Update config.go

Fix socket location in config.go
Revert "Revert unix_socket to default value"
2026-04-17 06:19:51 +02:00 · 2023-05-10 12:16:07 +02:00 · 2023-05-10 12:16:07 +02:00 · 2023-05-10 12:16:07 +02:00 · 2023-05-10 10:26:21 +02:00 · 2023-05-10 09:49:13 +02:00
120 changed files with 3790 additions and 1693 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -6,19 +6,24 @@ labels: ["bug"]
 assignees: ""
 ---
-<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the bug report in this language. -->
+<!--
 Before posting a bug report, discuss the behaviour you are expecting with the Discord community
 to make sure that it is truly a bug.
 The issue tracker is not the place to ask for support or how to set up Headscale.
-**Bug description**
+Bug reports without the sufficient information will be closed.
 Headscale is a multinational community across the globe. Our language is English.
 All bug reports needs to be in English.
 -->
 ## Bug description
 <!-- A clear and concise description of what the bug is. Describe the expected bahavior
  and how it is currently different. If you are unsure if it is a bug, consider discussing
  it on our Discord server first. -->
-**To Reproduce**
+## Environment
 <!-- Steps to reproduce the behavior. -->
 **Context info**
 <!-- Please add relevant information about your system. For example:
 - Version of headscale used
@@ -28,3 +33,20 @@ assignees: ""
 - The relevant config parameters you used
 - Log output
 -->
 - OS:
 - Headscale version:
 - Tailscale version:
 <!--
 We do not support running Headscale in a container nor behind a (reverse) proxy.
 If either of these are true for your environment, ask the community in Discord
 instead of filing a bug report.
 -->
 - [ ] Headscale is behind a (reverse) proxy
 - [ ] Headscale runs in a container
 ## To Reproduce
 <!-- Steps to reproduce the behavior. -->
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -6,12 +6,21 @@ labels: ["enhancement"]
 assignees: ""
 ---
-<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the feature request in this language. -->
+<!--
 We typically have a clear roadmap for what we want to improve and reserve the right
 to close feature requests that does not fit in the roadmap, or fit with the scope
 of the project, or we actually want to implement ourselves.
-**Feature request**
+Headscale is a multinational community across the globe. Our language is English.
 All bug reports needs to be in English.
 -->
-<!-- A clear and precise description of what new or changed feature you want. -->
+## Why
-<!-- Please include the reason, why you would need the feature. E.g. what problem
+<!-- Include the reason, why you would need the feature. E.g. what problem
  does it solve? Or which workflow is currently frustrating and will be improved by
  this? -->
 ## Description
 <!-- A clear and precise description of what new or changed feature you want. -->
--- a/.github/ISSUE_TEMPLATE/other_issue.md
+++ b/.github/ISSUE_TEMPLATE/other_issue.md
@@ -1,30 +0,0 @@
 ---
 name: "Other issue"
 about: "Report a different issue"
 title: ""
 labels: ["bug"]
 assignees: ""
 ---
 <!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the issue in this language. -->
 <!-- If you have a question, please consider using our Discord for asking questions -->
 **Issue description**
 <!-- Please add your issue description. -->
 **To Reproduce**
 <!-- Steps to reproduce the behavior. -->
 **Context info**
 <!-- Please add relevant information about your system. For example:
 - Version of headscale used
 - Version of tailscale client
 - OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version
 - Kernel version
 - The relevant config parameters you used
 - Log output
 -->
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,3 +1,15 @@
 <!--
 Headscale is "Open Source, acknowledged contribution", this means that any
 contribution will have to be discussed with the Maintainers before being submitted.
 This model has been chosen to reduce the risk of burnout by limiting the
 maintenance overhead of reviewing and validating third-party code.
 Headscale is open to code contributions for bug fixes without discussion.
 If you find mistakes in the documentation, please submit a fix to the documentation.
 -->
 <!-- Please tick if the following things apply. You… -->
 - [ ] read the [CONTRIBUTING guidelines](README.md#contributing)
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -6,31 +6,27 @@
  "onboarding": false,
  "extends": ["config:base", ":rebaseStalePrs"],
  "ignorePresets": [":prHourlyLimit2"],
-  "enabledManagers": ["dockerfile", "gomod", "github-actions","regex" ],
+  "enabledManagers": ["dockerfile", "gomod", "github-actions", "regex"],
  "includeForks": true,
  "repositories": ["juanfont/headscale"],
  "platform": "github",
  "packageRules": [
    {
-        "matchDatasources": ["go"],
+      "matchDatasources": ["go"],
-        "groupName": "Go modules",
+      "groupName": "Go modules",
-        "groupSlug": "gomod",
+      "groupSlug": "gomod",
-        "separateMajorMinor": false
+      "separateMajorMinor": false
    },
    {
-        "matchDatasources": ["docker"],
+      "matchDatasources": ["docker"],
-        "groupName": "Dockerfiles",
+      "groupName": "Dockerfiles",
-        "groupSlug": "dockerfiles"
+      "groupSlug": "dockerfiles"
-    } 
+    }
  ],
  "regexManagers": [
    {
-      "fileMatch": [
+      "fileMatch": [".github/workflows/.*.yml$"],
-          ".github/workflows/.*.yml$"
+      "matchStrings": ["\\s*go-version:\\s*\"?(?<currentValue>.*?)\"?\\n"],
      ],
      "matchStrings": [
        "\\s*go-version:\\s*\"?(?<currentValue>.*?)\"?\\n"
      ],
      "datasourceTemplate": "golang-version",
      "depNameTemplate": "actions/go-version"
    }
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -0,0 +1,45 @@
 name: Build documentation
 on:
  push:
    branches:
      - main
  workflow_dispatch:
 permissions:
  contents: read
  pages: write
  id-token: write
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install python
        uses: actions/setup-python@v4
        with:
          python-version: 3.x
      - name: Setup cache
        uses: actions/cache@v2
        with:
          key: ${{ github.ref }}
          path: .cache
      - name: Setup dependencies
        run: pip install mkdocs-material pillow cairosvg mkdocs-minify-plugin
      - name: Build docs
        run: mkdocs build --strict
      - name: Upload artifact
        uses: actions/upload-pages-artifact@v1
        with:
          path: ./site
  deploy:
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v1
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,6 +19,6 @@ jobs:
      - uses: cachix/install-nix-action@v16
      - name: Run goreleaser
-        run: nix develop --command -- goreleaser release --rm-dist
+        run: nix develop --command -- goreleaser release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/test-integration-derp.yml
+++ b/.github/workflows/test-integration-derp.yml
@@ -1,35 +0,0 @@
 name: Integration Test DERP
 on: [pull_request]
 jobs:
  integration-test-derp:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 2
      - name: Set Swap Space
        uses: pierotofy/set-swap-space@master
        with:
          swap-size-gb: 10
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
        with:
          files: |
            *.nix
            go.*
            **/*.go
            integration_test/
            config-example.yaml
      - uses: cachix/install-nix-action@v16
        if: steps.changed-files.outputs.any_changed == 'true'
      - name: Run Embedded DERP server integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
        run: nix develop --command -- make test_integration_derp
--- a/.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml
+++ b/.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml
+++ b/.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml
@@ -0,0 +1,63 @@
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 name: Integration Test v2 - TestACLDevice1CanAccessDevice2
 on: [pull_request]
 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 2
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
        with:
          files: |
            *.nix
            go.*
            **/*.go
            integration_test/
            config-example.yaml
      - uses: cachix/install-nix-action@v18
        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
              --tty --rm \
              --volume ~/.cache/hs-integration-go:/go \
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestACLDevice1CanAccessDevice2$"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml
+++ b/.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml
+++ b/.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml
@@ -0,0 +1,63 @@
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 name: Integration Test v2 - TestACLNamedHostsCanReach
 on: [pull_request]
 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 2
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
        with:
          files: |
            *.nix
            go.*
            **/*.go
            integration_test/
            config-example.yaml
      - uses: cachix/install-nix-action@v18
        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
              --tty --rm \
              --volume ~/.cache/hs-integration-go:/go \
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestACLNamedHostsCanReach$"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml
+++ b/.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml
@@ -0,0 +1,63 @@
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 name: Integration Test v2 - TestACLNamedHostsCanReachBySubnet
 on: [pull_request]
 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 2
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
        with:
          files: |
            *.nix
            go.*
            **/*.go
            integration_test/
            config-example.yaml
      - uses: cachix/install-nix-action@v18
        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
              --tty --rm \
              --volume ~/.cache/hs-integration-go:/go \
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestACLNamedHostsCanReachBySubnet$"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestCreateTailscale.yaml
+++ b/.github/workflows/test-integration-v2-TestCreateTailscale.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestDERPServerScenario.yaml
+++ b/.github/workflows/test-integration-v2-TestDERPServerScenario.yaml
@@ -0,0 +1,63 @@
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 name: Integration Test v2 - TestDERPServerScenario
 on: [pull_request]
 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 2
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v34
        with:
          files: |
            *.nix
            go.*
            **/*.go
            integration_test/
            config-example.yaml
      - uses: cachix/install-nix-action@v18
        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
        run: |
            nix develop --command -- docker run \
              --tty --rm \
              --volume ~/.cache/hs-integration-go:/go \
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestDERPServerScenario$"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestEnablingRoutes.yaml
+++ b/.github/workflows/test-integration-v2-TestEnablingRoutes.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestEphemeral.yaml
+++ b/.github/workflows/test-integration-v2-TestEphemeral.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestExpireNode.yaml
+++ b/.github/workflows/test-integration-v2-TestExpireNode.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestHeadscale.yaml
+++ b/.github/workflows/test-integration-v2-TestHeadscale.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPingAllByHostname.yaml
+++ b/.github/workflows/test-integration-v2-TestPingAllByHostname.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPingAllByIP.yaml
+++ b/.github/workflows/test-integration-v2-TestPingAllByIP.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml
+++ b/.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml
+++ b/.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestTaildrop.yaml
+++ b/.github/workflows/test-integration-v2-TestTaildrop.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml
+++ b/.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestUserCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestUserCommand.yaml
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 ignored/
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -12,7 +14,7 @@
 *.out
 # Dependency directories (remove the comment below to include it)
-# vendor/
+vendor/
 dist/
 /headscale
@@ -35,3 +37,7 @@ result
 .direnv/
 integration_test/etc/config.dump.yaml
 # MkDocs
 .cache
 /site
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -2,6 +2,7 @@
 before:
  hooks:
    - go mod tidy -compat=1.20
    - go mod vendor
 release:
  prerelease: auto
@@ -31,19 +32,16 @@ builds:
 archives:
  - id: golang-cross
-    builds:
+    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
      - darwin_amd64
      - darwin_arm64
      - freebsd_amd64
      - linux_386
      - linux_amd64
      - linux_arm64
      - linux_arm_5
      - linux_arm_6
      - linux_arm_7
    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
    format: binary
 source:
  enabled: true
  name_template: "{{ .ProjectName }}_{{ .Version }}"
  format: tar.gz
  files:
    - "vendor/"
 nfpms:
  # Configure nFPM for .deb and .rpm releases
  #
@@ -65,7 +63,7 @@ nfpms:
    bindir: /usr/bin
    formats:
      - deb
-      - rpm
+      # - rpm
    contents:
      - src: ./config-example.yaml
        dst: /etc/headscale/config.yaml
@@ -73,7 +71,7 @@ nfpms:
        file_info:
          mode: 0644
      - src: ./docs/packaging/headscale.systemd.service
-        dst: /etc/systemd/system/headscale.service
+        dst: /usr/lib/systemd/system/headscale.service
      - dst: /var/lib/headscale
        type: dir
      - dst: /var/run/headscale
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,12 +1,31 @@
 # CHANGELOG
-## 0.22.0 (2023-XX-XX)
+## 0.23.0 (2023-XX-XX)
 ### Changes
- Add `.deb` and `.rpm` packages to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
+- Add environment flags to enable pprof (profiling) [#1382](https://github.com/juanfont/headscale/pull/1382)
  - Profiles are continously generated in our integration tests.
 - Fix systemd service file location in `.deb` packages [#1391](https://github.com/juanfont/headscale/pull/1391)
 - Improvements on Noise implementation [#1379](https://github.com/juanfont/headscale/pull/1379)
 - Replace node filter logic, ensuring nodes with access can see eachother [#1381](https://github.com/juanfont/headscale/pull/1381)
 ## 0.22.1 (2023-04-20)
 ### Changes
 - Fix issue where systemd could not bind to port 80 [#1365](https://github.com/juanfont/headscale/pull/1365)
 - Disable (or delete) both exit routes at the same time [#1428](https://github.com/juanfont/headscale/pull/1428)
 ## 0.22.0 (2023-04-20)
 ### Changes
 - Add `.deb` packages to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
 - Update and simplify the documentation to use new `.deb` packages [#1349](https://github.com/juanfont/headscale/pull/1349)
 - Add 32-bit Arm platforms to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
 - Fix longstanding bug that would prevent "\*" from working properly in ACLs (issue [#699](https://github.com/juanfont/headscale/issues/699)) [#1279](https://github.com/juanfont/headscale/pull/1279)
 - Fix issue where IPv6 could not be used in, or while using ACLs (part of [#809](https://github.com/juanfont/headscale/issues/809)) [#1339](https://github.com/juanfont/headscale/pull/1339)
 - Target Go 1.20 and Tailscale 1.38 for Headscale [#1323](https://github.com/juanfont/headscale/pull/1323)
 ## 0.21.0 (2023-03-20)
--- a/Dockerfile.tailscale
+++ b/Dockerfile.tailscale
@@ -1,19 +1,16 @@
-FROM ubuntu:latest
+FROM ubuntu:22.04
 ARG TAILSCALE_VERSION=*
 ARG TAILSCALE_CHANNEL=stable
 RUN apt-get update \
-    && apt-get install -y gnupg curl ssh \
+    && apt-get install -y gnupg curl ssh dnsutils ca-certificates \
-    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
+    && adduser --shell=/bin/bash ssh-it-user
 # Tailscale is deliberately split into a second stage so we can cash utils as a seperate layer.
 RUN curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
    && apt-get update \
-    && apt-get install -y ca-certificates tailscale=${TAILSCALE_VERSION} dnsutils \
+    && apt-get install -y tailscale=${TAILSCALE_VERSION} \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
 RUN adduser --shell=/bin/bash ssh-it-user
 ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
 RUN chmod 644 /usr/local/share/ca-certificates/server.crt
 RUN update-ca-certificates
--- a/Dockerfile.tailscale-HEAD
+++ b/Dockerfile.tailscale-HEAD
@@ -1,7 +1,7 @@
 FROM golang:latest
 RUN apt-get update \
-    && apt-get install -y ca-certificates dnsutils git iptables ssh \
+    && apt-get install -y dnsutils git iptables ssh ca-certificates \
    && rm -rf /var/lib/apt/lists/*
 RUN useradd --shell=/bin/bash --create-home ssh-it-user
@@ -10,15 +10,8 @@ RUN git clone https://github.com/tailscale/tailscale.git
 WORKDIR /go/tailscale
-RUN git checkout main
+RUN git checkout main \
-
+    && sh build_dist.sh tailscale.com/cmd/tailscale \
-RUN sh build_dist.sh tailscale.com/cmd/tailscale
+    && sh build_dist.sh tailscale.com/cmd/tailscaled \
-RUN sh build_dist.sh tailscale.com/cmd/tailscaled
+    && cp tailscale /usr/local/bin/ \
-
+    && cp tailscaled /usr/local/bin/
 RUN cp tailscale /usr/local/bin/
 RUN cp tailscaled /usr/local/bin/
 ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
 RUN chmod 644 /usr/local/share/ca-certificates/server.crt
 RUN update-ca-certificates
--- a/29
+++ b/29
@@ -36,17 +36,7 @@ test_integration_cli:
 		-v ~/.cache/hs-integration-go:/go \
 		-v $$PWD:$$PWD -w $$PWD \
 		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
-		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
+		go run gotest.tools/gotestsum@latest -- $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
 test_integration_derp:
 	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
 	docker network create headscale-test || true
 	docker run -t --rm \
 		--network headscale-test \
 		-v ~/.cache/hs-integration-go:/go \
 		-v $$PWD:$$PWD -w $$PWD \
 		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
 		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationDERP ./...
 test_integration_v2_general:
 	docker run \
@@ -56,13 +46,7 @@ test_integration_v2_general:
 		-v $$PWD:$$PWD -w $$PWD/integration \
 		-v /var/run/docker.sock:/var/run/docker.sock \
 		golang:1 \
-		go test $(TAGS) -failfast ./... -timeout 120m -parallel 8
+		go run gotest.tools/gotestsum@latest -- $(TAGS) -failfast ./... -timeout 120m -parallel 8
 coverprofile_func:
 	go tool cover -func=coverage.out
 coverprofile_html:
 	go tool cover -html=coverage.out
 lint:
 	golangci-lint run --fix --timeout 10m
@@ -80,11 +64,4 @@ compress: build
 generate:
 	rm -rf gen
-	go run github.com/bufbuild/buf/cmd/buf generate proto
+	buf generate proto
 install-protobuf-plugins:
 	go install \
 		github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway \
 		github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2 \
 		google.golang.org/protobuf/cmd/protoc-gen-go \
 		google.golang.org/grpc/cmd/protoc-gen-go-grpc
--- a/README.md
+++ b/README.md
@@ -32,22 +32,18 @@ organisation.
 ## Design goal
-`headscale` aims to implement a self-hosted, open source alternative to the Tailscale
+Headscale aims to implement a self-hosted, open source alternative to the Tailscale
-control server. `headscale` has a narrower scope and an instance of `headscale`
+control server.
-implements a _single_ Tailnet, which is typically what a single organisation, or
+Headscale's goal is to provide self-hosters and hobbyists with an open-source
-home/personal setup would use.
+server they can use for their projects and labs.
 It implements a narrow scope, a single Tailnet, suitable for a personal use, or a small
 open-source organisation.
-`headscale` uses terms that maps to Tailscale's control server, consult the
+## Supporting Headscale
 [glossary](./docs/glossary.md) for explainations.
 ## Support
 If you like `headscale` and find it useful, there is a sponsorship and donation
 buttons available in the repo.
 If you would like to sponsor features, bugs or prioritisation, reach out to
 one of the maintainers.
 ## Features
 - Full "base" support of Tailscale's features
@@ -79,7 +75,10 @@ one of the maintainers.
 ## Running headscale
-Please have a look at the documentation under [`docs/`](docs/).
+**Please note that we do not support nor encourage the use of reverse proxies
 and container to run Headscale.**
 Please have a look at the [`documentation`](https://headscale.net/).
 ## Graphical Control Panels
@@ -97,11 +96,23 @@ These are community projects not directly affiliated with the Headscale project.
 ## Disclaimer
-1. We have nothing to do with Tailscale, or Tailscale Inc.
+1. This project is not associated with Tailscale Inc.
 2. The purpose of Headscale is maintaining a working, self-hosted Tailscale control panel.
 ## Contributing
 Headscale is "Open Source, acknowledged contribution", this means that any
 contribution will have to be discussed with the Maintainers before being submitted.
 This model has been chosen to reduce the risk of burnout by limiting the
 maintenance overhead of reviewing and validating third-party code.
 Headscale is open to code contributions for bug fixes without discussion.
 If you find mistakes in the documentation, please submit a fix to the documentation.
 ### Requirements
 To contribute to headscale you would need the lastest version of [Go](https://golang.org)
 and [Buf](https://buf.build)(Protobuf generator).
@@ -109,8 +120,6 @@ We recommend using [Nix](https://nixos.org/) to setup a development environment.
 be done with `nix develop`, which will install the tools and give you a shell.
 This guarantees that you will have the same dev env as `headscale` maintainers.
 PRs and suggestions are welcome.
 ### Code style
 To ensure we have some consistency with a growing number of contributions,
@@ -188,13 +197,6 @@ make build
            <sub style="font-size:14px"><b>Juan Font</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/restanrm>
            <img src=https://avatars.githubusercontent.com/u/4344371?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Adrien Raffin-Caboisse/>
            <br />
            <sub style="font-size:14px"><b>Adrien Raffin-Caboisse</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/cure>
            <img src=https://avatars.githubusercontent.com/u/149135?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ward Vandewege/>
@@ -216,8 +218,6 @@ make build
            <sub style="font-size:14px"><b>Benjamin Roberts</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/reynico>
            <img src=https://avatars.githubusercontent.com/u/715768?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Nico/>
@@ -225,6 +225,8 @@ make build
            <sub style="font-size:14px"><b>Nico</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/evenh>
            <img src=https://avatars.githubusercontent.com/u/2701536?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Even Holthe/>
@@ -260,6 +262,13 @@ make build
            <sub style="font-size:14px"><b>unreality</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/mpldr>
            <img src=https://avatars.githubusercontent.com/u/33086936?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Moritz Poldrack/>
            <br />
            <sub style="font-size:14px"><b>Moritz Poldrack</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -270,10 +279,10 @@ make build
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/mpldr>
+        <a href=https://github.com/restanrm>
-            <img src=https://avatars.githubusercontent.com/u/33086936?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Moritz Poldrack/>
+            <img src=https://avatars.githubusercontent.com/u/4344371?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Adrien Raffin-Caboisse/>
            <br />
-            <sub style="font-size:14px"><b>Moritz Poldrack</b></sub>
+            <sub style="font-size:14px"><b>Adrien Raffin-Caboisse</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -350,6 +359,13 @@ make build
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/majst01>
            <img src=https://avatars.githubusercontent.com/u/410110?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan Majer/>
            <br />
            <sub style="font-size:14px"><b>Stefan Majer</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/fdelucchijr>
            <img src=https://avatars.githubusercontent.com/u/69133647?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Fernando De Lucchi/>
@@ -364,13 +380,6 @@ make build
            <sub style="font-size:14px"><b>Orville Q. Song</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/majst01>
            <img src=https://avatars.githubusercontent.com/u/410110?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan Majer/>
            <br />
            <sub style="font-size:14px"><b>Stefan Majer</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/hdhoang>
            <img src=https://avatars.githubusercontent.com/u/12537?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=hdhoang/>
@@ -385,6 +394,15 @@ make build
            <sub style="font-size:14px"><b>bravechamp</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/bravechamp>
            <img src=https://avatars.githubusercontent.com/u/48980452?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=bravechamp/>
            <br />
            <sub style="font-size:14px"><b>bravechamp</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/deonthomasgy>
            <img src=https://avatars.githubusercontent.com/u/150036?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Deon Thomas/>
@@ -392,8 +410,6 @@ make build
            <sub style="font-size:14px"><b>Deon Thomas</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/madjam002>
            <img src=https://avatars.githubusercontent.com/u/679137?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jamie Greeff/>
@@ -429,6 +445,8 @@ make build
            <sub style="font-size:14px"><b>Paul Tötterman</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/samson4649>
            <img src=https://avatars.githubusercontent.com/u/12725953?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Samuel Lock/>
@@ -436,8 +454,6 @@ make build
            <sub style="font-size:14px"><b>Samuel Lock</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/kevin1sMe>
            <img src=https://avatars.githubusercontent.com/u/6886076?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kevinlin/>
@@ -473,6 +489,8 @@ make build
            <sub style="font-size:14px"><b>dbevacqua</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/joshuataylor>
            <img src=https://avatars.githubusercontent.com/u/225131?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Josh Taylor/>
@@ -480,8 +498,6 @@ make build
            <sub style="font-size:14px"><b>Josh Taylor</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/CNLHC>
            <img src=https://avatars.githubusercontent.com/u/21005146?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=LiuHanCheng/>
@@ -517,6 +533,8 @@ make build
            <sub style="font-size:14px"><b>Steven Honson</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ratsclub>
            <img src=https://avatars.githubusercontent.com/u/25647735?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Victor Freire/>
@@ -524,15 +542,6 @@ make build
            <sub style="font-size:14px"><b>Victor Freire</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/lachy2849>
            <img src=https://avatars.githubusercontent.com/u/98844035?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=lachy2849/>
            <br />
            <sub style="font-size:14px"><b>lachy2849</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/t56k>
            <img src=https://avatars.githubusercontent.com/u/12165422?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=thomas/>
@@ -540,6 +549,13 @@ make build
            <sub style="font-size:14px"><b>thomas</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/linsomniac>
            <img src=https://avatars.githubusercontent.com/u/466380?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Sean Reifschneider/>
            <br />
            <sub style="font-size:14px"><b>Sean Reifschneider</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/aberoham>
            <img src=https://avatars.githubusercontent.com/u/586805?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Abraham Ingersoll/>
@@ -561,6 +577,8 @@ make build
            <sub style="font-size:14px"><b>Andrei Pechkurov</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/theryecatcher>
            <img src=https://avatars.githubusercontent.com/u/16442416?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anoop Sundaresh/>
@@ -568,8 +586,6 @@ make build
            <sub style="font-size:14px"><b>Anoop Sundaresh</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/apognu>
            <img src=https://avatars.githubusercontent.com/u/3017182?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Antoine POPINEAU/>
@@ -577,6 +593,13 @@ make build
            <sub style="font-size:14px"><b>Antoine POPINEAU</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/tony1661>
            <img src=https://avatars.githubusercontent.com/u/5287266?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Antonio Fernandez/>
            <br />
            <sub style="font-size:14px"><b>Antonio Fernandez</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/aofei>
            <img src=https://avatars.githubusercontent.com/u/5037285?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Aofei Sheng/>
@@ -591,13 +614,6 @@ make build
            <sub style="font-size:14px"><b>Arnar</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/awoimbee>
            <img src=https://avatars.githubusercontent.com/u/22431493?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Arthur Woimbée/>
            <br />
            <sub style="font-size:14px"><b>Arthur Woimbée</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/avirut>
            <img src=https://avatars.githubusercontent.com/u/27095602?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Avirut Mehta/>
@@ -605,6 +621,8 @@ make build
            <sub style="font-size:14px"><b>Avirut Mehta</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/stensonb>
            <img src=https://avatars.githubusercontent.com/u/933389?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Bryan Stenson/>
@@ -612,8 +630,6 @@ make build
            <sub style="font-size:14px"><b>Bryan Stenson</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/yangchuansheng>
            <img src=https://avatars.githubusercontent.com/u/15308462?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt= Carson Yang/>
@@ -649,6 +665,15 @@ make build
            <sub style="font-size:14px"><b>Felix Yan</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/gabe565>
            <img src=https://avatars.githubusercontent.com/u/7717888?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Gabe Cook/>
            <br />
            <sub style="font-size:14px"><b>Gabe Cook</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/JJGadgets>
            <img src=https://avatars.githubusercontent.com/u/5709019?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=JJGadgets/>
@@ -656,8 +681,6 @@ make build
            <sub style="font-size:14px"><b>JJGadgets</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/hrtkpf>
            <img src=https://avatars.githubusercontent.com/u/42646788?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=hrtkpf/>
@@ -686,6 +709,8 @@ make build
            <sub style="font-size:14px"><b>John Axel Eriksson</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ShadowJonathan>
            <img src=https://avatars.githubusercontent.com/u/22740616?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jonathan de Jong/>
@@ -693,6 +718,20 @@ make build
            <sub style="font-size:14px"><b>Jonathan de Jong</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/JulienFloris>
            <img src=https://avatars.githubusercontent.com/u/20380255?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Julien Zweverink/>
            <br />
            <sub style="font-size:14px"><b>Julien Zweverink</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/win-t>
            <img src=https://avatars.githubusercontent.com/u/1589120?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Kurnia D Win/>
            <br />
            <sub style="font-size:14px"><b>Kurnia D Win</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/foxtrot>
            <img src=https://avatars.githubusercontent.com/u/4153572?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Marc/>
@@ -700,8 +739,6 @@ make build
            <sub style="font-size:14px"><b>Marc</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/magf>
            <img src=https://avatars.githubusercontent.com/u/11992737?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Maxim Gajdaj/>
@@ -716,6 +753,8 @@ make build
            <sub style="font-size:14px"><b>Michael Savage</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/piec>
            <img src=https://avatars.githubusercontent.com/u/781471?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pierre Carru/>
@@ -744,8 +783,6 @@ make build
            <sub style="font-size:14px"><b>rcursaru</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/renovate-bot>
            <img src=https://avatars.githubusercontent.com/u/25180681?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mend Renovate/>
@@ -760,13 +797,8 @@ make build
            <sub style="font-size:14px"><b>Ryan Fowler</b></sub>
        </a>
    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+</tr>
-        <a href=https://github.com/linsomniac>
+<tr>
            <img src=https://avatars.githubusercontent.com/u/466380?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Sean Reifschneider/>
            <br />
            <sub style="font-size:14px"><b>Sean Reifschneider</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/shaananc>
            <img src=https://avatars.githubusercontent.com/u/2287839?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Shaanan Cohney/>
@@ -788,8 +820,6 @@ make build
            <sub style="font-size:14px"><b>sophware</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/m-tanner-dev0>
            <img src=https://avatars.githubusercontent.com/u/97977342?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tanner/>
@@ -804,6 +834,15 @@ make build
            <sub style="font-size:14px"><b>Teteros</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/Teteros>
            <img src=https://avatars.githubusercontent.com/u/5067989?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Teteros/>
            <br />
            <sub style="font-size:14px"><b>Teteros</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/gitter-badger>
            <img src=https://avatars.githubusercontent.com/u/8518239?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=The Gitter Badger/>
@@ -832,8 +871,6 @@ make build
            <sub style="font-size:14px"><b>Tjerk Woudsma</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/y0ngb1n>
            <img src=https://avatars.githubusercontent.com/u/25719408?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Yang Bin/>
@@ -848,6 +885,8 @@ make build
            <sub style="font-size:14px"><b>Yujie Xia</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/newellz2>
            <img src=https://avatars.githubusercontent.com/u/52436542?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zachary Newell/>
@@ -876,8 +915,6 @@ make build
            <sub style="font-size:14px"><b>Ziyuan Han</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/caelansar>
            <img src=https://avatars.githubusercontent.com/u/31852257?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=caelansar/>
@@ -892,6 +929,8 @@ make build
            <sub style="font-size:14px"><b>derelm</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/dnaq>
            <img src=https://avatars.githubusercontent.com/u/1299717?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=dnaq/>
@@ -920,8 +959,6 @@ make build
            <sub style="font-size:14px"><b>jimyag</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/magichuihui>
            <img src=https://avatars.githubusercontent.com/u/10866198?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=suhelen/>
@@ -936,6 +973,8 @@ make build
            <sub style="font-size:14px"><b>sharkonet</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ma6174>
            <img src=https://avatars.githubusercontent.com/u/1449133?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ma6174/>
@@ -951,10 +990,17 @@ make build
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/pernila>
+        <a href=https://github.com/nicholas-yap>
-            <img src=https://avatars.githubusercontent.com/u/12460060?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=pernila/>
+            <img src=https://avatars.githubusercontent.com/u/38109533?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=nicholas-yap/>
            <br />
-            <sub style="font-size:14px"><b>pernila</b></sub>
+            <sub style="font-size:14px"><b>nicholas-yap</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/pernila>
            <img src=https://avatars.githubusercontent.com/u/12460060?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tommi Pernila/>
            <br />
            <sub style="font-size:14px"><b>Tommi Pernila</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -964,8 +1010,6 @@ make build
            <sub style="font-size:14px"><b>phpmalik</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/Wakeful-Cloud>
            <img src=https://avatars.githubusercontent.com/u/38930607?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Wakeful-Cloud/>
@@ -973,6 +1017,8 @@ make build
            <sub style="font-size:14px"><b>Wakeful-Cloud</b></sub>
        </a>
    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/xpzouying>
            <img src=https://avatars.githubusercontent.com/u/3946563?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=zy/>
--- a/acls.go
+++ b/acls.go
@@ -127,21 +127,14 @@ func (h *Headscale) UpdateACLRules() error {
 		return errEmptyPolicy
 	}
-	rules, err := generateACLRules(machines, *h.aclPolicy, h.cfg.OIDC.StripEmaildomain)
+	rules, err := h.aclPolicy.generateFilterRules(machines, h.cfg.OIDC.StripEmaildomain)
 	if err != nil {
 		return err
 	}
 	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
 	h.aclRules = rules
 	// Precompute a map of which sources can reach each destination, this is
 	// to provide quicker lookup when we calculate the peerlist for the map
 	// response to nodes.
 	aclPeerCacheMap := generateACLPeerCacheMap(rules)
 	h.aclPeerCacheMapRW.Lock()
 	h.aclPeerCacheMap = aclPeerCacheMap
 	h.aclPeerCacheMapRW.Unlock()
 	if featureEnableSSH() {
 		sshRules, err := h.generateSSHRules()
 		if err != nil {
@@ -159,91 +152,28 @@ func (h *Headscale) UpdateACLRules() error {
 	return nil
 }
-// generateACLPeerCacheMap takes a list of Tailscale filter rules and generates a map
+// generateFilterRules takes a set of machines and an ACLPolicy and generates a
-// of which Sources ("*" and IPs) can access destinations. This is to speed up the
+// set of Tailscale compatible FilterRules used to allow traffic on clients.
-// process of generating MapResponses when deciding which Peers to inform nodes about.
+func (pol *ACLPolicy) generateFilterRules(
 func generateACLPeerCacheMap(rules []tailcfg.FilterRule) map[string]map[string]struct{} {
 	aclCachePeerMap := make(map[string]map[string]struct{})
 	for _, rule := range rules {
 		for _, srcIP := range rule.SrcIPs {
 			for _, ip := range expandACLPeerAddr(srcIP) {
 				if data, ok := aclCachePeerMap[ip]; ok {
 					for _, dstPort := range rule.DstPorts {
 						for _, dstIP := range expandACLPeerAddr(dstPort.IP) {
 							data[dstIP] = struct{}{}
 						}
 					}
 				} else {
 					dstPortsMap := make(map[string]struct{}, len(rule.DstPorts))
 					for _, dstPort := range rule.DstPorts {
 						for _, dstIP := range expandACLPeerAddr(dstPort.IP) {
 							dstPortsMap[dstIP] = struct{}{}
 						}
 					}
 					aclCachePeerMap[ip] = dstPortsMap
 				}
 			}
 		}
 	}
 	log.Trace().Interface("ACL Cache Map", aclCachePeerMap).Msg("ACL Peer Cache Map generated")
 	return aclCachePeerMap
 }
 // expandACLPeerAddr takes a "tailcfg.FilterRule" "IP" and expands it into
 // something our cache logic can look up, which is "*" or single IP addresses.
 // This is probably quite inefficient, but it is a result of
 // "make it work, then make it fast", and a lot of the ACL stuff does not
 // work, but people have tried to make it fast.
 func expandACLPeerAddr(srcIP string) []string {
 	if ip, err := netip.ParseAddr(srcIP); err == nil {
 		return []string{ip.String()}
 	}
 	if cidr, err := netip.ParsePrefix(srcIP); err == nil {
 		addrs := []string{}
 		ipRange := netipx.RangeOfPrefix(cidr)
 		from := ipRange.From()
 		too := ipRange.To()
 		if from == too {
 			return []string{from.String()}
 		}
 		for from != too && from.Less(too) {
 			addrs = append(addrs, from.String())
 			from = from.Next()
 		}
 		addrs = append(addrs, too.String()) // Add the last IP address in the range
 		return addrs
 	}
 	// probably "*" or other string based "IP"
 	return []string{srcIP}
 }
 func generateACLRules(
 	machines []Machine,
-	aclPolicy ACLPolicy,
+	stripEmailDomain bool,
 	stripEmaildomain bool,
 ) ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}
-	for index, acl := range aclPolicy.ACLs {
+	for index, acl := range pol.ACLs {
 		if acl.Action != "accept" {
 			return nil, errInvalidAction
 		}
 		srcIPs := []string{}
-		for innerIndex, src := range acl.Sources {
+		for srcIndex, src := range acl.Sources {
-			srcs, err := generateACLPolicySrc(machines, aclPolicy, src, stripEmaildomain)
+			srcs, err := pol.getIPsFromSource(src, machines, stripEmailDomain)
 			if err != nil {
 				log.Error().
-					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)
+					Interface("src", src).
 					Int("ACL index", index).
 					Int("Src index", srcIndex).
 					Msgf("Error parsing ACL")
 				return nil, err
 			}
@@ -259,17 +189,19 @@ func generateACLRules(
 		}
 		destPorts := []tailcfg.NetPortRange{}
-		for innerIndex, dest := range acl.Destinations {
+		for destIndex, dest := range acl.Destinations {
-			dests, err := generateACLPolicyDest(
+			dests, err := pol.getNetPortRangeFromDestination(
 				machines,
 				aclPolicy,
 				dest,
 				machines,
 				needsWildcard,
-				stripEmaildomain,
+				stripEmailDomain,
 			)
 			if err != nil {
 				log.Error().
-					Msgf("Error parsing ACL %d, Destination %d", index, innerIndex)
+					Interface("dest", dest).
 					Int("ACL index", index).
 					Int("dest index", destIndex).
 					Msgf("Error parsing ACL")
 				return nil, err
 			}
@@ -340,22 +272,41 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
 		principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources))
 		for innerIndex, rawSrc := range sshACL.Sources {
-			expandedSrcs, err := expandAlias(
+			if isWildcard(rawSrc) {
 				machines,
 				*h.aclPolicy,
 				rawSrc,
 				h.cfg.OIDC.StripEmaildomain,
 			)
 			if err != nil {
 				log.Error().
 					Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
 				return nil, err
 			}
 			for _, expandedSrc := range expandedSrcs {
 				principals = append(principals, &tailcfg.SSHPrincipal{
-					NodeIP: expandedSrc,
+					Any: true,
 				})
 			} else if isGroup(rawSrc) {
 				users, err := h.aclPolicy.getUsersInGroup(rawSrc, h.cfg.OIDC.StripEmaildomain)
 				if err != nil {
 					log.Error().
 						Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
 					return nil, err
 				}
 				for _, user := range users {
 					principals = append(principals, &tailcfg.SSHPrincipal{
 						UserLogin: user,
 					})
 				}
 			} else {
 				expandedSrcs, err := h.aclPolicy.expandAlias(
 					machines,
 					rawSrc,
 					h.cfg.OIDC.StripEmaildomain,
 				)
 				if err != nil {
 					log.Error().
 						Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
 					return nil, err
 				}
 				for _, expandedSrc := range expandedSrcs.Prefixes() {
 					principals = append(principals, &tailcfg.SSHPrincipal{
 						NodeIP: expandedSrc.Addr().String(),
 					})
 				}
 			}
 		}
@@ -364,10 +315,9 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
 			userMap[user] = "="
 		}
 		rules = append(rules, &tailcfg.SSHRule{
-			RuleExpires: nil,
+			Principals: principals,
-			Principals:  principals,
+			SSHUsers:   userMap,
-			SSHUsers:    userMap,
+			Action:     &action,
 			Action:      &action,
 		})
 	}
@@ -391,31 +341,69 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
 	}, nil
 }
-func generateACLPolicySrc(
+// getIPsFromSource returns a set of Source IPs that would be associated
-	machines []Machine,
+// with the given src alias.
-	aclPolicy ACLPolicy,
+func (pol *ACLPolicy) getIPsFromSource(
 	src string,
 	machines []Machine,
 	stripEmaildomain bool,
 ) ([]string, error) {
-	return expandAlias(machines, aclPolicy, src, stripEmaildomain)
+	ipSet, err := pol.expandAlias(machines, src, stripEmaildomain)
 	if err != nil {
 		return []string{}, err
 	}
 	prefixes := []string{}
 	for _, prefix := range ipSet.Prefixes() {
 		prefixes = append(prefixes, prefix.String())
 	}
 	return prefixes, nil
 }
-func generateACLPolicyDest(
+// getNetPortRangeFromDestination returns a set of tailcfg.NetPortRange
-	machines []Machine,
+// which are associated with the dest alias.
-	aclPolicy ACLPolicy,
+func (pol *ACLPolicy) getNetPortRangeFromDestination(
 	dest string,
 	machines []Machine,
 	needsWildcard bool,
 	stripEmaildomain bool,
 ) ([]tailcfg.NetPortRange, error) {
-	tokens := strings.Split(dest, ":")
+	var tokens []string
 	log.Trace().Str("destination", dest).Msg("generating policy destination")
 	// Check if there is a IPv4/6:Port combination, IPv6 has more than
 	// three ":".
 	tokens = strings.Split(dest, ":")
 	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
-		return nil, errInvalidPortFormat
+		port := tokens[len(tokens)-1]
 		maybeIPv6Str := strings.TrimSuffix(dest, ":"+port)
 		log.Trace().Str("maybeIPv6Str", maybeIPv6Str).Msg("")
 		if maybeIPv6, err := netip.ParseAddr(maybeIPv6Str); err != nil && !maybeIPv6.Is6() {
 			log.Trace().Err(err).Msg("trying to parse as IPv6")
 			return nil, fmt.Errorf(
 				"failed to parse destination, tokens %v: %w",
 				tokens,
 				errInvalidPortFormat,
 			)
 		} else {
 			tokens = []string{maybeIPv6Str, port}
 		}
 	}
 	log.Trace().Strs("tokens", tokens).Msg("generating policy destination")
 	var alias string
 	// We can have here stuff like:
 	// git-server:*
 	// 192.168.1.0/24:22
 	// fd7a:115c:a1e0::2:22
 	// fd7a:115c:a1e0::2/128:22
 	// tag:montreal-webserver:80,443
 	// tag:api-server:443
 	// example-host-1:*
@@ -425,9 +413,8 @@ func generateACLPolicyDest(
 		alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
 	}
-	expanded, err := expandAlias(
+	expanded, err := pol.expandAlias(
 		machines,
 		aclPolicy,
 		alias,
 		stripEmaildomain,
 	)
@@ -440,11 +427,11 @@ func generateACLPolicyDest(
 	}
 	dests := []tailcfg.NetPortRange{}
-	for _, d := range expanded {
+	for _, dest := range expanded.Prefixes() {
-		for _, p := range *ports {
+		for _, port := range *ports {
 			pr := tailcfg.NetPortRange{
-				IP:    d,
+				IP:    dest.String(),
-				Ports: p,
+				Ports: port,
 			}
 			dests = append(dests, pr)
 		}
@@ -508,115 +495,67 @@ func parseProtocol(protocol string) ([]int, bool, error) {
 // - a group
 // - a tag
 // - a host
 // - an ip
 // - a cidr
 // and transform these in IPAddresses.
-func expandAlias(
+func (pol *ACLPolicy) expandAlias(
-	machines []Machine,
+	machines Machines,
 	aclPolicy ACLPolicy,
 	alias string,
 	stripEmailDomain bool,
-) ([]string, error) {
+) (*netipx.IPSet, error) {
-	ips := []string{}
+	if isWildcard(alias) {
-	if alias == "*" {
+		return parseIPSet("*", nil)
 		return []string{"*"}, nil
 	}
 	build := netipx.IPSetBuilder{}
 	log.Debug().
 		Str("alias", alias).
 		Msg("Expanding")
-	if strings.HasPrefix(alias, "group:") {
+	// if alias is a group
-		users, err := expandGroup(aclPolicy, alias, stripEmailDomain)
+	if isGroup(alias) {
-		if err != nil {
+		return pol.getIPsFromGroup(alias, machines, stripEmailDomain)
 			return ips, err
 		}
 		for _, n := range users {
 			nodes := filterMachinesByUser(machines, n)
 			for _, node := range nodes {
 				ips = append(ips, node.IPAddresses.ToStringSlice()...)
 			}
 		}
 		return ips, nil
 	}
-	if strings.HasPrefix(alias, "tag:") {
+	// if alias is a tag
-		// check for forced tags
+	if isTag(alias) {
-		for _, machine := range machines {
+		return pol.getIPsFromTag(alias, machines, stripEmailDomain)
 			if contains(machine.ForcedTags, alias) {
 				ips = append(ips, machine.IPAddresses.ToStringSlice()...)
 			}
 		}
 		// find tag owners
 		owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
 		if err != nil {
 			if errors.Is(err, errInvalidTag) {
 				if len(ips) == 0 {
 					return ips, fmt.Errorf(
 						"%w. %v isn't owned by a TagOwner and no forced tags are defined",
 						errInvalidTag,
 						alias,
 					)
 				}
 				return ips, nil
 			} else {
 				return ips, err
 			}
 		}
 		// filter out machines per tag owner
 		for _, user := range owners {
 			machines := filterMachinesByUser(machines, user)
 			for _, machine := range machines {
 				hi := machine.GetHostInfo()
 				if contains(hi.RequestTags, alias) {
 					ips = append(ips, machine.IPAddresses.ToStringSlice()...)
 				}
 			}
 		}
 		return ips, nil
 	}
 	// if alias is a user
-	nodes := filterMachinesByUser(machines, alias)
+	if ips, err := pol.getIPsForUser(alias, machines, stripEmailDomain); ips != nil {
-	nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain)
+		return ips, err
 	for _, n := range nodes {
 		ips = append(ips, n.IPAddresses.ToStringSlice()...)
 	}
 	if len(ips) > 0 {
 		return ips, nil
 	}
 	// if alias is an host
-	if h, ok := aclPolicy.Hosts[alias]; ok {
+	// Note, this is recursive.
-		return []string{h.String()}, nil
+	if h, ok := pol.Hosts[alias]; ok {
 		log.Trace().Str("host", h.String()).Msg("expandAlias got hosts entry")
 		return pol.expandAlias(machines, h.String(), stripEmailDomain)
 	}
 	// if alias is an IP
-	ip, err := netip.ParseAddr(alias)
+	if ip, err := netip.ParseAddr(alias); err == nil {
-	if err == nil {
+		return pol.getIPsFromSingleIP(ip, machines)
 		return []string{ip.String()}, nil
 	}
-	// if alias is an CIDR
+	// if alias is an IP Prefix (CIDR)
-	cidr, err := netip.ParsePrefix(alias)
+	if prefix, err := netip.ParsePrefix(alias); err == nil {
-	if err == nil {
+		return pol.getIPsFromIPPrefix(prefix, machines)
 		return []string{cidr.String()}, nil
 	}
 	log.Warn().Msgf("No IPs found with the alias %v", alias)
-	return ips, nil
+	return build.IPSet()
 }
 // excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
 // that are correctly tagged since they should not be listed as being in the user
 // we assume in this function that we only have nodes from 1 user.
 func excludeCorrectlyTaggedNodes(
-	aclPolicy ACLPolicy,
+	aclPolicy *ACLPolicy,
 	nodes []Machine,
 	user string,
 	stripEmailDomain bool,
@@ -624,7 +563,7 @@ func excludeCorrectlyTaggedNodes(
 	out := []Machine{}
 	tags := []string{}
 	for tag := range aclPolicy.TagOwners {
-		owners, _ := expandTagOwners(aclPolicy, user, stripEmailDomain)
+		owners, _ := getTagOwners(aclPolicy, user, stripEmailDomain)
 		ns := append(owners, user)
 		if contains(ns, user) {
 			tags = append(tags, tag)
@@ -654,7 +593,7 @@ func excludeCorrectlyTaggedNodes(
 }
 func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, error) {
-	if portsStr == "*" {
+	if isWildcard(portsStr) {
 		return &[]tailcfg.PortRange{
 			{First: portRangeBegin, Last: portRangeEnd},
 		}, nil
@@ -666,6 +605,7 @@ func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, err
 	ports := []tailcfg.PortRange{}
 	for _, portStr := range strings.Split(portsStr, ",") {
 		log.Trace().Msgf("parsing portstring: %s", portStr)
 		rang := strings.Split(portStr, "-")
 		switch len(rang) {
 		case 1:
@@ -711,15 +651,15 @@ func filterMachinesByUser(machines []Machine, user string) []Machine {
 	return out
 }
-// expandTagOwners will return a list of user. An owner can be either a user or a group
+// getTagOwners will return a list of user. An owner can be either a user or a group
 // a group cannot be composed of groups.
-func expandTagOwners(
+func getTagOwners(
-	aclPolicy ACLPolicy,
+	pol *ACLPolicy,
 	tag string,
 	stripEmailDomain bool,
 ) ([]string, error) {
 	var owners []string
-	ows, ok := aclPolicy.TagOwners[tag]
+	ows, ok := pol.TagOwners[tag]
 	if !ok {
 		return []string{}, fmt.Errorf(
 			"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners",
@@ -728,8 +668,8 @@ func expandTagOwners(
 		)
 	}
 	for _, owner := range ows {
-		if strings.HasPrefix(owner, "group:") {
+		if isGroup(owner) {
-			gs, err := expandGroup(aclPolicy, owner, stripEmailDomain)
+			gs, err := pol.getUsersInGroup(owner, stripEmailDomain)
 			if err != nil {
 				return []string{}, err
 			}
@@ -742,15 +682,15 @@ func expandTagOwners(
 	return owners, nil
 }
-// expandGroup will return the list of user inside the group
+// getUsersInGroup will return the list of user inside the group
 // after some validation.
-func expandGroup(
+func (pol *ACLPolicy) getUsersInGroup(
 	aclPolicy ACLPolicy,
 	group string,
 	stripEmailDomain bool,
 ) ([]string, error) {
-	outGroups := []string{}
+	users := []string{}
-	aclGroups, ok := aclPolicy.Groups[group]
+	log.Trace().Caller().Interface("pol", pol).Msg("test")
 	aclGroups, ok := pol.Groups[group]
 	if !ok {
 		return []string{}, fmt.Errorf(
 			"group %v isn't registered. %w",
@@ -759,7 +699,7 @@ func expandGroup(
 		)
 	}
 	for _, group := range aclGroups {
-		if strings.HasPrefix(group, "group:") {
+		if isGroup(group) {
 			return []string{}, fmt.Errorf(
 				"%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups",
 				errInvalidGroup,
@@ -773,8 +713,151 @@ func expandGroup(
 				errInvalidGroup,
 			)
 		}
-		outGroups = append(outGroups, grp)
+		users = append(users, grp)
 	}
-	return outGroups, nil
+	return users, nil
 }
 func (pol *ACLPolicy) getIPsFromGroup(
 	group string,
 	machines Machines,
 	stripEmailDomain bool,
 ) (*netipx.IPSet, error) {
 	build := netipx.IPSetBuilder{}
 	users, err := pol.getUsersInGroup(group, stripEmailDomain)
 	if err != nil {
 		return &netipx.IPSet{}, err
 	}
 	for _, user := range users {
 		filteredMachines := filterMachinesByUser(machines, user)
 		for _, machine := range filteredMachines {
 			machine.IPAddresses.AppendToIPSet(&build)
 		}
 	}
 	return build.IPSet()
 }
 func (pol *ACLPolicy) getIPsFromTag(
 	alias string,
 	machines Machines,
 	stripEmailDomain bool,
 ) (*netipx.IPSet, error) {
 	build := netipx.IPSetBuilder{}
 	// check for forced tags
 	for _, machine := range machines {
 		if contains(machine.ForcedTags, alias) {
 			machine.IPAddresses.AppendToIPSet(&build)
 		}
 	}
 	// find tag owners
 	owners, err := getTagOwners(pol, alias, stripEmailDomain)
 	if err != nil {
 		if errors.Is(err, errInvalidTag) {
 			ipSet, _ := build.IPSet()
 			if len(ipSet.Prefixes()) == 0 {
 				return ipSet, fmt.Errorf(
 					"%w. %v isn't owned by a TagOwner and no forced tags are defined",
 					errInvalidTag,
 					alias,
 				)
 			}
 			return build.IPSet()
 		} else {
 			return nil, err
 		}
 	}
 	// filter out machines per tag owner
 	for _, user := range owners {
 		machines := filterMachinesByUser(machines, user)
 		for _, machine := range machines {
 			hi := machine.GetHostInfo()
 			if contains(hi.RequestTags, alias) {
 				machine.IPAddresses.AppendToIPSet(&build)
 			}
 		}
 	}
 	return build.IPSet()
 }
 func (pol *ACLPolicy) getIPsForUser(
 	user string,
 	machines Machines,
 	stripEmailDomain bool,
 ) (*netipx.IPSet, error) {
 	build := netipx.IPSetBuilder{}
 	filteredMachines := filterMachinesByUser(machines, user)
 	filteredMachines = excludeCorrectlyTaggedNodes(pol, filteredMachines, user, stripEmailDomain)
 	// shortcurcuit if we have no machines to get ips from.
 	if len(filteredMachines) == 0 {
 		return nil, nil //nolint
 	}
 	for _, machine := range filteredMachines {
 		machine.IPAddresses.AppendToIPSet(&build)
 	}
 	return build.IPSet()
 }
 func (pol *ACLPolicy) getIPsFromSingleIP(
 	ip netip.Addr,
 	machines Machines,
 ) (*netipx.IPSet, error) {
 	log.Trace().Str("ip", ip.String()).Msg("expandAlias got ip")
 	matches := machines.FilterByIP(ip)
 	build := netipx.IPSetBuilder{}
 	build.Add(ip)
 	for _, machine := range matches {
 		machine.IPAddresses.AppendToIPSet(&build)
 	}
 	return build.IPSet()
 }
 func (pol *ACLPolicy) getIPsFromIPPrefix(
 	prefix netip.Prefix,
 	machines Machines,
 ) (*netipx.IPSet, error) {
 	log.Trace().Str("prefix", prefix.String()).Msg("expandAlias got prefix")
 	build := netipx.IPSetBuilder{}
 	build.AddPrefix(prefix)
 	// This is suboptimal and quite expensive, but if we only add the prefix, we will miss all the relevant IPv6
 	// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
 	for _, machine := range machines {
 		for _, ip := range machine.IPAddresses {
 			// log.Trace().
 			// 	Msgf("checking if machine ip (%s) is part of prefix (%s): %v, is single ip prefix (%v), addr: %s", ip.String(), prefix.String(), prefix.Contains(ip), prefix.IsSingleIP(), prefix.Addr().String())
 			if prefix.Contains(ip) {
 				machine.IPAddresses.AppendToIPSet(&build)
 			}
 		}
 	}
 	return build.IPSet()
 }
 func isWildcard(str string) bool {
 	return str == "*"
 }
 func isGroup(str string) bool {
 	return strings.HasPrefix(str, "group:")
 }
 func isTag(str string) bool {
 	return strings.HasPrefix(str, "tag:")
 }
--- a/acls_test.go
+++ b/acls_test.go
--- a/acls_types.go
+++ b/acls_types.go
@@ -111,8 +111,8 @@ func (hosts *Hosts) UnmarshalYAML(data []byte) error {
 }
 // IsZero is perhaps a bit naive here.
-func (policy ACLPolicy) IsZero() bool {
+func (pol ACLPolicy) IsZero() bool {
-	if len(policy.Groups) == 0 && len(policy.Hosts) == 0 && len(policy.ACLs) == 0 {
+	if len(pol.Groups) == 0 && len(pol.Hosts) == 0 && len(pol.ACLs) == 0 {
 		return true
 	}
--- a/app.go
+++ b/app.go
@@ -84,11 +84,9 @@ type Headscale struct {
 	DERPMap    *tailcfg.DERPMap
 	DERPServer *DERPServer
-	aclPolicy         *ACLPolicy
+	aclPolicy *ACLPolicy
-	aclRules          []tailcfg.FilterRule
+	aclRules  []tailcfg.FilterRule
-	aclPeerCacheMapRW sync.RWMutex
+	sshPolicy *tailcfg.SSHPolicy
 	aclPeerCacheMap   map[string]map[string]struct{}
 	sshPolicy         *tailcfg.SSHPolicy
 	lastStateChange *xsync.MapOf[string, time.Time]
@@ -820,7 +818,6 @@ func (h *Headscale) Serve() error {
 				// And we're done:
 				cancel()
 				os.Exit(0)
 			}
 		}
 	}
--- a/cmd/build-docker-img/main.go
+++ b/cmd/build-docker-img/main.go
@@ -0,0 +1,47 @@
 package main
 import (
 	"log"
 	"github.com/juanfont/headscale/integration"
 	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/ory/dockertest/v3"
 )
 func main() {
 	log.Printf("creating docker pool")
 	pool, err := dockertest.NewPool("")
 	if err != nil {
 		log.Fatalf("could not connect to docker: %s", err)
 	}
 	log.Printf("creating docker network")
 	network, err := pool.CreateNetwork("docker-integration-net")
 	if err != nil {
 		log.Fatalf("failed to create or get network: %s", err)
 	}
 	for _, version := range integration.TailscaleVersions {
 		log.Printf("creating container image for Tailscale (%s)", version)
 		tsClient, err := tsic.New(
 			pool,
 			version,
 			network,
 		)
 		if err != nil {
 			log.Fatalf("failed to create tailscale node: %s", err)
 		}
 		err = tsClient.Shutdown()
 		if err != nil {
 			log.Fatalf("failed to shut down container: %s", err)
 		}
 	}
 	network.Close()
 	err = pool.RemoveNetwork(network)
 	if err != nil {
 		log.Fatalf("failed to remove network: %s", err)
 	}
 }
--- a/cmd/gh-action-integration-generator/main.go
+++ b/cmd/gh-action-integration-generator/main.go
@@ -76,6 +76,12 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
      - uses: actions/upload-artifact@v3
        if: always() && steps.changed-files.outputs.any_changed == 'true'
        with:
          name: pprof
          path: "control_logs/*.pprof.tar"
 `),
 	)
 )
--- a/cmd/headscale/headscale.go
+++ b/cmd/headscale/headscale.go
@@ -6,11 +6,25 @@ import (
 	"github.com/efekarakus/termcolor"
 	"github.com/juanfont/headscale/cmd/headscale/cli"
 	"github.com/pkg/profile"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 )
 func main() {
 	if _, enableProfile := os.LookupEnv("HEADSCALE_PROFILING_ENABLED"); enableProfile {
 		if profilePath, ok := os.LookupEnv("HEADSCALE_PROFILING_PATH"); ok {
 			err := os.MkdirAll(profilePath, os.ModePerm)
 			if err != nil {
 				log.Fatal().Err(err).Msg("failed to create profiling directory")
 			}
 			defer profile.Start(profile.ProfilePath(profilePath)).Stop()
 		} else {
 			defer profile.Start().Stop()
 		}
 	}
 	var colors bool
 	switch l := termcolor.SupportLevel(os.Stderr); l {
 	case termcolor.Level16M:
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -58,11 +58,12 @@ noise:
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
-# While this looks like it can take arbitrary values, it
+# It must be within IP ranges supported by the Tailscale
-# needs to be within IP ranges supported by the Tailscale
+# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
-# client.
+# See below:
 # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
 # Any other range is NOT supported, and it will cause unexpected issues.
 ip_prefixes:
  - fd7a:115c:a1e0::/48
  - 100.64.0.0/10
--- a/config.go
+++ b/config.go
@@ -16,6 +16,7 @@ import (
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/viper"
 	"go4.org/netipx"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 )
@@ -515,6 +516,29 @@ func GetHeadscaleConfig() (*Config, error) {
 		if err != nil {
 			panic(fmt.Errorf("failed to parse ip_prefixes[%d]: %w", i, err))
 		}
 		if prefix.Addr().Is4() {
 			builder := netipx.IPSetBuilder{}
 			builder.AddPrefix(tsaddr.CGNATRange())
 			ipSet, _ := builder.IPSet()
 			if !ipSet.ContainsPrefix(prefix) {
 				log.Warn().
 					Msgf("Prefix %s is not in the %s range. This is an unsupported configuration.",
 						prefixInConfig, tsaddr.CGNATRange())
 			}
 		}
 		if prefix.Addr().Is6() {
 			builder := netipx.IPSetBuilder{}
 			builder.AddPrefix(tsaddr.TailscaleULARange())
 			ipSet, _ := builder.IPSet()
 			if !ipSet.ContainsPrefix(prefix) {
 				log.Warn().
 					Msgf("Prefix %s is not in the %s range. This is an unsupported configuration.",
 						prefixInConfig, tsaddr.TailscaleULARange())
 			}
 		}
 		parsedPrefixes = append(parsedPrefixes, prefix)
 	}
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,56 +0,0 @@
 # headscale documentation
 This page contains the official and community contributed documentation for `headscale`.
 If you are having trouble with following the documentation or get unexpected results,
 please ask on [Discord](https://discord.gg/c84AZQhmpx) instead of opening an Issue.
 ## Official documentation
 ### How-to
 - [Running headscale on Linux](running-headscale-linux.md)
 - [Control headscale remotely](remote-cli.md)
 - [Using a Windows client with headscale](windows-client.md)
 - [Configuring OIDC](oidc.md)
 ### References
 - [Configuration](../config-example.yaml)
 - [Glossary](glossary.md)
 - [TLS](tls.md)
 ## Community documentation
 Community documentation is not actively maintained by the headscale authors and is
 written by community members. It is _not_ verified by `headscale` developers.
 **It might be outdated and it might miss necessary steps**.
 - [Running headscale in a container](running-headscale-container.md)
 - [Running headscale on OpenBSD](running-headscale-openbsd.md)
 - [Running headscale behind a reverse proxy](reverse-proxy.md)
 - [Set Custom DNS records](dns-records.md)
 ## Misc
 ### Policy ACLs
 Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.
 For instance, instead of referring to users when defining groups you must
 use users (which are the equivalent to user/logins in Tailscale.com).
 Please check https://tailscale.com/kb/1018/acls/, and `./tests/acls/` in this repo for working examples.
 When using ACL's the User borders are no longer applied. All machines
 whichever the User have the ability to communicate with other hosts as
 long as the ACL's permits this exchange.
 The [ACLs](acls.md) document should help understand a fictional case of setting
 up ACLs in a small company. All concepts presented in this document could be
 applied outside of business oriented usage.
 ### Apple devices
 An endpoint with information on how to connect your Apple devices (currently macOS only) is available at `/apple` on your running instance.
--- a/docs/acls.md
+++ b/docs/acls.md
@@ -1,4 +1,15 @@
-# ACLs use case example
+Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.
 For instance, instead of referring to users when defining groups you must
 use users (which are the equivalent to user/logins in Tailscale.com).
 Please check https://tailscale.com/kb/1018/acls/, and `./tests/acls/` in this repo for working examples.
 When using ACL's the User borders are no longer applied. All machines
 whichever the User have the ability to communicate with other hosts as
 long as the ACL's permits this exchange.
 ## ACLs use case example
 Let's build an example use case for a small business (It may be the place where
 ACL's are the most useful).
--- a/docs/dns-records.md
+++ b/docs/dns-records.md
@@ -1,5 +1,12 @@
 # Setting custom DNS records
 !!! warning "Community documentation"
    This page is not actively maintained by the headscale authors and is
    written by community members. It is _not_ verified by `headscale` developers.
    **It might be outdated and it might miss necessary steps**.
 ## Goal
 This documentation has the goal of showing how a user can set custom DNS records with `headscale`s magic dns.
--- a/docs/exit-node.md
+++ b/docs/exit-node.md
@@ -14,6 +14,8 @@ If the node is already registered, it can advertise exit capabilities like this:
 $ sudo tailscale set --advertise-exit-node
 ```
 To use a node as an exit node, IP forwarding must be enabled on the node. Check the official [Tailscale documentation](https://tailscale.com/kb/1019/subnets/?tab=linux#enable-ip-forwarding) for how to enable IP fowarding.
 ## On the control server
 ```console
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -0,0 +1,53 @@
 ---
 hide:
  - navigation
 ---
 # Frequently Asked Questions
 ## What is the design goal of headscale?
 `headscale` aims to implement a self-hosted, open source alternative to the [Tailscale](https://tailscale.com/)
 control server.
 `headscale`'s goal is to provide self-hosters and hobbyists with an open-source
 server they can use for their projects and labs.
 It implements a narrow scope, a _single_ Tailnet, suitable for a personal use, or a small
 open-source organisation.
 ## How can I contribute?
 Headscale is "Open Source, acknowledged contribution", this means that any
 contribution will have to be discussed with the Maintainers before being submitted.
 Headscale is open to code contributions for bug fixes without discussion.
 If you find mistakes in the documentation, please also submit a fix to the documentation.
 ## Why is 'acknowledged contribution' the chosen model?
 Both maintainers have full-time jobs and families, and we want to avoid burnout. We also want to avoid frustration from contributors when their PRs are not accepted.
 We are more than happy to exchange emails, or to have dedicated calls before a PR is submitted.
 ## When/Why is Feature X going to be implemented?
 We don't know. We might be working on it. If you want to help, please send us a PR.
 Please be aware that there are a number of reasons why we might not accept specific contributions:
 - It is not possible to implement the feature in a way that makes sense in a self-hosted environment.
 - Given that we are reverse-engineering Tailscale to satify our own curiosity, we might be interested in implementing the feature ourselves.
 - You are not sending unit and integration tests with it.
 ## Do you support Y method of deploying Headscale?
 We currently support deploying `headscale` using our binaries and the DEB packages. Both can be found in the
 [GitHub releases page](https://github.com/juanfont/headscale/releases).
 In addition to that, there are semi-official RPM packages by the Fedora infra team https://copr.fedorainfracloud.org/coprs/jonathanspw/headscale/
 For convenience, we also build Docker images with `headscale`. But **please be aware that we don't officially support deploying `headscale` using Docker**. We have a [Discord channel](https://discord.com/channels/896711691637780480/1070619770942148618) where you can ask for Docker-specific help to the community.
 ## Why is my reverse proxy not working with Headscale?
 We don't know. We don't use reverse proxies with `headscale` ourselves, so we don't have any experience with them. We have [community documentation](https://headscale.net/reverse-proxy/) on how to configure various reverse proxies, and a dedicated [Discord channel](https://discord.com/channels/896711691637780480/1070619818346164324) where you can ask for help to the community.
--- a/docs/iOS-client.md
+++ b/docs/iOS-client.md
@@ -12,6 +12,11 @@ Ensure that the installed version is at least 1.38.1, as that is the first relea
 ## Configuring the headscale URL
 !!! info "Apple devices"
    An endpoint with information on how to connect your Apple devices
    (currently macOS only) is available at `/apple` on your running instance.
 Ensure that the tailscale app is logged out before proceeding.
 Go to iOS settings, scroll down past game center and tv provider to the tailscale app and select it. The headscale URL can be entered into the _"ALTERNATE COORDINATION SERVER URL"_ box.
--- a/docs/index.md
+++ b/docs/index.md
@@ -0,0 +1,43 @@
 ---
 hide:
  - navigation
  - toc
 ---
 # headscale
 `headscale` is an open source, self-hosted implementation of the Tailscale control server.
 This page contains the documentation for the latest version of headscale. Please also check our [FAQ](/faq/).
 Join our [Discord](https://discord.gg/c84AZQhmpx) server for a chat and community support.
 ## Design goal
 Headscale aims to implement a self-hosted, open source alternative to the Tailscale
 control server.
 Headscale's goal is to provide self-hosters and hobbyists with an open-source
 server they can use for their projects and labs.
 It implements a narrower scope, a single Tailnet, suitable for a personal use, or a small
 open-source organisation.
 ## Supporting headscale
 If you like `headscale` and find it useful, there is a sponsorship and donation
 buttons available in the repo.
 ## Contributing
 Headscale is "Open Source, acknowledged contribution", this means that any
 contribution will have to be discussed with the Maintainers before being submitted.
 This model has been chosen to reduce the risk of burnout by limiting the
 maintenance overhead of reviewing and validating third-party code.
 Headscale is open to code contributions for bug fixes without discussion.
 If you find mistakes in the documentation, please submit a fix to the documentation.
 ## About
 `headscale` is maintained by [Kristoffer Dalby](https://kradalby.no/) and [Juan Font](https://font.eu).
--- a/docs/packaging/headscale.systemd.service
+++ b/docs/packaging/headscale.systemd.service
@@ -16,7 +16,7 @@ WorkingDirectory=/var/lib/headscale
 ReadWritePaths=/var/lib/headscale /var/run
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
-CapabilityBoundingSet=CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
 LockPersonality=true
 NoNewPrivileges=true
 PrivateDevices=true
--- a/docs/packaging/postinstall.sh
+++ b/docs/packaging/postinstall.sh
@@ -64,6 +64,7 @@ summary() {
 	echo ""
 	echo " Please follow the next steps to start the software:"
 	echo ""
 	echo "    sudo systemctl enable headscale"
 	echo "    sudo systemctl start headscale"
 	echo ""
 	echo " Configuration settings can be adjusted here:"
--- a/docs/reverse-proxy.md
+++ b/docs/reverse-proxy.md
@@ -1,5 +1,12 @@
 # Running headscale behind a reverse proxy
 !!! warning "Community documentation"
    This page is not actively maintained by the headscale authors and is
    written by community members. It is _not_ verified by `headscale` developers.
    **It might be outdated and it might miss necessary steps**.
 Running headscale behind a reverse proxy is useful when running multiple applications on the same server, and you want to reuse the same external IP and port - usually tcp/443 for HTTPS.
 ### WebSockets
--- a/docs/running-headscale-container.md
+++ b/docs/running-headscale-container.md
@@ -1,7 +1,11 @@
 # Running headscale in a container
-**Note:** the container documentation is maintained by the _community_ and there is no guarentee
+!!! warning "Community documentation"
-it is up to date, or working.
+
    This page is not actively maintained by the headscale authors and is
    written by community members. It is _not_ verified by `headscale` developers.
    **It might be outdated and it might miss necessary steps**.
 ## Goal
@@ -24,7 +28,7 @@ cd ./headscale
 touch ./config/db.sqlite
 ```
-3. **(Strongly Recommended)** Download a copy of the [example configuration](../config-example.yaml) from the [headscale repository](https://github.com/juanfont/headscale/).
+3. **(Strongly Recommended)** Download a copy of the [example configuration][config-example.yaml](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
 Using wget:
--- a/docs/running-headscale-linux-manual.md
+++ b/docs/running-headscale-linux-manual.md
@@ -0,0 +1,198 @@
 # Running headscale on Linux
 ## Note: Outdated and "advanced"
 This documentation is considered the "legacy"/advanced/manual version of the documentation, you most likely do not
 want to use this documentation and rather look at the distro specific documentation (TODO LINK)[].
 ## Goal
 This documentation has the goal of showing a user how-to set up and run `headscale` on Linux.
 In additional to the "get up and running section", there is an optional [SystemD section](#running-headscale-in-the-background-with-systemd)
 describing how to make `headscale` run properly in a server environment.
 ## Configure and run `headscale`
 1. Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
 ```shell
 wget --output-document=/usr/local/bin/headscale \
   https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>
 ```
 2. Make `headscale` executable:
 ```shell
 chmod +x /usr/local/bin/headscale
 ```
 3. Prepare a directory to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
 ```shell
 # Directory for configuration
 mkdir -p /etc/headscale
 # Directory for Database, and other variable data (like certificates)
 mkdir -p /var/lib/headscale
 # or if you create a headscale user:
 useradd \
 	--create-home \
 	--home-dir /var/lib/headscale/ \
 	--system \
 	--user-group \
 	--shell /usr/bin/nologin \
 	headscale
 ```
 4. Create an empty SQLite database:
 ```shell
 touch /var/lib/headscale/db.sqlite
 ```
 5. Create a `headscale` configuration:
 ```shell
 touch /etc/headscale/config.yaml
 ```
 **(Strongly Recommended)** Download a copy of the [example configuration][config-example.yaml](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
 6. Start the headscale server:
 ```shell
 headscale serve
 ```
 This command will start `headscale` in the current terminal session.
 ---
 To continue the tutorial, open a new terminal and let it run in the background.
 Alternatively use terminal emulators like [tmux](https://github.com/tmux/tmux) or [screen](https://www.gnu.org/software/screen/).
 To run `headscale` in the background, please follow the steps in the [SystemD section](#running-headscale-in-the-background-with-systemd) before continuing.
 7. Verify `headscale` is running:
 Verify `headscale` is available:
 ```shell
 curl http://127.0.0.1:9090/metrics
 ```
 8. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
 ```shell
 headscale users create myfirstuser
 ```
 ### Register a machine (normal login)
 On a client machine, execute the `tailscale` login command:
 ```shell
 tailscale up --login-server YOUR_HEADSCALE_URL
 ```
 Register the machine:
 ```shell
 headscale --user myfirstuser nodes register --key <YOUR_MACHINE_KEY>
 ```
 ### Register machine using a pre authenticated key
 Generate a key using the command line:
 ```shell
 headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
 ```
 This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
 ```shell
 tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
 ```
 ## Running `headscale` in the background with SystemD
 :warning: **Deprecated**: This part is very outdated and you should use the [pre-packaged Headscale for this](./running-headscale-linux.md
 This section demonstrates how to run `headscale` as a service in the background with [SystemD](https://www.freedesktop.org/wiki/Software/systemd/).
 This should work on most modern Linux distributions.
 1. Create a SystemD service configuration at `/etc/systemd/system/headscale.service` containing:
 ```systemd
 [Unit]
 Description=headscale controller
 After=syslog.target
 After=network.target
 [Service]
 Type=simple
 User=headscale
 Group=headscale
 ExecStart=/usr/local/bin/headscale serve
 Restart=always
 RestartSec=5
 # Optional security enhancements
 NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectSystem=strict
 ProtectHome=yes
 WorkingDirectory=/var/lib/headscale
 ReadWritePaths=/var/lib/headscale /var/run/headscale
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 RuntimeDirectory=headscale
 [Install]
 WantedBy=multi-user.target
 ```
 Note that when running as the headscale user ensure that, either you add your current user to the headscale group:
 ```shell
 usermod -a -G headscale current_user
 ```
 or run all headscale commands as the headscale user:
 ```shell
 su - headscale
 ```
 2. In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with path that is writable by the `headscale` user or group:
 ```yaml
 unix_socket: /var/run/headscale/headscale.sock
 ```
 3. Reload SystemD to load the new configuration file:
 ```shell
 systemctl daemon-reload
 ```
 4. Enable and start the new `headscale` service:
 ```shell
 systemctl enable --now headscale
 ```
 5. Verify the headscale service:
 ```shell
 systemctl status headscale
 ```
 Verify `headscale` is available:
 ```shell
 curl http://127.0.0.1:9090/metrics
 ```
 `headscale` will now run in the background and start at boot.
--- a/docs/running-headscale-linux.md
+++ b/docs/running-headscale-linux.md
@@ -1,84 +1,65 @@
 # Running headscale on Linux
 ## Requirements
 - Ubuntu 20.04 or newer, Debian 11 or newer.
 ## Goal
-This documentation has the goal of showing a user how-to set up and run `headscale` on Linux.
+Get Headscale up and running.
 In additional to the "get up and running section", there is an optional [SystemD section](#running-headscale-in-the-background-with-systemd)
 describing how to make `headscale` run properly in a server environment.
-## Configure and run `headscale`
+This includes running Headscale with SystemD.
-1. Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
+## Migrating from manual install
 If you are migrating from the old manual install, the best thing would be to remove
 the files installed by following [the guide in reverse](./running-headscale-linux-manual.md).
 You should _not_ delete the database (`/var/headscale/db.sqlite`) and the
 configuration (`/etc/headscale/config.yaml`).
 ## Installation
 1. Download the lastest Headscale package for your platform (`.deb` for Ubuntu and Debian) from [Headscale's releases page](https://github.com/juanfont/headscale/releases):
 ```shell
-wget --output-document=/usr/local/bin/headscale \
+wget --output-document=headscale.deb \
-   https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>
+  https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>.deb
 ```
-2. Make `headscale` executable:
+2. Install Headscale:
 ```shell
-chmod +x /usr/local/bin/headscale
+sudo dpkg --install headscale.deb
 ```
-3. Prepare a directory to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
+3. Enable Headscale service, this will start Headscale at boot:
 ```shell
-# Directory for configuration
+sudo systemctl enable headscale
 mkdir -p /etc/headscale
 # Directory for Database, and other variable data (like certificates)
 mkdir -p /var/lib/headscale
 # or if you create a headscale user:
 useradd \
 	--create-home \
 	--home-dir /var/lib/headscale/ \
 	--system \
 	--user-group \
 	--shell /usr/bin/nologin \
 	headscale
 ```
-4. Create an empty SQLite database:
+4. Configure Headscale by editing the configuration file:
 ```shell
-touch /var/lib/headscale/db.sqlite
+nano /etc/headscale/config.yaml
 ```
-5. Create a `headscale` configuration:
+5. Start Headscale:
 ```shell
-touch /etc/headscale/config.yaml
+sudo systemctl start headscale
 ```
-It is **strongly recommended** to copy and modify the [example configuration](../config-example.yaml)
+6. Check that Headscale is running as intended:
 from the [headscale repository](../)
 6. Start the headscale server:
 ```shell
-headscale serve
+systemctl status headscale
 ```
-This command will start `headscale` in the current terminal session.
+## Using Headscale
---
+### Create a user
 To continue the tutorial, open a new terminal and let it run in the background.
 Alternatively use terminal emulators like [tmux](https://github.com/tmux/tmux) or [screen](https://www.gnu.org/software/screen/).
 To run `headscale` in the background, please follow the steps in the [SystemD section](#running-headscale-in-the-background-with-systemd) before continuing.
 7. Verify `headscale` is running:
 Verify `headscale` is available:
 ```shell
 curl http://127.0.0.1:9090/metrics
 ```
 8. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
 ```shell
 headscale users create myfirstuser
@@ -86,16 +67,16 @@ headscale users create myfirstuser
 ### Register a machine (normal login)
-On a client machine, execute the `tailscale` login command:
+On a client machine, run the `tailscale` login command:
 ```shell
-tailscale up --login-server YOUR_HEADSCALE_URL
+tailscale up --login-server <YOUR_HEADSCALE_URL>
 ```
 Register the machine:
 ```shell
-headscale --user myfirstuser nodes register --key <YOU_+MACHINE_KEY>
+headscale --user myfirstuser nodes register --key <YOUR_MACHINE_KEY>
 ```
 ### Register machine using a pre authenticated key
@@ -106,87 +87,9 @@ Generate a key using the command line:
 headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
 ```
-This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
+This will return a pre-authenticated key that is used to
 connect a node to `headscale` during the `tailscale` command:
 ```shell
 tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
 ```
 ## Running `headscale` in the background with SystemD
 This section demonstrates how to run `headscale` as a service in the background with [SystemD](https://www.freedesktop.org/wiki/Software/systemd/).
 This should work on most modern Linux distributions.
 1. Create a SystemD service configuration at `/etc/systemd/system/headscale.service` containing:
 ```systemd
 [Unit]
 Description=headscale controller
 After=syslog.target
 After=network.target
 [Service]
 Type=simple
 User=headscale
 Group=headscale
 ExecStart=/usr/local/bin/headscale serve
 Restart=always
 RestartSec=5
 # Optional security enhancements
 NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectSystem=strict
 ProtectHome=yes
 WorkingDirectory=/var/lib/headscale
 ReadWritePaths=/var/lib/headscale /var/run/headscale
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 RuntimeDirectory=headscale
 [Install]
 WantedBy=multi-user.target
 ```
 Note that when running as the headscale user ensure that, either you add your current user to the headscale group:
 ```shell
 usermod -a -G headscale current_user
 ```
 or run all headscale commands as the headscale user:
 ```shell
 su - headscale
 ```
 2. In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with path that is writable by the `headscale` user or group:
 ```yaml
 unix_socket: /var/run/headscale/headscale.sock
 ```
 3. Reload SystemD to load the new configuration file:
 ```shell
 systemctl daemon-reload
 ```
 4. Enable and start the new `headscale` service:
 ```shell
 systemctl enable --now headscale
 ```
 5. Verify the headscale service:
 ```shell
 systemctl status headscale
 ```
 Verify `headscale` is available:
 ```shell
 curl http://127.0.0.1:9090/metrics
 ```
 `headscale` will now run in the background and start at boot.
--- a/docs/running-headscale-openbsd.md
+++ b/docs/running-headscale-openbsd.md
@@ -1,5 +1,12 @@
 # Running headscale on OpenBSD
 !!! warning "Community documentation"
    This page is not actively maintained by the headscale authors and is
    written by community members. It is _not_ verified by `headscale` developers.
    **It might be outdated and it might miss necessary steps**.
 ## Goal
 This documentation has the goal of showing a user how-to install and run `headscale` on OpenBSD 7.1.
@@ -87,8 +94,7 @@ touch /var/lib/headscale/db.sqlite
 touch /etc/headscale/config.yaml
 ```
-It is **strongly recommended** to copy and modify the [example configuration](../config-example.yaml)
+**(Strongly Recommended)** Download a copy of the [example configuration][config-example.yaml](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
 from the [headscale repository](../)
 4. Start the headscale server:
--- a/docs/examples/README.md
+++ b/docs/examples/README.md
--- a/docs/examples/kustomize/.gitignore
+++ b/docs/examples/kustomize/.gitignore
--- a/docs/examples/kustomize/README.md
+++ b/docs/examples/kustomize/README.md
--- a/docs/examples/kustomize/base/configmap.yaml
+++ b/docs/examples/kustomize/base/configmap.yaml
--- a/docs/examples/kustomize/base/ingress.yaml
+++ b/docs/examples/kustomize/base/ingress.yaml
--- a/docs/examples/kustomize/base/kustomization.yaml
+++ b/docs/examples/kustomize/base/kustomization.yaml
--- a/docs/examples/kustomize/base/service.yaml
+++ b/docs/examples/kustomize/base/service.yaml
--- a/docs/examples/kustomize/headscale.bash
+++ b/docs/examples/kustomize/headscale.bash
--- a/docs/examples/kustomize/init.bash
+++ b/docs/examples/kustomize/init.bash
--- a/docs/examples/kustomize/install-cert-manager.bash
+++ b/docs/examples/kustomize/install-cert-manager.bash
--- a/docs/examples/kustomize/postgres/deployment.yaml
+++ b/docs/examples/kustomize/postgres/deployment.yaml
--- a/docs/examples/kustomize/postgres/kustomization.yaml
+++ b/docs/examples/kustomize/postgres/kustomization.yaml
--- a/docs/examples/kustomize/postgres/postgres-service.yaml
+++ b/docs/examples/kustomize/postgres/postgres-service.yaml
--- a/docs/examples/kustomize/postgres/postgres-statefulset.yaml
+++ b/docs/examples/kustomize/postgres/postgres-statefulset.yaml
--- a/docs/examples/kustomize/production-tls/ingress-patch.yaml
+++ b/docs/examples/kustomize/production-tls/ingress-patch.yaml
--- a/docs/examples/kustomize/production-tls/kustomization.yaml
+++ b/docs/examples/kustomize/production-tls/kustomization.yaml
--- a/docs/examples/kustomize/production-tls/production-issuer.yaml
+++ b/docs/examples/kustomize/production-tls/production-issuer.yaml
--- a/docs/examples/kustomize/sqlite/kustomization.yaml
+++ b/docs/examples/kustomize/sqlite/kustomization.yaml
--- a/docs/examples/kustomize/sqlite/statefulset.yaml
+++ b/docs/examples/kustomize/sqlite/statefulset.yaml
--- a/docs/examples/kustomize/staging-tls/ingress-patch.yaml
+++ b/docs/examples/kustomize/staging-tls/ingress-patch.yaml
--- a/docs/examples/kustomize/staging-tls/kustomization.yaml
+++ b/docs/examples/kustomize/staging-tls/kustomization.yaml
--- a/docs/examples/kustomize/staging-tls/staging-issuer.yaml
+++ b/docs/examples/kustomize/staging-tls/staging-issuer.yaml
--- a/flake.lock
+++ b/flake.lock
@@ -1,12 +1,15 @@
 {
  "nodes": {
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1680776469,
+        "lastModified": 1681202837,
-        "narHash": "sha256-3CXUDK/3q/kieWtdsYpDOBJw3Gw4Af6x+2EiSnIkNQw=",
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "411e8764155aa9354dbcd6d5faaeb97e9e3dce24",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
        "type": "github"
      },
      "original": {
@@ -17,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1680789907,
+        "lastModified": 1681753173,
-        "narHash": "sha256-0AOMkabjbOauxspnqfzqgLKhB2gSh3sLkz1p/jIckcs=",
+        "narHash": "sha256-MrGmzZWLUqh2VstoikKLFFIELXm/lsf/G9U9zR96VD4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9de84cd029054adc54fdc6442e121fbc5ac33baf",
+        "rev": "0a4206a51b386e5cda731e8ac78d76ad924c7125",
        "type": "github"
      },
      "original": {
@@ -36,6 +39,21 @@
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -36,7 +36,7 @@
            # When updating go.mod or go.sum, a new sha will need to be calculated,
            # update this if you have a mismatch after doing a change to thos files.
-            vendorSha256 = "sha256-+JxS4Q6rTpdBwms2nkVDY/Kluv2qu2T0BaOIjfeX85M=";
+            vendorSha256 = "sha256-cmDNYWYTgQp6CPgpL4d3TbkpAe7rhNAF+o8njJsgL7E=";
            ldflags = [ "-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}" ];
          };
@@ -99,6 +99,11 @@
            goreleaser
            nfpm
            gotestsum
            gotests
            # 'dot' is needed for pprof graphs
            # go tool pprof -http=: <source>
            graphviz
            # Protobuf dependencies
            protobuf
@@ -129,6 +134,14 @@
          shellHook = ''
            export GOFLAGS=-tags="ts2019"
            export PATH="$PWD/result/bin:$PATH"
            mkdir -p ./ignored
            export HEADSCALE_PRIVATE_KEY_PATH="./ignored/private.key"
            export HEADSCALE_NOISE_PRIVATE_KEY_PATH="./ignored/noise_private.key"
            export HEADSCALE_DB_PATH="./ignored/db.sqlite"
            export HEADSCALE_TLS_LETSENCRYPT_CACHE_DIR="./ignored/cache"
            export HEADSCALE_UNIX_SOCKET="./ignored/headscale.sock"
          '';
        };
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,6 @@ go 1.20
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.6
 	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
 	github.com/cenkalti/backoff/v4 v4.2.0
 	github.com/coreos/go-oidc/v3 v3.5.0
 	github.com/davecgh/go-spew v1.1.1
@@ -12,6 +11,7 @@ require (
 	github.com/efekarakus/termcolor v1.0.1
 	github.com/glebarez/sqlite v1.7.0
 	github.com/gofrs/uuid/v5 v5.0.0
 	github.com/google/go-cmp v0.5.9
 	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2
@@ -20,6 +20,7 @@ require (
 	github.com/ory/dockertest/v3 v3.9.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
 	github.com/pkg/profile v1.7.0
 	github.com/prometheus/client_golang v1.14.0
 	github.com/prometheus/common v0.42.0
 	github.com/pterm/pterm v0.12.58
@@ -64,6 +65,7 @@ require (
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/fgprof v0.9.3 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/glebarez/go-sqlite v1.20.3 // indirect
@@ -72,9 +74,9 @@ require (
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-github v17.0.0+incompatible // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gookit/color v1.5.3 // indirect
@@ -141,6 +143,7 @@ require (
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gotest.tools/v3 v3.4.0 // indirect
 	modernc.org/libc v1.22.2 // indirect
 	modernc.org/mathutil v1.5.0 // indirect
 	modernc.org/memory v1.5.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -74,8 +74,6 @@ github.com/atomicgo/cursor v0.0.1/go.mod h1:cBON2QmmrysudxNBFthvMtN32r3jxVRIvzkU
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029 h1:POmUHfxXdeyM8Aomg4tKDcwATCFuW+cYLkj6pwsw9pc=
 github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029/go.mod h1:Rpr5n9cGHYdM3S3IK8ROSUUUYjQOu+MSUCZDcJbYWi8=
 github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4=
 github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -129,6 +127,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
 github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
@@ -238,7 +238,9 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
@@ -272,6 +274,7 @@ github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
 github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
 github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -384,6 +387,8 @@ github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsK
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -669,6 +674,7 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -894,7 +900,8 @@ gorm.io/driver/postgres v1.4.8/go.mod h1:O9MruWGNLUBUWVYfWuBClpf3HeGjOoybY0SNmCs
 gorm.io/gorm v1.24.2/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
 gorm.io/gorm v1.24.6 h1:wy98aq9oFEetsc4CAbKD2SoBCdMzsbSIvSUUFJuHi5s=
 gorm.io/gorm v1.24.6/go.mod h1:L4uxeKpfBml98NYqVqwAdmV1a2nBtAec/cf3fpucW/k=
-gotest.tools/v3 v3.2.0 h1:I0DwBVMGAx26dttAj1BtJLAkVGncrkkUXfJLC4Flt/I=
+gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/integration/acl_test.go
+++ b/integration/acl_test.go
@@ -12,16 +12,47 @@ import (
 	"github.com/stretchr/testify/assert"
 )
-const numberOfTestClients = 2
+var veryLargeDestination = []string{
 	"0.0.0.0/5:*",
 	"8.0.0.0/7:*",
 	"11.0.0.0/8:*",
 	"12.0.0.0/6:*",
 	"16.0.0.0/4:*",
 	"32.0.0.0/3:*",
 	"64.0.0.0/2:*",
 	"128.0.0.0/3:*",
 	"160.0.0.0/5:*",
 	"168.0.0.0/6:*",
 	"172.0.0.0/12:*",
 	"172.32.0.0/11:*",
 	"172.64.0.0/10:*",
 	"172.128.0.0/9:*",
 	"173.0.0.0/8:*",
 	"174.0.0.0/7:*",
 	"176.0.0.0/4:*",
 	"192.0.0.0/9:*",
 	"192.128.0.0/11:*",
 	"192.160.0.0/13:*",
 	"192.169.0.0/16:*",
 	"192.170.0.0/15:*",
 	"192.172.0.0/14:*",
 	"192.176.0.0/12:*",
 	"192.192.0.0/10:*",
 	"193.0.0.0/8:*",
 	"194.0.0.0/7:*",
 	"196.0.0.0/6:*",
 	"200.0.0.0/5:*",
 	"208.0.0.0/4:*",
 }
-func aclScenario(t *testing.T, policy headscale.ACLPolicy) *Scenario {
+func aclScenario(t *testing.T, policy *headscale.ACLPolicy, clientsPerUser int) *Scenario {
 	t.Helper()
 	scenario, err := NewScenario()
 	assert.NoError(t, err)
 	spec := map[string]int{
-		"user1": numberOfTestClients,
+		"user1": clientsPerUser,
-		"user2": numberOfTestClients,
+		"user2": clientsPerUser,
 	}
 	err = scenario.CreateHeadscaleEnv(spec,
@@ -29,18 +60,15 @@ func aclScenario(t *testing.T, policy headscale.ACLPolicy) *Scenario {
 			tsic.WithDockerEntrypoint([]string{
 				"/bin/bash",
 				"-c",
-				"/bin/sleep 3 ; update-ca-certificates ; python3 -m http.server 80 & tailscaled --tun=tsdev",
+				"/bin/sleep 3 ; update-ca-certificates ; python3 -m http.server --bind :: 80 & tailscaled --tun=tsdev",
 			}),
 			tsic.WithDockerWorkdir("/"),
 		},
-		hsic.WithACLPolicy(&policy),
+		hsic.WithACLPolicy(policy),
 		hsic.WithTestName("acl"),
 	)
 	assert.NoError(t, err)
 	// allClients, err := scenario.ListTailscaleClients()
 	// assert.NoError(t, err)
 	err = scenario.WaitForTailscaleSync()
 	assert.NoError(t, err)
@@ -181,6 +209,34 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 				"user2": 3, // ns1 + ns2 (return path)
 			},
 		},
 		"very-large-destination-prefix-1372": {
 			users: map[string]int{
 				"user1": 2,
 				"user2": 2,
 			},
 			policy: headscale.ACLPolicy{
 				ACLs: []headscale.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"user1"},
 						Destinations: append([]string{"user1:*"}, veryLargeDestination...),
 					},
 					{
 						Action:       "accept",
 						Sources:      []string{"user2"},
 						Destinations: append([]string{"user2:*"}, veryLargeDestination...),
 					},
 					{
 						Action:       "accept",
 						Sources:      []string{"user1"},
 						Destinations: append([]string{"user2:*"}, veryLargeDestination...),
 					},
 				},
 			}, want: map[string]int{
 				"user1": 3, // ns1 + ns2
 				"user2": 3, // ns1 + ns2 (return path)
 			},
 		},
 	}
 	for name, testCase := range tests {
@@ -193,7 +249,6 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 			err = scenario.CreateHeadscaleEnv(spec,
 				[]tsic.Option{},
 				hsic.WithACLPolicy(&testCase.policy),
 				// hsic.WithTestName(fmt.Sprintf("aclinnetmap%s", name)),
 			)
 			assert.NoError(t, err)
@@ -203,9 +258,6 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 			err = scenario.WaitForTailscaleSync()
 			assert.NoError(t, err)
 			// allHostnames, err := scenario.ListTailscaleClientsFQDNs()
 			// assert.NoError(t, err)
 			for _, client := range allClients {
 				status, err := client.Status()
 				assert.NoError(t, err)
@@ -230,7 +282,7 @@ func TestACLAllowUser80Dst(t *testing.T) {
 	IntegrationSkip(t)
 	scenario := aclScenario(t,
-		headscale.ACLPolicy{
+		&headscale.ACLPolicy{
 			ACLs: []headscale.ACL{
 				{
 					Action:       "accept",
@@ -239,6 +291,7 @@ func TestACLAllowUser80Dst(t *testing.T) {
 				},
 			},
 		},
 		1,
 	)
 	user1Clients, err := scenario.ListTailscaleClients("user1")
@@ -285,7 +338,7 @@ func TestACLDenyAllPort80(t *testing.T) {
 	IntegrationSkip(t)
 	scenario := aclScenario(t,
-		headscale.ACLPolicy{
+		&headscale.ACLPolicy{
 			Groups: map[string][]string{
 				"group:integration-acl-test": {"user1", "user2"},
 			},
@@ -297,6 +350,7 @@ func TestACLDenyAllPort80(t *testing.T) {
 				},
 			},
 		},
 		4,
 	)
 	allClients, err := scenario.ListTailscaleClients()
@@ -333,7 +387,7 @@ func TestACLAllowUserDst(t *testing.T) {
 	IntegrationSkip(t)
 	scenario := aclScenario(t,
-		headscale.ACLPolicy{
+		&headscale.ACLPolicy{
 			ACLs: []headscale.ACL{
 				{
 					Action:       "accept",
@@ -342,6 +396,7 @@ func TestACLAllowUserDst(t *testing.T) {
 				},
 			},
 		},
 		2,
 	)
 	user1Clients, err := scenario.ListTailscaleClients("user1")
@@ -390,7 +445,7 @@ func TestACLAllowStarDst(t *testing.T) {
 	IntegrationSkip(t)
 	scenario := aclScenario(t,
-		headscale.ACLPolicy{
+		&headscale.ACLPolicy{
 			ACLs: []headscale.ACL{
 				{
 					Action:       "accept",
@@ -399,6 +454,7 @@ func TestACLAllowStarDst(t *testing.T) {
 				},
 			},
 		},
 		2,
 	)
 	user1Clients, err := scenario.ListTailscaleClients("user1")
@@ -441,155 +497,6 @@ func TestACLAllowStarDst(t *testing.T) {
 	assert.NoError(t, err)
 }
 // This test aims to cover cases where individual hosts are allowed and denied
 // access based on their assigned hostname
 // https://github.com/juanfont/headscale/issues/941
 //	ACL = [{
 //			"DstPorts": [{
 //				"Bits": null,
 //				"IP": "100.64.0.3/32",
 //				"Ports": {
 //					"First": 0,
 //					"Last": 65535
 //				}
 //			}],
 //			"SrcIPs": ["*"]
 //		}, {
 //
 //			"DstPorts": [{
 //				"Bits": null,
 //				"IP": "100.64.0.2/32",
 //				"Ports": {
 //					"First": 0,
 //					"Last": 65535
 //				}
 //			}],
 //			"SrcIPs": ["100.64.0.1/32"]
 //		}]
 //
 //	ACL Cache Map= {
 //		"*": {
 //			"100.64.0.3/32": {}
 //		},
 //		"100.64.0.1/32": {
 //			"100.64.0.2/32": {}
 //		}
 //	}
 func TestACLNamedHostsCanReach(t *testing.T) {
 	IntegrationSkip(t)
 	scenario := aclScenario(t,
 		headscale.ACLPolicy{
 			Hosts: headscale.Hosts{
 				"test1": netip.MustParsePrefix("100.64.0.1/32"),
 				"test2": netip.MustParsePrefix("100.64.0.2/32"),
 				"test3": netip.MustParsePrefix("100.64.0.3/32"),
 			},
 			ACLs: []headscale.ACL{
 				// Everyone can curl test3
 				{
 					Action:       "accept",
 					Sources:      []string{"*"},
 					Destinations: []string{"test3:*"},
 				},
 				// test1 can curl test2
 				{
 					Action:       "accept",
 					Sources:      []string{"test1"},
 					Destinations: []string{"test2:*"},
 				},
 			},
 		},
 	)
 	// Since user/users dont matter here, we basically expect that some clients
 	// will be assigned these ips and that we can pick them up for our own use.
 	test1ip := netip.MustParseAddr("100.64.0.1")
 	test1, err := scenario.FindTailscaleClientByIP(test1ip)
 	assert.NoError(t, err)
 	test1fqdn, err := test1.FQDN()
 	assert.NoError(t, err)
 	test1ipURL := fmt.Sprintf("http://%s/etc/hostname", test1ip.String())
 	test1fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test1fqdn)
 	test2ip := netip.MustParseAddr("100.64.0.2")
 	test2, err := scenario.FindTailscaleClientByIP(test2ip)
 	assert.NoError(t, err)
 	test2fqdn, err := test2.FQDN()
 	assert.NoError(t, err)
 	test2ipURL := fmt.Sprintf("http://%s/etc/hostname", test2ip.String())
 	test2fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test2fqdn)
 	test3ip := netip.MustParseAddr("100.64.0.3")
 	test3, err := scenario.FindTailscaleClientByIP(test3ip)
 	assert.NoError(t, err)
 	test3fqdn, err := test3.FQDN()
 	assert.NoError(t, err)
 	test3ipURL := fmt.Sprintf("http://%s/etc/hostname", test3ip.String())
 	test3fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test3fqdn)
 	// test1 can query test3
 	result, err := test1.Curl(test3ipURL)
 	assert.Len(t, result, 13)
 	assert.NoError(t, err)
 	result, err = test1.Curl(test3fqdnURL)
 	assert.Len(t, result, 13)
 	assert.NoError(t, err)
 	// test2 can query test3
 	result, err = test2.Curl(test3ipURL)
 	assert.Len(t, result, 13)
 	assert.NoError(t, err)
 	result, err = test2.Curl(test3fqdnURL)
 	assert.Len(t, result, 13)
 	assert.NoError(t, err)
 	// test3 cannot query test1
 	result, err = test3.Curl(test1ipURL)
 	assert.Empty(t, result)
 	assert.Error(t, err)
 	result, err = test3.Curl(test1fqdnURL)
 	assert.Empty(t, result)
 	assert.Error(t, err)
 	// test3 cannot query test2
 	result, err = test3.Curl(test2ipURL)
 	assert.Empty(t, result)
 	assert.Error(t, err)
 	result, err = test3.Curl(test2fqdnURL)
 	assert.Empty(t, result)
 	assert.Error(t, err)
 	// test1 can query test2
 	result, err = test1.Curl(test2ipURL)
 	assert.Len(t, result, 13)
 	assert.NoError(t, err)
 	result, err = test1.Curl(test2fqdnURL)
 	assert.Len(t, result, 13)
 	assert.NoError(t, err)
 	// test2 cannot query test1
 	result, err = test2.Curl(test1ipURL)
 	assert.Empty(t, result)
 	assert.Error(t, err)
 	result, err = test2.Curl(test1fqdnURL)
 	assert.Empty(t, result)
 	assert.Error(t, err)
 	err = scenario.Shutdown()
 	assert.NoError(t, err)
 }
 // TestACLNamedHostsCanReachBySubnet is the same as
 // TestACLNamedHostsCanReach, but it tests if we expand a
 // full CIDR correctly. All routes should work.
@@ -597,7 +504,7 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
 	IntegrationSkip(t)
 	scenario := aclScenario(t,
-		headscale.ACLPolicy{
+		&headscale.ACLPolicy{
 			Hosts: headscale.Hosts{
 				"all": netip.MustParsePrefix("100.64.0.0/24"),
 			},
@@ -610,6 +517,7 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
 				},
 			},
 		},
 		3,
 	)
 	user1Clients, err := scenario.ListTailscaleClients("user1")
@@ -651,3 +559,450 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
 	err = scenario.Shutdown()
 	assert.NoError(t, err)
 }
 // This test aims to cover cases where individual hosts are allowed and denied
 // access based on their assigned hostname
 // https://github.com/juanfont/headscale/issues/941
 //
 //	ACL = [{
 //			"DstPorts": [{
 //				"Bits": null,
 //				"IP": "100.64.0.3/32",
 //				"Ports": {
 //					"First": 0,
 //					"Last": 65535
 //				}
 //			}],
 //			"SrcIPs": ["*"]
 //		}, {
 //
 //			"DstPorts": [{
 //				"Bits": null,
 //				"IP": "100.64.0.2/32",
 //				"Ports": {
 //					"First": 0,
 //					"Last": 65535
 //				}
 //			}],
 //			"SrcIPs": ["100.64.0.1/32"]
 //		}]
 //
 //	ACL Cache Map= {
 //		"*": {
 //			"100.64.0.3/32": {}
 //		},
 //		"100.64.0.1/32": {
 //			"100.64.0.2/32": {}
 //		}
 //	}
 //
 // https://github.com/juanfont/headscale/issues/941
 // Additionally verify ipv6 behaviour, part of
 // https://github.com/juanfont/headscale/issues/809
 func TestACLNamedHostsCanReach(t *testing.T) {
 	IntegrationSkip(t)
 	tests := map[string]struct {
 		policy headscale.ACLPolicy
 	}{
 		"ipv4": {
 			policy: headscale.ACLPolicy{
 				Hosts: headscale.Hosts{
 					"test1": netip.MustParsePrefix("100.64.0.1/32"),
 					"test2": netip.MustParsePrefix("100.64.0.2/32"),
 					"test3": netip.MustParsePrefix("100.64.0.3/32"),
 				},
 				ACLs: []headscale.ACL{
 					// Everyone can curl test3
 					{
 						Action:       "accept",
 						Sources:      []string{"*"},
 						Destinations: []string{"test3:*"},
 					},
 					// test1 can curl test2
 					{
 						Action:       "accept",
 						Sources:      []string{"test1"},
 						Destinations: []string{"test2:*"},
 					},
 				},
 			},
 		},
 		"ipv6": {
 			policy: headscale.ACLPolicy{
 				Hosts: headscale.Hosts{
 					"test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
 					"test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
 					"test3": netip.MustParsePrefix("fd7a:115c:a1e0::3/128"),
 				},
 				ACLs: []headscale.ACL{
 					// Everyone can curl test3
 					{
 						Action:       "accept",
 						Sources:      []string{"*"},
 						Destinations: []string{"test3:*"},
 					},
 					// test1 can curl test2
 					{
 						Action:       "accept",
 						Sources:      []string{"test1"},
 						Destinations: []string{"test2:*"},
 					},
 				},
 			},
 		},
 	}
 	for name, testCase := range tests {
 		t.Run(name, func(t *testing.T) {
 			scenario := aclScenario(t,
 				&testCase.policy,
 				2,
 			)
 			// Since user/users dont matter here, we basically expect that some clients
 			// will be assigned these ips and that we can pick them up for our own use.
 			test1ip4 := netip.MustParseAddr("100.64.0.1")
 			test1ip6 := netip.MustParseAddr("fd7a:115c:a1e0::1")
 			test1, err := scenario.FindTailscaleClientByIP(test1ip6)
 			assert.NoError(t, err)
 			test1fqdn, err := test1.FQDN()
 			assert.NoError(t, err)
 			test1ip4URL := fmt.Sprintf("http://%s/etc/hostname", test1ip4.String())
 			test1ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test1ip6.String())
 			test1fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test1fqdn)
 			test2ip4 := netip.MustParseAddr("100.64.0.2")
 			test2ip6 := netip.MustParseAddr("fd7a:115c:a1e0::2")
 			test2, err := scenario.FindTailscaleClientByIP(test2ip6)
 			assert.NoError(t, err)
 			test2fqdn, err := test2.FQDN()
 			assert.NoError(t, err)
 			test2ip4URL := fmt.Sprintf("http://%s/etc/hostname", test2ip4.String())
 			test2ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test2ip6.String())
 			test2fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test2fqdn)
 			test3ip4 := netip.MustParseAddr("100.64.0.3")
 			test3ip6 := netip.MustParseAddr("fd7a:115c:a1e0::3")
 			test3, err := scenario.FindTailscaleClientByIP(test3ip6)
 			assert.NoError(t, err)
 			test3fqdn, err := test3.FQDN()
 			assert.NoError(t, err)
 			test3ip4URL := fmt.Sprintf("http://%s/etc/hostname", test3ip4.String())
 			test3ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test3ip6.String())
 			test3fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test3fqdn)
 			// test1 can query test3
 			result, err := test1.Curl(test3ip4URL)
 			assert.Lenf(
 				t,
 				result,
 				13,
 				"failed to connect from test1 to test3 with URL %s, expected hostname of 13 chars, got %s",
 				test3ip4URL,
 				result,
 			)
 			assert.NoError(t, err)
 			result, err = test1.Curl(test3ip6URL)
 			assert.Lenf(
 				t,
 				result,
 				13,
 				"failed to connect from test1 to test3 with URL %s, expected hostname of 13 chars, got %s",
 				test3ip6URL,
 				result,
 			)
 			assert.NoError(t, err)
 			result, err = test1.Curl(test3fqdnURL)
 			assert.Lenf(
 				t,
 				result,
 				13,
 				"failed to connect from test1 to test3 with URL %s, expected hostname of 13 chars, got %s",
 				test3fqdnURL,
 				result,
 			)
 			assert.NoError(t, err)
 			// test2 can query test3
 			result, err = test2.Curl(test3ip4URL)
 			assert.Lenf(
 				t,
 				result,
 				13,
 				"failed to connect from test1 to test3 with URL %s, expected hostname of 13 chars, got %s",
 				test3ip4URL,
 				result,
 			)
 			assert.NoError(t, err)
 			result, err = test2.Curl(test3ip6URL)
 			assert.Lenf(
 				t,
 				result,
 				13,
 				"failed to connect from test1 to test3 with URL %s, expected hostname of 13 chars, got %s",
 				test3ip6URL,
 				result,
 			)
 			assert.NoError(t, err)
 			result, err = test2.Curl(test3fqdnURL)
 			assert.Lenf(
 				t,
 				result,
 				13,
 				"failed to connect from test1 to test3 with URL %s, expected hostname of 13 chars, got %s",
 				test3fqdnURL,
 				result,
 			)
 			assert.NoError(t, err)
 			// test3 cannot query test1
 			result, err = test3.Curl(test1ip4URL)
 			assert.Empty(t, result)
 			assert.Error(t, err)
 			result, err = test3.Curl(test1ip6URL)
 			assert.Empty(t, result)
 			assert.Error(t, err)
 			result, err = test3.Curl(test1fqdnURL)
 			assert.Empty(t, result)
 			assert.Error(t, err)
 			// test3 cannot query test2
 			result, err = test3.Curl(test2ip4URL)
 			assert.Empty(t, result)
 			assert.Error(t, err)
 			result, err = test3.Curl(test2ip6URL)
 			assert.Empty(t, result)
 			assert.Error(t, err)
 			result, err = test3.Curl(test2fqdnURL)
 			assert.Empty(t, result)
 			assert.Error(t, err)
 			// test1 can query test2
 			result, err = test1.Curl(test2ip4URL)
 			assert.Lenf(
 				t,
 				result,
 				13,
 				"failed to connect from test1 to test2 with URL %s, expected hostname of 13 chars, got %s",
 				test2ip4URL,
 				result,
 			)
 			assert.NoError(t, err)
 			result, err = test1.Curl(test2ip6URL)
 			assert.Lenf(
 				t,
 				result,
 				13,
 				"failed to connect from test1 to test2 with URL %s, expected hostname of 13 chars, got %s",
 				test2ip6URL,
 				result,
 			)
 			assert.NoError(t, err)
 			result, err = test1.Curl(test2fqdnURL)
 			assert.Lenf(
 				t,
 				result,
 				13,
 				"failed to connect from test1 to test2 with URL %s, expected hostname of 13 chars, got %s",
 				test2fqdnURL,
 				result,
 			)
 			assert.NoError(t, err)
 			// test2 cannot query test1
 			result, err = test2.Curl(test1ip4URL)
 			assert.Empty(t, result)
 			assert.Error(t, err)
 			result, err = test2.Curl(test1ip6URL)
 			assert.Empty(t, result)
 			assert.Error(t, err)
 			result, err = test2.Curl(test1fqdnURL)
 			assert.Empty(t, result)
 			assert.Error(t, err)
 			err = scenario.Shutdown()
 			assert.NoError(t, err)
 		})
 	}
 }
 // TestACLDevice1CanAccessDevice2 is a table driven test that aims to test
 // the various ways to achieve a connection between device1 and device2 where
 // device1 can access device2, but not the other way around. This can be
 // viewed as one of the most important tests here as it covers most of the
 // syntax that can be used.
 //
 // Before adding new taste cases, consider if it can be reduced to a case
 // in this function.
 func TestACLDevice1CanAccessDevice2(t *testing.T) {
 	IntegrationSkip(t)
 	tests := map[string]struct {
 		policy headscale.ACLPolicy
 	}{
 		"ipv4": {
 			policy: headscale.ACLPolicy{
 				ACLs: []headscale.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"100.64.0.1"},
 						Destinations: []string{"100.64.0.2:*"},
 					},
 				},
 			},
 		},
 		"ipv6": {
 			policy: headscale.ACLPolicy{
 				ACLs: []headscale.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"fd7a:115c:a1e0::1"},
 						Destinations: []string{"fd7a:115c:a1e0::2:*"},
 					},
 				},
 			},
 		},
 		"hostv4cidr": {
 			policy: headscale.ACLPolicy{
 				Hosts: headscale.Hosts{
 					"test1": netip.MustParsePrefix("100.64.0.1/32"),
 					"test2": netip.MustParsePrefix("100.64.0.2/32"),
 				},
 				ACLs: []headscale.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"test1"},
 						Destinations: []string{"test2:*"},
 					},
 				},
 			},
 		},
 		"hostv6cidr": {
 			policy: headscale.ACLPolicy{
 				Hosts: headscale.Hosts{
 					"test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
 					"test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
 				},
 				ACLs: []headscale.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"test1"},
 						Destinations: []string{"test2:*"},
 					},
 				},
 			},
 		},
 		"group": {
 			policy: headscale.ACLPolicy{
 				Groups: map[string][]string{
 					"group:one": {"user1"},
 					"group:two": {"user2"},
 				},
 				ACLs: []headscale.ACL{
 					{
 						Action:       "accept",
 						Sources:      []string{"group:one"},
 						Destinations: []string{"group:two:*"},
 					},
 				},
 			},
 		},
 		// TODO(kradalby): Add similar tests for Tags, might need support
 		// in the scenario function when we create or join the clients.
 	}
 	for name, testCase := range tests {
 		t.Run(name, func(t *testing.T) {
 			scenario := aclScenario(t, &testCase.policy, 1)
 			test1ip := netip.MustParseAddr("100.64.0.1")
 			test1ip6 := netip.MustParseAddr("fd7a:115c:a1e0::1")
 			test1, err := scenario.FindTailscaleClientByIP(test1ip)
 			assert.NotNil(t, test1)
 			assert.NoError(t, err)
 			test1fqdn, err := test1.FQDN()
 			assert.NoError(t, err)
 			test1ipURL := fmt.Sprintf("http://%s/etc/hostname", test1ip.String())
 			test1ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test1ip6.String())
 			test1fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test1fqdn)
 			test2ip := netip.MustParseAddr("100.64.0.2")
 			test2ip6 := netip.MustParseAddr("fd7a:115c:a1e0::2")
 			test2, err := scenario.FindTailscaleClientByIP(test2ip)
 			assert.NotNil(t, test2)
 			assert.NoError(t, err)
 			test2fqdn, err := test2.FQDN()
 			assert.NoError(t, err)
 			test2ipURL := fmt.Sprintf("http://%s/etc/hostname", test2ip.String())
 			test2ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test2ip6.String())
 			test2fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test2fqdn)
 			// test1 can query test2
 			result, err := test1.Curl(test2ipURL)
 			assert.Lenf(
 				t,
 				result,
 				13,
 				"failed to connect from test1 to test with URL %s, expected hostname of 13 chars, got %s",
 				test2ipURL,
 				result,
 			)
 			assert.NoError(t, err)
 			result, err = test1.Curl(test2ip6URL)
 			assert.Lenf(
 				t,
 				result,
 				13,
 				"failed to connect from test1 to test with URL %s, expected hostname of 13 chars, got %s",
 				test2ip6URL,
 				result,
 			)
 			assert.NoError(t, err)
 			result, err = test1.Curl(test2fqdnURL)
 			assert.Lenf(
 				t,
 				result,
 				13,
 				"failed to connect from test1 to test with URL %s, expected hostname of 13 chars, got %s",
 				test2fqdnURL,
 				result,
 			)
 			assert.NoError(t, err)
 			result, err = test2.Curl(test1ipURL)
 			assert.Empty(t, result)
 			assert.Error(t, err)
 			result, err = test2.Curl(test1ip6URL)
 			assert.Empty(t, result)
 			assert.Error(t, err)
 			result, err = test2.Curl(test1fqdnURL)
 			assert.Empty(t, result)
 			assert.Error(t, err)
 			err = scenario.Shutdown()
 			assert.NoError(t, err)
 		})
 	}
 }
--- a/integration/auth_oidc_test.go
+++ b/integration/auth_oidc_test.go
@@ -362,6 +362,15 @@ func (s *AuthOIDCScenario) runTailscaleUp(
 		user.joinWaitGroup.Wait()
 		for _, client := range user.Clients {
 			err := client.WaitForReady()
 			if err != nil {
 				log.Printf("client %s was not ready: %s", client.Hostname(), err)
 				return fmt.Errorf("failed to up tailscale node: %w", err)
 			}
 		}
 		return nil
 	}
--- a/integration/auth_web_flow_test.go
+++ b/integration/auth_web_flow_test.go
@@ -274,6 +274,15 @@ func (s *AuthWebFlowScenario) runTailscaleUp(
 		}
 		user.joinWaitGroup.Wait()
 		for _, client := range user.Clients {
 			err := client.WaitForReady()
 			if err != nil {
 				log.Printf("client %s was not ready: %s", client.Hostname(), err)
 				return fmt.Errorf("failed to up tailscale node: %w", err)
 			}
 		}
 		return nil
 	}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Juan Font	f90ebb8567	Update config.go	2023-05-10 12:16:07 +02:00
Juan Font	7564c4548c	Fix socket location in config.go	2023-05-10 12:16:07 +02:00
Juan Font	5f80d1b155	Revert "Revert unix_socket to default value" This reverts commit `ca54fb9f56`.	2023-05-10 12:16:07 +02:00
Juan Font	9478c288f6	Added missing file	2023-05-10 10:26:21 +02:00
Juan Font	6043ec87cf	Update mkdocs.yml	2023-05-10 09:49:13 +02:00
Juan Font	dcf2439c61	Improved website More docs	2023-05-10 09:49:13 +02:00
Kristoffer Dalby	ba45d7dbd3	update readme and templates to clarify scope (#1437 ) Co-authored-by: Juan Font <juanfontalonso@gmail.com>	2023-05-10 08:03:13 +01:00
Juan Font	bab4e14828	Further clarification on unsupported ranges in config example	2023-05-08 12:47:08 +02:00
Juan Font	526e568e1e	Update changelog	2023-05-07 15:27:30 +02:00
Juan Font	02ab0df2de	Disable and Delete route must affect both exit routes (IPv4 and IPv6) Fixed linting	2023-05-07 15:27:30 +02:00
Juan Font	7338775de7	Give a warning when users have set an unsupported prefix Fix minor log issue Removed debug meessage	2023-05-07 13:14:32 +02:00
Sebastian Muszytowski	00c514608e	Add IP forwarding requirement to documentation I propose to add the information, that IP forwarding needs to be enabled in order to use a node as an exit-node.	2023-05-06 21:48:59 +02:00
Maja Bojarska	6c5723a463	Update CHANGELOG.md Co-authored-by: Juan Font <juanfontalonso@gmail.com>	2023-05-04 22:54:32 +02:00
Maja Bojarska	57fd5cf310	Update CHANGELOG.md	2023-05-04 22:54:32 +02:00
Maja Bojarska	f113cc7846	Add missing GH releases page link	2023-05-04 22:54:32 +02:00
ohdearaugustin	ca54fb9f56	Revert unix_socket to default value	2023-05-03 20:16:04 +02:00
Kristoffer Dalby	735b185e7f	use IPSet in acls instead of string slice Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	1a7ae11697	Add basic testcases for Machine.canAccess Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	644be822d5	move matcher to separate file Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	56b63c6e10	use netipx.IPSet for matcher Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	ccedf276ab	add a filter case with really large destination set #1372 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	10320a5f1f	lint and nolint tailscale borrowed func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	ecd62fb785	remove terrible filter code Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	0d24e878d0	update flake hash Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	889d5a1b29	testing without that horrible filtercode Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	1700a747f6	outline tests for full filter generate Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	200e3b88cc	make generateFilterRule a pol struct func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	5bbbe437df	clear up the acl function naming Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	6de53e2f8d	simplify expandAlias function, move seperate logic out Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	b23a9153df	trim dockerfiles, script to rebuild test images (#1403 )	2023-05-02 10:51:30 +01:00
Juan Font	80772033ee	Improvements on Noise implementation (#1379 )	2023-05-02 08:15:33 +02:00
Juan Font	a2b760834f	Fix extra space	2023-04-30 23:28:16 +02:00
loprima-l	493bcfcf18	Update mkdocs.yml Co-authored-by: Juan Font <juanfontalonso@gmail.com>	2023-04-30 23:28:16 +02:00
loprima-l	df72508089	Fix : Change master branch to main This fix should change the edit branch to main in the documentation	2023-04-30 23:28:16 +02:00
loprima-l	0f8d8fc2d8	Fix : Updating the doc path Updating the doc path to be the doc website url as it's a better documentation tool	2023-04-30 22:56:38 +02:00
Jonathan Wright	744e5a11b6	Update CHANGELOG.md Co-authored-by: Juan Font <juanfontalonso@gmail.com>	2023-04-30 18:25:43 +02:00
Jonathan Wright	3ea1750ea0	Update CHANGELOG.md	2023-04-30 18:25:43 +02:00
Jonathan Wright	a45777d22e	Put systemd service file in proper location	2023-04-30 18:25:43 +02:00
Kristoffer Dalby	56dd734300	Add go profiling flag, and enable on integration tests (#1382 )	2023-04-27 16:57:11 +02:00
Philipp Krivanec	d0113732fe	optimize generateACLPeerCacheMap (#1377 )	2023-04-26 06:02:54 +02:00
Kristoffer Dalby	6215eb6471	update flake hash (#1376 )	2023-04-24 15:52:15 +02:00
Juan Font	1d2b4bca8a	Remove legacy DERP tests	2023-04-24 12:35:29 +02:00
Juan Font	96f9680afd	Reuse Ping function for DERP ping	2023-04-24 12:17:24 +02:00
Juan Font	b465592c07	Do not use host networking in embedded DERP tests fixed linting	2023-04-24 12:17:24 +02:00
Juan Font	991ff25362	Added workflow for embedded derp	2023-04-24 12:17:24 +02:00
Juan Font	eacd687dbf	Added DERP integration tests Linting fixes Set listen addr to :8443	2023-04-24 12:17:24 +02:00
Juan Font	549f5a164d	Expand surface of hsic for better TLS support	2023-04-24 12:17:24 +02:00
Juan Font	bb07aec82c	Expand tsic to offer PingViaDerp	2023-04-24 12:17:24 +02:00
Kristoffer Dalby	a5afe4bd06	Add more capabilities for systemd Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-20 15:53:19 +02:00
Kristoffer Dalby	a71cc81fe7	fix Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-20 12:05:57 +02:00
Kristoffer Dalby	679305c3e4	Add version to binary release Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-20 12:05:57 +02:00
Kristoffer Dalby	c0680f34f1	fix issue where binaries are not released Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-20 11:10:27 +02:00
Kristoffer Dalby	64ebe6b0c8	change date in changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-20 08:13:38 +02:00
Kristoffer Dalby	e6b26499f7	release source code with vendored dependencies Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-20 08:13:38 +02:00
Kristoffer Dalby	977eb1dee3	Update flakes, add some quality of life improvements (#1346 )	2023-04-20 07:56:53 +02:00
Kristoffer Dalby	b2e2b02210	set release date Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:47:31 +02:00
Kristoffer Dalby	2abff4bb08	update changelog for #1339 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:45:27 +02:00
Kristoffer Dalby	54c00645d1	update changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:04:58 +02:00
Kristoffer Dalby	cad5ce0ebd	lint fix Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:04:58 +02:00
Kristoffer Dalby	b12a167fa2	remove rpm, might add back later Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:04:58 +02:00
Kristoffer Dalby	667295e15e	add new documentation on how to install on debian/ubuntu Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:04:58 +02:00
Kristoffer Dalby	bea52678e3	move current linux documentation into "manual" Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:04:58 +02:00
Kristoffer Dalby	307cfc3304	add systemd enable to postinstall script Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:04:58 +02:00
Kristoffer Dalby	5e74ca9414	Fix IPv6 in ACLs (#1339 )	2023-04-16 12:26:35 +02:00
Juan Font	9836b097a4	Make sure all clients of a user are ready (#1335 )	2023-04-12 09:25:51 +02:00
Juan Font	d0b3b1bfc4	Fix binary releases	2023-04-08 09:21:27 +02:00
Juan Font	6eea96eabc	Added 1.38.4 in the new tests	2023-04-07 19:45:46 +02:00
github-actions[bot]	d08fee78c3	docs(README): update contributors (#1325 )	2023-04-07 17:31:29 +02:00
Andriy Kushnir (Orhideous)	bb5f0d456c	Change primary color for light mode to white	2023-04-07 15:24:13 +02:00
Andriy Kushnir (Orhideous)	c186c49e25	Removed custom accents, going with defaults	2023-04-07 15:24:13 +02:00
Andriy Kushnir (Orhideous)	4ec6894773	Build with strict mode	2023-04-07 15:24:13 +02:00
Andriy Kushnir (Orhideous)	dd9b4b1cb7	Move examples out of docs/ directory	2023-04-07 15:24:13 +02:00
Andriy Kushnir (Orhideous)	a43bb9c958	Replace placeholder link with actual one	2023-04-07 15:24:13 +02:00
Andriy Kushnir (Orhideous)	ba905ff6fc	Add GHA CI to build and deploy docs	2023-04-07 15:24:13 +02:00
Andriy Kushnir (Orhideous)	99bd09f688	Add new index page	2023-04-07 15:24:13 +02:00
Andriy Kushnir (Orhideous)	a6bc792a61	Move admonitions to relevant sections	2023-04-07 15:24:13 +02:00
Andriy Kushnir (Orhideous)	6381d3660a	Add admonitions marking community-provided docs	2023-04-07 15:24:13 +02:00
Andriy Kushnir (Orhideous)	66c5f74d78	Add admonitions marking community-provided docs	2023-04-07 15:24:13 +02:00
Andriy Kushnir (Orhideous)	1723a6bf40	Configure MkDocs Material scaffold	2023-04-07 15:24:13 +02:00