine(), namespaceResponse.GetNamespace(), nil
-}
-
-var shareMachineCmd = &cobra.Command{
-	Use:   "share",
-	Short: "Shares a node from the current namespace to the specified one",
-	Run: func(cmd *cobra.Command, args []string) {
-		output, machine, namespace, err := sharingWorker(cmd)
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Failed to fetch namespace or machine: %s", err),
-				output,
-			)
-
-			return
-		}
-
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
-		defer cancel()
-		defer conn.Close()
-
-		request := &v1.ShareMachineRequest{
-			MachineId: machine.Id,
-			Namespace: namespace.Name,
-		}
-
-		response, err := client.ShareMachine(ctx, request)
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error sharing node: %s", status.Convert(err).Message()),
-				output,
-			)
-
-			return
-		}
-
-		SuccessOutput(response.Machine, "Node shared", output)
-	},
-}
-
-var unshareMachineCmd = &cobra.Command{
-	Use:   "unshare",
-	Short: "Unshares a node from the specified namespace",
-	Run: func(cmd *cobra.Command, args []string) {
-		output, machine, namespace, err := sharingWorker(cmd)
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Failed to fetch namespace or machine: %s", err),
-				output,
-			)
-
-			return
-		}
-
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
-		defer cancel()
-		defer conn.Close()
-
-		request := &v1.UnshareMachineRequest{
-			MachineId: machine.Id,
-			Namespace: namespace.Name,
-		}
-
-		response, err := client.UnshareMachine(ctx, request)
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error unsharing node: %s", status.Convert(err).Message()),
-				output,
-			)
-
-			return
-		}
-
-		SuccessOutput(response.Machine, "Node unshared", output)
-	},
-}
-
 func nodesToPtables(
 	currentNamespace string,
 	machines []*v1.Machine,
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@@ -10,7 +10,6 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
-	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -50,6 +49,7 @@ func LoadConfig(path string) error {

 	viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
 	viper.SetDefault("tls_letsencrypt_challenge_type", "HTTP-01")
+	viper.SetDefault("tls_client_auth_mode", "relaxed")

 	viper.SetDefault("log_level", "info")

@@ -64,6 +64,8 @@ func LoadConfig(path string) error {
 	viper.SetDefault("cli.timeout", "5s")
 	viper.SetDefault("cli.insecure", false)

+	viper.SetDefault("oidc.strip_email_domain", true)
+
 	if err := viper.ReadInConfig(); err != nil {
 		return fmt.Errorf("fatal error reading config file: %w", err)
 	}
@@ -92,6 +94,20 @@ func LoadConfig(path string) error {
 		!strings.HasPrefix(viper.GetString("server_url"), "https://") {
 		errorText += "Fatal config error: server_url must start with https:// or http://\n"
 	}
+
+	_, authModeValid := headscale.LookupTLSClientAuthMode(
+		viper.GetString("tls_client_auth_mode"),
+	)
+
+	if !authModeValid {
+		errorText += fmt.Sprintf(
+			"Invalid tls_client_auth_mode supplied: %s. Accepted values: %s, %s, %s.",
+			viper.GetString("tls_client_auth_mode"),
+			headscale.DisabledClientAuth,
+			headscale.RelaxedClientAuth,
+			headscale.EnforcedClientAuth)
+	}
+
 	if errorText != "" {
 		//nolint
 		return errors.New(strings.TrimSuffix(errorText, "\n"))
@@ -281,6 +297,10 @@ func getHeadscaleConfig() headscale.Config {
 			Msgf("'ip_prefixes' not configured, falling back to default: %v", prefixes)
 	}

+	tlsClientAuthMode, _ := headscale.LookupTLSClientAuthMode(
+		viper.GetString("tls_client_auth_mode"),
+	)
+
 	return headscale.Config{
 		ServerURL:         viper.GetString("server_url"),
 		Addr:              viper.GetString("listen_addr"),
@@ -312,8 +332,9 @@ func getHeadscaleConfig() headscale.Config {
 		),
 		TLSLetsEncryptChallengeType: viper.GetString("tls_letsencrypt_challenge_type"),

-		TLSCertPath: absPath(viper.GetString("tls_cert_path")),
-		TLSKeyPath:  absPath(viper.GetString("tls_key_path")),
+		TLSCertPath:       absPath(viper.GetString("tls_cert_path")),
+		TLSKeyPath:        absPath(viper.GetString("tls_key_path")),
+		TLSClientAuthMode: tlsClientAuthMode,

 		DNSConfig: dnsConfig,

@@ -324,9 +345,10 @@ func getHeadscaleConfig() headscale.Config {
 		UnixSocketPermission: GetFileMode("unix_socket_permission"),

 		OIDC: headscale.OIDCConfig{
-			Issuer:       viper.GetString("oidc.issuer"),
-			ClientID:     viper.GetString("oidc.client_id"),
-			ClientSecret: viper.GetString("oidc.client_secret"),
+			Issuer:           viper.GetString("oidc.issuer"),
+			ClientID:         viper.GetString("oidc.client_id"),
+			ClientSecret:     viper.GetString("oidc.client_secret"),
+			StripEmaildomain: viper.GetBool("oidc.strip_email_domain"),
 		},

 		CLI: headscale.CLIConfig{
@@ -356,8 +378,6 @@ func getHeadscaleApp() (*headscale.Headscale, error) {

 	cfg := getHeadscaleConfig()

-	cfg.OIDC.MatchMap = loadOIDCMatchMap()
-
 	app, err := headscale.NewHeadscale(cfg)
 	if err != nil {
 		return nil, err
@@ -514,18 +534,6 @@ func (tokenAuth) RequireTransportSecurity() bool {
 	return true
 }

-// loadOIDCMatchMap is a wrapper around viper to verifies that the keys in
-// the match map is valid regex strings.
-func loadOIDCMatchMap() map[string]string {
-	strMap := viper.GetStringMapString("oidc.domain_map")
-
-	for oidcMatcher := range strMap {
-		_ = regexp.MustCompile(oidcMatcher)
-	}
-
-	return strMap
-}
-
 func GetFileMode(key string) fs.FileMode {
 	modeStr := viper.GetString(key)

--- a/config-example.yaml
+++ b/config-example.yaml
@@ -105,6 +105,13 @@ acme_email: ""
 # Domain name to request a TLS certificate for:
 tls_letsencrypt_hostname: ""

+# Client (Tailscale/Browser) authentication mode (mTLS)
+# Acceptable values:
+# - disabled: client authentication disabled
+# - relaxed: client certificate is required but not verified
+# - enforced: client certificate is required and verified
+tls_client_auth_mode: relaxed
+
 # Path to store certificates and metadata needed by
 # letsencrypt
 tls_letsencrypt_cache_dir: /var/lib/headscale/cache
@@ -180,7 +187,9 @@ unix_socket_permission: "0770"
 #   client_id: "your-oidc-client-id"
 #   client_secret: "your-oidc-client-secret"
 #
-#   # Domain map is used to map incomming users (by their email) to
-#   # a namespace. The key can be a string, or regex.
-#   domain_map:
-#     ".*": default-namespace
+#   If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+#   This will transform `first-name.last-name@example.com` to the namespace `first-name.last-name`
+#   If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
+#   namespace: `first-name.last-name.example.com`
+#
+#   strip_email_domain: true
--- a/db.go
+++ b/db.go
@@ -2,9 +2,10 @@ package headscale

 import (
 	"errors"
+	"time"

+	"github.com/glebarez/sqlite"
 	"gorm.io/driver/postgres"
-	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
 )
@@ -53,10 +54,7 @@ func (h *Headscale) initDB() error {
 		return err
 	}

-	err = db.AutoMigrate(&SharedMachine{})
-	if err != nil {
-		return err
-	}
+	_ = db.Migrator().DropTable("shared_machines")

 	err = db.AutoMigrate(&APIKey{})
 	if err != nil {
@@ -81,10 +79,24 @@ func (h *Headscale) openDB() (*gorm.DB, error) {

 	switch h.dbType {
 	case Sqlite:
-		db, err = gorm.Open(sqlite.Open(h.dbString), &gorm.Config{
-			DisableForeignKeyConstraintWhenMigrating: true,
-			Logger:                                   log,
-		})
+		db, err = gorm.Open(
+			sqlite.Open(h.dbString+"?_synchronous=1&_journal_mode=WAL"),
+			&gorm.Config{
+				DisableForeignKeyConstraintWhenMigrating: true,
+				Logger:                                   log,
+			},
+		)
+
+		db.Exec("PRAGMA foreign_keys=ON")
+
+		// The pure Go SQLite library does not handle locking in
+		// the same way as the C based one and we cant use the gorm
+		// connection pool as of 2022/02/23.
+		sqlDB, _ := db.DB()
+		sqlDB.SetMaxIdleConns(1)
+		sqlDB.SetMaxOpenConns(1)
+		sqlDB.SetConnMaxIdleTime(time.Hour)
+
 	case Postgres:
 		db, err = gorm.Open(postgres.Open(h.dbString), &gorm.Config{
 			DisableForeignKeyConstraintWhenMigrating: true,
--- a/dns.go
+++ b/dns.go
@@ -163,7 +163,11 @@ func getMapResponseDNSConfig(
 		dnsConfig = dnsConfigOrig.Clone()
 		dnsConfig.Domains = append(
 			dnsConfig.Domains,
-			fmt.Sprintf("%s.%s", machine.Namespace.Name, baseDomain),
+			fmt.Sprintf(
+				"%s.%s",
+				machine.Namespace.Name,
+				baseDomain,
+			),
 		)

 		namespaceSet := set.New(set.ThreadSafe)
@@ -171,8 +175,14 @@ func getMapResponseDNSConfig(
 		for _, p := range peers {
 			namespaceSet.Add(p.Namespace)
 		}
-		for _, namespace := range namespaceSet.List() {
-			dnsRoute := fmt.Sprintf("%s.%s", namespace.(Namespace).Name, baseDomain)
+		for _, ns := range namespaceSet.List() {
+			namespace, ok := ns.(Namespace)
+			if !ok {
+				dnsConfig = dnsConfigOrig
+
+				continue
+			}
+			dnsRoute := fmt.Sprintf("%v.%v", namespace.Name, baseDomain)
 			dnsConfig.Routes[dnsRoute] = nil
 		}
 	} else {
--- a/dns_test.go
+++ b/dns_test.go
@@ -225,9 +225,6 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 	}
 	app.db.Save(machine2InShared1)

-	err = app.AddSharedMachineToNamespace(machineInShared2, namespaceShared1)
-	c.Assert(err, check.IsNil)
-
 	baseDomain := "foobar.headscale.net"
 	dnsConfigOrig := tailcfg.DNSConfig{
 		Routes:  make(map[string][]dnstype.Resolver),
@@ -245,7 +242,8 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		peersOfMachineInShared1,
 	)
 	c.Assert(dnsConfig, check.NotNil)
-	c.Assert(len(dnsConfig.Routes), check.Equals, 2)
+
+	c.Assert(len(dnsConfig.Routes), check.Equals, 3)

 	domainRouteShared1 := fmt.Sprintf("%s.%s", namespaceShared1.Name, baseDomain)
 	_, ok := dnsConfig.Routes[domainRouteShared1]
@@ -257,7 +255,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {

 	domainRouteShared3 := fmt.Sprintf("%s.%s", namespaceShared3.Name, baseDomain)
 	_, ok = dnsConfig.Routes[domainRouteShared3]
-	c.Assert(ok, check.Equals, false)
+	c.Assert(ok, check.Equals, true)
 }

 func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
@@ -374,9 +372,6 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 	}
 	app.db.Save(machine2InShared1)

-	err = app.AddSharedMachineToNamespace(machineInShared2, namespaceShared1)
-	c.Assert(err, check.IsNil)
-
 	baseDomain := "foobar.headscale.net"
 	dnsConfigOrig := tailcfg.DNSConfig{
 		Routes:  make(map[string][]dnstype.Resolver),
--- a/docs/README.md
+++ b/docs/README.md
@@ -10,7 +10,7 @@ please ask on [Discord](https://discord.gg/XcQxk2VHjx) instead of opening an Iss
 ### How-to

 - [Running headscale on Linux](running-headscale-linux.md)
- [Control headscale remotly](remote-cli.md)
+- [Control headscale remotely](remote-cli.md)
 - [Using a Windows client with headscale](windows-client.md)

 ### References
@@ -39,6 +39,14 @@ use namespaces (which are the equivalent to user/logins in Tailscale.com).

 Please check https://tailscale.com/kb/1018/acls/, and `./tests/acls/` in this repo for working examples.

+When using ACL's the Namespace borders are no longer applied. All machines
+whichever the Namespace have the ability to communicate with other hosts as
+long as the ACL's permits this exchange.
+
+The [ACLs](acls.md) document should help understand a fictional case of setting
+up ACLs in a small company. All concepts presented in this document could be
+applied outside of business oriented usage.
+
 ### Apple devices

 An endpoint with information on how to connect your Apple devices (currently macOS only) is available at `/apple` on your running instance.
--- a/docs/acls.md
+++ b/docs/acls.md
@@ -0,0 +1,141 @@
+# ACLs use case example
+
+Let's build an example use case for a small business (It may be the place where
+ACL's are the most useful).
+
+We have a small company with a boss, an admin, two developers and an intern.
+
+The boss should have access to all servers but not to the users hosts. Admin
+should also have access to all hosts except that their permissions should be
+limited to maintaining the hosts (for example purposes). The developers can do
+anything they want on dev hosts, but only watch on productions hosts. Intern
+can only interact with the development servers.
+
+Each user have at least a device connected to the network and we have some
+servers.
+
+- database.prod
+- database.dev
+- app-server1.prod
+- app-server1.dev
+- billing.internal
+
+## Setup of the network
+
+Let's create the namespaces. Each user should have his own namespace. The users
+here are represented as namespaces.
+
+```bash
+headscale namespaces create boss
+headscale namespaces create admin1
+headscale namespaces create dev1
+headscale namespaces create dev2
+headscale namespaces create intern1
+```
+
+We don't need to create namespaces for the servers because the servers will be
+tagged. When registering the servers we will need to add the flag
+`--advertised-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
+registering the server should be allowed to do it. Since anyone can add tags to
+a server they can register, the check of the tags is done on headscale server
+and only valid tags are applied. A tag is valid if the namespace that is
+registering it is allowed to do it.
+
+Here are the ACL's to implement the same permissions as above:
+
+```json
+{
+  // groups are collections of users having a common scope. A user can be in multiple groups
+  // groups cannot be composed of groups
+  "groups": {
+    "group:boss": ["boss"],
+    "group:dev": ["dev1", "dev2"],
+    "group:admin": ["admin1"],
+    "group:intern": ["intern1"]
+  },
+  // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
+  // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
+  // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
+  "tagOwners": {
+    // the administrators can add servers in production
+    "tag:prod-databases": ["group:admin"],
+    "tag:prod-app-servers": ["group:admin"],
+
+    // the boss can tag any server as internal
+    "tag:internal": ["group:boss"],
+
+    // dev can add servers for dev purposes as well as admins
+    "tag:dev-databases": ["group:admin", "group:dev"],
+    "tag:dev-app-servers": ["group:admin", "group:dev"]
+
+    // interns cannot add servers
+  },
+  "acls": [
+    // boss have access to all servers
+    {
+      "action": "accept",
+      "users": ["group:boss"],
+      "ports": [
+        "tag:prod-databases:*",
+        "tag:prod-app-servers:*",
+        "tag:internal:*",
+        "tag:dev-databases:*",
+        "tag:dev-app-servers:*"
+      ]
+    },
+
+    // admin have only access to administrative ports of the servers
+    {
+      "action": "accept",
+      "users": ["group:admin"],
+      "ports": [
+        "tag:prod-databases:22",
+        "tag:prod-app-servers:22",
+        "tag:internal:22",
+        "tag:dev-databases:22",
+        "tag:dev-app-servers:22"
+      ]
+    },
+
+    // developers have access to databases servers and application servers on all ports
+    // they can only view the applications servers in prod and have no access to databases servers in production
+    {
+      "action": "accept",
+      "users": ["group:dev"],
+      "ports": [
+        "tag:dev-databases:*",
+        "tag:dev-app-servers:*",
+        "tag:prod-app-servers:80,443"
+      ]
+    },
+
+    // servers should be able to talk to database. Database should not be able to initiate connections to
+    // applications servers
+    {
+      "action": "accept",
+      "users": ["tag:dev-app-servers"],
+      "ports": ["tag:dev-databases:5432"]
+    },
+    {
+      "action": "accept",
+      "users": ["tag:prod-app-servers"],
+      "ports": ["tag:prod-databases:5432"]
+    },
+
+    // interns have access to dev-app-servers only in reading mode
+    {
+      "action": "accept",
+      "users": ["group:intern"],
+      "ports": ["tag:dev-app-servers:80,443"]
+    },
+
+    // We still have to allow internal namespaces communications since nothing guarantees that each user have
+    // their own namespaces.
+    { "action": "accept", "users": ["boss"], "ports": ["boss:*"] },
+    { "action": "accept", "users": ["dev1"], "ports": ["dev1:*"] },
+    { "action": "accept", "users": ["dev2"], "ports": ["dev2:*"] },
+    { "action": "accept", "users": ["admin1"], "ports": ["admin1:*"] },
+    { "action": "accept", "users": ["intern1"], "ports": ["intern1:*"] }
+  ]
+}
+```
--- a/docs/glossary.md
+++ b/docs/glossary.md
@@ -1,3 +1,6 @@
 # Glossary

- Namespace: Collection of Tailscale nodes that can see each other. In Tailscale.com this is called Tailnet.
+| Term      | Description                                                                                                           |
+| --------- | --------------------------------------------------------------------------------------------------------------------- |
+| Machine   | A machine is a single entity connected to `headscale`, typically an installation of Tailscale. Also known as **Node** |
+| Namespace | A namespace is a logical grouping of machines "owned" by the same entity, in Tailscale, this is typically a User      |
--- a/docs/tls.md
+++ b/docs/tls.md
@@ -29,3 +29,17 @@ headscale can also be configured to expose its web service via TLS. To configure
 tls_cert_path: ""
 tls_key_path: ""
 ```
+
+### Configuring Mutual TLS Authentication (mTLS)
+
+mTLS is a method by which an HTTPS server authenticates clients, e.g. Tailscale, using TLS certificates. This can be configured by applying one of the following values to the `tls_client_auth_mode` setting in the configuration file.
+
+| Value               | Behavior                                                   |
+| ------------------- | ---------------------------------------------------------- |
+| `disabled`          | Disable mTLS.                                              |
+| `relaxed` (default) | A client certificate is required, but it is not verified.  |
+| `enforced`          | Requires clients to supply a certificate that is verified. |
+
+```yaml
+tls_client_auth_mode: ""
+```
--- a/gen/go/headscale/v1/apikey.pb.go
+++ b/gen/go/headscale/v1/apikey.pb.go
@@ -7,12 +7,11 @@
 package v1

 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
 )

 const (
--- a/gen/go/headscale/v1/device.pb.go
+++ b/gen/go/headscale/v1/device.pb.go
@@ -7,12 +7,11 @@
 package v1

 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
 )

 const (
--- a/gen/go/headscale/v1/headscale.pb.go
+++ b/gen/go/headscale/v1/headscale.pb.go
@@ -7,11 +7,10 @@
 package v1

 import (
-	reflect "reflect"
-
 	_ "google.golang.org/genproto/googleapis/api/annotations"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
 )

 const (
@@ -37,7 +36,7 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76,
 	0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19,
 	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69,
-	0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0xcb, 0x15, 0x0a, 0x10, 0x48, 0x65,
+	0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0xa3, 0x13, 0x0a, 0x10, 0x48, 0x65,
 	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x77,
 	0x0a, 0x0c, 0x47, 0x65, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x21,
 	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65,
@@ -152,68 +151,50 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x52,
 	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x17, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x11, 0x12,
 	0x0f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x12, 0x8d, 0x01, 0x0a, 0x0c, 0x53, 0x68, 0x61, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
-	0x2e, 0x53, 0x68, 0x61, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
-	0x2e, 0x76, 0x31, 0x2e, 0x53, 0x68, 0x61, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x36, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x30,
-	0x22, 0x2e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x73,
-	0x68, 0x61, 0x72, 0x65, 0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x7d,
-	0x12, 0x95, 0x01, 0x0a, 0x0e, 0x55, 0x6e, 0x73, 0x68, 0x61, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68,
-	0x69, 0x6e, 0x65, 0x12, 0x23, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
-	0x76, 0x31, 0x2e, 0x55, 0x6e, 0x73, 0x68, 0x61, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x6e, 0x73, 0x68, 0x61, 0x72, 0x65, 0x4d,
-	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x38,
-	0x82, 0xd3, 0xe4, 0x93, 0x02, 0x32, 0x22, 0x30, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
-	0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x75, 0x6e, 0x73, 0x68, 0x61, 0x72, 0x65, 0x2f, 0x7b, 0x6e, 0x61,
-	0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x7d, 0x12, 0x8b, 0x01, 0x0a, 0x0f, 0x47, 0x65, 0x74,
-	0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x24, 0x2e, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d,
-	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74,
-	0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02,
-	0x25, 0x12, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
-	0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f,
-	0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x97, 0x01, 0x0a, 0x13, 0x45, 0x6e, 0x61, 0x62, 0x6c,
-	0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x28,
-	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e,
-	0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
-	0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x29, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61,
-	0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x22, 0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x25, 0x22, 0x23, 0x2f, 0x61, 0x70,
-	0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61,
-	0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73,
-	0x12, 0x70, 0x0a, 0x0c, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79,
-	0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
-	0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
-	0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x19, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x22,
-	0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x3a,
-	0x01, 0x2a, 0x12, 0x77, 0x0a, 0x0c, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b,
-	0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
-	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65,
-	0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02,
-	0x1a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65,
-	0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x3a, 0x01, 0x2a, 0x12, 0x6a, 0x0a, 0x0b, 0x4c,
-	0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70,
-	0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74,
-	0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x16, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x10, 0x12, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
-	0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75,
-	0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f,
-	0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x12, 0x8b, 0x01, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52,
+	0x6f, 0x75, 0x74, 0x65, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63,
+	0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x25, 0x12, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f,
+	0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68,
+	0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x97,
+	0x01, 0x0a, 0x13, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
+	0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x28, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
+	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68,
+	0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x29, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75,
+	0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2b, 0x82, 0xd3, 0xe4,
+	0x93, 0x02, 0x25, 0x22, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63,
+	0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64,
+	0x7d, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x70, 0x0a, 0x0c, 0x43, 0x72, 0x65, 0x61,
+	0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
+	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70,
+	0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74,
+	0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x19, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x22, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
+	0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x3a, 0x01, 0x2a, 0x12, 0x77, 0x0a, 0x0c, 0x45, 0x78,
+	0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65,
+	0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e,
+	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70,
+	0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69, 0x2f,
+	0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65,
+	0x3a, 0x01, 0x2a, 0x12, 0x6a, 0x0a, 0x0b, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65,
+	0x79, 0x73, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x10, 0x12,
+	0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x42,
+	0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75,
+	0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x33,
 }

 var file_headscale_v1_headscale_proto_goTypes = []interface{}{
@@ -231,34 +212,30 @@ var file_headscale_v1_headscale_proto_goTypes = []interface{}{
 	(*DeleteMachineRequest)(nil),        // 11: headscale.v1.DeleteMachineRequest
 	(*ExpireMachineRequest)(nil),        // 12: headscale.v1.ExpireMachineRequest
 	(*ListMachinesRequest)(nil),         // 13: headscale.v1.ListMachinesRequest
-	(*ShareMachineRequest)(nil),         // 14: headscale.v1.ShareMachineRequest
-	(*UnshareMachineRequest)(nil),       // 15: headscale.v1.UnshareMachineRequest
-	(*GetMachineRouteRequest)(nil),      // 16: headscale.v1.GetMachineRouteRequest
-	(*EnableMachineRoutesRequest)(nil),  // 17: headscale.v1.EnableMachineRoutesRequest
-	(*CreateApiKeyRequest)(nil),         // 18: headscale.v1.CreateApiKeyRequest
-	(*ExpireApiKeyRequest)(nil),         // 19: headscale.v1.ExpireApiKeyRequest
-	(*ListApiKeysRequest)(nil),          // 20: headscale.v1.ListApiKeysRequest
-	(*GetNamespaceResponse)(nil),        // 21: headscale.v1.GetNamespaceResponse
-	(*CreateNamespaceResponse)(nil),     // 22: headscale.v1.CreateNamespaceResponse
-	(*RenameNamespaceResponse)(nil),     // 23: headscale.v1.RenameNamespaceResponse
-	(*DeleteNamespaceResponse)(nil),     // 24: headscale.v1.DeleteNamespaceResponse
-	(*ListNamespacesResponse)(nil),      // 25: headscale.v1.ListNamespacesResponse
-	(*CreatePreAuthKeyResponse)(nil),    // 26: headscale.v1.CreatePreAuthKeyResponse
-	(*ExpirePreAuthKeyResponse)(nil),    // 27: headscale.v1.ExpirePreAuthKeyResponse
-	(*ListPreAuthKeysResponse)(nil),     // 28: headscale.v1.ListPreAuthKeysResponse
-	(*DebugCreateMachineResponse)(nil),  // 29: headscale.v1.DebugCreateMachineResponse
-	(*GetMachineResponse)(nil),          // 30: headscale.v1.GetMachineResponse
-	(*RegisterMachineResponse)(nil),     // 31: headscale.v1.RegisterMachineResponse
-	(*DeleteMachineResponse)(nil),       // 32: headscale.v1.DeleteMachineResponse
-	(*ExpireMachineResponse)(nil),       // 33: headscale.v1.ExpireMachineResponse
-	(*ListMachinesResponse)(nil),        // 34: headscale.v1.ListMachinesResponse
-	(*ShareMachineResponse)(nil),        // 35: headscale.v1.ShareMachineResponse
-	(*UnshareMachineResponse)(nil),      // 36: headscale.v1.UnshareMachineResponse
-	(*GetMachineRouteResponse)(nil),     // 37: headscale.v1.GetMachineRouteResponse
-	(*EnableMachineRoutesResponse)(nil), // 38: headscale.v1.EnableMachineRoutesResponse
-	(*CreateApiKeyResponse)(nil),        // 39: headscale.v1.CreateApiKeyResponse
-	(*ExpireApiKeyResponse)(nil),        // 40: headscale.v1.ExpireApiKeyResponse
-	(*ListApiKeysResponse)(nil),         // 41: headscale.v1.ListApiKeysResponse
+	(*GetMachineRouteRequest)(nil),      // 14: headscale.v1.GetMachineRouteRequest
+	(*EnableMachineRoutesRequest)(nil),  // 15: headscale.v1.EnableMachineRoutesRequest
+	(*CreateApiKeyRequest)(nil),         // 16: headscale.v1.CreateApiKeyRequest
+	(*ExpireApiKeyRequest)(nil),         // 17: headscale.v1.ExpireApiKeyRequest
+	(*ListApiKeysRequest)(nil),          // 18: headscale.v1.ListApiKeysRequest
+	(*GetNamespaceResponse)(nil),        // 19: headscale.v1.GetNamespaceResponse
+	(*CreateNamespaceResponse)(nil),     // 20: headscale.v1.CreateNamespaceResponse
+	(*RenameNamespaceResponse)(nil),     // 21: headscale.v1.RenameNamespaceResponse
+	(*DeleteNamespaceResponse)(nil),     // 22: headscale.v1.DeleteNamespaceResponse
+	(*ListNamespacesResponse)(nil),      // 23: headscale.v1.ListNamespacesResponse
+	(*CreatePreAuthKeyResponse)(nil),    // 24: headscale.v1.CreatePreAuthKeyResponse
+	(*ExpirePreAuthKeyResponse)(nil),    // 25: headscale.v1.ExpirePreAuthKeyResponse
+	(*ListPreAuthKeysResponse)(nil),     // 26: headscale.v1.ListPreAuthKeysResponse
+	(*DebugCreateMachineResponse)(nil),  // 27: headscale.v1.DebugCreateMachineResponse
+	(*GetMachineResponse)(nil),          // 28: headscale.v1.GetMachineResponse
+	(*RegisterMachineResponse)(nil),     // 29: headscale.v1.RegisterMachineResponse
+	(*DeleteMachineResponse)(nil),       // 30: headscale.v1.DeleteMachineResponse
+	(*ExpireMachineResponse)(nil),       // 31: headscale.v1.ExpireMachineResponse
+	(*ListMachinesResponse)(nil),        // 32: headscale.v1.ListMachinesResponse
+	(*GetMachineRouteResponse)(nil),     // 33: headscale.v1.GetMachineRouteResponse
+	(*EnableMachineRoutesResponse)(nil), // 34: headscale.v1.EnableMachineRoutesResponse
+	(*CreateApiKeyResponse)(nil),        // 35: headscale.v1.CreateApiKeyResponse
+	(*ExpireApiKeyResponse)(nil),        // 36: headscale.v1.ExpireApiKeyResponse
+	(*ListApiKeysResponse)(nil),         // 37: headscale.v1.ListApiKeysResponse
 }
 var file_headscale_v1_headscale_proto_depIdxs = []int32{
 	0,  // 0: headscale.v1.HeadscaleService.GetNamespace:input_type -> headscale.v1.GetNamespaceRequest
@@ -275,36 +252,32 @@ var file_headscale_v1_headscale_proto_depIdxs = []int32{
 	11, // 11: headscale.v1.HeadscaleService.DeleteMachine:input_type -> headscale.v1.DeleteMachineRequest
 	12, // 12: headscale.v1.HeadscaleService.ExpireMachine:input_type -> headscale.v1.ExpireMachineRequest
 	13, // 13: headscale.v1.HeadscaleService.ListMachines:input_type -> headscale.v1.ListMachinesRequest
-	14, // 14: headscale.v1.HeadscaleService.ShareMachine:input_type -> headscale.v1.ShareMachineRequest
-	15, // 15: headscale.v1.HeadscaleService.UnshareMachine:input_type -> headscale.v1.UnshareMachineRequest
-	16, // 16: headscale.v1.HeadscaleService.GetMachineRoute:input_type -> headscale.v1.GetMachineRouteRequest
-	17, // 17: headscale.v1.HeadscaleService.EnableMachineRoutes:input_type -> headscale.v1.EnableMachineRoutesRequest
-	18, // 18: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
-	19, // 19: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
-	20, // 20: headscale.v1.HeadscaleService.ListApiKeys:input_type -> headscale.v1.ListApiKeysRequest
-	21, // 21: headscale.v1.HeadscaleService.GetNamespace:output_type -> headscale.v1.GetNamespaceResponse
-	22, // 22: headscale.v1.HeadscaleService.CreateNamespace:output_type -> headscale.v1.CreateNamespaceResponse
-	23, // 23: headscale.v1.HeadscaleService.RenameNamespace:output_type -> headscale.v1.RenameNamespaceResponse
-	24, // 24: headscale.v1.HeadscaleService.DeleteNamespace:output_type -> headscale.v1.DeleteNamespaceResponse
-	25, // 25: headscale.v1.HeadscaleService.ListNamespaces:output_type -> headscale.v1.ListNamespacesResponse
-	26, // 26: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
-	27, // 27: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
-	28, // 28: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
-	29, // 29: headscale.v1.HeadscaleService.DebugCreateMachine:output_type -> headscale.v1.DebugCreateMachineResponse
-	30, // 30: headscale.v1.HeadscaleService.GetMachine:output_type -> headscale.v1.GetMachineResponse
-	31, // 31: headscale.v1.HeadscaleService.RegisterMachine:output_type -> headscale.v1.RegisterMachineResponse
-	32, // 32: headscale.v1.HeadscaleService.DeleteMachine:output_type -> headscale.v1.DeleteMachineResponse
-	33, // 33: headscale.v1.HeadscaleService.ExpireMachine:output_type -> headscale.v1.ExpireMachineResponse
-	34, // 34: headscale.v1.HeadscaleService.ListMachines:output_type -> headscale.v1.ListMachinesResponse
-	35, // 35: headscale.v1.HeadscaleService.ShareMachine:output_type -> headscale.v1.ShareMachineResponse
-	36, // 36: headscale.v1.HeadscaleService.UnshareMachine:output_type -> headscale.v1.UnshareMachineResponse
-	37, // 37: headscale.v1.HeadscaleService.GetMachineRoute:output_type -> headscale.v1.GetMachineRouteResponse
-	38, // 38: headscale.v1.HeadscaleService.EnableMachineRoutes:output_type -> headscale.v1.EnableMachineRoutesResponse
-	39, // 39: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
-	40, // 40: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
-	41, // 41: headscale.v1.HeadscaleService.ListApiKeys:output_type -> headscale.v1.ListApiKeysResponse
-	21, // [21:42] is the sub-list for method output_type
-	0,  // [0:21] is the sub-list for method input_type
+	14, // 14: headscale.v1.HeadscaleService.GetMachineRoute:input_type -> headscale.v1.GetMachineRouteRequest
+	15, // 15: headscale.v1.HeadscaleService.EnableMachineRoutes:input_type -> headscale.v1.EnableMachineRoutesRequest
+	16, // 16: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
+	17, // 17: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
+	18, // 18: headscale.v1.HeadscaleService.ListApiKeys:input_type -> headscale.v1.ListApiKeysRequest
+	19, // 19: headscale.v1.HeadscaleService.GetNamespace:output_type -> headscale.v1.GetNamespaceResponse
+	20, // 20: headscale.v1.HeadscaleService.CreateNamespace:output_type -> headscale.v1.CreateNamespaceResponse
+	21, // 21: headscale.v1.HeadscaleService.RenameNamespace:output_type -> headscale.v1.RenameNamespaceResponse
+	22, // 22: headscale.v1.HeadscaleService.DeleteNamespace:output_type -> headscale.v1.DeleteNamespaceResponse
+	23, // 23: headscale.v1.HeadscaleService.ListNamespaces:output_type -> headscale.v1.ListNamespacesResponse
+	24, // 24: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
+	25, // 25: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
+	26, // 26: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
+	27, // 27: headscale.v1.HeadscaleService.DebugCreateMachine:output_type -> headscale.v1.DebugCreateMachineResponse
+	28, // 28: headscale.v1.HeadscaleService.GetMachine:output_type -> headscale.v1.GetMachineResponse
+	29, // 29: headscale.v1.HeadscaleService.RegisterMachine:output_type -> headscale.v1.RegisterMachineResponse
+	30, // 30: headscale.v1.HeadscaleService.DeleteMachine:output_type -> headscale.v1.DeleteMachineResponse
+	31, // 31: headscale.v1.HeadscaleService.ExpireMachine:output_type -> headscale.v1.ExpireMachineResponse
+	32, // 32: headscale.v1.HeadscaleService.ListMachines:output_type -> headscale.v1.ListMachinesResponse
+	33, // 33: headscale.v1.HeadscaleService.GetMachineRoute:output_type -> headscale.v1.GetMachineRouteResponse
+	34, // 34: headscale.v1.HeadscaleService.EnableMachineRoutes:output_type -> headscale.v1.EnableMachineRoutesResponse
+	35, // 35: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
+	36, // 36: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
+	37, // 37: headscale.v1.HeadscaleService.ListApiKeys:output_type -> headscale.v1.ListApiKeysResponse
+	19, // [19:38] is the sub-list for method output_type
+	0,  // [0:19] is the sub-list for method input_type
 	0,  // [0:0] is the sub-list for extension type_name
 	0,  // [0:0] is the sub-list for extension extendee
 	0,  // [0:0] is the sub-list for field type_name
--- a/gen/go/headscale/v1/headscale.pb.gw.go
+++ b/gen/go/headscale/v1/headscale.pb.gw.go
@@ -625,150 +625,6 @@ func local_request_HeadscaleService_ListMachines_0(ctx context.Context, marshale

 }

-func request_HeadscaleService_ShareMachine_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
-	var protoReq ShareMachineRequest
-	var metadata runtime.ServerMetadata
-
-	var (
-		val string
-		ok  bool
-		err error
-		_   = err
-	)
-
-	val, ok = pathParams["machine_id"]
-	if !ok {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "machine_id")
-	}
-
-	protoReq.MachineId, err = runtime.Uint64(val)
-	if err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "machine_id", err)
-	}
-
-	val, ok = pathParams["namespace"]
-	if !ok {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "namespace")
-	}
-
-	protoReq.Namespace, err = runtime.String(val)
-	if err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "namespace", err)
-	}
-
-	msg, err := client.ShareMachine(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
-	return msg, metadata, err
-
-}
-
-func local_request_HeadscaleService_ShareMachine_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
-	var protoReq ShareMachineRequest
-	var metadata runtime.ServerMetadata
-
-	var (
-		val string
-		ok  bool
-		err error
-		_   = err
-	)
-
-	val, ok = pathParams["machine_id"]
-	if !ok {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "machine_id")
-	}
-
-	protoReq.MachineId, err = runtime.Uint64(val)
-	if err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "machine_id", err)
-	}
-
-	val, ok = pathParams["namespace"]
-	if !ok {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "namespace")
-	}
-
-	protoReq.Namespace, err = runtime.String(val)
-	if err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "namespace", err)
-	}
-
-	msg, err := server.ShareMachine(ctx, &protoReq)
-	return msg, metadata, err
-
-}
-
-func request_HeadscaleService_UnshareMachine_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
-	var protoReq UnshareMachineRequest
-	var metadata runtime.ServerMetadata
-
-	var (
-		val string
-		ok  bool
-		err error
-		_   = err
-	)
-
-	val, ok = pathParams["machine_id"]
-	if !ok {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "machine_id")
-	}
-
-	protoReq.MachineId, err = runtime.Uint64(val)
-	if err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "machine_id", err)
-	}
-
-	val, ok = pathParams["namespace"]
-	if !ok {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "namespace")
-	}
-
-	protoReq.Namespace, err = runtime.String(val)
-	if err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "namespace", err)
-	}
-
-	msg, err := client.UnshareMachine(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
-	return msg, metadata, err
-
-}
-
-func local_request_HeadscaleService_UnshareMachine_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
-	var protoReq UnshareMachineRequest
-	var metadata runtime.ServerMetadata
-
-	var (
-		val string
-		ok  bool
-		err error
-		_   = err
-	)
-
-	val, ok = pathParams["machine_id"]
-	if !ok {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "machine_id")
-	}
-
-	protoReq.MachineId, err = runtime.Uint64(val)
-	if err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "machine_id", err)
-	}
-
-	val, ok = pathParams["namespace"]
-	if !ok {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "namespace")
-	}
-
-	protoReq.Namespace, err = runtime.String(val)
-	if err != nil {
-		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "namespace", err)
-	}
-
-	msg, err := server.UnshareMachine(ctx, &protoReq)
-	return msg, metadata, err
-
-}
-
 func request_HeadscaleService_GetMachineRoute_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq GetMachineRouteRequest
 	var metadata runtime.ServerMetadata
@@ -1305,52 +1161,6 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser

 	})

-	mux.Handle("POST", pattern_HeadscaleService_ShareMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
-		ctx, cancel := context.WithCancel(req.Context())
-		defer cancel()
-		var stream runtime.ServerTransportStream
-		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
-		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
-		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req, "/headscale.v1.HeadscaleService/ShareMachine", runtime.WithHTTPPathPattern("/api/v1/machine/{machine_id}/share/{namespace}"))
-		if err != nil {
-			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
-			return
-		}
-		resp, md, err := local_request_HeadscaleService_ShareMachine_0(rctx, inboundMarshaler, server, req, pathParams)
-		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
-		ctx = runtime.NewServerMetadataContext(ctx, md)
-		if err != nil {
-			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
-			return
-		}
-
-		forward_HeadscaleService_ShareMachine_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
-
-	})
-
-	mux.Handle("POST", pattern_HeadscaleService_UnshareMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
-		ctx, cancel := context.WithCancel(req.Context())
-		defer cancel()
-		var stream runtime.ServerTransportStream
-		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
-		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
-		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req, "/headscale.v1.HeadscaleService/UnshareMachine", runtime.WithHTTPPathPattern("/api/v1/machine/{machine_id}/unshare/{namespace}"))
-		if err != nil {
-			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
-			return
-		}
-		resp, md, err := local_request_HeadscaleService_UnshareMachine_0(rctx, inboundMarshaler, server, req, pathParams)
-		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
-		ctx = runtime.NewServerMetadataContext(ctx, md)
-		if err != nil {
-			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
-			return
-		}
-
-		forward_HeadscaleService_UnshareMachine_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
-
-	})
-
 	mux.Handle("GET", pattern_HeadscaleService_GetMachineRoute_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1787,46 +1597,6 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser

 	})

-	mux.Handle("POST", pattern_HeadscaleService_ShareMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
-		ctx, cancel := context.WithCancel(req.Context())
-		defer cancel()
-		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
-		rctx, err := runtime.AnnotateContext(ctx, mux, req, "/headscale.v1.HeadscaleService/ShareMachine", runtime.WithHTTPPathPattern("/api/v1/machine/{machine_id}/share/{namespace}"))
-		if err != nil {
-			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
-			return
-		}
-		resp, md, err := request_HeadscaleService_ShareMachine_0(rctx, inboundMarshaler, client, req, pathParams)
-		ctx = runtime.NewServerMetadataContext(ctx, md)
-		if err != nil {
-			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
-			return
-		}
-
-		forward_HeadscaleService_ShareMachine_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
-
-	})
-
-	mux.Handle("POST", pattern_HeadscaleService_UnshareMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
-		ctx, cancel := context.WithCancel(req.Context())
-		defer cancel()
-		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
-		rctx, err := runtime.AnnotateContext(ctx, mux, req, "/headscale.v1.HeadscaleService/UnshareMachine", runtime.WithHTTPPathPattern("/api/v1/machine/{machine_id}/unshare/{namespace}"))
-		if err != nil {
-			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
-			return
-		}
-		resp, md, err := request_HeadscaleService_UnshareMachine_0(rctx, inboundMarshaler, client, req, pathParams)
-		ctx = runtime.NewServerMetadataContext(ctx, md)
-		if err != nil {
-			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
-			return
-		}
-
-		forward_HeadscaleService_UnshareMachine_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
-
-	})
-
 	mux.Handle("GET", pattern_HeadscaleService_GetMachineRoute_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1959,10 +1729,6 @@ var (

 	pattern_HeadscaleService_ListMachines_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "machine"}, ""))

-	pattern_HeadscaleService_ShareMachine_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4, 1, 0, 4, 1, 5, 5}, []string{"api", "v1", "machine", "machine_id", "share", "namespace"}, ""))
-
-	pattern_HeadscaleService_UnshareMachine_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4, 1, 0, 4, 1, 5, 5}, []string{"api", "v1", "machine", "machine_id", "unshare", "namespace"}, ""))
-
 	pattern_HeadscaleService_GetMachineRoute_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "machine", "machine_id", "routes"}, ""))

 	pattern_HeadscaleService_EnableMachineRoutes_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "machine", "machine_id", "routes"}, ""))
@@ -2003,10 +1769,6 @@ var (

 	forward_HeadscaleService_ListMachines_0 = runtime.ForwardResponseMessage

-	forward_HeadscaleService_ShareMachine_0 = runtime.ForwardResponseMessage
-
-	forward_HeadscaleService_UnshareMachine_0 = runtime.ForwardResponseMessage
-
 	forward_HeadscaleService_GetMachineRoute_0 = runtime.ForwardResponseMessage

 	forward_HeadscaleService_EnableMachineRoutes_0 = runtime.ForwardResponseMessage
--- a/gen/go/headscale/v1/headscale_grpc.pb.go
+++ b/gen/go/headscale/v1/headscale_grpc.pb.go
@@ -1,10 +1,13 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.2.0
+// - protoc             (unknown)
+// source: headscale/v1/headscale.proto

 package v1

 import (
 	context "context"
-
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -36,8 +39,6 @@ type HeadscaleServiceClient interface {
 	DeleteMachine(ctx context.Context, in *DeleteMachineRequest, opts ...grpc.CallOption) (*DeleteMachineResponse, error)
 	ExpireMachine(ctx context.Context, in *ExpireMachineRequest, opts ...grpc.CallOption) (*ExpireMachineResponse, error)
 	ListMachines(ctx context.Context, in *ListMachinesRequest, opts ...grpc.CallOption) (*ListMachinesResponse, error)
-	ShareMachine(ctx context.Context, in *ShareMachineRequest, opts ...grpc.CallOption) (*ShareMachineResponse, error)
-	UnshareMachine(ctx context.Context, in *UnshareMachineRequest, opts ...grpc.CallOption) (*UnshareMachineResponse, error)
 	// --- Route start ---
 	GetMachineRoute(ctx context.Context, in *GetMachineRouteRequest, opts ...grpc.CallOption) (*GetMachineRouteResponse, error)
 	EnableMachineRoutes(ctx context.Context, in *EnableMachineRoutesRequest, opts ...grpc.CallOption) (*EnableMachineRoutesResponse, error)
@@ -181,24 +182,6 @@ func (c *headscaleServiceClient) ListMachines(ctx context.Context, in *ListMachi
 	return out, nil
 }

-func (c *headscaleServiceClient) ShareMachine(ctx context.Context, in *ShareMachineRequest, opts ...grpc.CallOption) (*ShareMachineResponse, error) {
-	out := new(ShareMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ShareMachine", in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *headscaleServiceClient) UnshareMachine(ctx context.Context, in *UnshareMachineRequest, opts ...grpc.CallOption) (*UnshareMachineResponse, error) {
-	out := new(UnshareMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/UnshareMachine", in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *headscaleServiceClient) GetMachineRoute(ctx context.Context, in *GetMachineRouteRequest, opts ...grpc.CallOption) (*GetMachineRouteResponse, error) {
 	out := new(GetMachineRouteResponse)
 	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetMachineRoute", in, out, opts...)
@@ -265,8 +248,6 @@ type HeadscaleServiceServer interface {
 	DeleteMachine(context.Context, *DeleteMachineRequest) (*DeleteMachineResponse, error)
 	ExpireMachine(context.Context, *ExpireMachineRequest) (*ExpireMachineResponse, error)
 	ListMachines(context.Context, *ListMachinesRequest) (*ListMachinesResponse, error)
-	ShareMachine(context.Context, *ShareMachineRequest) (*ShareMachineResponse, error)
-	UnshareMachine(context.Context, *UnshareMachineRequest) (*UnshareMachineResponse, error)
 	// --- Route start ---
 	GetMachineRoute(context.Context, *GetMachineRouteRequest) (*GetMachineRouteResponse, error)
 	EnableMachineRoutes(context.Context, *EnableMachineRoutesRequest) (*EnableMachineRoutesResponse, error)
@@ -323,12 +304,6 @@ func (UnimplementedHeadscaleServiceServer) ExpireMachine(context.Context, *Expir
 func (UnimplementedHeadscaleServiceServer) ListMachines(context.Context, *ListMachinesRequest) (*ListMachinesResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListMachines not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) ShareMachine(context.Context, *ShareMachineRequest) (*ShareMachineResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method ShareMachine not implemented")
-}
-func (UnimplementedHeadscaleServiceServer) UnshareMachine(context.Context, *UnshareMachineRequest) (*UnshareMachineResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method UnshareMachine not implemented")
-}
 func (UnimplementedHeadscaleServiceServer) GetMachineRoute(context.Context, *GetMachineRouteRequest) (*GetMachineRouteResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetMachineRoute not implemented")
 }
@@ -609,42 +584,6 @@ func _HeadscaleService_ListMachines_Handler(srv interface{}, ctx context.Context
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_ShareMachine_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(ShareMachineRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).ShareMachine(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ShareMachine",
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).ShareMachine(ctx, req.(*ShareMachineRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _HeadscaleService_UnshareMachine_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(UnshareMachineRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).UnshareMachine(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/UnshareMachine",
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).UnshareMachine(ctx, req.(*UnshareMachineRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _HeadscaleService_GetMachineRoute_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(GetMachineRouteRequest)
 	if err := dec(in); err != nil {
@@ -798,14 +737,6 @@ var HeadscaleService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "ListMachines",
 			Handler:    _HeadscaleService_ListMachines_Handler,
 		},
-		{
-			MethodName: "ShareMachine",
-			Handler:    _HeadscaleService_ShareMachine_Handler,
-		},
-		{
-			MethodName: "UnshareMachine",
-			Handler:    _HeadscaleService_UnshareMachine_Handler,
-		},
 		{
 			MethodName: "GetMachineRoute",
 			Handler:    _HeadscaleService_GetMachineRoute_Handler,
--- a/gen/go/headscale/v1/machine.pb.go
+++ b/gen/go/headscale/v1/machine.pb.go
@@ -7,12 +7,11 @@
 package v1

 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
 )

 const (
@@ -694,210 +693,6 @@ func (x *ListMachinesResponse) GetMachines() []*Machine {
 	return nil
 }

-type ShareMachineRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	MachineId uint64 `protobuf:"varint,1,opt,name=machine_id,json=machineId,proto3" json:"machine_id,omitempty"`
-	Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
-}
-
-func (x *ShareMachineRequest) Reset() {
-	*x = ShareMachineRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[11]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *ShareMachineRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*ShareMachineRequest) ProtoMessage() {}
-
-func (x *ShareMachineRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[11]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use ShareMachineRequest.ProtoReflect.Descriptor instead.
-func (*ShareMachineRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{11}
-}
-
-func (x *ShareMachineRequest) GetMachineId() uint64 {
-	if x != nil {
-		return x.MachineId
-	}
-	return 0
-}
-
-func (x *ShareMachineRequest) GetNamespace() string {
-	if x != nil {
-		return x.Namespace
-	}
-	return ""
-}
-
-type ShareMachineResponse struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Machine *Machine `protobuf:"bytes,1,opt,name=machine,proto3" json:"machine,omitempty"`
-}
-
-func (x *ShareMachineResponse) Reset() {
-	*x = ShareMachineResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[12]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *ShareMachineResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*ShareMachineResponse) ProtoMessage() {}
-
-func (x *ShareMachineResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[12]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use ShareMachineResponse.ProtoReflect.Descriptor instead.
-func (*ShareMachineResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{12}
-}
-
-func (x *ShareMachineResponse) GetMachine() *Machine {
-	if x != nil {
-		return x.Machine
-	}
-	return nil
-}
-
-type UnshareMachineRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	MachineId uint64 `protobuf:"varint,1,opt,name=machine_id,json=machineId,proto3" json:"machine_id,omitempty"`
-	Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
-}
-
-func (x *UnshareMachineRequest) Reset() {
-	*x = UnshareMachineRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[13]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *UnshareMachineRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*UnshareMachineRequest) ProtoMessage() {}
-
-func (x *UnshareMachineRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[13]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use UnshareMachineRequest.ProtoReflect.Descriptor instead.
-func (*UnshareMachineRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{13}
-}
-
-func (x *UnshareMachineRequest) GetMachineId() uint64 {
-	if x != nil {
-		return x.MachineId
-	}
-	return 0
-}
-
-func (x *UnshareMachineRequest) GetNamespace() string {
-	if x != nil {
-		return x.Namespace
-	}
-	return ""
-}
-
-type UnshareMachineResponse struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Machine *Machine `protobuf:"bytes,1,opt,name=machine,proto3" json:"machine,omitempty"`
-}
-
-func (x *UnshareMachineResponse) Reset() {
-	*x = UnshareMachineResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[14]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *UnshareMachineResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*UnshareMachineResponse) ProtoMessage() {}
-
-func (x *UnshareMachineResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[14]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use UnshareMachineResponse.ProtoReflect.Descriptor instead.
-func (*UnshareMachineResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{14}
-}
-
-func (x *UnshareMachineResponse) GetMachine() *Machine {
-	if x != nil {
-		return x.Machine
-	}
-	return nil
-}
-
 type DebugCreateMachineRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -912,7 +707,7 @@ type DebugCreateMachineRequest struct {
 func (x *DebugCreateMachineRequest) Reset() {
 	*x = DebugCreateMachineRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[15]
+		mi := &file_headscale_v1_machine_proto_msgTypes[11]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -925,7 +720,7 @@ func (x *DebugCreateMachineRequest) String() string {
 func (*DebugCreateMachineRequest) ProtoMessage() {}

 func (x *DebugCreateMachineRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[15]
+	mi := &file_headscale_v1_machine_proto_msgTypes[11]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -938,7 +733,7 @@ func (x *DebugCreateMachineRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DebugCreateMachineRequest.ProtoReflect.Descriptor instead.
 func (*DebugCreateMachineRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{15}
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{11}
 }

 func (x *DebugCreateMachineRequest) GetNamespace() string {
@@ -980,7 +775,7 @@ type DebugCreateMachineResponse struct {
 func (x *DebugCreateMachineResponse) Reset() {
 	*x = DebugCreateMachineResponse{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[16]
+		mi := &file_headscale_v1_machine_proto_msgTypes[12]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -993,7 +788,7 @@ func (x *DebugCreateMachineResponse) String() string {
 func (*DebugCreateMachineResponse) ProtoMessage() {}

 func (x *DebugCreateMachineResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[16]
+	mi := &file_headscale_v1_machine_proto_msgTypes[12]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -1006,7 +801,7 @@ func (x *DebugCreateMachineResponse) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DebugCreateMachineResponse.ProtoReflect.Descriptor instead.
 func (*DebugCreateMachineResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{16}
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{12}
 }

 func (x *DebugCreateMachineResponse) GetMachine() *Machine {
@@ -1105,51 +900,31 @@ var file_headscale_v1_machine_proto_rawDesc = []byte{
 	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x31, 0x0a, 0x08, 0x6d, 0x61, 0x63, 0x68, 0x69,
 	0x6e, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64,
 	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x52, 0x08, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x22, 0x52, 0x0a, 0x13, 0x53, 0x68,
-	0x61, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49, 0x64,
-	0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0x47,
-	0x0a, 0x14, 0x53, 0x68, 0x61, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x07,
-	0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x22, 0x54, 0x0a, 0x15, 0x55, 0x6e, 0x73, 0x68, 0x61,
-	0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49, 0x64, 0x12,
-	0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0x49, 0x0a,
-	0x16, 0x55, 0x6e, 0x73, 0x68, 0x61, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69,
-	0x6e, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52,
-	0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x22, 0x77, 0x0a, 0x19, 0x44, 0x65, 0x62, 0x75,
-	0x67, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61,
-	0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70,
-	0x61, 0x63, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x6f, 0x75,
-	0x74, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65,
-	0x73, 0x22, 0x4d, 0x0a, 0x1a, 0x44, 0x65, 0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65,
-	0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12,
-	0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
-	0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x2a, 0x82, 0x01, 0x0a, 0x0e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d, 0x65, 0x74,
-	0x68, 0x6f, 0x64, 0x12, 0x1f, 0x0a, 0x1b, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x5f,
-	0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49,
-	0x45, 0x44, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52,
-	0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x41, 0x55, 0x54, 0x48, 0x5f, 0x4b, 0x45, 0x59,
-	0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x5f, 0x4d,
-	0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x43, 0x4c, 0x49, 0x10, 0x02, 0x12, 0x18, 0x0a, 0x14, 0x52,
-	0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x4f,
-	0x49, 0x44, 0x43, 0x10, 0x03, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e,
-	0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31,
-	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x52, 0x08, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x22, 0x77, 0x0a, 0x19, 0x44, 0x65,
+	0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73,
+	0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65,
+	0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72,
+	0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x72, 0x6f, 0x75,
+	0x74, 0x65, 0x73, 0x22, 0x4d, 0x0a, 0x1a, 0x44, 0x65, 0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61,
+	0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69,
+	0x6e, 0x65, 0x2a, 0x82, 0x01, 0x0a, 0x0e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d,
+	0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x1f, 0x0a, 0x1b, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45,
+	0x52, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49,
+	0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54,
+	0x45, 0x52, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x41, 0x55, 0x54, 0x48, 0x5f, 0x4b,
+	0x45, 0x59, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52,
+	0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x43, 0x4c, 0x49, 0x10, 0x02, 0x12, 0x18, 0x0a,
+	0x14, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44,
+	0x5f, 0x4f, 0x49, 0x44, 0x43, 0x10, 0x03, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75,
+	0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f,
+	0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@@ -1165,7 +940,7 @@ func file_headscale_v1_machine_proto_rawDescGZIP() []byte {
 }

 var file_headscale_v1_machine_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_headscale_v1_machine_proto_msgTypes = make([]protoimpl.MessageInfo, 17)
+var file_headscale_v1_machine_proto_msgTypes = make([]protoimpl.MessageInfo, 13)
 var file_headscale_v1_machine_proto_goTypes = []interface{}{
 	(RegisterMethod)(0),                // 0: headscale.v1.RegisterMethod
 	(*Machine)(nil),                    // 1: headscale.v1.Machine
@@ -1179,36 +954,30 @@ var file_headscale_v1_machine_proto_goTypes = []interface{}{
 	(*ExpireMachineResponse)(nil),      // 9: headscale.v1.ExpireMachineResponse
 	(*ListMachinesRequest)(nil),        // 10: headscale.v1.ListMachinesRequest
 	(*ListMachinesResponse)(nil),       // 11: headscale.v1.ListMachinesResponse
-	(*ShareMachineRequest)(nil),        // 12: headscale.v1.ShareMachineRequest
-	(*ShareMachineResponse)(nil),       // 13: headscale.v1.ShareMachineResponse
-	(*UnshareMachineRequest)(nil),      // 14: headscale.v1.UnshareMachineRequest
-	(*UnshareMachineResponse)(nil),     // 15: headscale.v1.UnshareMachineResponse
-	(*DebugCreateMachineRequest)(nil),  // 16: headscale.v1.DebugCreateMachineRequest
-	(*DebugCreateMachineResponse)(nil), // 17: headscale.v1.DebugCreateMachineResponse
-	(*Namespace)(nil),                  // 18: headscale.v1.Namespace
-	(*timestamppb.Timestamp)(nil),      // 19: google.protobuf.Timestamp
-	(*PreAuthKey)(nil),                 // 20: headscale.v1.PreAuthKey
+	(*DebugCreateMachineRequest)(nil),  // 12: headscale.v1.DebugCreateMachineRequest
+	(*DebugCreateMachineResponse)(nil), // 13: headscale.v1.DebugCreateMachineResponse
+	(*Namespace)(nil),                  // 14: headscale.v1.Namespace
+	(*timestamppb.Timestamp)(nil),      // 15: google.protobuf.Timestamp
+	(*PreAuthKey)(nil),                 // 16: headscale.v1.PreAuthKey
 }
 var file_headscale_v1_machine_proto_depIdxs = []int32{
-	18, // 0: headscale.v1.Machine.namespace:type_name -> headscale.v1.Namespace
+	14, // 0: headscale.v1.Machine.namespace:type_name -> headscale.v1.Namespace
 	0,  // 1: headscale.v1.Machine.register_method:type_name -> headscale.v1.RegisterMethod
-	19, // 2: headscale.v1.Machine.last_seen:type_name -> google.protobuf.Timestamp
-	19, // 3: headscale.v1.Machine.last_successful_update:type_name -> google.protobuf.Timestamp
-	19, // 4: headscale.v1.Machine.expiry:type_name -> google.protobuf.Timestamp
-	20, // 5: headscale.v1.Machine.pre_auth_key:type_name -> headscale.v1.PreAuthKey
-	19, // 6: headscale.v1.Machine.created_at:type_name -> google.protobuf.Timestamp
+	15, // 2: headscale.v1.Machine.last_seen:type_name -> google.protobuf.Timestamp
+	15, // 3: headscale.v1.Machine.last_successful_update:type_name -> google.protobuf.Timestamp
+	15, // 4: headscale.v1.Machine.expiry:type_name -> google.protobuf.Timestamp
+	16, // 5: headscale.v1.Machine.pre_auth_key:type_name -> headscale.v1.PreAuthKey
+	15, // 6: headscale.v1.Machine.created_at:type_name -> google.protobuf.Timestamp
 	1,  // 7: headscale.v1.RegisterMachineResponse.machine:type_name -> headscale.v1.Machine
 	1,  // 8: headscale.v1.GetMachineResponse.machine:type_name -> headscale.v1.Machine
 	1,  // 9: headscale.v1.ExpireMachineResponse.machine:type_name -> headscale.v1.Machine
 	1,  // 10: headscale.v1.ListMachinesResponse.machines:type_name -> headscale.v1.Machine
-	1,  // 11: headscale.v1.ShareMachineResponse.machine:type_name -> headscale.v1.Machine
-	1,  // 12: headscale.v1.UnshareMachineResponse.machine:type_name -> headscale.v1.Machine
-	1,  // 13: headscale.v1.DebugCreateMachineResponse.machine:type_name -> headscale.v1.Machine
-	14, // [14:14] is the sub-list for method output_type
-	14, // [14:14] is the sub-list for method input_type
-	14, // [14:14] is the sub-list for extension type_name
-	14, // [14:14] is the sub-list for extension extendee
-	0,  // [0:14] is the sub-list for field type_name
+	1,  // 11: headscale.v1.DebugCreateMachineResponse.machine:type_name -> headscale.v1.Machine
+	12, // [12:12] is the sub-list for method output_type
+	12, // [12:12] is the sub-list for method input_type
+	12, // [12:12] is the sub-list for extension type_name
+	12, // [12:12] is the sub-list for extension extendee
+	0,  // [0:12] is the sub-list for field type_name
 }

 func init() { file_headscale_v1_machine_proto_init() }
@@ -1352,54 +1121,6 @@ func file_headscale_v1_machine_proto_init() {
 			}
 		}
 		file_headscale_v1_machine_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*ShareMachineRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_machine_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*ShareMachineResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_machine_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*UnshareMachineRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_machine_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*UnshareMachineResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_machine_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*DebugCreateMachineRequest); i {
 			case 0:
 				return &v.state
@@ -1411,7 +1132,7 @@ func file_headscale_v1_machine_proto_init() {
 				return nil
 			}
 		}
-		file_headscale_v1_machine_proto_msgTypes[16].Exporter = func(v interface{}, i int) interface{} {
+		file_headscale_v1_machine_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*DebugCreateMachineResponse); i {
 			case 0:
 				return &v.state
@@ -1430,7 +1151,7 @@ func file_headscale_v1_machine_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_headscale_v1_machine_proto_rawDesc,
 			NumEnums:      1,
-			NumMessages:   17,
+			NumMessages:   13,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
--- a/gen/go/headscale/v1/namespace.pb.go
+++ b/gen/go/headscale/v1/namespace.pb.go
@@ -7,12 +7,11 @@
 package v1

 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
 )

 const (
--- a/gen/go/headscale/v1/preauthkey.pb.go
+++ b/gen/go/headscale/v1/preauthkey.pb.go
@@ -7,12 +7,11 @@
 package v1

 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
 )

 const (
--- a/gen/go/headscale/v1/routes.pb.go
+++ b/gen/go/headscale/v1/routes.pb.go
@@ -7,11 +7,10 @@
 package v1

 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
 )

 const (
--- a/gen/openapiv2/headscale/v1/headscale.swagger.json
+++ b/gen/openapiv2/headscale/v1/headscale.swagger.json
@@ -181,6 +181,20 @@
            }
          }
        },
+        "parameters": [
+          {
+            "name": "namespace",
+            "in": "query",
+            "required": false,
+            "type": "string"
+          },
+          {
+            "name": "key",
+            "in": "query",
+            "required": false,
+            "type": "string"
+          }
+        ],
        "tags": [
          "HeadscaleService"
        ]
@@ -324,37 +338,6 @@
            }
          }
        },
-        "parameters": [
-          {
-            "name": "machineId",
-            "in": "path",
-            "required": true,
-            "type": "string",
-            "format": "uint64"
-          }
-        ],
-        "tags": [
-          "HeadscaleService"
-        ]
-      }
-    },
-    "/api/v1/machine/{machineId}/share/{namespace}": {
-      "post": {
-        "operationId": "HeadscaleService_ShareMachine",
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/v1ShareMachineResponse"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/rpcStatus"
-            }
-          }
-        },
        "parameters": [
          {
            "name": "machineId",
@@ -364,47 +347,14 @@
            "format": "uint64"
          },
          {
-            "name": "namespace",
-            "in": "path",
-            "required": true,
-            "type": "string"
-          }
-        ],
-        "tags": [
-          "HeadscaleService"
-        ]
-      }
-    },
-    "/api/v1/machine/{machineId}/unshare/{namespace}": {
-      "post": {
-        "operationId": "HeadscaleService_UnshareMachine",
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/v1UnshareMachineResponse"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/rpcStatus"
-            }
-          }
-        },
-        "parameters": [
-          {
-            "name": "machineId",
-            "in": "path",
-            "required": true,
-            "type": "string",
-            "format": "uint64"
-          },
-          {
-            "name": "namespace",
-            "in": "path",
-            "required": true,
-            "type": "string"
+            "name": "routes",
+            "in": "query",
+            "required": false,
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi"
          }
        ],
        "tags": [
@@ -1050,22 +1000,6 @@
          }
        }
      }
-    },
-    "v1ShareMachineResponse": {
-      "type": "object",
-      "properties": {
-        "machine": {
-          "$ref": "#/definitions/v1Machine"
-        }
-      }
-    },
-    "v1UnshareMachineResponse": {
-      "type": "object",
-      "properties": {
-        "machine": {
-          "$ref": "#/definitions/v1Machine"
-        }
-      }
    }
  }
 }
--- a/go.mod
+++ b/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/efekarakus/termcolor v1.0.1
 	github.com/fatih/set v0.2.1
 	github.com/gin-gonic/gin v1.7.7
+	github.com/glebarez/sqlite v1.3.5
 	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.3
@@ -19,14 +20,13 @@ require (
 	github.com/prometheus/client_golang v1.12.1
 	github.com/pterm/pterm v0.12.36
 	github.com/rs/zerolog v1.26.1
-	github.com/soheilhy/cmux v0.1.5
 	github.com/spf13/cobra v1.3.0
 	github.com/spf13/viper v1.10.1
 	github.com/stretchr/testify v1.7.0
 	github.com/tailscale/hujson v0.0.0-20211215203138-ffd971c5f362
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
 	github.com/zsais/go-gin-prometheus v0.1.0
-	golang.org/x/crypto v0.0.0-20220210151621-f4118a5b28e2
+	golang.org/x/crypto v0.0.0-20220214200702-86341886e292
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	google.golang.org/genproto v0.0.0-20220210181026-6fee9acbd336
@@ -36,9 +36,8 @@ require (
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v2 v2.4.0
 	gorm.io/datatypes v1.0.5
-	gorm.io/driver/postgres v1.2.3
-	gorm.io/driver/sqlite v1.2.6
-	gorm.io/gorm v1.22.5
+	gorm.io/driver/postgres v1.3.1
+	gorm.io/gorm v1.23.1
 	inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6
 	tailscale.com v1.20.4
 )
@@ -58,8 +57,8 @@ require (
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
-	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/glebarez/go-sqlite v1.14.7 // indirect
 	github.com/go-playground/locales v0.14.0 // indirect
 	github.com/go-playground/universal-translator v0.18.0 // indirect
 	github.com/go-playground/validator/v10 v10.10.0 // indirect
@@ -70,6 +69,7 @@ require (
 	github.com/google/go-github v17.0.0+incompatible // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/google/uuid v1.3.0 // indirect
 	github.com/gookit/color v1.5.0 // indirect
 	github.com/hashicorp/go-version v1.4.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
@@ -112,6 +112,7 @@ require (
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.8.1 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
@@ -136,6 +137,12 @@ require (
 	gopkg.in/ini.v1 v1.66.4 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
-	gorm.io/driver/mysql v1.2.3 // indirect
+	gorm.io/driver/mysql v1.3.2 // indirect
+	gorm.io/driver/sqlite v1.3.1 // indirect
+	gorm.io/driver/sqlserver v1.3.1 // indirect
+	modernc.org/libc v1.14.3 // indirect
+	modernc.org/mathutil v1.4.1 // indirect
+	modernc.org/memory v1.0.5 // indirect
+	modernc.org/sqlite v1.14.5 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/grpcv1.go
+++ b/grpcv1.go
@@ -232,15 +232,6 @@ func (api headscaleV1APIServer) ListMachines(
 			return nil, err
 		}

-		sharedMachines, err := api.h.ListSharedMachinesInNamespace(
-			request.GetNamespace(),
-		)
-		if err != nil {
-			return nil, err
-		}
-
-		machines = append(machines, sharedMachines...)
-
 		response := make([]*v1.Machine, len(machines))
 		for index, machine := range machines {
 			response[index] = machine.toProto()
@@ -262,50 +253,6 @@ func (api headscaleV1APIServer) ListMachines(
 	return &v1.ListMachinesResponse{Machines: response}, nil
 }

-func (api headscaleV1APIServer) ShareMachine(
-	ctx context.Context,
-	request *v1.ShareMachineRequest,
-) (*v1.ShareMachineResponse, error) {
-	destinationNamespace, err := api.h.GetNamespace(request.GetNamespace())
-	if err != nil {
-		return nil, err
-	}
-
-	machine, err := api.h.GetMachineByID(request.GetMachineId())
-	if err != nil {
-		return nil, err
-	}
-
-	err = api.h.AddSharedMachineToNamespace(machine, destinationNamespace)
-	if err != nil {
-		return nil, err
-	}
-
-	return &v1.ShareMachineResponse{Machine: machine.toProto()}, nil
-}
-
-func (api headscaleV1APIServer) UnshareMachine(
-	ctx context.Context,
-	request *v1.UnshareMachineRequest,
-) (*v1.UnshareMachineResponse, error) {
-	destinationNamespace, err := api.h.GetNamespace(request.GetNamespace())
-	if err != nil {
-		return nil, err
-	}
-
-	machine, err := api.h.GetMachineByID(request.GetMachineId())
-	if err != nil {
-		return nil, err
-	}
-
-	err = api.h.RemoveSharedMachineFromNamespace(machine, destinationNamespace)
-	if err != nil {
-		return nil, err
-	}
-
-	return &v1.UnshareMachineResponse{Machine: machine.toProto()}, nil
-}
-
 func (api headscaleV1APIServer) GetMachineRoute(
 	ctx context.Context,
 	request *v1.GetMachineRouteRequest,
--- a/integration_cli_test.go
+++ b/integration_cli_test.go
@@ -529,7 +529,7 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	namespace, err := s.createNamespace("machine-namespace")
 	assert.Nil(s.T(), err)

-	sharedNamespace, err := s.createNamespace("shared-namespace")
+	secondNamespace, err := s.createNamespace("other-namespace")
 	assert.Nil(s.T(), err)

 	// Randomly generated machine keys
@@ -589,7 +589,7 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {

 	assert.Len(s.T(), machines, len(machineKeys))

-	// Test list all nodes after added shared
+	// Test list all nodes after added seconds
 	listAllResult, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
@@ -627,14 +627,14 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	assert.True(s.T(), listAll[3].Registered)
 	assert.True(s.T(), listAll[4].Registered)

-	sharedMachineKeys := []string{
+	otherNamespaceMachineKeys := []string{
 		"b5b444774186d4217adcec407563a1223929465ee2c68a4da13af0d0185b4f8e",
 		"dc721977ac7415aafa87f7d4574cbe07c6b171834a6d37375782bdc1fb6b3584",
 	}
-	sharedMachines := make([]*v1.Machine, len(sharedMachineKeys))
+	otherNamespaceMachines := make([]*v1.Machine, len(otherNamespaceMachineKeys))
 	assert.Nil(s.T(), err)

-	for index, machineKey := range sharedMachineKeys {
+	for index, machineKey := range otherNamespaceMachineKeys {
 		_, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
@@ -642,9 +642,9 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 				"debug",
 				"create-node",
 				"--name",
-				fmt.Sprintf("shared-machine-%d", index+1),
+				fmt.Sprintf("otherNamespace-machine-%d", index+1),
 				"--namespace",
-				sharedNamespace.Name,
+				secondNamespace.Name,
 				"--key",
 				machineKey,
 				"--output",
@@ -660,7 +660,7 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 				"headscale",
 				"nodes",
 				"--namespace",
-				sharedNamespace.Name,
+				secondNamespace.Name,
 				"register",
 				"--key",
 				machineKey,
@@ -675,13 +675,13 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 		err = json.Unmarshal([]byte(machineResult), &machine)
 		assert.Nil(s.T(), err)

-		sharedMachines[index] = &machine
+		otherNamespaceMachines[index] = &machine
 	}

-	assert.Len(s.T(), sharedMachines, len(sharedMachineKeys))
+	assert.Len(s.T(), otherNamespaceMachines, len(otherNamespaceMachineKeys))

-	// Test list all nodes after added shared
-	listAllWithSharedResult, err := ExecuteCommand(
+	// Test list all nodes after added otherNamespace
+	listAllWithotherNamespaceResult, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -694,31 +694,34 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	)
 	assert.Nil(s.T(), err)

-	var listAllWithShared []v1.Machine
-	err = json.Unmarshal([]byte(listAllWithSharedResult), &listAllWithShared)
+	var listAllWithotherNamespace []v1.Machine
+	err = json.Unmarshal(
+		[]byte(listAllWithotherNamespaceResult),
+		&listAllWithotherNamespace,
+	)
 	assert.Nil(s.T(), err)

-	// All nodes, machines + shared
-	assert.Len(s.T(), listAllWithShared, 7)
+	// All nodes, machines + otherNamespace
+	assert.Len(s.T(), listAllWithotherNamespace, 7)

-	assert.Equal(s.T(), uint64(6), listAllWithShared[5].Id)
-	assert.Equal(s.T(), uint64(7), listAllWithShared[6].Id)
+	assert.Equal(s.T(), uint64(6), listAllWithotherNamespace[5].Id)
+	assert.Equal(s.T(), uint64(7), listAllWithotherNamespace[6].Id)

-	assert.Equal(s.T(), "shared-machine-1", listAllWithShared[5].Name)
-	assert.Equal(s.T(), "shared-machine-2", listAllWithShared[6].Name)
+	assert.Equal(s.T(), "otherNamespace-machine-1", listAllWithotherNamespace[5].Name)
+	assert.Equal(s.T(), "otherNamespace-machine-2", listAllWithotherNamespace[6].Name)

-	assert.True(s.T(), listAllWithShared[5].Registered)
-	assert.True(s.T(), listAllWithShared[6].Registered)
+	assert.True(s.T(), listAllWithotherNamespace[5].Registered)
+	assert.True(s.T(), listAllWithotherNamespace[6].Registered)

-	// Test list all nodes after added shared
-	listOnlySharedMachineNamespaceResult, err := ExecuteCommand(
+	// Test list all nodes after added otherNamespace
+	listOnlyotherNamespaceMachineNamespaceResult, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
 			"nodes",
 			"list",
 			"--namespace",
-			sharedNamespace.Name,
+			secondNamespace.Name,
 			"--output",
 			"json",
 		},
@@ -726,23 +729,31 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	)
 	assert.Nil(s.T(), err)

-	var listOnlySharedMachineNamespace []v1.Machine
+	var listOnlyotherNamespaceMachineNamespace []v1.Machine
 	err = json.Unmarshal(
-		[]byte(listOnlySharedMachineNamespaceResult),
-		&listOnlySharedMachineNamespace,
+		[]byte(listOnlyotherNamespaceMachineNamespaceResult),
+		&listOnlyotherNamespaceMachineNamespace,
 	)
 	assert.Nil(s.T(), err)

-	assert.Len(s.T(), listOnlySharedMachineNamespace, 2)
+	assert.Len(s.T(), listOnlyotherNamespaceMachineNamespace, 2)

-	assert.Equal(s.T(), uint64(6), listOnlySharedMachineNamespace[0].Id)
-	assert.Equal(s.T(), uint64(7), listOnlySharedMachineNamespace[1].Id)
+	assert.Equal(s.T(), uint64(6), listOnlyotherNamespaceMachineNamespace[0].Id)
+	assert.Equal(s.T(), uint64(7), listOnlyotherNamespaceMachineNamespace[1].Id)

-	assert.Equal(s.T(), "shared-machine-1", listOnlySharedMachineNamespace[0].Name)
-	assert.Equal(s.T(), "shared-machine-2", listOnlySharedMachineNamespace[1].Name)
+	assert.Equal(
+		s.T(),
+		"otherNamespace-machine-1",
+		listOnlyotherNamespaceMachineNamespace[0].Name,
+	)
+	assert.Equal(
+		s.T(),
+		"otherNamespace-machine-2",
+		listOnlyotherNamespaceMachineNamespace[1].Name,
+	)

-	assert.True(s.T(), listOnlySharedMachineNamespace[0].Registered)
-	assert.True(s.T(), listOnlySharedMachineNamespace[1].Registered)
+	assert.True(s.T(), listOnlyotherNamespaceMachineNamespace[0].Registered)
+	assert.True(s.T(), listOnlyotherNamespaceMachineNamespace[1].Registered)

 	// Delete a machines
 	_, err = ExecuteCommand(
@@ -786,120 +797,6 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	assert.Nil(s.T(), err)

 	assert.Len(s.T(), listOnlyMachineNamespaceAfterDelete, 4)
-
-	// test: share node
-
-	shareMachineResult, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"nodes",
-			"share",
-			"--namespace",
-			namespace.Name,
-			"--identifier",
-			"7",
-			"--output",
-			"json",
-		},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-
-	var shareMachine v1.Machine
-	err = json.Unmarshal([]byte(shareMachineResult), &shareMachine)
-	assert.Nil(s.T(), err)
-
-	assert.Equal(s.T(), uint64(7), shareMachine.Id)
-
-	assert.Equal(s.T(), "shared-machine-2", shareMachine.Name)
-
-	assert.True(s.T(), shareMachine.Registered)
-
-	// Test: list main namespace after machine has been shared
-	listOnlyMachineNamespaceAfterShareResult, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"nodes",
-			"list",
-			"--namespace",
-			namespace.Name,
-			"--output",
-			"json",
-		},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-
-	var listOnlyMachineNamespaceAfterShare []v1.Machine
-	err = json.Unmarshal(
-		[]byte(listOnlyMachineNamespaceAfterShareResult),
-		&listOnlyMachineNamespaceAfterShare,
-	)
-	assert.Nil(s.T(), err)
-
-	assert.Len(s.T(), listOnlyMachineNamespaceAfterShare, 5)
-
-	assert.Equal(s.T(), uint64(7), listOnlyMachineNamespaceAfterShare[4].Id)
-
-	assert.Equal(s.T(), "shared-machine-2", listOnlyMachineNamespaceAfterShare[4].Name)
-
-	assert.True(s.T(), listOnlyMachineNamespaceAfterShare[4].Registered)
-
-	// test: unshare node
-
-	unshareMachineResult, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"nodes",
-			"unshare",
-			"--namespace",
-			namespace.Name,
-			"--identifier",
-			"7",
-			"--output",
-			"json",
-		},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-
-	var unshareMachine v1.Machine
-	err = json.Unmarshal([]byte(unshareMachineResult), &unshareMachine)
-	assert.Nil(s.T(), err)
-
-	assert.Equal(s.T(), uint64(7), unshareMachine.Id)
-
-	assert.Equal(s.T(), "shared-machine-2", unshareMachine.Name)
-
-	assert.True(s.T(), unshareMachine.Registered)
-
-	// Test: list main namespace after machine has been shared
-	listOnlyMachineNamespaceAfterUnshareResult, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"nodes",
-			"list",
-			"--namespace",
-			namespace.Name,
-			"--output",
-			"json",
-		},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-
-	var listOnlyMachineNamespaceAfterUnshare []v1.Machine
-	err = json.Unmarshal(
-		[]byte(listOnlyMachineNamespaceAfterUnshareResult),
-		&listOnlyMachineNamespaceAfterUnshare,
-	)
-	assert.Nil(s.T(), err)
-
-	assert.Len(s.T(), listOnlyMachineNamespaceAfterUnshare, 4)
 }

 func (s *IntegrationCLITestSuite) TestNodeExpireCommand() {
--- a/integration_test.go
+++ b/integration_test.go
@@ -15,6 +15,7 @@ import (
 	"os"
 	"path"
 	"strings"
+	"sync"
 	"testing"
 	"time"

@@ -44,17 +45,19 @@ type IntegrationTestSuite struct {
 	headscale dockertest.Resource

 	namespaces map[string]TestNamespace
+
+	joinWaitGroup sync.WaitGroup
 }

 func TestIntegrationTestSuite(t *testing.T) {
 	s := new(IntegrationTestSuite)

 	s.namespaces = map[string]TestNamespace{
-		"main": {
-			count:      20,
+		"thisspace": {
+			count:      15,
 			tailscales: make(map[string]dockertest.Resource),
 		},
-		"shared": {
+		"otherspace": {
 			count:      5,
 			tailscales: make(map[string]dockertest.Resource),
 		},
@@ -118,7 +121,7 @@ func (s *IntegrationTestSuite) saveLog(
 		return err
 	}

-	fmt.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
+	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)

 	err = ioutil.WriteFile(
 		path.Join(basePath, resource.Container.Name+".stdout.log"),
@@ -141,6 +144,34 @@ func (s *IntegrationTestSuite) saveLog(
 	return nil
 }

+func (s *IntegrationTestSuite) Join(
+	endpoint, key, hostname string,
+	tailscale dockertest.Resource,
+) {
+	defer s.joinWaitGroup.Done()
+
+	command := []string{
+		"tailscale",
+		"up",
+		"-login-server",
+		endpoint,
+		"--authkey",
+		key,
+		"--hostname",
+		hostname,
+	}
+
+	log.Println("Join command:", command)
+	log.Printf("Running join command for %s\n", hostname)
+	_, err := ExecuteCommand(
+		&tailscale,
+		command,
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+	log.Printf("%s joined\n", hostname)
+}
+
 func (s *IntegrationTestSuite) tailscaleContainer(
 	namespace, identifier, version string,
 ) (string, *dockertest.Resource) {
@@ -178,7 +209,7 @@ func (s *IntegrationTestSuite) tailscaleContainer(
 	if err != nil {
 		log.Fatalf("Could not start resource: %s", err)
 	}
-	fmt.Printf("Created %s container\n", hostname)
+	log.Printf("Created %s container\n", hostname)

 	return hostname, pts
 }
@@ -221,15 +252,15 @@ func (s *IntegrationTestSuite) SetupSuite() {
 		Cmd:      []string{"headscale", "serve"},
 	}

-	fmt.Println("Creating headscale container")
+	log.Println("Creating headscale container")
 	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
 		s.headscale = *pheadscale
 	} else {
 		log.Fatalf("Could not start resource: %s", err)
 	}
-	fmt.Println("Created headscale container")
+	log.Println("Created headscale container")

-	fmt.Println("Creating tailscale containers")
+	log.Println("Creating tailscale containers")
 	for namespace, scales := range s.namespaces {
 		for i := 0; i < scales.count; i++ {
 			version := tailscaleVersions[i%len(tailscaleVersions)]
@@ -243,7 +274,7 @@ func (s *IntegrationTestSuite) SetupSuite() {
 		}
 	}

-	fmt.Println("Waiting for headscale to be ready")
+	log.Println("Waiting for headscale to be ready")
 	hostEndpoint := fmt.Sprintf("localhost:%s", s.headscale.GetPort("8080/tcp"))

 	if err := s.pool.Retry(func() error {
@@ -266,19 +297,19 @@ func (s *IntegrationTestSuite) SetupSuite() {
 		// https://github.com/stretchr/testify/issues/849
 		return // fmt.Errorf("Could not connect to headscale: %s", err)
 	}
-	fmt.Println("headscale container is ready")
+	log.Println("headscale container is ready")

 	for namespace, scales := range s.namespaces {
-		fmt.Printf("Creating headscale namespace: %s\n", namespace)
+		log.Printf("Creating headscale namespace: %s\n", namespace)
 		result, err := ExecuteCommand(
 			&s.headscale,
 			[]string{"headscale", "namespaces", "create", namespace},
 			[]string{},
 		)
-		fmt.Println("headscale create namespace result: ", result)
+		log.Println("headscale create namespace result: ", result)
 		assert.Nil(s.T(), err)

-		fmt.Printf("Creating pre auth key for %s\n", namespace)
+		log.Printf("Creating pre auth key for %s\n", namespace)
 		preAuthResult, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
@@ -304,33 +335,16 @@ func (s *IntegrationTestSuite) SetupSuite() {

 		headscaleEndpoint := "http://headscale:8080"

-		fmt.Printf(
+		log.Printf(
 			"Joining tailscale containers to headscale at %s\n",
 			headscaleEndpoint,
 		)
 		for hostname, tailscale := range scales.tailscales {
-			command := []string{
-				"tailscale",
-				"up",
-				"-login-server",
-				headscaleEndpoint,
-				"--authkey",
-				preAuthKey.Key,
-				"--hostname",
-				hostname,
-			}
-
-			fmt.Println("Join command:", command)
-			fmt.Printf("Running join command for %s\n", hostname)
-			result, err := ExecuteCommand(
-				&tailscale,
-				command,
-				[]string{},
-			)
-			fmt.Println("tailscale result: ", result)
-			assert.Nil(s.T(), err)
-			fmt.Printf("%s joined\n", hostname)
+			s.joinWaitGroup.Add(1)
+			go s.Join(headscaleEndpoint, preAuthKey.Key, hostname, tailscale)
 		}
+
+		s.joinWaitGroup.Wait()
 	}

 	// The nodes need a bit of time to get their updated maps from headscale
@@ -350,7 +364,7 @@ func (s *IntegrationTestSuite) HandleStats(

 func (s *IntegrationTestSuite) TestListNodes() {
 	for namespace, scales := range s.namespaces {
-		fmt.Println("Listing nodes")
+		log.Println("Listing nodes")
 		result, err := ExecuteCommand(
 			&s.headscale,
 			[]string{"headscale", "--namespace", namespace, "nodes", "list"},
@@ -358,7 +372,7 @@ func (s *IntegrationTestSuite) TestListNodes() {
 		)
 		assert.Nil(s.T(), err)

-		fmt.Printf("List nodes: \n%s\n", result)
+		log.Printf("List nodes: \n%s\n", result)

 		// Chck that the correct count of host is present in node list
 		lines := strings.Split(result, "\n")
@@ -381,7 +395,7 @@ func (s *IntegrationTestSuite) TestGetIpAddresses() {
 				s.T().Run(hostname, func(t *testing.T) {
 					assert.NotNil(t, ip)

-					fmt.Printf("IP for %s: %s\n", hostname, ip)
+					log.Printf("IP for %s: %s\n", hostname, ip)

 					// c.Assert(ip.Valid(), check.IsTrue)
 					assert.True(t, ip.Is4() || ip.Is6())
@@ -410,7 +424,7 @@ func (s *IntegrationTestSuite) TestGetIpAddresses() {
 //			s.T().Run(hostname, func(t *testing.T) {
 //				command := []string{"tailscale", "status", "--json"}
 //
-//				fmt.Printf("Getting status for %s\n", hostname)
+//				log.Printf("Getting status for %s\n", hostname)
 //				result, err := ExecuteCommand(
 //					&tailscale,
 //					command,
@@ -452,6 +466,7 @@ func getIPsfromIPNstate(status ipnstate.Status) []netaddr.IP {
 	return ips
 }

+// TODO: Adopt test for cross communication between namespaces
 func (s *IntegrationTestSuite) TestPingAllPeersByAddress() {
 	for _, scales := range s.namespaces {
 		ips, err := getIPs(scales.tailscales)
@@ -476,7 +491,7 @@ func (s *IntegrationTestSuite) TestPingAllPeersByAddress() {
 								ip.String(),
 							}

-							fmt.Printf(
+							log.Printf(
 								"Pinging from %s to %s (%s)\n",
 								hostname,
 								peername,
@@ -488,7 +503,7 @@ func (s *IntegrationTestSuite) TestPingAllPeersByAddress() {
 								[]string{},
 							)
 							assert.Nil(t, err)
-							fmt.Printf("Result for %s: %s\n", hostname, result)
+							log.Printf("Result for %s: %s\n", hostname, result)
 							assert.Contains(t, result, "pong")
 						})
 				}
@@ -497,111 +512,6 @@ func (s *IntegrationTestSuite) TestPingAllPeersByAddress() {
 	}
 }

-func (s *IntegrationTestSuite) TestSharedNodes() {
-	main := s.namespaces["main"]
-	shared := s.namespaces["shared"]
-
-	result, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"nodes",
-			"list",
-			"--output",
-			"json",
-			"--namespace",
-			"shared",
-		},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-
-	var machineList []v1.Machine
-	err = json.Unmarshal([]byte(result), &machineList)
-	assert.Nil(s.T(), err)
-
-	for _, machine := range machineList {
-		result, err := ExecuteCommand(
-			&s.headscale,
-			[]string{
-				"headscale",
-				"nodes",
-				"share",
-				"--identifier", fmt.Sprint(machine.Id),
-				"--namespace", "main",
-			},
-			[]string{},
-		)
-		assert.Nil(s.T(), err)
-
-		fmt.Println("Shared node with result: ", result)
-	}
-
-	result, err = ExecuteCommand(
-		&s.headscale,
-		[]string{"headscale", "nodes", "list", "--namespace", "main"},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-	fmt.Println("Nodelist after sharing", result)
-
-	// Chck that the correct count of host is present in node list
-	lines := strings.Split(result, "\n")
-	assert.Equal(s.T(), len(main.tailscales)+len(shared.tailscales), len(lines)-2)
-
-	for hostname := range main.tailscales {
-		assert.Contains(s.T(), result, hostname)
-	}
-
-	for hostname := range shared.tailscales {
-		assert.Contains(s.T(), result, hostname)
-	}
-
-	// TODO(juanfont): We have to find out why do we need to wait
-	time.Sleep(100 * time.Second) // Wait for the nodes to receive updates
-
-	sharedIps, err := getIPs(shared.tailscales)
-	assert.Nil(s.T(), err)
-
-	for hostname, tailscale := range main.tailscales {
-		for peername, peerIPs := range sharedIps {
-			for i, ip := range peerIPs {
-				// We currently cant ping ourselves, so skip that.
-				if peername == hostname {
-					continue
-				}
-				s.T().
-					Run(fmt.Sprintf("%s-%s-%d", hostname, peername, i), func(t *testing.T) {
-						// We are only interested in "direct ping" which means what we
-						// might need a couple of more attempts before reaching the node.
-						command := []string{
-							"tailscale", "ping",
-							"--timeout=15s",
-							"--c=20",
-							"--until-direct=true",
-							ip.String(),
-						}
-
-						fmt.Printf(
-							"Pinging from %s to %s (%s)\n",
-							hostname,
-							peername,
-							ip,
-						)
-						result, err := ExecuteCommand(
-							&tailscale,
-							command,
-							[]string{},
-						)
-						assert.Nil(t, err)
-						fmt.Printf("Result for %s: %s\n", hostname, result)
-						assert.Contains(t, result, "pong")
-					})
-			}
-		}
-	}
-}
-
 func (s *IntegrationTestSuite) TestTailDrop() {
 	for _, scales := range s.namespaces {
 		ips, err := getIPs(scales.tailscales)
@@ -616,6 +526,7 @@ func (s *IntegrationTestSuite) TestTailDrop() {
 				}
 				time.Sleep(sleepInverval)
 			}
+
 			return
 		}

@@ -638,7 +549,7 @@ func (s *IntegrationTestSuite) TestTailDrop() {
 						fmt.Sprintf("%s:", peername),
 					}
 					retry(10, 1*time.Second, func() error {
-						fmt.Printf(
+						log.Printf(
 							"Sending file from %s to %s\n",
 							hostname,
 							peername,
@@ -677,7 +588,7 @@ func (s *IntegrationTestSuite) TestTailDrop() {
 						"ls",
 						fmt.Sprintf("/tmp/file_from_%s", peername),
 					}
-					fmt.Printf(
+					log.Printf(
 						"Checking file in %s (%s) from %s (%s)\n",
 						hostname,
 						ips[hostname],
@@ -690,7 +601,7 @@ func (s *IntegrationTestSuite) TestTailDrop() {
 						[]string{},
 					)
 					assert.Nil(t, err)
-					fmt.Printf("Result for %s: %s\n", peername, result)
+					log.Printf("Result for %s: %s\n", peername, result)
 					assert.Equal(
 						t,
 						fmt.Sprintf("/tmp/file_from_%s\n", peername),
@@ -720,7 +631,7 @@ func (s *IntegrationTestSuite) TestPingAllPeersByHostname() {
 						fmt.Sprintf("%s.%s.headscale.net", peername, namespace),
 					}

-					fmt.Printf(
+					log.Printf(
 						"Pinging using hostname from %s to %s\n",
 						hostname,
 						peername,
@@ -731,7 +642,7 @@ func (s *IntegrationTestSuite) TestPingAllPeersByHostname() {
 						[]string{},
 					)
 					assert.Nil(t, err)
-					fmt.Printf("Result for %s: %s\n", hostname, result)
+					log.Printf("Result for %s: %s\n", hostname, result)
 					assert.Contains(t, result, "pong")
 				})
 			}
@@ -754,7 +665,7 @@ func (s *IntegrationTestSuite) TestMagicDNS() {
 						fmt.Sprintf("%s.%s.headscale.net", peername, namespace),
 					}

-					fmt.Printf(
+					log.Printf(
 						"Resolving name %s from %s\n",
 						peername,
 						hostname,
@@ -765,7 +676,7 @@ func (s *IntegrationTestSuite) TestMagicDNS() {
 						[]string{},
 					)
 					assert.Nil(t, err)
-					fmt.Printf("Result for %s: %s\n", hostname, result)
+					log.Printf("Result for %s: %s\n", hostname, result)

 					for _, ip := range ips {
 						assert.Contains(t, result, ip.String())
--- a/machine.go
+++ b/machine.go
@@ -3,7 +3,6 @@ package headscale
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"sort"
 	"strconv"
@@ -25,6 +24,11 @@ const (
 	errMachineAlreadyRegistered   = Error("machine already registered")
 	errMachineRouteIsNotAvailable = Error("route is not available on machine")
 	errMachineAddressesInvalid    = Error("failed to parse machine addresses")
+	errHostnameTooLong            = Error("Hostname too long")
+)
+
+const (
+	maxHostnameLength = 255
 )

 // Machine is a Headscale client.
@@ -119,15 +123,99 @@ func (machine Machine) isExpired() bool {
 	return time.Now().UTC().After(*machine.Expiry)
 }

-func (h *Headscale) getDirectPeers(machine *Machine) (Machines, error) {
+func containsAddresses(inputs []string, addrs []string) bool {
+	for _, addr := range addrs {
+		if containsString(inputs, addr) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// matchSourceAndDestinationWithRule.
+func matchSourceAndDestinationWithRule(
+	ruleSources []string,
+	ruleDestinations []string,
+	source []string,
+	destination []string,
+) bool {
+	return containsAddresses(ruleSources, source) &&
+		containsAddresses(ruleDestinations, destination)
+}
+
+// getFilteredByACLPeerss should return the list of peers authorized to be accessed from machine.
+func getFilteredByACLPeers(
+	machines []Machine,
+	rules []tailcfg.FilterRule,
+	machine *Machine,
+) Machines {
+	log.Trace().
+		Caller().
+		Str("machine", machine.Name).
+		Msg("Finding peers filtered by ACLs")
+
+	peers := make(map[uint64]Machine)
+	// Aclfilter peers here. We are itering through machines in all namespaces and search through the computed aclRules
+	// for match between rule SrcIPs and DstPorts. If the rule is a match we allow the machine to be viewable.
+	for _, peer := range machines {
+		if peer.ID == machine.ID {
+			continue
+		}
+		for _, rule := range rules {
+			var dst []string
+			for _, d := range rule.DstPorts {
+				dst = append(dst, d.IP)
+			}
+			if matchSourceAndDestinationWithRule(
+				rule.SrcIPs,
+				dst,
+				machine.IPAddresses.ToStringSlice(),
+				peer.IPAddresses.ToStringSlice(),
+			) || // match source and destination
+				matchSourceAndDestinationWithRule(
+					rule.SrcIPs,
+					dst,
+					machine.IPAddresses.ToStringSlice(),
+					[]string{"*"},
+				) || // match source and all destination
+				matchSourceAndDestinationWithRule(
+					rule.SrcIPs,
+					dst,
+					peer.IPAddresses.ToStringSlice(),
+					machine.IPAddresses.ToStringSlice(),
+				) { // match return path
+				peers[peer.ID] = peer
+			}
+		}
+	}
+
+	authorizedPeers := make([]Machine, 0, len(peers))
+	for _, m := range peers {
+		authorizedPeers = append(authorizedPeers, m)
+	}
+	sort.Slice(
+		authorizedPeers,
+		func(i, j int) bool { return authorizedPeers[i].ID < authorizedPeers[j].ID },
+	)
+
+	log.Trace().
+		Caller().
+		Str("machine", machine.Name).
+		Msgf("Found some machines: %v", machines)
+
+	return authorizedPeers
+}
+
+func (h *Headscale) ListPeers(machine *Machine) (Machines, error) {
 	log.Trace().
 		Caller().
 		Str("machine", machine.Name).
 		Msg("Finding direct peers")

 	machines := Machines{}
-	if err := h.db.Preload("Namespace").Where("namespace_id = ? AND machine_key <> ? AND registered",
-		machine.NamespaceID, machine.MachineKey).Find(&machines).Error; err != nil {
+	if err := h.db.Preload("AuthKey").Preload("AuthKey.Namespace").Preload("Namespace").Where("machine_key <> ? AND registered",
+		machine.MachineKey).Find(&machines).Error; err != nil {
 		log.Error().Err(err).Msg("Error accessing db")

 		return Machines{}, err
@@ -138,109 +226,40 @@ func (h *Headscale) getDirectPeers(machine *Machine) (Machines, error) {
 	log.Trace().
 		Caller().
 		Str("machine", machine.Name).
-		Msgf("Found direct machines: %s", machines.String())
+		Msgf("Found peers: %s", machines.String())

 	return machines, nil
 }

-// getShared fetches machines that are shared to the `Namespace` of the machine we are getting peers for.
-func (h *Headscale) getShared(machine *Machine) (Machines, error) {
-	log.Trace().
-		Caller().
-		Str("machine", machine.Name).
-		Msg("Finding shared peers")
+func (h *Headscale) getPeers(machine *Machine) (Machines, error) {
+	var peers Machines
+	var err error

-	sharedMachines := []SharedMachine{}
-	if err := h.db.Preload("Namespace").Preload("Machine").Preload("Machine.Namespace").Where("namespace_id = ?",
-		machine.NamespaceID).Find(&sharedMachines).Error; err != nil {
-		return Machines{}, err
-	}
-
-	peers := make(Machines, 0)
-	for _, sharedMachine := range sharedMachines {
-		peers = append(peers, sharedMachine.Machine)
-	}
-
-	sort.Slice(peers, func(i, j int) bool { return peers[i].ID < peers[j].ID })
-
-	log.Trace().
-		Caller().
-		Str("machine", machine.Name).
-		Msgf("Found shared peers: %s", peers.String())
-
-	return peers, nil
-}
-
-// getSharedTo fetches the machines of the namespaces this machine is shared in.
-func (h *Headscale) getSharedTo(machine *Machine) (Machines, error) {
-	log.Trace().
-		Caller().
-		Str("machine", machine.Name).
-		Msg("Finding peers in namespaces this machine is shared with")
-
-	sharedMachines := []SharedMachine{}
-	if err := h.db.Preload("Namespace").Preload("Machine").Preload("Machine.Namespace").Where("machine_id = ?",
-		machine.ID).Find(&sharedMachines).Error; err != nil {
-		return Machines{}, err
-	}
-
-	peers := make(Machines, 0)
-	for _, sharedMachine := range sharedMachines {
-		namespaceMachines, err := h.ListMachinesInNamespace(
-			sharedMachine.Namespace.Name,
-		)
+	// If ACLs rules are defined, filter visible host list with the ACLs
+	// else use the classic namespace scope
+	if h.aclPolicy != nil {
+		var machines []Machine
+		machines, err = h.ListMachines()
 		if err != nil {
+			log.Error().Err(err).Msg("Error retrieving list of machines")
+
+			return Machines{}, err
+		}
+		peers = getFilteredByACLPeers(machines, h.aclRules, machine)
+	} else {
+		peers, err = h.ListPeers(machine)
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Cannot fetch peers")
+
 			return Machines{}, err
 		}
-		peers = append(peers, namespaceMachines...)
 	}

 	sort.Slice(peers, func(i, j int) bool { return peers[i].ID < peers[j].ID })

-	log.Trace().
-		Caller().
-		Str("machine", machine.Name).
-		Msgf("Found peers we are shared with: %s", peers.String())
-
-	return peers, nil
-}
-
-func (h *Headscale) getPeers(machine *Machine) (Machines, error) {
-	direct, err := h.getDirectPeers(machine)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot fetch peers")
-
-		return Machines{}, err
-	}
-
-	shared, err := h.getShared(machine)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot fetch peers")
-
-		return Machines{}, err
-	}
-
-	sharedTo, err := h.getSharedTo(machine)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot fetch peers")
-
-		return Machines{}, err
-	}
-
-	peers := append(direct, shared...)
-	peers = append(peers, sharedTo...)
-
-	sort.Slice(peers, func(i, j int) bool { return peers[i].ID < peers[j].ID })
-
 	log.Trace().
 		Caller().
 		Str("machine", machine.Name).
@@ -347,11 +366,6 @@ func (h *Headscale) RefreshMachine(machine *Machine, expiry time.Time) {

 // DeleteMachine softs deletes a Machine from the database.
 func (h *Headscale) DeleteMachine(machine *Machine) error {
-	err := h.RemoveSharedMachineFromAllNamespaces(machine)
-	if err != nil && errors.Is(err, errMachineNotShared) {
-		return err
-	}
-
 	machine.Registered = false
 	h.db.Save(&machine) // we mark it as unregistered, just in case
 	if err := h.db.Delete(&machine).Error; err != nil {
@@ -371,11 +385,6 @@ func (h *Headscale) TouchMachine(machine *Machine) error {

 // HardDeleteMachine hard deletes a Machine from the database.
 func (h *Headscale) HardDeleteMachine(machine *Machine) error {
-	err := h.RemoveSharedMachineFromAllNamespaces(machine)
-	if err != nil && errors.Is(err, errMachineNotShared) {
-		return err
-	}
-
 	if err := h.db.Unscoped().Delete(&machine).Error; err != nil {
 		return err
 	}
@@ -407,17 +416,9 @@ func (h *Headscale) isOutdated(machine *Machine) bool {
 		return true
 	}

-	sharedMachines, _ := h.getShared(machine)
-
 	namespaceSet := set.New(set.ThreadSafe)
 	namespaceSet.Add(machine.Namespace.Name)

-	// Check if any of our shared namespaces has updates that we have
-	// not propagated.
-	for _, sharedMachine := range sharedMachines {
-		namespaceSet.Add(sharedMachine.Namespace.Name)
-	}
-
 	namespaces := make([]string, namespaceSet.Size())
 	for index, namespace := range namespaceSet.List() {
 		if name, ok := namespace.(string); ok {
@@ -532,6 +533,8 @@ func (machine Machine) toNode(
 		[]netaddr.IPPrefix{},
 		addrs...) // we append the node own IP, as it is required by the clients

+	// TODO(kradalby): Needs investigation, We probably dont need this condition
+	// now that we dont have shared nodes
 	if includeRoutes {
 		routesStr := []string{}
 		if len(machine.EnabledRoutes) != 0 {
@@ -600,6 +603,13 @@ func (machine Machine) toNode(
 			machine.Namespace.Name,
 			baseDomain,
 		)
+		if len(hostname) > maxHostnameLength {
+			return nil, fmt.Errorf(
+				"hostname %q is too long it cannot except 255 ASCII chars: %w",
+				hostname,
+				errHostnameTooLong,
+			)
+		}
 	} else {
 		hostname = machine.Name
 	}
@@ -740,6 +750,9 @@ func (h *Headscale) RegisterMachine(
 		return nil, err
 	}

+	h.ipAllocationMutex.Lock()
+	defer h.ipAllocationMutex.Unlock()
+
 	ips, err := h.getAvailableIPs()
 	if err != nil {
 		log.Error().
--- a/machine_test.go
+++ b/machine_test.go
@@ -1,11 +1,15 @@
 package headscale

 import (
+	"fmt"
+	"reflect"
 	"strconv"
+	"testing"
 	"time"

 	"gopkg.in/check.v1"
 	"inet.af/netaddr"
+	"tailscale.com/tailcfg"
 )

 func (s *Suite) TestGetMachine(c *check.C) {
@@ -114,7 +118,7 @@ func (s *Suite) TestHardDeleteMachine(c *check.C) {
 	c.Assert(err, check.NotNil)
 }

-func (s *Suite) TestGetDirectPeers(c *check.C) {
+func (s *Suite) TestListPeers(c *check.C) {
 	namespace, err := app.CreateNamespace("test")
 	c.Assert(err, check.IsNil)

@@ -145,7 +149,7 @@ func (s *Suite) TestGetDirectPeers(c *check.C) {
 	_, err = machine0ByID.GetHostInfo()
 	c.Assert(err, check.IsNil)

-	peersOfMachine0, err := app.getDirectPeers(machine0ByID)
+	peersOfMachine0, err := app.ListPeers(machine0ByID)
 	c.Assert(err, check.IsNil)

 	c.Assert(len(peersOfMachine0), check.Equals, 9)
@@ -154,6 +158,89 @@ func (s *Suite) TestGetDirectPeers(c *check.C) {
 	c.Assert(peersOfMachine0[8].Name, check.Equals, "testmachine10")
 }

+func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
+	type base struct {
+		namespace *Namespace
+		key       *PreAuthKey
+	}
+
+	stor := make([]base, 0)
+
+	for _, name := range []string{"test", "admin"} {
+		namespace, err := app.CreateNamespace(name)
+		c.Assert(err, check.IsNil)
+		pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+		c.Assert(err, check.IsNil)
+		stor = append(stor, base{namespace, pak})
+	}
+
+	_, err := app.GetMachineByID(0)
+	c.Assert(err, check.NotNil)
+
+	for index := 0; index <= 10; index++ {
+		machine := Machine{
+			ID:         uint64(index),
+			MachineKey: "foo" + strconv.Itoa(index),
+			NodeKey:    "bar" + strconv.Itoa(index),
+			DiscoKey:   "faa" + strconv.Itoa(index),
+			IPAddresses: MachineAddresses{
+				netaddr.MustParseIP(fmt.Sprintf("100.64.0.%v", strconv.Itoa(index+1))),
+			},
+			Name:           "testmachine" + strconv.Itoa(index),
+			NamespaceID:    stor[index%2].namespace.ID,
+			Registered:     true,
+			RegisterMethod: RegisterMethodAuthKey,
+			AuthKeyID:      uint(stor[index%2].key.ID),
+		}
+		app.db.Save(&machine)
+	}
+
+	app.aclPolicy = &ACLPolicy{
+		Groups: map[string][]string{
+			"group:test": {"admin"},
+		},
+		Hosts:     map[string]netaddr.IPPrefix{},
+		TagOwners: map[string][]string{},
+		ACLs: []ACL{
+			{Action: "accept", Users: []string{"admin"}, Ports: []string{"*:*"}},
+			{Action: "accept", Users: []string{"test"}, Ports: []string{"test:*"}},
+		},
+		Tests: []ACLTest{},
+	}
+
+	err = app.UpdateACLRules()
+	c.Assert(err, check.IsNil)
+
+	adminMachine, err := app.GetMachineByID(1)
+	c.Logf("Machine(%v), namespace: %v", adminMachine.Name, adminMachine.Namespace)
+	c.Assert(err, check.IsNil)
+
+	testMachine, err := app.GetMachineByID(2)
+	c.Logf("Machine(%v), namespace: %v", testMachine.Name, testMachine.Namespace)
+	c.Assert(err, check.IsNil)
+
+	_, err = testMachine.GetHostInfo()
+	c.Assert(err, check.IsNil)
+
+	machines, err := app.ListMachines()
+	c.Assert(err, check.IsNil)
+
+	peersOfTestMachine := getFilteredByACLPeers(machines, app.aclRules, testMachine)
+	peersOfAdminMachine := getFilteredByACLPeers(machines, app.aclRules, adminMachine)
+
+	c.Log(peersOfTestMachine)
+	c.Assert(len(peersOfTestMachine), check.Equals, 4)
+	c.Assert(peersOfTestMachine[0].Name, check.Equals, "testmachine4")
+	c.Assert(peersOfTestMachine[1].Name, check.Equals, "testmachine6")
+	c.Assert(peersOfTestMachine[3].Name, check.Equals, "testmachine10")
+
+	c.Log(peersOfAdminMachine)
+	c.Assert(len(peersOfAdminMachine), check.Equals, 9)
+	c.Assert(peersOfAdminMachine[0].Name, check.Equals, "testmachine2")
+	c.Assert(peersOfAdminMachine[2].Name, check.Equals, "testmachine4")
+	c.Assert(peersOfAdminMachine[5].Name, check.Equals, "testmachine7")
+}
+
 func (s *Suite) TestExpireMachine(c *check.C) {
 	namespace, err := app.CreateNamespace("test")
 	c.Assert(err, check.IsNil)
@@ -208,3 +295,178 @@ func (s *Suite) TestSerdeAddressStrignSlice(c *check.C) {
 		c.Assert(deserialized[i], check.Equals, input[i])
 	}
 }
+
+func Test_getFilteredByACLPeers(t *testing.T) {
+	type args struct {
+		machines []Machine
+		rules    []tailcfg.FilterRule
+		machine  *Machine
+	}
+	tests := []struct {
+		name string
+		args args
+		want Machines
+	}{
+		{
+			name: "all hosts can talk to each other",
+			args: args{
+				machines: []Machine{ // list of all machines in the database
+					{
+						ID: 1,
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+					{
+						ID: 2,
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "marc"},
+					},
+					{
+						ID: 3,
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.3"),
+						},
+						Namespace: Namespace{Name: "mickael"},
+					},
+				},
+				rules: []tailcfg.FilterRule{ // list of all ACLRules registered
+					{
+						SrcIPs: []string{"100.64.0.1", "100.64.0.2", "100.64.0.3"},
+						DstPorts: []tailcfg.NetPortRange{
+							{IP: "*"},
+						},
+					},
+				},
+				machine: &Machine{ // current machine
+					ID:          1,
+					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
+					Namespace:   Namespace{Name: "joe"},
+				},
+			},
+			want: Machines{
+				{
+					ID:          2,
+					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.2")},
+					Namespace:   Namespace{Name: "marc"},
+				},
+				{
+					ID:          3,
+					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.3")},
+					Namespace:   Namespace{Name: "mickael"},
+				},
+			},
+		},
+		{
+			name: "One host can talk to another, but not all hosts",
+			args: args{
+				machines: []Machine{ // list of all machines in the database
+					{
+						ID: 1,
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+					{
+						ID: 2,
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "marc"},
+					},
+					{
+						ID: 3,
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.3"),
+						},
+						Namespace: Namespace{Name: "mickael"},
+					},
+				},
+				rules: []tailcfg.FilterRule{ // list of all ACLRules registered
+					{
+						SrcIPs: []string{"100.64.0.1", "100.64.0.2", "100.64.0.3"},
+						DstPorts: []tailcfg.NetPortRange{
+							{IP: "100.64.0.2"},
+						},
+					},
+				},
+				machine: &Machine{ // current machine
+					ID:          1,
+					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
+					Namespace:   Namespace{Name: "joe"},
+				},
+			},
+			want: Machines{
+				{
+					ID:          2,
+					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.2")},
+					Namespace:   Namespace{Name: "marc"},
+				},
+			},
+		},
+		{
+			name: "host cannot directly talk to destination, but return path is authorized",
+			args: args{
+				machines: []Machine{ // list of all machines in the database
+					{
+						ID: 1,
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+					{
+						ID: 2,
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "marc"},
+					},
+					{
+						ID: 3,
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.3"),
+						},
+						Namespace: Namespace{Name: "mickael"},
+					},
+				},
+				rules: []tailcfg.FilterRule{ // list of all ACLRules registered
+					{
+						SrcIPs: []string{"100.64.0.3"},
+						DstPorts: []tailcfg.NetPortRange{
+							{IP: "100.64.0.2"},
+						},
+					},
+				},
+				machine: &Machine{ // current machine
+					ID:          1,
+					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.2")},
+					Namespace:   Namespace{Name: "marc"},
+				},
+			},
+			want: Machines{
+				{
+					ID:          3,
+					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.3")},
+					Namespace:   Namespace{Name: "mickael"},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := getFilteredByACLPeers(
+				tt.args.machines,
+				tt.args.rules,
+				tt.args.machine,
+			)
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("getFilteredByACLPeers() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/namespaces.go
+++ b/namespaces.go
@@ -2,7 +2,10 @@ package headscale

 import (
 	"errors"
+	"fmt"
+	"regexp"
 	"strconv"
+	"strings"
 	"time"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
@@ -16,8 +19,16 @@ const (
 	errNamespaceExists          = Error("Namespace already exists")
 	errNamespaceNotFound        = Error("Namespace not found")
 	errNamespaceNotEmptyOfNodes = Error("Namespace not empty: node(s) found")
+	errInvalidNamespaceName     = Error("Invalid namespace name")
 )

+const (
+	// value related to RFC 1123 and 952.
+	labelHostnameLength = 63
+)
+
+var invalidCharsInNamespaceRegex = regexp.MustCompile("[^a-z0-9-.]+")
+
 // Namespace is the way Headscale implements the concept of users in Tailscale
 //
 // At the end of the day, users in Tailscale are some kind of 'bubbles' or namespaces
@@ -30,6 +41,10 @@ type Namespace struct {
 // CreateNamespace creates a new Namespace. Returns error if could not be created
 // or another namespace already exists.
 func (h *Headscale) CreateNamespace(name string) (*Namespace, error) {
+	err := CheckNamespaceName(name)
+	if err != nil {
+		return nil, err
+	}
 	namespace := Namespace{}
 	if err := h.db.Where("name = ?", name).First(&namespace).Error; err == nil {
 		return nil, errNamespaceExists
@@ -84,10 +99,15 @@ func (h *Headscale) DestroyNamespace(name string) error {
 // RenameNamespace renames a Namespace. Returns error if the Namespace does
 // not exist or if another Namespace exists with the new name.
 func (h *Headscale) RenameNamespace(oldName, newName string) error {
+	var err error
 	oldNamespace, err := h.GetNamespace(oldName)
 	if err != nil {
 		return err
 	}
+	err = CheckNamespaceName(newName)
+	if err != nil {
+		return err
+	}
 	_, err = h.GetNamespace(newName)
 	if err == nil {
 		return errNamespaceExists
@@ -130,6 +150,10 @@ func (h *Headscale) ListNamespaces() ([]Namespace, error) {

 // ListMachinesInNamespace gets all the nodes in a given namespace.
 func (h *Headscale) ListMachinesInNamespace(name string) ([]Machine, error) {
+	err := CheckNamespaceName(name)
+	if err != nil {
+		return nil, err
+	}
 	namespace, err := h.GetNamespace(name)
 	if err != nil {
 		return nil, err
@@ -143,33 +167,12 @@ func (h *Headscale) ListMachinesInNamespace(name string) ([]Machine, error) {
 	return machines, nil
 }

-// ListSharedMachinesInNamespace returns all the machines that are shared to the specified namespace.
-func (h *Headscale) ListSharedMachinesInNamespace(name string) ([]Machine, error) {
-	namespace, err := h.GetNamespace(name)
-	if err != nil {
-		return nil, err
-	}
-	sharedMachines := []SharedMachine{}
-	if err := h.db.Preload("Namespace").Where(&SharedMachine{NamespaceID: namespace.ID}).Find(&sharedMachines).Error; err != nil {
-		return nil, err
-	}
-
-	machines := []Machine{}
-	for _, sharedMachine := range sharedMachines {
-		machine, err := h.GetMachineByID(
-			sharedMachine.MachineID,
-		) // otherwise not everything comes filled
-		if err != nil {
-			return nil, err
-		}
-		machines = append(machines, *machine)
-	}
-
-	return machines, nil
-}
-
 // SetMachineNamespace assigns a Machine to a namespace.
 func (h *Headscale) SetMachineNamespace(machine *Machine, namespaceName string) error {
+	err := CheckNamespaceName(namespaceName)
+	if err != nil {
+		return err
+	}
 	namespace, err := h.GetNamespace(namespaceName)
 	if err != nil {
 		return err
@@ -233,3 +236,55 @@ func (n *Namespace) toProto() *v1.Namespace {
 		CreatedAt: timestamppb.New(n.CreatedAt),
 	}
 }
+
+// NormalizeNamespaceName will replace forbidden chars in namespace
+// it can also return an error if the namespace doesn't respect RFC 952 and 1123.
+func NormalizeNamespaceName(name string, stripEmailDomain bool) (string, error) {
+	name = strings.ToLower(name)
+	name = strings.ReplaceAll(name, "'", "")
+	atIdx := strings.Index(name, "@")
+	if stripEmailDomain && atIdx > 0 {
+		name = name[:atIdx]
+	} else {
+		name = strings.ReplaceAll(name, "@", ".")
+	}
+	name = invalidCharsInNamespaceRegex.ReplaceAllString(name, "-")
+
+	for _, elt := range strings.Split(name, ".") {
+		if len(elt) > labelHostnameLength {
+			return "", fmt.Errorf(
+				"label %v is more than 63 chars: %w",
+				elt,
+				errInvalidNamespaceName,
+			)
+		}
+	}
+
+	return name, nil
+}
+
+func CheckNamespaceName(name string) error {
+	if len(name) > labelHostnameLength {
+		return fmt.Errorf(
+			"Namespace must not be over 63 chars. %v doesn't comply with this rule: %w",
+			name,
+			errInvalidNamespaceName,
+		)
+	}
+	if strings.ToLower(name) != name {
+		return fmt.Errorf(
+			"Namespace name should be lowercase. %v doesn't comply with this rule: %w",
+			name,
+			errInvalidNamespaceName,
+		)
+	}
+	if invalidCharsInNamespaceRegex.MatchString(name) {
+		return fmt.Errorf(
+			"Namespace name should only be composed of lowercase ASCII letters numbers, hyphen and dots. %v doesn't comply with theses rules: %w",
+			name,
+			errInvalidNamespaceName,
+		)
+	}
+
+	return nil
+}
--- a/namespaces_test.go
+++ b/namespaces_test.go
@@ -1,7 +1,8 @@
 package headscale

 import (
-	"github.com/rs/zerolog/log"
+	"testing"
+
 	"gopkg.in/check.v1"
 	"gorm.io/gorm"
 	"inet.af/netaddr"
@@ -72,23 +73,23 @@ func (s *Suite) TestRenameNamespace(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(len(namespaces), check.Equals, 1)

-	err = app.RenameNamespace("test", "test_renamed")
+	err = app.RenameNamespace("test", "test-renamed")
 	c.Assert(err, check.IsNil)

 	_, err = app.GetNamespace("test")
 	c.Assert(err, check.Equals, errNamespaceNotFound)

-	_, err = app.GetNamespace("test_renamed")
+	_, err = app.GetNamespace("test-renamed")
 	c.Assert(err, check.IsNil)

-	err = app.RenameNamespace("test_does_not_exit", "test")
+	err = app.RenameNamespace("test-does-not-exit", "test")
 	c.Assert(err, check.Equals, errNamespaceNotFound)

 	namespaceTest2, err := app.CreateNamespace("test2")
 	c.Assert(err, check.IsNil)
 	c.Assert(namespaceTest2.Name, check.Equals, "test2")

-	err = app.RenameNamespace("test2", "test_renamed")
+	err = app.RenameNamespace("test2", "test-renamed")
 	c.Assert(err, check.Equals, errNamespaceExists)
 }

@@ -206,8 +207,6 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 	}
 	app.db.Save(machine2InShared1)

-	err = app.AddSharedMachineToNamespace(machineInShared2, namespaceShared1)
-	c.Assert(err, check.IsNil)
 	peersOfMachine1InShared1, err := app.getPeers(machineInShared1)
 	c.Assert(err, check.IsNil)

@@ -216,8 +215,7 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 		peersOfMachine1InShared1,
 	)

-	log.Trace().Msgf("userProfiles %#v", userProfiles)
-	c.Assert(len(userProfiles), check.Equals, 2)
+	c.Assert(len(userProfiles), check.Equals, 3)

 	found := false
 	for _, userProfiles := range userProfiles {
@@ -239,3 +237,143 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 	}
 	c.Assert(found, check.Equals, true)
 }
+
+func TestNormalizeNamespaceName(t *testing.T) {
+	type args struct {
+		name             string
+		stripEmailDomain bool
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    string
+		wantErr bool
+	}{
+		{
+			name: "normalize simple name",
+			args: args{
+				name:             "normalize-simple.name",
+				stripEmailDomain: false,
+			},
+			want:    "normalize-simple.name",
+			wantErr: false,
+		},
+		{
+			name: "normalize an email",
+			args: args{
+				name:             "foo.bar@example.com",
+				stripEmailDomain: false,
+			},
+			want:    "foo.bar.example.com",
+			wantErr: false,
+		},
+		{
+			name: "normalize an email domain should be removed",
+			args: args{
+				name:             "foo.bar@example.com",
+				stripEmailDomain: true,
+			},
+			want:    "foo.bar",
+			wantErr: false,
+		},
+		{
+			name: "strip enabled no email passed as argument",
+			args: args{
+				name:             "not-email-and-strip-enabled",
+				stripEmailDomain: true,
+			},
+			want:    "not-email-and-strip-enabled",
+			wantErr: false,
+		},
+		{
+			name: "normalize complex email",
+			args: args{
+				name:             "foo.bar+complex-email@example.com",
+				stripEmailDomain: false,
+			},
+			want:    "foo.bar-complex-email.example.com",
+			wantErr: false,
+		},
+		{
+			name: "namespace name with space",
+			args: args{
+				name:             "name space",
+				stripEmailDomain: false,
+			},
+			want:    "name-space",
+			wantErr: false,
+		},
+		{
+			name: "namespace with quote",
+			args: args{
+				name:             "Jamie's iPhone 5",
+				stripEmailDomain: false,
+			},
+			want:    "jamies-iphone-5",
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := NormalizeNamespaceName(tt.args.name, tt.args.stripEmailDomain)
+			if (err != nil) != tt.wantErr {
+				t.Errorf(
+					"NormalizeNamespaceName() error = %v, wantErr %v",
+					err,
+					tt.wantErr,
+				)
+
+				return
+			}
+			if got != tt.want {
+				t.Errorf("NormalizeNamespaceName() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestCheckNamespaceName(t *testing.T) {
+	type args struct {
+		name string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name:    "valid: namespace",
+			args:    args{name: "valid-namespace"},
+			wantErr: false,
+		},
+		{
+			name:    "invalid: capitalized namespace",
+			args:    args{name: "Invalid-CapItaLIzed-namespace"},
+			wantErr: true,
+		},
+		{
+			name:    "invalid: email as namespace",
+			args:    args{name: "foo.bar@example.com"},
+			wantErr: true,
+		},
+		{
+			name:    "invalid: chars in namespace name",
+			args:    args{name: "super-namespace+name"},
+			wantErr: true,
+		},
+		{
+			name: "invalid: too long name for namespace",
+			args: args{
+				name: "super-long-namespace-name-that-should-be-a-little-more-than-63-chars",
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := CheckNamespaceName(tt.args.name); (err != nil) != tt.wantErr {
+				t.Errorf("CheckNamespaceName() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
--- a/oidc.go
+++ b/oidc.go
@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"html/template"
 	"net/http"
-	"regexp"
 	"strings"
 	"time"

@@ -282,109 +281,92 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {

 	now := time.Now().UTC()

-	if namespaceName, ok := h.getNamespaceFromEmail(claims.Email); ok {
-		// register the machine if it's new
-		if !machine.Registered {
-			log.Debug().Msg("Registering new machine after successful callback")
-
-			namespace, err := h.GetNamespace(namespaceName)
-			if errors.Is(err, gorm.ErrRecordNotFound) {
-				namespace, err = h.CreateNamespace(namespaceName)
-
-				if err != nil {
-					log.Error().
-						Err(err).
-						Caller().
-						Msgf("could not create new namespace '%s'", namespaceName)
-					ctx.String(
-						http.StatusInternalServerError,
-						"could not create new namespace",
-					)
-
-					return
-				}
-			} else if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Str("namespace", namespaceName).
-					Msg("could not find or create namespace")
-				ctx.String(
-					http.StatusInternalServerError,
-					"could not find or create namespace",
-				)
-
-				return
-			}
-
-			ips, err := h.getAvailableIPs()
-			if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("could not get an IP from the pool")
-				ctx.String(
-					http.StatusInternalServerError,
-					"could not get an IP from the pool",
-				)
-
-				return
-			}
-
-			machine.IPAddresses = ips
-			machine.NamespaceID = namespace.ID
-			machine.Registered = true
-			machine.RegisterMethod = RegisterMethodOIDC
-			machine.LastSuccessfulUpdate = &now
-			machine.Expiry = &requestedTime
-			h.db.Save(&machine)
-		}
-
-		var content bytes.Buffer
-		if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
-			User: claims.Email,
-			Verb: "Authenticated",
-		}); err != nil {
-			log.Error().
-				Str("func", "OIDCCallback").
-				Str("type", "authenticate").
-				Err(err).
-				Msg("Could not render OIDC callback template")
-			ctx.Data(
-				http.StatusInternalServerError,
-				"text/html; charset=utf-8",
-				[]byte("Could not render OIDC callback template"),
-			)
-		}
-
-		ctx.Data(http.StatusOK, "text/html; charset=utf-8", content.Bytes())
+	namespaceName, err := NormalizeNamespaceName(
+		claims.Email,
+		h.cfg.OIDC.StripEmaildomain,
+	)
+	if err != nil {
+		log.Error().Err(err).Caller().Msgf("couldn't normalize email")
+		ctx.String(
+			http.StatusInternalServerError,
+			"couldn't normalize email",
+		)

 		return
 	}
+	// register the machine if it's new
+	if !machine.Registered {
+		log.Debug().Msg("Registering new machine after successful callback")

-	log.Error().
-		Caller().
-		Str("email", claims.Email).
-		Str("username", claims.Username).
-		Str("machine", machine.Name).
-		Msg("Email could not be mapped to a namespace")
-	ctx.String(
-		http.StatusBadRequest,
-		"email from claim could not be mapped to a namespace",
-	)
-}
+		namespace, err := h.GetNamespace(namespaceName)
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			namespace, err = h.CreateNamespace(namespaceName)

-// getNamespaceFromEmail passes the users email through a list of "matchers"
-// and iterates through them until it matches and returns a namespace.
-// If no match is found, an empty string will be returned.
-// TODO(kradalby): golang Maps key order is not stable, so this list is _not_ deterministic. Find a way to make the list of keys stable, preferably in the order presented in a users configuration.
-func (h *Headscale) getNamespaceFromEmail(email string) (string, bool) {
-	for match, namespace := range h.cfg.OIDC.MatchMap {
-		regex := regexp.MustCompile(match)
-		if regex.MatchString(email) {
-			return namespace, true
+			if err != nil {
+				log.Error().
+					Err(err).
+					Caller().
+					Msgf("could not create new namespace '%s'", namespaceName)
+				ctx.String(
+					http.StatusInternalServerError,
+					"could not create new namespace",
+				)
+
+				return
+			}
+		} else if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Str("namespace", namespaceName).
+				Msg("could not find or create namespace")
+			ctx.String(
+				http.StatusInternalServerError,
+				"could not find or create namespace",
+			)
+
+			return
 		}
+
+		ips, err := h.getAvailableIPs()
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("could not get an IP from the pool")
+			ctx.String(
+				http.StatusInternalServerError,
+				"could not get an IP from the pool",
+			)
+
+			return
+		}
+
+		machine.IPAddresses = ips
+		machine.NamespaceID = namespace.ID
+		machine.Registered = true
+		machine.RegisterMethod = RegisterMethodOIDC
+		machine.LastSuccessfulUpdate = &now
+		machine.Expiry = &requestedTime
+		h.db.Save(&machine)
 	}

-	return "", false
+	var content bytes.Buffer
+	if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
+		User: claims.Email,
+		Verb: "Authenticated",
+	}); err != nil {
+		log.Error().
+			Str("func", "OIDCCallback").
+			Str("type", "authenticate").
+			Err(err).
+			Msg("Could not render OIDC callback template")
+		ctx.Data(
+			http.StatusInternalServerError,
+			"text/html; charset=utf-8",
+			[]byte("Could not render OIDC callback template"),
+		)
+	}
+
+	ctx.Data(http.StatusOK, "text/html; charset=utf-8", content.Bytes())
 }
--- a/oidc_test.go
+++ b/oidc_test.go
@@ -1,180 +0,0 @@
-package headscale
-
-import (
-	"sync"
-	"testing"
-
-	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/patrickmn/go-cache"
-	"golang.org/x/oauth2"
-	"gorm.io/gorm"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
-)
-
-func TestHeadscale_getNamespaceFromEmail(t *testing.T) {
-	type fields struct {
-		cfg             Config
-		db              *gorm.DB
-		dbString        string
-		dbType          string
-		dbDebug         bool
-		privateKey      *key.MachinePrivate
-		aclPolicy       *ACLPolicy
-		aclRules        []tailcfg.FilterRule
-		lastStateChange sync.Map
-		oidcProvider    *oidc.Provider
-		oauth2Config    *oauth2.Config
-		oidcStateCache  *cache.Cache
-	}
-	type args struct {
-		email string
-	}
-	tests := []struct {
-		name   string
-		fields fields
-		args   args
-		want   string
-		want1  bool
-	}{
-		{
-			name: "match all",
-			fields: fields{
-				cfg: Config{
-					OIDC: OIDCConfig{
-						MatchMap: map[string]string{
-							".*": "space",
-						},
-					},
-				},
-			},
-			args: args{
-				email: "test@example.no",
-			},
-			want:  "space",
-			want1: true,
-		},
-		{
-			name: "match user",
-			fields: fields{
-				cfg: Config{
-					OIDC: OIDCConfig{
-						MatchMap: map[string]string{
-							"specific@user\\.no": "user-namespace",
-						},
-					},
-				},
-			},
-			args: args{
-				email: "specific@user.no",
-			},
-			want:  "user-namespace",
-			want1: true,
-		},
-		{
-			name: "match domain",
-			fields: fields{
-				cfg: Config{
-					OIDC: OIDCConfig{
-						MatchMap: map[string]string{
-							".*@example\\.no": "example",
-						},
-					},
-				},
-			},
-			args: args{
-				email: "test@example.no",
-			},
-			want:  "example",
-			want1: true,
-		},
-		{
-			name: "multi match domain",
-			fields: fields{
-				cfg: Config{
-					OIDC: OIDCConfig{
-						MatchMap: map[string]string{
-							".*@example\\.no": "exammple",
-							".*@gmail\\.com":  "gmail",
-						},
-					},
-				},
-			},
-			args: args{
-				email: "someuser@gmail.com",
-			},
-			want:  "gmail",
-			want1: true,
-		},
-		{
-			name: "no match domain",
-			fields: fields{
-				cfg: Config{
-					OIDC: OIDCConfig{
-						MatchMap: map[string]string{
-							".*@dontknow.no": "never",
-						},
-					},
-				},
-			},
-			args: args{
-				email: "test@wedontknow.no",
-			},
-			want:  "",
-			want1: false,
-		},
-		{
-			name: "multi no match domain",
-			fields: fields{
-				cfg: Config{
-					OIDC: OIDCConfig{
-						MatchMap: map[string]string{
-							".*@dontknow.no":   "never",
-							".*@wedontknow.no": "other",
-							".*\\.no":          "stuffy",
-						},
-					},
-				},
-			},
-			args: args{
-				email: "tasy@nonofthem.com",
-			},
-			want:  "",
-			want1: false,
-		},
-	}
-	//nolint
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			app := &Headscale{
-				cfg:             test.fields.cfg,
-				db:              test.fields.db,
-				dbString:        test.fields.dbString,
-				dbType:          test.fields.dbType,
-				dbDebug:         test.fields.dbDebug,
-				privateKey:      test.fields.privateKey,
-				aclPolicy:       test.fields.aclPolicy,
-				aclRules:        test.fields.aclRules,
-				lastStateChange: test.fields.lastStateChange,
-				oidcProvider:    test.fields.oidcProvider,
-				oauth2Config:    test.fields.oauth2Config,
-				oidcStateCache:  test.fields.oidcStateCache,
-			}
-			got, got1 := app.getNamespaceFromEmail(test.args.email)
-			if got != test.want {
-				t.Errorf(
-					"Headscale.getNamespaceFromEmail() got = %v, want %v",
-					got,
-					test.want,
-				)
-			}
-			if got1 != test.want1 {
-				t.Errorf(
-					"Headscale.getNamespaceFromEmail() got1 = %v, want %v",
-					got1,
-					test.want1,
-				)
-			}
-		})
-	}
-}
--- a/poll.go
+++ b/poll.go
@@ -85,12 +85,26 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
 		Str("machine", machine.Name).
 		Msg("Found machine in database")

-	hostinfo, _ := json.Marshal(req.Hostinfo)
+	hostinfo, err := json.Marshal(req.Hostinfo)
+	if err != nil {
+		return
+	}
 	machine.Name = req.Hostinfo.Hostname
 	machine.HostInfo = datatypes.JSON(hostinfo)
 	machine.DiscoKey = DiscoPublicKeyStripPrefix(req.DiscoKey)
 	now := time.Now().UTC()

+	// update ACLRules with peer informations (to update server tags if necessary)
+	if h.aclPolicy != nil {
+		err = h.UpdateACLRules()
+		if err != nil {
+			log.Error().
+				Caller().
+				Str("func", "handleAuthKey").
+				Str("machine", machine.Name).
+				Err(err)
+		}
+	}
 	// From Tailscale client:
 	//
 	// ReadOnly is whether the client just wants to fetch the MapResponse,
@@ -100,7 +114,17 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
 	// The intended use is for clients to discover the DERP map at start-up
 	// before their first real endpoint update.
 	if !req.ReadOnly {
-		endpoints, _ := json.Marshal(req.Endpoints)
+		endpoints, err := json.Marshal(req.Endpoints)
+		if err != nil {
+			log.Error().
+				Caller().
+				Str("func", "PollNetMapHandler").
+				Err(err).
+				Msg("Failed to mashal requested endpoints for the client")
+			ctx.String(http.StatusInternalServerError, ":(")
+
+			return
+		}
 		machine.Endpoints = datatypes.JSON(endpoints)
 		machine.LastSeen = &now
 	}
--- a/proto/headscale/v1/headscale.proto
+++ b/proto/headscale/v1/headscale.proto
@@ -104,18 +104,6 @@ service HeadscaleService {
            get: "/api/v1/machine"
        };
    }
-
-    rpc ShareMachine(ShareMachineRequest) returns (ShareMachineResponse) {
-        option (google.api.http) = {
-            post: "/api/v1/machine/{machine_id}/share/{namespace}"
-        };
-    }
-
-    rpc UnshareMachine(UnshareMachineRequest) returns (UnshareMachineResponse) {
-        option (google.api.http) = {
-            post: "/api/v1/machine/{machine_id}/unshare/{namespace}"
-        };
-    }
    // --- Machine end ---

    // --- Route start ---
--- a/proto/headscale/v1/machine.proto
+++ b/proto/headscale/v1/machine.proto
@@ -80,24 +80,6 @@ message ListMachinesResponse {
    repeated Machine machines = 1;
 }

-message ShareMachineRequest {
-    uint64 machine_id = 1;
-    string namespace  = 2;
-}
-
-message ShareMachineResponse {
-    Machine machine = 1;
-}
-
-message UnshareMachineRequest {
-    uint64 machine_id = 1;
-    string namespace  = 2;
-}
-
-message UnshareMachineResponse {
-    Machine machine = 1;
-}
-
 message DebugCreateMachineRequest {
    string namespace       = 1;
    string          key    = 2;
--- a/sharing.go
+++ b/sharing.go
@@ -1,81 +0,0 @@
-package headscale
-
-import "gorm.io/gorm"
-
-const (
-	errSameNamespace        = Error("Destination namespace same as origin")
-	errMachineAlreadyShared = Error("Node already shared to this namespace")
-	errMachineNotShared     = Error("Machine not shared to this namespace")
-)
-
-// SharedMachine is a join table to support sharing nodes between namespaces.
-type SharedMachine struct {
-	gorm.Model
-	MachineID   uint64
-	Machine     Machine
-	NamespaceID uint
-	Namespace   Namespace
-}
-
-// AddSharedMachineToNamespace adds a machine as a shared node to a namespace.
-func (h *Headscale) AddSharedMachineToNamespace(
-	machine *Machine,
-	namespace *Namespace,
-) error {
-	if machine.NamespaceID == namespace.ID {
-		return errSameNamespace
-	}
-
-	sharedMachines := []SharedMachine{}
-	if err := h.db.Where("machine_id = ? AND namespace_id = ?", machine.ID, namespace.ID).Find(&sharedMachines).Error; err != nil {
-		return err
-	}
-	if len(sharedMachines) > 0 {
-		return errMachineAlreadyShared
-	}
-
-	sharedMachine := SharedMachine{
-		MachineID:   machine.ID,
-		Machine:     *machine,
-		NamespaceID: namespace.ID,
-		Namespace:   *namespace,
-	}
-	h.db.Save(&sharedMachine)
-
-	return nil
-}
-
-// RemoveSharedMachineFromNamespace removes a shared machine from a namespace.
-func (h *Headscale) RemoveSharedMachineFromNamespace(
-	machine *Machine,
-	namespace *Namespace,
-) error {
-	if machine.NamespaceID == namespace.ID {
-		// Can't unshare from primary namespace
-		return errMachineNotShared
-	}
-
-	sharedMachine := SharedMachine{}
-	result := h.db.Where("machine_id = ? AND namespace_id = ?", machine.ID, namespace.ID).
-		Unscoped().
-		Delete(&sharedMachine)
-	if result.Error != nil {
-		return result.Error
-	}
-
-	if result.RowsAffected == 0 {
-		return errMachineNotShared
-	}
-
-	return nil
-}
-
-// RemoveSharedMachineFromAllNamespaces removes a machine as a shared node from all namespaces.
-func (h *Headscale) RemoveSharedMachineFromAllNamespaces(machine *Machine) error {
-	sharedMachine := SharedMachine{}
-	if result := h.db.Where("machine_id = ?", machine.ID).Unscoped().Delete(&sharedMachine); result.Error != nil {
-		return result.Error
-	}
-
-	return nil
-}
--- a/sharing_test.go
+++ b/sharing_test.go
@@ -1,341 +0,0 @@
-package headscale
-
-import (
-	"gopkg.in/check.v1"
-	"inet.af/netaddr"
-)
-
-func CreateNodeNamespace(
-	c *check.C,
-	namespaceName, node, key, ip string,
-) (*Namespace, *Machine) {
-	namespace, err := app.CreateNamespace(namespaceName)
-	c.Assert(err, check.IsNil)
-
-	pak1, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
-	c.Assert(err, check.IsNil)
-
-	_, err = app.GetMachine(namespace.Name, node)
-	c.Assert(err, check.NotNil)
-
-	machine := &Machine{
-		ID:             0,
-		MachineKey:     key,
-		NodeKey:        key,
-		DiscoKey:       key,
-		Name:           node,
-		NamespaceID:    namespace.ID,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netaddr.IP{netaddr.MustParseIP("100.64.0.1")},
-		AuthKeyID:      uint(pak1.ID),
-	}
-	app.db.Save(machine)
-
-	_, err = app.GetMachine(namespace.Name, machine.Name)
-	c.Assert(err, check.IsNil)
-
-	return namespace, machine
-}
-
-func (s *Suite) TestBasicSharedNodesInNamespace(c *check.C) {
-	namespace1, machine1 := CreateNodeNamespace(
-		c,
-		"shared1",
-		"test_get_shared_nodes_1",
-		"686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		"100.64.0.1",
-	)
-	_, machine2 := CreateNodeNamespace(
-		c,
-		"shared2",
-		"test_get_shared_nodes_2",
-		"dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		"100.64.0.2",
-	)
-
-	peersOfMachine1BeforeShared, err := app.getPeers(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine1BeforeShared), check.Equals, 0)
-
-	err = app.AddSharedMachineToNamespace(machine2, namespace1)
-	c.Assert(err, check.IsNil)
-
-	peersOfMachine1AfterShared, err := app.getPeers(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine1AfterShared), check.Equals, 1)
-	c.Assert(peersOfMachine1AfterShared[0].ID, check.Equals, machine2.ID)
-}
-
-func (s *Suite) TestSameNamespace(c *check.C) {
-	namespace1, machine1 := CreateNodeNamespace(
-		c,
-		"shared1",
-		"test_get_shared_nodes_1",
-		"686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		"100.64.0.1",
-	)
-
-	peersOfMachine1BeforeShare, err := app.getPeers(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine1BeforeShare), check.Equals, 0)
-
-	err = app.AddSharedMachineToNamespace(machine1, namespace1)
-	c.Assert(err, check.Equals, errSameNamespace)
-}
-
-func (s *Suite) TestUnshare(c *check.C) {
-	namespace1, machine1 := CreateNodeNamespace(
-		c,
-		"shared1",
-		"test_unshare_1",
-		"686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		"100.64.0.1",
-	)
-	_, machine2 := CreateNodeNamespace(
-		c,
-		"shared2",
-		"test_unshare_2",
-		"dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		"100.64.0.2",
-	)
-
-	peersOfMachine1BeforeShare, err := app.getPeers(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine1BeforeShare), check.Equals, 0)
-
-	err = app.AddSharedMachineToNamespace(machine2, namespace1)
-	c.Assert(err, check.IsNil)
-
-	peersOfMachine1BeforeShare, err = app.getShared(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine1BeforeShare), check.Equals, 1)
-
-	err = app.RemoveSharedMachineFromNamespace(machine2, namespace1)
-	c.Assert(err, check.IsNil)
-
-	peersOfMachine1BeforeShare, err = app.getShared(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine1BeforeShare), check.Equals, 0)
-
-	err = app.RemoveSharedMachineFromNamespace(machine2, namespace1)
-	c.Assert(err, check.Equals, errMachineNotShared)
-
-	err = app.RemoveSharedMachineFromNamespace(machine1, namespace1)
-	c.Assert(err, check.Equals, errMachineNotShared)
-}
-
-func (s *Suite) TestAlreadyShared(c *check.C) {
-	namespace1, machine1 := CreateNodeNamespace(
-		c,
-		"shared1",
-		"test_get_shared_nodes_1",
-		"686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		"100.64.0.1",
-	)
-	_, machine2 := CreateNodeNamespace(
-		c,
-		"shared2",
-		"test_get_shared_nodes_2",
-		"dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		"100.64.0.2",
-	)
-
-	peersOfMachine1BeforeShare, err := app.getPeers(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine1BeforeShare), check.Equals, 0)
-
-	err = app.AddSharedMachineToNamespace(machine2, namespace1)
-	c.Assert(err, check.IsNil)
-	err = app.AddSharedMachineToNamespace(machine2, namespace1)
-	c.Assert(err, check.Equals, errMachineAlreadyShared)
-}
-
-func (s *Suite) TestDoNotIncludeRoutesOnShared(c *check.C) {
-	namespace1, machine1 := CreateNodeNamespace(
-		c,
-		"shared1",
-		"test_get_shared_nodes_1",
-		"686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		"100.64.0.1",
-	)
-	_, machine2 := CreateNodeNamespace(
-		c,
-		"shared2",
-		"test_get_shared_nodes_2",
-		"dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		"100.64.0.2",
-	)
-
-	peersOfMachine1BeforeShare, err := app.getPeers(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine1BeforeShare), check.Equals, 0)
-
-	err = app.AddSharedMachineToNamespace(machine2, namespace1)
-	c.Assert(err, check.IsNil)
-
-	peersOfMachine1AfterShare, err := app.getPeers(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine1AfterShare), check.Equals, 1)
-	c.Assert(peersOfMachine1AfterShare[0].Name, check.Equals, "test_get_shared_nodes_2")
-}
-
-func (s *Suite) TestComplexSharingAcrossNamespaces(c *check.C) {
-	namespace1, machine1 := CreateNodeNamespace(
-		c,
-		"shared1",
-		"test_get_shared_nodes_1",
-		"686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		"100.64.0.1",
-	)
-	_, machine2 := CreateNodeNamespace(
-		c,
-		"shared2",
-		"test_get_shared_nodes_2",
-		"dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		"100.64.0.2",
-	)
-	_, machine3 := CreateNodeNamespace(
-		c,
-		"shared3",
-		"test_get_shared_nodes_3",
-		"6e704bee83eb93db6fc2c417d7882964cd3f8cc87082cbb645982e34020c76c8",
-		"100.64.0.3",
-	)
-
-	pak4, err := app.CreatePreAuthKey(namespace1.Name, false, false, nil)
-	c.Assert(err, check.IsNil)
-
-	machine4 := &Machine{
-		ID:             4,
-		MachineKey:     "4c3e07c3ecd40e9c945bb6797557c451850691c0409740578325e17009dd298f",
-		NodeKey:        "4c3e07c3ecd40e9c945bb6797557c451850691c0409740578325e17009dd298f",
-		DiscoKey:       "4c3e07c3ecd40e9c945bb6797557c451850691c0409740578325e17009dd298f",
-		Name:           "test_get_shared_nodes_4",
-		NamespaceID:    namespace1.ID,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netaddr.IP{netaddr.MustParseIP("100.64.0.4")},
-		AuthKeyID:      uint(pak4.ID),
-	}
-	app.db.Save(machine4)
-
-	_, err = app.GetMachine(namespace1.Name, machine4.Name)
-	c.Assert(err, check.IsNil)
-
-	peersOfMachine1BeforeShare, err := app.getPeers(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine1BeforeShare), check.Equals, 1) // node1 can see node4
-	c.Assert(peersOfMachine1BeforeShare[0].Name, check.Equals, machine4.Name)
-
-	err = app.AddSharedMachineToNamespace(machine2, namespace1)
-	c.Assert(err, check.IsNil)
-
-	peersOfMachine1AfterShare, err := app.getPeers(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(
-		len(peersOfMachine1AfterShare),
-		check.Equals,
-		2,
-	) // node1 can see node2 (shared) and node4 (same namespace)
-	c.Assert(peersOfMachine1AfterShare[0].Name, check.Equals, machine2.Name)
-	c.Assert(peersOfMachine1AfterShare[1].Name, check.Equals, machine4.Name)
-
-	sharedOfMachine1, err := app.getShared(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(sharedOfMachine1), check.Equals, 1) // node1 can see node2 as shared
-	c.Assert(sharedOfMachine1[0].Name, check.Equals, machine2.Name)
-
-	peersOfMachine3, err := app.getPeers(machine3)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine3), check.Equals, 0) // node3 is alone
-
-	peersOfMachine2, err := app.getPeers(machine2)
-	c.Assert(err, check.IsNil)
-	c.Assert(
-		len(peersOfMachine2),
-		check.Equals,
-		2,
-	) // node2 should see node1 (sharedTo) and node4 (sharedTo), as is shared in namespace1
-	c.Assert(peersOfMachine2[0].Name, check.Equals, machine1.Name)
-	c.Assert(peersOfMachine2[1].Name, check.Equals, machine4.Name)
-}
-
-func (s *Suite) TestDeleteSharedMachine(c *check.C) {
-	namespace1, machine1 := CreateNodeNamespace(
-		c,
-		"shared1",
-		"test_get_shared_nodes_1",
-		"686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		"100.64.0.1",
-	)
-	_, machine2 := CreateNodeNamespace(
-		c,
-		"shared2",
-		"test_get_shared_nodes_2",
-		"dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		"100.64.0.2",
-	)
-	_, machine3 := CreateNodeNamespace(
-		c,
-		"shared3",
-		"test_get_shared_nodes_3",
-		"6e704bee83eb93db6fc2c417d7882964cd3f8cc87082cbb645982e34020c76c8",
-		"100.64.0.3",
-	)
-
-	pak4n1, err := app.CreatePreAuthKey(namespace1.Name, false, false, nil)
-	c.Assert(err, check.IsNil)
-	machine4 := &Machine{
-		ID:             4,
-		MachineKey:     "4c3e07c3ecd40e9c945bb6797557c451850691c0409740578325e17009dd298f",
-		NodeKey:        "4c3e07c3ecd40e9c945bb6797557c451850691c0409740578325e17009dd298f",
-		DiscoKey:       "4c3e07c3ecd40e9c945bb6797557c451850691c0409740578325e17009dd298f",
-		Name:           "test_get_shared_nodes_4",
-		NamespaceID:    namespace1.ID,
-		Registered:     true,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netaddr.IP{netaddr.MustParseIP("100.64.0.4")},
-		AuthKeyID:      uint(pak4n1.ID),
-	}
-	app.db.Save(machine4)
-
-	_, err = app.GetMachine(namespace1.Name, machine4.Name)
-	c.Assert(err, check.IsNil)
-
-	peersOfMachine1BeforeShare, err := app.getPeers(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine1BeforeShare), check.Equals, 1) // nodes 1 and 4
-	c.Assert(peersOfMachine1BeforeShare[0].Name, check.Equals, machine4.Name)
-
-	err = app.AddSharedMachineToNamespace(machine2, namespace1)
-	c.Assert(err, check.IsNil)
-
-	peersOfMachine1AfterShare, err := app.getPeers(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine1AfterShare), check.Equals, 2) // nodes 1, 2, 4
-	c.Assert(peersOfMachine1AfterShare[0].Name, check.Equals, machine2.Name)
-	c.Assert(peersOfMachine1AfterShare[1].Name, check.Equals, machine4.Name)
-
-	sharedOfMachine1, err := app.getShared(machine1)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(sharedOfMachine1), check.Equals, 1) // nodes 1, 2, 4
-	c.Assert(sharedOfMachine1[0].Name, check.Equals, machine2.Name)
-
-	peersOfMachine3, err := app.getPeers(machine3)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(peersOfMachine3), check.Equals, 0) // node 3 is alone
-
-	sharedMachinesInNamespace1, err := app.ListSharedMachinesInNamespace(
-		namespace1.Name,
-	)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(sharedMachinesInNamespace1), check.Equals, 1)
-
-	err = app.DeleteMachine(machine2)
-	c.Assert(err, check.IsNil)
-
-	sharedMachinesInNamespace1, err = app.ListSharedMachinesInNamespace(namespace1.Name)
-	c.Assert(err, check.IsNil)
-	c.Assert(len(sharedMachinesInNamespace1), check.Equals, 0)
-}
--- a/utils.go
+++ b/utils.go
@@ -157,9 +157,6 @@ func GetIPPrefixEndpoints(na netaddr.IPPrefix) (network, broadcast netaddr.IP) {
 	return
 }

-// TODO: Is this concurrency safe?
-// What would happen if multiple hosts were to register at the same time?
-// Would we attempt to assign the same addresses to multiple nodes?
 func (h *Headscale) getAvailableIP(ipPrefix netaddr.IPPrefix) (*netaddr.IP, error) {
 	usedIps, err := h.getUsedIPs()
 	if err != nil {
@@ -179,7 +176,7 @@ func (h *Headscale) getAvailableIP(ipPrefix netaddr.IPPrefix) (*netaddr.IP, erro
 		switch {
 		case ip.Compare(ipPrefixBroadcastAddress) == 0:
 			fallthrough
-		case containsIPs(usedIps, ip):
+		case usedIps.Contains(ip):
 			fallthrough
 		case ip.IsZero() || ip.IsLoopback():
 			ip = ip.Next()
@@ -192,29 +189,51 @@ func (h *Headscale) getAvailableIP(ipPrefix netaddr.IPPrefix) (*netaddr.IP, erro
 	}
 }

-func (h *Headscale) getUsedIPs() ([]netaddr.IP, error) {
+func (h *Headscale) getUsedIPs() (*netaddr.IPSet, error) {
 	// FIXME: This really deserves a better data model,
 	// but this was quick to get running and it should be enough
 	// to begin experimenting with a dual stack tailnet.
 	var addressesSlices []string
 	h.db.Model(&Machine{}).Pluck("ip_addresses", &addressesSlices)

-	ips := make([]netaddr.IP, 0, len(h.cfg.IPPrefixes)*len(addressesSlices))
+	log.Trace().
+		Strs("addresses", addressesSlices).
+		Msg("Got allocated ip addresses from databases")
+
+	var ips netaddr.IPSetBuilder
 	for _, slice := range addressesSlices {
-		var a MachineAddresses
-		err := a.Scan(slice)
+		var machineAddresses MachineAddresses
+		err := machineAddresses.Scan(slice)
 		if err != nil {
-			return nil, fmt.Errorf("failed to read ip from database: %w", err)
+			return &netaddr.IPSet{}, fmt.Errorf(
+				"failed to read ip from database: %w",
+				err,
+			)
+		}
+
+		for _, ip := range machineAddresses {
+			ips.Add(ip)
 		}
-		ips = append(ips, a...)
 	}

-	return ips, nil
+	log.Trace().
+		Interface("addresses", ips).
+		Msg("Parsed ip addresses that has been allocated from databases")
+
+	ipSet, err := ips.IPSet()
+	if err != nil {
+		return &netaddr.IPSet{}, fmt.Errorf(
+			"failed to build IP Set: %w",
+			err,
+		)
+	}
+
+	return ipSet, nil
 }

-func containsIPs(ips []netaddr.IP, ip netaddr.IP) bool {
-	for _, v := range ips {
-		if v == ip {
+func containsString(ss []string, s string) bool {
+	for _, v := range ss {
+		if v == s {
 			return true
 		}
 	}
--- a/utils_test.go
+++ b/utils_test.go
@@ -20,7 +20,7 @@ func (s *Suite) TestGetUsedIps(c *check.C) {
 	ips, err := app.getAvailableIPs()
 	c.Assert(err, check.IsNil)

-	namespace, err := app.CreateNamespace("test_ip")
+	namespace, err := app.CreateNamespace("test-ip")
 	c.Assert(err, check.IsNil)

 	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
@@ -48,9 +48,12 @@ func (s *Suite) TestGetUsedIps(c *check.C) {
 	c.Assert(err, check.IsNil)

 	expected := netaddr.MustParseIP("10.27.0.1")
+	expectedIPSetBuilder := netaddr.IPSetBuilder{}
+	expectedIPSetBuilder.Add(expected)
+	expectedIPSet, _ := expectedIPSetBuilder.IPSet()

-	c.Assert(len(usedIps), check.Equals, 1)
-	c.Assert(usedIps[0], check.Equals, expected)
+	c.Assert(usedIps.Equal(expectedIPSet), check.Equals, true)
+	c.Assert(usedIps.Contains(expected), check.Equals, true)

 	machine1, err := app.GetMachineByID(0)
 	c.Assert(err, check.IsNil)
@@ -64,6 +67,8 @@ func (s *Suite) TestGetMultiIp(c *check.C) {
 	c.Assert(err, check.IsNil)

 	for index := 1; index <= 350; index++ {
+		app.ipAllocationMutex.Lock()
+
 		ips, err := app.getAvailableIPs()
 		c.Assert(err, check.IsNil)

@@ -86,17 +91,30 @@ func (s *Suite) TestGetMultiIp(c *check.C) {
 			IPAddresses:    ips,
 		}
 		app.db.Save(&machine)
+
+		app.ipAllocationMutex.Unlock()
 	}

 	usedIps, err := app.getUsedIPs()
-
 	c.Assert(err, check.IsNil)

-	c.Assert(len(usedIps), check.Equals, 350)
+	expected0 := netaddr.MustParseIP("10.27.0.1")
+	expected9 := netaddr.MustParseIP("10.27.0.10")
+	expected300 := netaddr.MustParseIP("10.27.0.45")

-	c.Assert(usedIps[0], check.Equals, netaddr.MustParseIP("10.27.0.1"))
-	c.Assert(usedIps[9], check.Equals, netaddr.MustParseIP("10.27.0.10"))
-	c.Assert(usedIps[300], check.Equals, netaddr.MustParseIP("10.27.1.45"))
+	notExpectedIPSetBuilder := netaddr.IPSetBuilder{}
+	notExpectedIPSetBuilder.Add(expected0)
+	notExpectedIPSetBuilder.Add(expected9)
+	notExpectedIPSetBuilder.Add(expected300)
+	notExpectedIPSet, err := notExpectedIPSetBuilder.IPSet()
+	c.Assert(err, check.IsNil)
+
+	// We actually expect it to be a lot larger
+	c.Assert(usedIps.Equal(notExpectedIPSet), check.Equals, false)
+
+	c.Assert(usedIps.Contains(expected0), check.Equals, true)
+	c.Assert(usedIps.Contains(expected9), check.Equals, true)
+	c.Assert(usedIps.Contains(expected300), check.Equals, true)

 	// Check that we can read back the IPs
 	machine1, err := app.GetMachineByID(1)
@@ -142,7 +160,7 @@ func (s *Suite) TestGetAvailableIpMachineWithoutIP(c *check.C) {
 	c.Assert(len(ips), check.Equals, 1)
 	c.Assert(ips[0].String(), check.Equals, expected.String())

-	namespace, err := app.CreateNamespace("test_ip")
+	namespace, err := app.CreateNamespace("test-ip")
 	c.Assert(err, check.IsNil)

 	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
Author	SHA1	Message	Date
Kristoffer Dalby	b1bd17f316	Merge pull request #350 from restanrm/feat-oidc-login-as-namespace	2022-02-25 13:22:26 +01:00
Adrien Raffin-Caboisse	b39faa124a	Merge remote-tracking branch 'origin/main' into feat-oidc-login-as-namespace	2022-02-25 11:28:17 +01:00
Kristoffer Dalby	8689a39c96	Merge pull request #357 from kradalby/make-namespace-to-users Remove boundaries between Namespaces	2022-02-25 11:01:41 +01:00
Kristoffer Dalby	bae8ed3e70	Merge branch 'main' into make-namespace-to-users	2022-02-25 10:39:12 +01:00
Kristoffer Dalby	08c7076667	Merge pull request #346 from kradalby/integration-test-concurrent-join Fix ip allocation bug, make integration tests faster	2022-02-25 10:37:35 +01:00
Kristoffer Dalby	91b50550ee	Update readme and glossary to reflect features and goals	2022-02-25 10:34:35 +01:00
Kristoffer Dalby	2c7064462a	Update changelog	2022-02-25 10:30:58 +01:00
Kristoffer Dalby	d9e7f37280	Uncomment previous test and update them for no boundries	2022-02-25 10:27:27 +01:00
Kristoffer Dalby	e03b3d558f	Remove boundries between namespaces	2022-02-25 10:26:34 +01:00
Kristoffer Dalby	2fd36dd254	Resolve merge	2022-02-25 09:08:15 +00:00
Kristoffer Dalby	381598663d	Merge pull request #347 from kradalby/remove-shared Remove the concept of "shared nodes"	2022-02-25 10:06:58 +01:00
Kristoffer Dalby	6d699d3c29	Update changelog	2022-02-25 08:44:16 +00:00
Kristoffer Dalby	ebe59a5a27	Fix utils tests, use ipset datastructure	2022-02-25 08:28:22 +00:00
Kristoffer Dalby	eda0a9f88a	Lock allocation of IP address current logic is not safe as it will allow an IP that isnt persisted to the DB to be given out multiple times if machines joins in quick succession. This adds a lock around the "get ip" and machine registration and save to DB so we ensure thiis isnt happning. Currently this had to be done three places, which is silly, and outlined in #294.	2022-02-24 13:18:18 +00:00
Adrien Raffin-Caboisse	47e8442d91	Update CHANGELOG.md Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>	2022-02-24 13:34:48 +01:00
Adrien Raffin-Caboisse	f9ce32fe1a	Update CHANGELOG.md Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>	2022-02-24 13:34:36 +01:00
Kristoffer Dalby	189e883f91	Resolve merge	2022-02-24 11:41:54 +00:00
Kristoffer Dalby	aa506503e2	Merge branch 'main' into feat-oidc-login-as-namespace	2022-02-24 11:40:34 +00:00
Kristoffer Dalby	9c2c09fce7	Merge branch 'main' into remove-shared	2022-02-24 11:39:44 +00:00
Kristoffer Dalby	5596a0acef	Merge pull request #297 from arch4ngel/configurable-mtls Configurable mtls	2022-02-24 11:32:02 +00:00
Kristoffer Dalby	9687e6768d	Remove retry from integration tests	2022-02-24 11:29:53 +00:00
Kristoffer Dalby	fb85c78e8a	Fail integration tests fast	2022-02-24 11:28:34 +00:00
Kristoffer Dalby	8c33907655	Sort lint	2022-02-24 11:10:40 +00:00
Kristoffer Dalby	afb67b6e75	Merge branch 'main' into configurable-mtls	2022-02-24 11:09:05 +00:00
Kristoffer Dalby	69f220fe5c	Merge branch 'main' into feat-oidc-login-as-namespace	2022-02-24 11:01:32 +00:00
Kristoffer Dalby	c46dfd761c	Merge pull request #349 from kradalby/remove-cgo	2022-02-24 10:11:15 +00:00
Adrien Raffin-Caboisse	95453cba75	Merge branch 'main' into feat-oidc-login-as-namespace	2022-02-23 17:56:45 +01:00
Kristoffer Dalby	ed2175706c	Merge branch 'remove-cgo' of github.com:kradalby/headscale into remove-cgo	2022-02-23 16:23:53 +00:00
Kristoffer Dalby	686e45cf27	Set all anti-cgo options and add comment	2022-02-23 16:15:20 +00:00
Adrien Raffin-Caboisse	ae6a20e4d9	fix: add valid test identified by linter	2022-02-23 14:28:25 +01:00
Adrien Raffin-Caboisse	046116656b	chore: update formatting	2022-02-23 14:22:21 +01:00
Adrien Raffin-Caboisse	972bef1194	feat: add length error if hostname too long	2022-02-23 14:21:46 +01:00
Adrien Raffin-Caboisse	4f1f235a2e	feat: add strip_email_domain to normalization of namespace	2022-02-23 14:03:07 +01:00
Adrien Raffin-Caboisse	7e4709c13f	fix(namespace): remove name validation for destroy and get	2022-02-23 13:35:57 +01:00
Adrien Raffin-Caboisse	cef0a2b0b3	fix(namespaces_test): fix missing namespace name	2022-02-23 11:40:48 +01:00
Adrien Raffin-Caboisse	fcdbe7c510	fix(utils_test): fix namespace name	2022-02-23 11:38:20 +01:00
Adrien Raffin-Caboisse	995731a29c	fix(namespace): checknamespace name before actions I keep the check server side because it's better from a security point of view.	2022-02-23 11:32:16 +01:00
Adrien Raffin-Caboisse	45727dbb21	feat(namespace): add check function for namespace	2022-02-23 11:32:14 +01:00
Kristoffer Dalby	f0a73632e0	Merge branch 'main' into remove-cgo	2022-02-23 09:01:38 +00:00
Kristoffer Dalby	823cc493f0	Merge branch 'main' into configurable-mtls	2022-02-23 07:29:31 +00:00
Juan Font	a86b33f1ff	Merge pull request #345 from juanfont/update-contributors docs(README): update contributors	2022-02-22 23:46:54 +01:00
Juan Font	28c2bbeb27	Merge branch 'main' into update-contributors	2022-02-22 23:35:34 +01:00
github-actions[bot]	d4761da27c	docs(README): update contributors	2022-02-22 22:34:27 +00:00
Juan Font	b0c7ebeb7d	Merge pull request #351 from pernila/patch-1 Added FreeBSD to the supported clients	2022-02-22 23:33:58 +01:00
Juan Font	5f375d69b5	Merge branch 'main' into update-contributors	2022-02-22 23:32:02 +01:00
Juan Font	9eb705a4fb	Merge branch 'main' into patch-1	2022-02-22 23:31:29 +01:00
Juan Font	1b87396a8c	Merge pull request #333 from ohdearaugustin/topic/renovatebot Topic/renovatebot	2022-02-22 23:30:46 +01:00
Juan Font	bb14bcd4d2	Merge branch 'main' into topic/renovatebot	2022-02-22 23:29:08 +01:00
pernila	48c866b058	Added FreeBSD to the supported clients Added FreeBSD to the supported clients Now in ports: https://www.freshports.org/security/headscale/	2022-02-22 23:06:35 +02:00
Adrien Raffin-Caboisse	fe0b43eaaf	chore: update changelog	2022-02-22 21:20:59 +01:00
Adrien Raffin-Caboisse	afd4a3706e	chore: update formating	2022-02-22 21:05:39 +01:00
Adrien Raffin-Caboisse	717250adb3	feat: removing matchmap from headscale	2022-02-22 20:58:08 +01:00
Kristoffer Dalby	67f5c32b49	Only allow one connection to sqlite	2022-02-22 19:04:52 +00:00
Adrien Raffin-Caboisse	0191ea93ff	feat(oidc): bind email to namespace	2022-02-22 19:59:15 +01:00
Adrien Raffin-Caboisse	92ffac625e	feat(namespace): add normalization function for namespace	2022-02-22 19:59:12 +01:00
Kristoffer Dalby	bfbcea35a0	Remove dependency on CGO This commit changes the SQLite dependency to one that does not depend on CGO. It uses a C-to-Go translated sqlite library that is Pure go.	2022-02-22 16:51:54 +00:00
Kristoffer Dalby	638a84adb9	Merge branch 'main' into integration-test-concurrent-join	2022-02-22 16:49:32 +00:00
Kristoffer Dalby	ec58979ce0	Merge branch 'main' into remove-shared	2022-02-22 16:48:14 +00:00
Kristoffer Dalby	7e6e093f17	Merge branch 'integration-test-concurrent-join' of github.com:kradalby/headscale into integration-test-concurrent-join	2022-02-22 16:19:28 +00:00
Kristoffer Dalby	4962335860	Remove dependency on CGO This commit changes the SQLite dependency to one that does not depend on CGO. It uses a C-to-Go translated sqlite library that is Pure go.	2022-02-22 16:18:25 +00:00
Kristoffer Dalby	a37339fa54	Merge pull request #348 from restanrm/remove-comment fix(machine): remove comment	2022-02-22 14:06:12 +00:00
Kristoffer Dalby	f7eeb979fb	Add timeout	2022-02-22 13:46:59 +00:00
Adrien Raffin-Caboisse	f2f8d834e8	fix(machine): remove comment After some more tests in tailscale I couldn't replicate the behavior described in there. When adding a rule, allowing A to talk to B the reverse connection was instantly added to B to allow communication to B. The previous assumption was probably wrong.	2022-02-22 11:26:21 +01:00
Kristoffer Dalby	fe2f75d13d	Allow integration test to retry	2022-02-22 07:40:56 +00:00
Kristoffer Dalby	52db6188df	Merge branch 'main' into update-contributors	2022-02-21 23:38:56 +00:00
Kristoffer Dalby	8dca40535f	Test if we can join headscale in parallell to speed up	2022-02-21 23:16:39 +00:00
Kristoffer Dalby	f4c302f1fb	Uncomment tests that will failed in transition period	2022-02-21 23:10:20 +00:00
Kristoffer Dalby	4ca8181dcb	Remove sharing from integration tests	2022-02-21 23:04:10 +00:00
Kristoffer Dalby	24a8e198a1	Remove sharing references across the code	2022-02-21 23:01:35 +00:00
Kristoffer Dalby	9411ec47c3	Remove sharing class and tests	2022-02-21 22:53:30 +00:00
Kristoffer Dalby	1e8f4dbdff	Drop shared node table	2022-02-21 22:52:55 +00:00
Kristoffer Dalby	9399754489	Remove protobuf share/unshare generated go	2022-02-21 22:48:27 +00:00
Kristoffer Dalby	9d1752acbc	Remove protobuf share/unshare	2022-02-21 22:48:14 +00:00
Kristoffer Dalby	6da2a19d10	Remove grpc share/unshare functions	2022-02-21 22:45:04 +00:00
Kristoffer Dalby	9ceac5c0fc	Remove CLI and tests for Shared node	2022-02-21 22:44:08 +00:00
Kristoffer Dalby	f562ad579a	Merge branch 'main' into configurable-mtls	2022-02-21 21:44:49 +00:00
github-actions[bot]	bbadeb567a	docs(README): update contributors	2022-02-21 21:41:48 +00:00
Kristoffer Dalby	69cdfbb56f	Merge pull request #320 from restanrm/feat-improve-acls-usage Improvements on the ACLs and bug fixing	2022-02-21 21:41:15 +00:00
Adrien Raffin-Caboisse	d971f0f0e6	fix(acls_test): fix comment in go code	2022-02-21 21:48:05 +01:00
Adrien Raffin-Caboisse	650108c7c7	chore(fmt): apply fmt	2022-02-21 21:46:40 +01:00
Adrien Raffin-Caboisse	baae266db0	Update acls_test.go Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>	2022-02-21 20:25:41 +01:00
Adrien Raffin-Caboisse	50af44bc2f	fix: add error checking in acl and poll If aclPolicy is not defined, in updateAclPolicy, return an error.	2022-02-21 20:06:31 +01:00
Justin Angel	b5a59d4e7a	updating changelog and docs	2022-02-21 10:20:11 -05:00
Adrien Raffin-Caboisse	211fe4034a	chore(linter): ignore tt var as it's generated code (vscode)	2022-02-21 16:10:20 +01:00
Justin Angel	daa75da277	Linting and updating tests	2022-02-21 10:09:23 -05:00
Adrien Raffin-Caboisse	25550f8866	chore(format): run prettier on repo	2022-02-21 16:06:20 +01:00
Adrien Raffin-Caboisse	4bbe0051f6	chore(machines): apply lint	2022-02-21 10:02:59 +01:00
Adrien Raffin-Caboisse	5ab62378ae	tests(machines): test all combinations of peer filtering	2022-02-21 09:58:19 +01:00
Adrien Raffin-Caboisse	f006860136	feat(machines): untie dependency with class for filter func The dependency to the `headscale` struct makes tests harder to do. This change allow to easily add some tests for this quite sensible function.	2022-02-21 09:58:19 +01:00
Adrien Raffin-Caboisse	9c6ce02554	fix(machines): use ListAllMachines function added a simple filter to remove the current node	2022-02-21 09:58:19 +01:00
Adrien Raffin-Caboisse	960412a335	fix(machines): simplify complex if check This should fix the performance issue with computation of `dst` variable. It's also easier to read now.	2022-02-21 09:58:19 +01:00
Kristoffer Dalby	ecb3ee6bfa	Merge branch 'main' into feat-improve-acls-usage	2022-02-21 08:51:21 +00:00
Adrien Raffin-Caboisse	5242025ab3	fix(machines): renaming following review comments	2022-02-20 23:50:08 +01:00
Adrien Raffin-Caboisse	b3d0fb7a93	fix(machine): revert modifications Using h.ListAllMachines also listed the current machine in the result. It's unnecessary (I don't know if it's harmful). Breaking the check with the `matchSourceAndDestinationWithRule` broke the tests. We have a specificity with the '*' destination that isn't symetrical. I need to think of a better way to do this. It too hard to read.	2022-02-20 23:47:04 +01:00
Adrien Raffin-Caboisse	5e167cc00a	fix(tests): fix naming issues related to code review	2022-02-20 23:00:31 +01:00
Adrien Raffin-Caboisse	d00251c63e	fix(acls,machines): apply code review suggestions	2022-02-20 21:26:20 +01:00
Adrien Raffin-Caboisse	4f9ece14c5	Apply suggestions from code review on changelog Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>	2022-02-20 20:47:12 +01:00
Kristoffer Dalby	7bf2a91dd0	Merge branch 'main' into configurable-mtls	2022-02-20 14:33:23 +00:00
Justin Angel	385dd9cc34	refactoring	2022-02-20 09:06:14 -05:00
Kristoffer Dalby	602291df61	Merge pull request #338 from juanfont/update-contributors	2022-02-19 23:13:08 +00:00
github-actions[bot]	5245f1accc	docs(README): update contributors	2022-02-19 22:48:26 +00:00
Kristoffer Dalby	91babb5130	Merge pull request #336 from ohdearaugustin/topic/fix-contributors-action	2022-02-19 21:08:53 +00:00
ohdearaugustin	8798efd353	contributor: set specific version	2022-02-19 21:36:08 +01:00
Kristoffer Dalby	66a12004e7	Merge branch 'main' into topic/renovatebot	2022-02-19 19:34:30 +00:00
Kristoffer Dalby	74621e2750	Merge pull request #332 from e-zk/main Fix spelling error	2022-02-19 19:34:24 +00:00
Kristoffer Dalby	74c3c6bb60	Merge branch 'main' into main	2022-02-19 19:32:34 +00:00
Kristoffer Dalby	84b98e716a	Merge pull request #334 from ohdearaugustin/topic/renovatebot-codeowner CODEOWNER: add renovate config ohdearaugustin	2022-02-19 19:32:21 +00:00
ohdearaugustin	e9f13b6031	CODEOWNER: add renovate config ohdearaugustin	2022-02-19 20:28:08 +01:00
ohdearaugustin	fe6d47030f	renovatebot: configure	2022-02-19 20:15:53 +01:00
ohdearaugustin	a19550adbf	prettier: renovatebot.yml	2022-02-19 19:49:12 +01:00
ohdearaugustin	3db88d27de	github/workflows: init renovatebot	2022-02-19 19:49:12 +01:00
e-zk	a6b7bc5939	Fix spelling error	2022-02-20 03:14:51 +10:00
Kristoffer Dalby	7d5e6d3f0f	Merge pull request #330 from kradalby/codeowners Add ohdearaugustin to CODEOWNERS for config and docs	2022-02-18 20:12:29 +00:00
Kristoffer Dalby	7a90c2fba1	Merge branch 'main' into codeowners	2022-02-18 20:11:33 +00:00
Kristoffer Dalby	5cf215a44b	Merge pull request #325 from juanfont/kradalby-patch-4 Update changelog for 0.13.0	2022-02-18 20:11:03 +00:00
Kristoffer Dalby	7916fa8b45	Add ohdearaugustin to CODEOWNERS for config and docs	2022-02-18 19:57:03 +00:00
Kristoffer Dalby	5fbef07627	Update changelog for 0.13.0	2022-02-18 18:54:27 +00:00
Kristoffer Dalby	21df798f07	Merge branch 'main' into feat-improve-acls-usage	2022-02-18 17:19:19 +00:00
Adrien Raffin-Caboisse	f073d8f43c	chore(lint): ignore linting on test_expandalias This is a false positive on the way the function is built. Small tests cases are all inside this functions, making it big.	2022-02-17 09:32:55 +01:00
Adrien Raffin-Caboisse	5f642eef76	chore(lint): more lint fixing	2022-02-17 09:32:54 +01:00
Adrien Raffin-Caboisse	d8c4c3163b	chore(fmt): apply make fmt command	2022-02-17 09:32:54 +01:00
Adrien Raffin-Caboisse	9cedbbafd4	chore(all): update some files for linter	2022-02-17 09:32:51 +01:00
Adrien Raffin-Caboisse	aceaba60f1	docs(changelog): bump changelog	2022-02-17 09:30:09 +01:00
Adrien Raffin-Caboisse	7b5ba9f781	docs(acl): add configuration example to explain acls	2022-02-17 09:30:09 +01:00
Adrien Raffin	de59946447	feat(acls): rewrite functions to be testable Rewrite some function to get rid of the dependency on Headscale object. This allows us to write succinct test that are more easy to review and implement. The improvements of the tests allowed to write the removal of the tagged hosts from the namespace as specified here: https://tailscale.com/kb/1068/acl-tags/	2022-02-17 09:30:09 +01:00
Adrien Raffin	97eac3b938	feat(acl): update frequently the aclRules This call should be done quite at each modification of a server resources like RequestTags. When a server changes it's tag we should rebuild the ACL rules. When a server is added to headscale we also should update the ACLRules.	2022-02-17 09:30:08 +01:00
Adrien Raffin	fb45138fc1	feat(acls): check acl owners and add bunch of tests	2022-02-17 09:30:08 +01:00
Adrien Raffin	e9949b4c70	feat(acls): simplify updating rules	2022-02-17 09:30:08 +01:00
Adrien Raffin	e482dfeed4	feat(machine): add ACLFilter if ACL's are enabled. This commit change the default behaviour and remove the notion of namespaces between the hosts. It allows all namespaces to be only filtered by the ACLs. This behavior is closer to tailsnet.	2022-02-17 09:30:05 +01:00
Jamie Greeff	9b7d657cbe	Return all peers instead of peers in same namespace	2022-02-17 09:27:59 +01:00
Justin Angel	1b2fff4337	Merge branch 'main' into configurable-mtls	2022-02-02 11:54:49 -05:00
Justin Angel	af25aa75d9	Merge branch 'configurable-mtls' of github.com:arch4ngel/headscale into configurable-mtls	2022-01-31 10:27:57 -05:00
Justin Angel	da5250ea32	linting again	2022-01-31 10:27:43 -05:00
Kristoffer Dalby	168b1bd579	Merge branch 'main' into configurable-mtls	2022-01-31 12:28:00 +00:00
Justin Angel	9de5c7f8b8	updating default	2022-01-31 07:22:17 -05:00
Justin Angel	52db80ab0d	Merge branch 'configurable-mtls' of github.com:arch4ngel/headscale into configurable-mtls	2022-01-31 07:19:14 -05:00
Justin Angel	0c3fd16113	refining and adding tests	2022-01-31 07:18:50 -05:00
Justin Angel	310e7b15c7	making alternatives constants	2022-01-30 10:46:57 -05:00
Justin Angel	d44b2a7c01	adding default for tls_client_auth_mode	2022-01-30 07:26:28 -05:00
Kristoffer Dalby	0609c97459	Merge branch 'main' into configurable-mtls	2022-01-29 20:15:58 +00:00
Justin Angel	c98a559b4d	linting/formatting	2022-01-29 14:15:33 -05:00
Justin Angel	5935b13b67	refining	2022-01-29 13:35:08 -05:00
Justin Angel	9e619fc020	Making client authentication mode configurable	2022-01-29 12:59:31 -05:00