remove old release flow

Signed-off-by: Kristoffer Dalby <kristoffer@dalby.cc>

.github/workflows/release-docker.yml

@@ -1,138 +0,0 @@
----
-name: Release Docker
-
-on:
-  push:
-    tags:
-      - "*" # triggers only if push new tag version
-  workflow_dispatch:
-
-jobs:
-  docker-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha
-            type=raw,value=develop
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new
-          build-args: |
-            VERSION=${{ steps.meta.outputs.version }}
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
-
-  docker-debug-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache-debug
-          key: ${{ runner.os }}-buildx-debug-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-debug-
-      - name: Docker meta
-        id: meta-debug
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          flavor: |
-            suffix=-debug,onlatest=true
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha
-            type=raw,value=develop
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          file: Dockerfile.debug
-          tags: ${{ steps.meta-debug.outputs.tags }}
-          labels: ${{ steps.meta-debug.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache-debug
-          cache-to: type=local,dest=/tmp/.buildx-cache-debug-new
-          build-args: |
-            VERSION=${{ steps.meta-debug.outputs.version }}
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache-debug
-          mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug

.github/workflows/release.yml

@@ -19,6 +19,6 @@ jobs:
       - uses: cachix/install-nix-action@v16
 
       - name: Run goreleaser
-        run: nix develop --command -- goreleaser release --rm-dist
+        run: nix develop --command -- goreleaser release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test-integration-derp.yml

@@ -1,35 +0,0 @@
-name: Integration Test DERP
-
-on: [pull_request]
-
-jobs:
-  integration-test-derp:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Set Swap Space
-        uses: pierotofy/set-swap-space@master
-        with:
-          swap-size-gb: 10
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run Embedded DERP server integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: nix develop --command -- make test_integration_derp

.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml

@@ -0,0 +1,63 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestACLDevice1CanAccessDevice2
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestACLDevice1CanAccessDevice2$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml

@@ -0,0 +1,63 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestACLNamedHostsCanReach
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestACLNamedHostsCanReach$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml

@@ -0,0 +1,63 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestACLNamedHostsCanReachBySubnet
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestACLNamedHostsCanReachBySubnet$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestCreateTailscale.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestDERPServerScenario.yaml

@@ -0,0 +1,63 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestDERPServerScenario
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestDERPServerScenario$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestEnablingRoutes.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestEphemeral.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestExpireNode.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestHeadscale.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestPingAllByHostname.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestPingAllByIP.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestTaildrop.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestUserCommand.yaml

@@ -55,3 +55,9 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.gitignore

@@ -1,3 +1,5 @@
+ignored/
+
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -12,7 +14,7 @@
 *.out
 
 # Dependency directories (remove the comment below to include it)
-# vendor/
+vendor/
 
 dist/
 /headscale

.goreleaser.yml

@@ -2,6 +2,7 @@
 before:
   hooks:
     - go mod tidy -compat=1.20
+    - go mod vendor
 
 release:
   prerelease: auto
@@ -31,19 +32,17 @@ builds:
 
 archives:
   - id: golang-cross
-    builds:
-      - darwin-amd64
-      - darwin-arm64
-      - freebsd-amd64
-      - linux-386
-      - linux-amd64
-      - linux-arm64
-      - linux-arm-5
-      - linux-arm-6
-      - linux-arm-7
-    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
     format: binary
 
+source:
+  rlcp: true
+  enabled: true
+  name_template: "{{ .ProjectName }}_{{ .Version }}"
+  format: tar.gz
+  files:
+    - "vendor/"
+
 nfpms:
   # Configure nFPM for .deb and .rpm releases
   #
@@ -65,7 +64,6 @@ nfpms:
     bindir: /usr/bin
     formats:
       - deb
-      - rpm
     contents:
       - src: ./config-example.yaml
         dst: /etc/headscale/config.yaml
@@ -82,6 +80,36 @@ nfpms:
       postinstall: ./docs/packaging/postinstall.sh
       postremove: ./docs/packaging/postremove.sh
 
+kos:
+  - id: ghcr
+    build: headscale
+    base_image: gcr.io/distroless/base-debian11
+    repository: ghcr.io/juanfont/headscale
+    platforms:
+      - linux/amd64
+      - linux/386
+      - linux/arm64
+      - linux/arm/v7
+      - linux/arm/v6
+      - linux/arm/v5
+    tags:
+      - latest
+      - '{{.Tag}}'
+  - id: dockerhub
+    build: headscale
+    base_image: gcr.io/distroless/base-debian11
+    repository: headscale/headscale
+    platforms:
+      - linux/amd64
+      - linux/386
+      - linux/arm64
+      - linux/arm/v7
+      - linux/arm/v6
+      - linux/arm/v5
+    tags:
+      - latest
+      - '{{.Tag}}'
+
 checksum:
   name_template: "checksums.txt"
 snapshot:

CHANGELOG.md

@@ -1,12 +1,27 @@
 # CHANGELOG
 
-## 0.22.0 (2023-XX-XX)
+## 0.23.0 (2023-XX-XX)
 
 ### Changes
 
-- Add `.deb` and `.rpm` packages to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
+- Add environment flags to enable pprof (profiling) [#1382](https://github.com/juanfont/headscale/pull/1382)
+  - Profiles are continously generated in our integration tests.
+
+## 0.22.1 (2023-04-20)
+
+### Changes
+
+- Fix issue where SystemD could not bind to port 80 [#1365](https://github.com/juanfont/headscale/pull/1365)
+
+## 0.22.0 (2023-04-20)
+
+### Changes
+
+- Add `.deb` packages to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
+- Update and simplify the documentation to use new `.deb` packages [#1349](https://github.com/juanfont/headscale/pull/1349)
 - Add 32-bit Arm platforms to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
 - Fix longstanding bug that would prevent "\*" from working properly in ACLs (issue [#699](https://github.com/juanfont/headscale/issues/699)) [#1279](https://github.com/juanfont/headscale/pull/1279)
+- Fix issue where IPv6 could not be used in, or while using ACLs (part of [#809](https://github.com/juanfont/headscale/issues/809)) [#1339](https://github.com/juanfont/headscale/pull/1339)
 - Target Go 1.20 and Tailscale 1.38 for Headscale [#1323](https://github.com/juanfont/headscale/pull/1323)
 
 ## 0.21.0 (2023-03-20)

Dockerfile

@@ -1,4 +1,7 @@
-# Builder image
+# This Dockerfile and the images produced are for testing headscale,
+# and are in no way endorsed by Headscale's maintainers as an
+# official nor supported release or distribution.
+
 FROM docker.io/golang:1.20-bullseye AS build
 ARG VERSION=dev
 ENV GOPATH /go

Dockerfile.debug

@@ -1,4 +1,7 @@
-# Builder image
+# This Dockerfile and the images produced are for testing headscale,
+# and are in no way endorsed by Headscale's maintainers as an
+# official nor supported release or distribution.
+
 FROM docker.io/golang:1.20-bullseye AS build
 ARG VERSION=dev
 ENV GOPATH /go

Dockerfile.tailscale

@@ -1,3 +1,7 @@
+# This Dockerfile and the images produced are for testing headscale,
+# and are in no way endorsed by Headscale's maintainers as an
+# official nor supported release or distribution.
+
 FROM ubuntu:latest
 
 ARG TAILSCALE_VERSION=*

Dockerfile.tailscale-HEAD

@@ -1,3 +1,7 @@
+# This Dockerfile and the images produced are for testing headscale,
+# and are in no way endorsed by Headscale's maintainers as an
+# official nor supported release or distribution.
+
 FROM golang:latest
 
 RUN apt-get update \

Makefile

@@ -36,17 +36,7 @@ test_integration_cli:
 		-v ~/.cache/hs-integration-go:/go \
 		-v $$PWD:$$PWD -w $$PWD \
 		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
-		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
-
-test_integration_derp:
-	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
-	docker network create headscale-test || true
-	docker run -t --rm \
-		--network headscale-test \
-		-v ~/.cache/hs-integration-go:/go \
-		-v $$PWD:$$PWD -w $$PWD \
-		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
-		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationDERP ./...
+		go run gotest.tools/gotestsum@latest -- $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
 
 test_integration_v2_general:
 	docker run \
@@ -56,13 +46,7 @@ test_integration_v2_general:
 		-v $$PWD:$$PWD -w $$PWD/integration \
 		-v /var/run/docker.sock:/var/run/docker.sock \
 		golang:1 \
-		go test $(TAGS) -failfast ./... -timeout 120m -parallel 8
-
-coverprofile_func:
-	go tool cover -func=coverage.out
-
-coverprofile_html:
-	go tool cover -html=coverage.out
+		go run gotest.tools/gotestsum@latest -- $(TAGS) -failfast ./... -timeout 120m -parallel 8
 
 lint:
 	golangci-lint run --fix --timeout 10m
@@ -80,11 +64,4 @@ compress: build
 
 generate:
 	rm -rf gen
-	go run github.com/bufbuild/buf/cmd/buf generate proto
-
-install-protobuf-plugins:
-	go install \
-		github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway \
-		github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2 \
-		google.golang.org/protobuf/cmd/protoc-gen-go \
-		google.golang.org/grpc/cmd/protoc-gen-go-grpc
+	buf generate proto

acls.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/rs/zerolog/log"
+	"github.com/samber/lo"
 	"github.com/tailscale/hujson"
 	"go4.org/netipx"
 	"gopkg.in/yaml.v3"
@@ -162,23 +163,20 @@ func (h *Headscale) UpdateACLRules() error {
 // generateACLPeerCacheMap takes a list of Tailscale filter rules and generates a map
 // of which Sources ("*" and IPs) can access destinations. This is to speed up the
 // process of generating MapResponses when deciding which Peers to inform nodes about.
-func generateACLPeerCacheMap(rules []tailcfg.FilterRule) map[string]map[string]struct{} {
-	aclCachePeerMap := make(map[string]map[string]struct{})
+func generateACLPeerCacheMap(rules []tailcfg.FilterRule) map[string][]string {
+	aclCachePeerMap := make(map[string][]string)
 	for _, rule := range rules {
 		for _, srcIP := range rule.SrcIPs {
 			for _, ip := range expandACLPeerAddr(srcIP) {
 				if data, ok := aclCachePeerMap[ip]; ok {
 					for _, dstPort := range rule.DstPorts {
-						for _, dstIP := range expandACLPeerAddr(dstPort.IP) {
-							data[dstIP] = struct{}{}
-						}
+						data = append(data, dstPort.IP)
 					}
+					aclCachePeerMap[ip] = data
 				} else {
-					dstPortsMap := make(map[string]struct{}, len(rule.DstPorts))
+					dstPortsMap := make([]string, 0)
 					for _, dstPort := range rule.DstPorts {
-						for _, dstIP := range expandACLPeerAddr(dstPort.IP) {
-							dstPortsMap[dstIP] = struct{}{}
-						}
+						dstPortsMap = append(dstPortsMap, dstPort.IP)
 					}
 					aclCachePeerMap[ip] = dstPortsMap
 				}
@@ -407,15 +405,40 @@ func generateACLPolicyDest(
 	needsWildcard bool,
 	stripEmaildomain bool,
 ) ([]tailcfg.NetPortRange, error) {
-	tokens := strings.Split(dest, ":")
+	var tokens []string
+
+	log.Trace().Str("destination", dest).Msg("generating policy destination")
+
+	// Check if there is a IPv4/6:Port combination, IPv6 has more than
+	// three ":".
+	tokens = strings.Split(dest, ":")
 	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
-		return nil, errInvalidPortFormat
+		port := tokens[len(tokens)-1]
+
+		maybeIPv6Str := strings.TrimSuffix(dest, ":"+port)
+		log.Trace().Str("maybeIPv6Str", maybeIPv6Str).Msg("")
+
+		if maybeIPv6, err := netip.ParseAddr(maybeIPv6Str); err != nil && !maybeIPv6.Is6() {
+			log.Trace().Err(err).Msg("trying to parse as IPv6")
+
+			return nil, fmt.Errorf(
+				"failed to parse destination, tokens %v: %w",
+				tokens,
+				errInvalidPortFormat,
+			)
+		} else {
+			tokens = []string{maybeIPv6Str, port}
+		}
 	}
 
+	log.Trace().Strs("tokens", tokens).Msg("generating policy destination")
+
 	var alias string
 	// We can have here stuff like:
 	// git-server:*
 	// 192.168.1.0/24:22
+	// fd7a:115c:a1e0::2:22
+	// fd7a:115c:a1e0::2/128:22
 	// tag:montreal-webserver:80,443
 	// tag:api-server:443
 	// example-host-1:*
@@ -508,9 +531,11 @@ func parseProtocol(protocol string) ([]int, bool, error) {
 // - a group
 // - a tag
 // - a host
+// - an ip
+// - a cidr
 // and transform these in IPAddresses.
 func expandAlias(
-	machines []Machine,
+	machines Machines,
 	aclPolicy ACLPolicy,
 	alias string,
 	stripEmailDomain bool,
@@ -592,19 +617,40 @@ func expandAlias(
 
 	// if alias is an host
 	if h, ok := aclPolicy.Hosts[alias]; ok {
-		return []string{h.String()}, nil
+		log.Trace().Str("host", h.String()).Msg("expandAlias got hosts entry")
+
+		return expandAlias(machines, aclPolicy, h.String(), stripEmailDomain)
 	}
 
 	// if alias is an IP
-	ip, err := netip.ParseAddr(alias)
-	if err == nil {
-		return []string{ip.String()}, nil
+	if ip, err := netip.ParseAddr(alias); err == nil {
+		log.Trace().Str("ip", ip.String()).Msg("expandAlias got ip")
+		ips := []string{ip.String()}
+		matches := machines.FilterByIP(ip)
+
+		for _, machine := range matches {
+			ips = append(ips, machine.IPAddresses.ToStringSlice()...)
+		}
+
+		return lo.Uniq(ips), nil
 	}
 
-	// if alias is an CIDR
-	cidr, err := netip.ParsePrefix(alias)
-	if err == nil {
-		return []string{cidr.String()}, nil
+	if cidr, err := netip.ParsePrefix(alias); err == nil {
+		log.Trace().Str("cidr", cidr.String()).Msg("expandAlias got cidr")
+		val := []string{cidr.String()}
+		// This is suboptimal and quite expensive, but if we only add the cidr, we will miss all the relevant IPv6
+		// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
+		for _, machine := range machines {
+			for _, ip := range machine.IPAddresses {
+				// log.Trace().
+				// 	Msgf("checking if machine ip (%s) is part of cidr (%s): %v, is single ip cidr (%v), addr: %s", ip.String(), cidr.String(), cidr.Contains(ip), cidr.IsSingleIP(), cidr.Addr().String())
+				if cidr.Contains(ip) {
+					val = append(val, machine.IPAddresses.ToStringSlice()...)
+				}
+			}
+		}
+
+		return lo.Uniq(val), nil
 	}
 
 	log.Warn().Msgf("No IPs found with the alias %v", alias)
@@ -666,6 +712,7 @@ func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, err
 
 	ports := []tailcfg.PortRange{}
 	for _, portStr := range strings.Split(portsStr, ",") {
+		log.Trace().Msgf("parsing portstring: %s", portStr)
 		rang := strings.Split(portStr, "-")
 		switch len(rang) {
 		case 1:

acls_test.go

@@ -1026,22 +1026,7 @@ func Test_expandAlias(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name: "private network",
-			args: args{
-				alias:    "homeNetwork",
-				machines: []Machine{},
-				aclPolicy: ACLPolicy{
-					Hosts: Hosts{
-						"homeNetwork": netip.MustParsePrefix("192.168.1.0/24"),
-					},
-				},
-				stripEmailDomain: true,
-			},
-			want:    []string{"192.168.1.0/24"},
-			wantErr: false,
-		},
-		{
-			name: "simple host by ip",
+			name: "simple host by ip passed through",
 			args: args{
 				alias:            "10.0.0.1",
 				machines:         []Machine{},
@@ -1051,6 +1036,62 @@ func Test_expandAlias(t *testing.T) {
 			want:    []string{"10.0.0.1"},
 			wantErr: false,
 		},
+		{
+			name: "simple host by ipv4 single ipv4",
+			args: args{
+				alias: "10.0.0.1",
+				machines: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netip.MustParseAddr("10.0.0.1"),
+						},
+						User: User{Name: "mickael"},
+					},
+				},
+				aclPolicy:        ACLPolicy{},
+				stripEmailDomain: true,
+			},
+			want:    []string{"10.0.0.1"},
+			wantErr: false,
+		},
+		{
+			name: "simple host by ipv4 single dual stack",
+			args: args{
+				alias: "10.0.0.1",
+				machines: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netip.MustParseAddr("10.0.0.1"),
+							netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:2222:6273:2222"),
+						},
+						User: User{Name: "mickael"},
+					},
+				},
+				aclPolicy:        ACLPolicy{},
+				stripEmailDomain: true,
+			},
+			want:    []string{"10.0.0.1", "fd7a:115c:a1e0:ab12:4843:2222:6273:2222"},
+			wantErr: false,
+		},
+		{
+			name: "simple host by ipv6 single dual stack",
+			args: args{
+				alias: "fd7a:115c:a1e0:ab12:4843:2222:6273:2222",
+				machines: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netip.MustParseAddr("10.0.0.1"),
+							netip.MustParseAddr("fd7a:115c:a1e0:ab12:4843:2222:6273:2222"),
+						},
+						User: User{Name: "mickael"},
+					},
+				},
+				aclPolicy:        ACLPolicy{},
+				stripEmailDomain: true,
+			},
+			want:    []string{"fd7a:115c:a1e0:ab12:4843:2222:6273:2222", "10.0.0.1"},
+			wantErr: false,
+		},
 		{
 			name: "simple host by hostname alias",
 			args: args{
@@ -1066,6 +1107,21 @@ func Test_expandAlias(t *testing.T) {
 			want:    []string{"10.0.0.132/32"},
 			wantErr: false,
 		},
+		{
+			name: "private network",
+			args: args{
+				alias:    "homeNetwork",
+				machines: []Machine{},
+				aclPolicy: ACLPolicy{
+					Hosts: Hosts{
+						"homeNetwork": netip.MustParsePrefix("192.168.1.0/24"),
+					},
+				},
+				stripEmailDomain: true,
+			},
+			want:    []string{"192.168.1.0/24"},
+			wantErr: false,
+		},
 		{
 			name: "simple CIDR",
 			args: args{

app.go

@@ -87,7 +87,7 @@ type Headscale struct {
 	aclPolicy         *ACLPolicy
 	aclRules          []tailcfg.FilterRule
 	aclPeerCacheMapRW sync.RWMutex
-	aclPeerCacheMap   map[string]map[string]struct{}
+	aclPeerCacheMap   map[string][]string
 	sshPolicy         *tailcfg.SSHPolicy
 
 	lastStateChange *xsync.MapOf[string, time.Time]
@@ -820,7 +820,6 @@ func (h *Headscale) Serve() error {
 
 				// And we're done:
 				cancel()
-				os.Exit(0)
 			}
 		}
 	}

cmd/gh-action-integration-generator/main.go

@@ -76,6 +76,12 @@ jobs:
         with:
           name: logs
           path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
 `),
 	)
 )

cmd/headscale/headscale.go

@@ -6,11 +6,25 @@ import (
 
 	"github.com/efekarakus/termcolor"
 	"github.com/juanfont/headscale/cmd/headscale/cli"
+	"github.com/pkg/profile"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 )
 
 func main() {
+	if _, enableProfile := os.LookupEnv("HEADSCALE_PROFILING_ENABLED"); enableProfile {
+		if profilePath, ok := os.LookupEnv("HEADSCALE_PROFILING_PATH"); ok {
+			err := os.MkdirAll(profilePath, os.ModePerm)
+			if err != nil {
+				log.Fatal().Err(err).Msg("failed to create profiling directory")
+			}
+
+			defer profile.Start(profile.ProfilePath(profilePath)).Stop()
+		} else {
+			defer profile.Start().Stop()
+		}
+	}
+
 	var colors bool
 	switch l := termcolor.SupportLevel(os.Stderr); l {
 	case termcolor.Level16M:

docs/packaging/headscale.systemd.service

@@ -16,7 +16,7 @@ WorkingDirectory=/var/lib/headscale
 ReadWritePaths=/var/lib/headscale /var/run
 
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
-CapabilityBoundingSet=CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
 LockPersonality=true
 NoNewPrivileges=true
 PrivateDevices=true

docs/packaging/postinstall.sh

@@ -64,6 +64,7 @@ summary() {
 	echo ""
 	echo " Please follow the next steps to start the software:"
 	echo ""
+	echo "    sudo systemctl enable headscale"
 	echo "    sudo systemctl start headscale"
 	echo ""
 	echo " Configuration settings can be adjusted here:"

docs/running-headscale-linux-manual.md

@@ -0,0 +1,198 @@
+# Running headscale on Linux
+
+## Note: Outdated and "advanced"
+
+This documentation is considered the "legacy"/advanced/manual version of the documentation, you most likely do not
+want to use this documentation and rather look at the distro specific documentation (TODO LINK)[].
+
+## Goal
+
+This documentation has the goal of showing a user how-to set up and run `headscale` on Linux.
+In additional to the "get up and running section", there is an optional [SystemD section](#running-headscale-in-the-background-with-systemd)
+describing how to make `headscale` run properly in a server environment.
+
+## Configure and run `headscale`
+
+1. Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
+
+```shell
+wget --output-document=/usr/local/bin/headscale \
+   https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>
+```
+
+2. Make `headscale` executable:
+
+```shell
+chmod +x /usr/local/bin/headscale
+```
+
+3. Prepare a directory to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
+
+```shell
+# Directory for configuration
+
+mkdir -p /etc/headscale
+
+# Directory for Database, and other variable data (like certificates)
+mkdir -p /var/lib/headscale
+# or if you create a headscale user:
+useradd \
+	--create-home \
+	--home-dir /var/lib/headscale/ \
+	--system \
+	--user-group \
+	--shell /usr/bin/nologin \
+	headscale
+```
+
+4. Create an empty SQLite database:
+
+```shell
+touch /var/lib/headscale/db.sqlite
+```
+
+5. Create a `headscale` configuration:
+
+```shell
+touch /etc/headscale/config.yaml
+```
+
+**(Strongly Recommended)** Download a copy of the [example configuration][config-example.yaml](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
+
+6. Start the headscale server:
+
+```shell
+headscale serve
+```
+
+This command will start `headscale` in the current terminal session.
+
+---
+
+To continue the tutorial, open a new terminal and let it run in the background.
+Alternatively use terminal emulators like [tmux](https://github.com/tmux/tmux) or [screen](https://www.gnu.org/software/screen/).
+
+To run `headscale` in the background, please follow the steps in the [SystemD section](#running-headscale-in-the-background-with-systemd) before continuing.
+
+7. Verify `headscale` is running:
+
+Verify `headscale` is available:
+
+```shell
+curl http://127.0.0.1:9090/metrics
+```
+
+8. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
+
+```shell
+headscale users create myfirstuser
+```
+
+### Register a machine (normal login)
+
+On a client machine, execute the `tailscale` login command:
+
+```shell
+tailscale up --login-server YOUR_HEADSCALE_URL
+```
+
+Register the machine:
+
+```shell
+headscale --user myfirstuser nodes register --key <YOUR_MACHINE_KEY>
+```
+
+### Register machine using a pre authenticated key
+
+Generate a key using the command line:
+
+```shell
+headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
+```
+
+This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
+
+```shell
+tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
+```
+
+## Running `headscale` in the background with SystemD
+
+:warning: **Deprecated**: This part is very outdated and you should use the [pre-packaged Headscale for this](./running-headscale-linux.md
+
+This section demonstrates how to run `headscale` as a service in the background with [SystemD](https://www.freedesktop.org/wiki/Software/systemd/).
+This should work on most modern Linux distributions.
+
+1. Create a SystemD service configuration at `/etc/systemd/system/headscale.service` containing:
+
+```systemd
+[Unit]
+Description=headscale controller
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+User=headscale
+Group=headscale
+ExecStart=/usr/local/bin/headscale serve
+Restart=always
+RestartSec=5
+
+# Optional security enhancements
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=yes
+WorkingDirectory=/var/lib/headscale
+ReadWritePaths=/var/lib/headscale /var/run/headscale
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+RuntimeDirectory=headscale
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Note that when running as the headscale user ensure that, either you add your current user to the headscale group:
+
+```shell
+usermod -a -G headscale current_user
+```
+
+or run all headscale commands as the headscale user:
+
+```shell
+su - headscale
+```
+
+2. In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with path that is writable by the `headscale` user or group:
+
+```yaml
+unix_socket: /var/run/headscale/headscale.sock
+```
+
+3. Reload SystemD to load the new configuration file:
+
+```shell
+systemctl daemon-reload
+```
+
+4. Enable and start the new `headscale` service:
+
+```shell
+systemctl enable --now headscale
+```
+
+5. Verify the headscale service:
+
+```shell
+systemctl status headscale
+```
+
+Verify `headscale` is available:
+
+```shell
+curl http://127.0.0.1:9090/metrics
+```
+
+`headscale` will now run in the background and start at boot.

docs/running-headscale-linux.md

@@ -1,83 +1,65 @@
 # Running headscale on Linux
 
+## Requirements
+
+- Ubuntu 20.04 or newer, Debian 11 or newer.
+
 ## Goal
 
-This documentation has the goal of showing a user how-to set up and run `headscale` on Linux.
-In additional to the "get up and running section", there is an optional [SystemD section](#running-headscale-in-the-background-with-systemd)
-describing how to make `headscale` run properly in a server environment.
+Get Headscale up and running.
 
-## Configure and run `headscale`
+This includes running Headscale with SystemD.
 
-1. Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
+## Migrating from manual install
+
+If you are migrating from the old manual install, the best thing would be to remove
+the files installed by following [the guide in reverse](./running-headscale-linux-manual.md).
+
+You should _not_ delete the database (`/var/headscale/db.sqlite`) and the
+configuration (`/etc/headscale/config.yaml`).
+
+## Installation
+
+1. Download the lastest Headscale package for your platform (`.deb` for Ubuntu and Debian) from [Headscale's releases page]():
 
 ```shell
-wget --output-document=/usr/local/bin/headscale \
-   https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>
+wget --output-document=headscale.deb \
+  https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>.deb
 ```
 
-2. Make `headscale` executable:
+2. Install Headscale:
 
 ```shell
-chmod +x /usr/local/bin/headscale
+sudo dpkg --install headscale.deb
 ```
 
-3. Prepare a directory to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
+3. Enable Headscale service, this will start Headscale at boot:
 
 ```shell
-# Directory for configuration
-
-mkdir -p /etc/headscale
-
-# Directory for Database, and other variable data (like certificates)
-mkdir -p /var/lib/headscale
-# or if you create a headscale user:
-useradd \
-	--create-home \
-	--home-dir /var/lib/headscale/ \
-	--system \
-	--user-group \
-	--shell /usr/bin/nologin \
-	headscale
+sudo systemctl enable headscale
 ```
 
-4. Create an empty SQLite database:
+4. Configure Headscale by editing the configuration file:
 
 ```shell
-touch /var/lib/headscale/db.sqlite
+nano /etc/headscale/config.yaml
 ```
 
-5. Create a `headscale` configuration:
+5. Start Headscale:
 
 ```shell
-touch /etc/headscale/config.yaml
+sudo systemctl start headscale
 ```
 
-**(Strongly Recommended)** Download a copy of the [example configuration][config-example.yaml](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
-
-6. Start the headscale server:
+6. Check that Headscale is running as intended:
 
 ```shell
-headscale serve
+systemctl status headscale
 ```
 
-This command will start `headscale` in the current terminal session.
+## Using Headscale
 
----
-
-To continue the tutorial, open a new terminal and let it run in the background.
-Alternatively use terminal emulators like [tmux](https://github.com/tmux/tmux) or [screen](https://www.gnu.org/software/screen/).
-
-To run `headscale` in the background, please follow the steps in the [SystemD section](#running-headscale-in-the-background-with-systemd) before continuing.
-
-7. Verify `headscale` is running:
-
-Verify `headscale` is available:
-
-```shell
-curl http://127.0.0.1:9090/metrics
-```
-
-8. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
+### Create a user
 
 ```shell
 headscale users create myfirstuser
@@ -85,16 +67,16 @@ headscale users create myfirstuser
 
 ### Register a machine (normal login)
 
-On a client machine, execute the `tailscale` login command:
+On a client machine, run the `tailscale` login command:
 
 ```shell
-tailscale up --login-server YOUR_HEADSCALE_URL
+tailscale up --login-server <YOUR_HEADSCALE_URL>
 ```
 
 Register the machine:
 
 ```shell
-headscale --user myfirstuser nodes register --key <YOU_+MACHINE_KEY>
+headscale --user myfirstuser nodes register --key <YOUR_MACHINE_KEY>
 ```
 
 ### Register machine using a pre authenticated key
@@ -105,87 +87,9 @@ Generate a key using the command line:
 headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
 ```
 
-This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
+This will return a pre-authenticated key that is used to
+connect a node to `headscale` during the `tailscale` command:
 
 ```shell
 tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
 ```
-
-## Running `headscale` in the background with SystemD
-
-This section demonstrates how to run `headscale` as a service in the background with [SystemD](https://www.freedesktop.org/wiki/Software/systemd/).
-This should work on most modern Linux distributions.
-
-1. Create a SystemD service configuration at `/etc/systemd/system/headscale.service` containing:
-
-```systemd
-[Unit]
-Description=headscale controller
-After=syslog.target
-After=network.target
-
-[Service]
-Type=simple
-User=headscale
-Group=headscale
-ExecStart=/usr/local/bin/headscale serve
-Restart=always
-RestartSec=5
-
-# Optional security enhancements
-NoNewPrivileges=yes
-PrivateTmp=yes
-ProtectSystem=strict
-ProtectHome=yes
-WorkingDirectory=/var/lib/headscale
-ReadWritePaths=/var/lib/headscale /var/run/headscale
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-RuntimeDirectory=headscale
-
-[Install]
-WantedBy=multi-user.target
-```
-
-Note that when running as the headscale user ensure that, either you add your current user to the headscale group:
-
-```shell
-usermod -a -G headscale current_user
-```
-
-or run all headscale commands as the headscale user:
-
-```shell
-su - headscale
-```
-
-2. In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with path that is writable by the `headscale` user or group:
-
-```yaml
-unix_socket: /var/run/headscale/headscale.sock
-```
-
-3. Reload SystemD to load the new configuration file:
-
-```shell
-systemctl daemon-reload
-```
-
-4. Enable and start the new `headscale` service:
-
-```shell
-systemctl enable --now headscale
-```
-
-5. Verify the headscale service:
-
-```shell
-systemctl status headscale
-```
-
-Verify `headscale` is available:
-
-```shell
-curl http://127.0.0.1:9090/metrics
-```
-
-`headscale` will now run in the background and start at boot.

flake.lock

@@ -1,12 +1,15 @@
 {
   "nodes": {
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1680776469,
-        "narHash": "sha256-3CXUDK/3q/kieWtdsYpDOBJw3Gw4Af6x+2EiSnIkNQw=",
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "411e8764155aa9354dbcd6d5faaeb97e9e3dce24",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
         "type": "github"
       },
       "original": {
@@ -17,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1680789907,
-        "narHash": "sha256-0AOMkabjbOauxspnqfzqgLKhB2gSh3sLkz1p/jIckcs=",
+        "lastModified": 1681753173,
+        "narHash": "sha256-MrGmzZWLUqh2VstoikKLFFIELXm/lsf/G9U9zR96VD4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9de84cd029054adc54fdc6442e121fbc5ac33baf",
+        "rev": "0a4206a51b386e5cda731e8ac78d76ad924c7125",
         "type": "github"
       },
       "original": {
@@ -36,6 +39,21 @@
         "flake-utils": "flake-utils",
         "nixpkgs": "nixpkgs"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -36,7 +36,7 @@
 
             # When updating go.mod or go.sum, a new sha will need to be calculated,
             # update this if you have a mismatch after doing a change to thos files.
-            vendorSha256 = "sha256-+JxS4Q6rTpdBwms2nkVDY/Kluv2qu2T0BaOIjfeX85M=";
+            vendorSha256 = "sha256-Gu0RhzXnrZ5705X/1CbTfmZlIG9PkxBZzs1bqWQPqWg=";
 
             ldflags = [ "-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}" ];
           };
@@ -100,6 +100,10 @@
             nfpm
             gotestsum
 
+            # 'dot' is needed for pprof graphs
+            # go tool pprof -http=: <source>
+            graphviz
+
             # Protobuf dependencies
             protobuf
             protoc-gen-go
@@ -129,6 +133,14 @@
 
           shellHook = ''
             export GOFLAGS=-tags="ts2019"
+            export PATH="$PWD/result/bin:$PATH"
+
+            mkdir -p ./ignored
+            export HEADSCALE_PRIVATE_KEY_PATH="./ignored/private.key"
+            export HEADSCALE_NOISE_PRIVATE_KEY_PATH="./ignored/noise_private.key"
+            export HEADSCALE_DB_PATH="./ignored/db.sqlite"
+            export HEADSCALE_TLS_LETSENCRYPT_CACHE_DIR="./ignored/cache"
+            export HEADSCALE_UNIX_SOCKET="./ignored/headscale.sock"
           '';
         };
 

go.mod

@@ -4,7 +4,6 @@ go 1.20
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.6
-	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
 	github.com/cenkalti/backoff/v4 v4.2.0
 	github.com/coreos/go-oidc/v3 v3.5.0
 	github.com/davecgh/go-spew v1.1.1
@@ -20,6 +19,7 @@ require (
 	github.com/ory/dockertest/v3 v3.9.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
+	github.com/pkg/profile v1.7.0
 	github.com/prometheus/client_golang v1.14.0
 	github.com/prometheus/common v0.42.0
 	github.com/pterm/pterm v0.12.58
@@ -64,6 +64,7 @@ require (
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/felixge/fgprof v0.9.3 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/glebarez/go-sqlite v1.20.3 // indirect
@@ -75,6 +76,7 @@ require (
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-github v17.0.0+incompatible // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gookit/color v1.5.3 // indirect

go.sum

@@ -74,8 +74,6 @@ github.com/atomicgo/cursor v0.0.1/go.mod h1:cBON2QmmrysudxNBFthvMtN32r3jxVRIvzkU
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029 h1:POmUHfxXdeyM8Aomg4tKDcwATCFuW+cYLkj6pwsw9pc=
-github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029/go.mod h1:Rpr5n9cGHYdM3S3IK8ROSUUUYjQOu+MSUCZDcJbYWi8=
 github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4=
 github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -129,6 +127,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
+github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
@@ -238,7 +238,9 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
+github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
@@ -272,6 +274,7 @@ github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
 github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
 github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -384,6 +387,8 @@ github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsK
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
+github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -669,6 +674,7 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

integration/acl_test.go

@@ -12,16 +12,14 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-const numberOfTestClients = 2
-
-func aclScenario(t *testing.T, policy headscale.ACLPolicy) *Scenario {
+func aclScenario(t *testing.T, policy *headscale.ACLPolicy, clientsPerUser int) *Scenario {
 	t.Helper()
 	scenario, err := NewScenario()
 	assert.NoError(t, err)
 
 	spec := map[string]int{
-		"user1": numberOfTestClients,
-		"user2": numberOfTestClients,
+		"user1": clientsPerUser,
+		"user2": clientsPerUser,
 	}
 
 	err = scenario.CreateHeadscaleEnv(spec,
@@ -29,18 +27,15 @@ func aclScenario(t *testing.T, policy headscale.ACLPolicy) *Scenario {
 			tsic.WithDockerEntrypoint([]string{
 				"/bin/bash",
 				"-c",
-				"/bin/sleep 3 ; update-ca-certificates ; python3 -m http.server 80 & tailscaled --tun=tsdev",
+				"/bin/sleep 3 ; update-ca-certificates ; python3 -m http.server --bind :: 80 & tailscaled --tun=tsdev",
 			}),
 			tsic.WithDockerWorkdir("/"),
 		},
-		hsic.WithACLPolicy(&policy),
+		hsic.WithACLPolicy(policy),
 		hsic.WithTestName("acl"),
 	)
 	assert.NoError(t, err)
 
-	// allClients, err := scenario.ListTailscaleClients()
-	// assert.NoError(t, err)
-
 	err = scenario.WaitForTailscaleSync()
 	assert.NoError(t, err)
 
@@ -230,7 +225,7 @@ func TestACLAllowUser80Dst(t *testing.T) {
 	IntegrationSkip(t)
 
 	scenario := aclScenario(t,
-		headscale.ACLPolicy{
+		&headscale.ACLPolicy{
 			ACLs: []headscale.ACL{
 				{
 					Action:       "accept",
@@ -239,6 +234,7 @@ func TestACLAllowUser80Dst(t *testing.T) {
 				},
 			},
 		},
+		1,
 	)
 
 	user1Clients, err := scenario.ListTailscaleClients("user1")
@@ -285,7 +281,7 @@ func TestACLDenyAllPort80(t *testing.T) {
 	IntegrationSkip(t)
 
 	scenario := aclScenario(t,
-		headscale.ACLPolicy{
+		&headscale.ACLPolicy{
 			Groups: map[string][]string{
 				"group:integration-acl-test": {"user1", "user2"},
 			},
@@ -297,6 +293,7 @@ func TestACLDenyAllPort80(t *testing.T) {
 				},
 			},
 		},
+		4,
 	)
 
 	allClients, err := scenario.ListTailscaleClients()
@@ -333,7 +330,7 @@ func TestACLAllowUserDst(t *testing.T) {
 	IntegrationSkip(t)
 
 	scenario := aclScenario(t,
-		headscale.ACLPolicy{
+		&headscale.ACLPolicy{
 			ACLs: []headscale.ACL{
 				{
 					Action:       "accept",
@@ -342,6 +339,7 @@ func TestACLAllowUserDst(t *testing.T) {
 				},
 			},
 		},
+		2,
 	)
 
 	user1Clients, err := scenario.ListTailscaleClients("user1")
@@ -390,7 +388,7 @@ func TestACLAllowStarDst(t *testing.T) {
 	IntegrationSkip(t)
 
 	scenario := aclScenario(t,
-		headscale.ACLPolicy{
+		&headscale.ACLPolicy{
 			ACLs: []headscale.ACL{
 				{
 					Action:       "accept",
@@ -399,6 +397,7 @@ func TestACLAllowStarDst(t *testing.T) {
 				},
 			},
 		},
+		2,
 	)
 
 	user1Clients, err := scenario.ListTailscaleClients("user1")
@@ -441,155 +440,6 @@ func TestACLAllowStarDst(t *testing.T) {
 	assert.NoError(t, err)
 }
 
-// This test aims to cover cases where individual hosts are allowed and denied
-// access based on their assigned hostname
-// https://github.com/juanfont/headscale/issues/941
-
-//	ACL = [{
-//			"DstPorts": [{
-//				"Bits": null,
-//				"IP": "100.64.0.3/32",
-//				"Ports": {
-//					"First": 0,
-//					"Last": 65535
-//				}
-//			}],
-//			"SrcIPs": ["*"]
-//		}, {
-//
-//			"DstPorts": [{
-//				"Bits": null,
-//				"IP": "100.64.0.2/32",
-//				"Ports": {
-//					"First": 0,
-//					"Last": 65535
-//				}
-//			}],
-//			"SrcIPs": ["100.64.0.1/32"]
-//		}]
-//
-//	ACL Cache Map= {
-//		"*": {
-//			"100.64.0.3/32": {}
-//		},
-//		"100.64.0.1/32": {
-//			"100.64.0.2/32": {}
-//		}
-//	}
-func TestACLNamedHostsCanReach(t *testing.T) {
-	IntegrationSkip(t)
-
-	scenario := aclScenario(t,
-		headscale.ACLPolicy{
-			Hosts: headscale.Hosts{
-				"test1": netip.MustParsePrefix("100.64.0.1/32"),
-				"test2": netip.MustParsePrefix("100.64.0.2/32"),
-				"test3": netip.MustParsePrefix("100.64.0.3/32"),
-			},
-			ACLs: []headscale.ACL{
-				// Everyone can curl test3
-				{
-					Action:       "accept",
-					Sources:      []string{"*"},
-					Destinations: []string{"test3:*"},
-				},
-				// test1 can curl test2
-				{
-					Action:       "accept",
-					Sources:      []string{"test1"},
-					Destinations: []string{"test2:*"},
-				},
-			},
-		},
-	)
-
-	// Since user/users dont matter here, we basically expect that some clients
-	// will be assigned these ips and that we can pick them up for our own use.
-	test1ip := netip.MustParseAddr("100.64.0.1")
-	test1, err := scenario.FindTailscaleClientByIP(test1ip)
-	assert.NoError(t, err)
-
-	test1fqdn, err := test1.FQDN()
-	assert.NoError(t, err)
-	test1ipURL := fmt.Sprintf("http://%s/etc/hostname", test1ip.String())
-	test1fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test1fqdn)
-
-	test2ip := netip.MustParseAddr("100.64.0.2")
-	test2, err := scenario.FindTailscaleClientByIP(test2ip)
-	assert.NoError(t, err)
-
-	test2fqdn, err := test2.FQDN()
-	assert.NoError(t, err)
-	test2ipURL := fmt.Sprintf("http://%s/etc/hostname", test2ip.String())
-	test2fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test2fqdn)
-
-	test3ip := netip.MustParseAddr("100.64.0.3")
-	test3, err := scenario.FindTailscaleClientByIP(test3ip)
-	assert.NoError(t, err)
-
-	test3fqdn, err := test3.FQDN()
-	assert.NoError(t, err)
-	test3ipURL := fmt.Sprintf("http://%s/etc/hostname", test3ip.String())
-	test3fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test3fqdn)
-
-	// test1 can query test3
-	result, err := test1.Curl(test3ipURL)
-	assert.Len(t, result, 13)
-	assert.NoError(t, err)
-
-	result, err = test1.Curl(test3fqdnURL)
-	assert.Len(t, result, 13)
-	assert.NoError(t, err)
-
-	// test2 can query test3
-	result, err = test2.Curl(test3ipURL)
-	assert.Len(t, result, 13)
-	assert.NoError(t, err)
-
-	result, err = test2.Curl(test3fqdnURL)
-	assert.Len(t, result, 13)
-	assert.NoError(t, err)
-
-	// test3 cannot query test1
-	result, err = test3.Curl(test1ipURL)
-	assert.Empty(t, result)
-	assert.Error(t, err)
-
-	result, err = test3.Curl(test1fqdnURL)
-	assert.Empty(t, result)
-	assert.Error(t, err)
-
-	// test3 cannot query test2
-	result, err = test3.Curl(test2ipURL)
-	assert.Empty(t, result)
-	assert.Error(t, err)
-
-	result, err = test3.Curl(test2fqdnURL)
-	assert.Empty(t, result)
-	assert.Error(t, err)
-
-	// test1 can query test2
-	result, err = test1.Curl(test2ipURL)
-	assert.Len(t, result, 13)
-	assert.NoError(t, err)
-
-	result, err = test1.Curl(test2fqdnURL)
-	assert.Len(t, result, 13)
-	assert.NoError(t, err)
-
-	// test2 cannot query test1
-	result, err = test2.Curl(test1ipURL)
-	assert.Empty(t, result)
-	assert.Error(t, err)
-
-	result, err = test2.Curl(test1fqdnURL)
-	assert.Empty(t, result)
-	assert.Error(t, err)
-
-	err = scenario.Shutdown()
-	assert.NoError(t, err)
-}
-
 // TestACLNamedHostsCanReachBySubnet is the same as
 // TestACLNamedHostsCanReach, but it tests if we expand a
 // full CIDR correctly. All routes should work.
@@ -597,7 +447,7 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
 	IntegrationSkip(t)
 
 	scenario := aclScenario(t,
-		headscale.ACLPolicy{
+		&headscale.ACLPolicy{
 			Hosts: headscale.Hosts{
 				"all": netip.MustParsePrefix("100.64.0.0/24"),
 			},
@@ -610,6 +460,7 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
 				},
 			},
 		},
+		3,
 	)
 
 	user1Clients, err := scenario.ListTailscaleClients("user1")
@@ -651,3 +502,450 @@ func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
 	err = scenario.Shutdown()
 	assert.NoError(t, err)
 }
+
+// This test aims to cover cases where individual hosts are allowed and denied
+// access based on their assigned hostname
+// https://github.com/juanfont/headscale/issues/941
+//
+//	ACL = [{
+//			"DstPorts": [{
+//				"Bits": null,
+//				"IP": "100.64.0.3/32",
+//				"Ports": {
+//					"First": 0,
+//					"Last": 65535
+//				}
+//			}],
+//			"SrcIPs": ["*"]
+//		}, {
+//
+//			"DstPorts": [{
+//				"Bits": null,
+//				"IP": "100.64.0.2/32",
+//				"Ports": {
+//					"First": 0,
+//					"Last": 65535
+//				}
+//			}],
+//			"SrcIPs": ["100.64.0.1/32"]
+//		}]
+//
+//	ACL Cache Map= {
+//		"*": {
+//			"100.64.0.3/32": {}
+//		},
+//		"100.64.0.1/32": {
+//			"100.64.0.2/32": {}
+//		}
+//	}
+//
+// https://github.com/juanfont/headscale/issues/941
+// Additionally verify ipv6 behaviour, part of
+// https://github.com/juanfont/headscale/issues/809
+func TestACLNamedHostsCanReach(t *testing.T) {
+	IntegrationSkip(t)
+
+	tests := map[string]struct {
+		policy headscale.ACLPolicy
+	}{
+		"ipv4": {
+			policy: headscale.ACLPolicy{
+				Hosts: headscale.Hosts{
+					"test1": netip.MustParsePrefix("100.64.0.1/32"),
+					"test2": netip.MustParsePrefix("100.64.0.2/32"),
+					"test3": netip.MustParsePrefix("100.64.0.3/32"),
+				},
+				ACLs: []headscale.ACL{
+					// Everyone can curl test3
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"test3:*"},
+					},
+					// test1 can curl test2
+					{
+						Action:       "accept",
+						Sources:      []string{"test1"},
+						Destinations: []string{"test2:*"},
+					},
+				},
+			},
+		},
+		"ipv6": {
+			policy: headscale.ACLPolicy{
+				Hosts: headscale.Hosts{
+					"test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
+					"test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
+					"test3": netip.MustParsePrefix("fd7a:115c:a1e0::3/128"),
+				},
+				ACLs: []headscale.ACL{
+					// Everyone can curl test3
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"test3:*"},
+					},
+					// test1 can curl test2
+					{
+						Action:       "accept",
+						Sources:      []string{"test1"},
+						Destinations: []string{"test2:*"},
+					},
+				},
+			},
+		},
+	}
+
+	for name, testCase := range tests {
+		t.Run(name, func(t *testing.T) {
+			scenario := aclScenario(t,
+				&testCase.policy,
+				2,
+			)
+
+			// Since user/users dont matter here, we basically expect that some clients
+			// will be assigned these ips and that we can pick them up for our own use.
+			test1ip4 := netip.MustParseAddr("100.64.0.1")
+			test1ip6 := netip.MustParseAddr("fd7a:115c:a1e0::1")
+			test1, err := scenario.FindTailscaleClientByIP(test1ip6)
+			assert.NoError(t, err)
+
+			test1fqdn, err := test1.FQDN()
+			assert.NoError(t, err)
+			test1ip4URL := fmt.Sprintf("http://%s/etc/hostname", test1ip4.String())
+			test1ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test1ip6.String())
+			test1fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test1fqdn)
+
+			test2ip4 := netip.MustParseAddr("100.64.0.2")
+			test2ip6 := netip.MustParseAddr("fd7a:115c:a1e0::2")
+			test2, err := scenario.FindTailscaleClientByIP(test2ip6)
+			assert.NoError(t, err)
+
+			test2fqdn, err := test2.FQDN()
+			assert.NoError(t, err)
+			test2ip4URL := fmt.Sprintf("http://%s/etc/hostname", test2ip4.String())
+			test2ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test2ip6.String())
+			test2fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test2fqdn)
+
+			test3ip4 := netip.MustParseAddr("100.64.0.3")
+			test3ip6 := netip.MustParseAddr("fd7a:115c:a1e0::3")
+			test3, err := scenario.FindTailscaleClientByIP(test3ip6)
+			assert.NoError(t, err)
+
+			test3fqdn, err := test3.FQDN()
+			assert.NoError(t, err)
+			test3ip4URL := fmt.Sprintf("http://%s/etc/hostname", test3ip4.String())
+			test3ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test3ip6.String())
+			test3fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test3fqdn)
+
+			// test1 can query test3
+			result, err := test1.Curl(test3ip4URL)
+			assert.Lenf(
+				t,
+				result,
+				13,
+				"failed to connect from test1 to test3 with URL %s, expected hostname of 13 chars, got %s",
+				test3ip4URL,
+				result,
+			)
+			assert.NoError(t, err)
+
+			result, err = test1.Curl(test3ip6URL)
+			assert.Lenf(
+				t,
+				result,
+				13,
+				"failed to connect from test1 to test3 with URL %s, expected hostname of 13 chars, got %s",
+				test3ip6URL,
+				result,
+			)
+			assert.NoError(t, err)
+
+			result, err = test1.Curl(test3fqdnURL)
+			assert.Lenf(
+				t,
+				result,
+				13,
+				"failed to connect from test1 to test3 with URL %s, expected hostname of 13 chars, got %s",
+				test3fqdnURL,
+				result,
+			)
+			assert.NoError(t, err)
+
+			// test2 can query test3
+			result, err = test2.Curl(test3ip4URL)
+			assert.Lenf(
+				t,
+				result,
+				13,
+				"failed to connect from test1 to test3 with URL %s, expected hostname of 13 chars, got %s",
+				test3ip4URL,
+				result,
+			)
+			assert.NoError(t, err)
+
+			result, err = test2.Curl(test3ip6URL)
+			assert.Lenf(
+				t,
+				result,
+				13,
+				"failed to connect from test1 to test3 with URL %s, expected hostname of 13 chars, got %s",
+				test3ip6URL,
+				result,
+			)
+			assert.NoError(t, err)
+
+			result, err = test2.Curl(test3fqdnURL)
+			assert.Lenf(
+				t,
+				result,
+				13,
+				"failed to connect from test1 to test3 with URL %s, expected hostname of 13 chars, got %s",
+				test3fqdnURL,
+				result,
+			)
+			assert.NoError(t, err)
+
+			// test3 cannot query test1
+			result, err = test3.Curl(test1ip4URL)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+
+			result, err = test3.Curl(test1ip6URL)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+
+			result, err = test3.Curl(test1fqdnURL)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+
+			// test3 cannot query test2
+			result, err = test3.Curl(test2ip4URL)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+
+			result, err = test3.Curl(test2ip6URL)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+
+			result, err = test3.Curl(test2fqdnURL)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+
+			// test1 can query test2
+			result, err = test1.Curl(test2ip4URL)
+			assert.Lenf(
+				t,
+				result,
+				13,
+				"failed to connect from test1 to test2 with URL %s, expected hostname of 13 chars, got %s",
+				test2ip4URL,
+				result,
+			)
+
+			assert.NoError(t, err)
+			result, err = test1.Curl(test2ip6URL)
+			assert.Lenf(
+				t,
+				result,
+				13,
+				"failed to connect from test1 to test2 with URL %s, expected hostname of 13 chars, got %s",
+				test2ip6URL,
+				result,
+			)
+			assert.NoError(t, err)
+
+			result, err = test1.Curl(test2fqdnURL)
+			assert.Lenf(
+				t,
+				result,
+				13,
+				"failed to connect from test1 to test2 with URL %s, expected hostname of 13 chars, got %s",
+				test2fqdnURL,
+				result,
+			)
+			assert.NoError(t, err)
+
+			// test2 cannot query test1
+			result, err = test2.Curl(test1ip4URL)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+
+			result, err = test2.Curl(test1ip6URL)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+
+			result, err = test2.Curl(test1fqdnURL)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+
+			err = scenario.Shutdown()
+			assert.NoError(t, err)
+		})
+	}
+}
+
+// TestACLDevice1CanAccessDevice2 is a table driven test that aims to test
+// the various ways to achieve a connection between device1 and device2 where
+// device1 can access device2, but not the other way around. This can be
+// viewed as one of the most important tests here as it covers most of the
+// syntax that can be used.
+//
+// Before adding new taste cases, consider if it can be reduced to a case
+// in this function.
+func TestACLDevice1CanAccessDevice2(t *testing.T) {
+	IntegrationSkip(t)
+
+	tests := map[string]struct {
+		policy headscale.ACLPolicy
+	}{
+		"ipv4": {
+			policy: headscale.ACLPolicy{
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"100.64.0.1"},
+						Destinations: []string{"100.64.0.2:*"},
+					},
+				},
+			},
+		},
+		"ipv6": {
+			policy: headscale.ACLPolicy{
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"fd7a:115c:a1e0::1"},
+						Destinations: []string{"fd7a:115c:a1e0::2:*"},
+					},
+				},
+			},
+		},
+		"hostv4cidr": {
+			policy: headscale.ACLPolicy{
+				Hosts: headscale.Hosts{
+					"test1": netip.MustParsePrefix("100.64.0.1/32"),
+					"test2": netip.MustParsePrefix("100.64.0.2/32"),
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"test1"},
+						Destinations: []string{"test2:*"},
+					},
+				},
+			},
+		},
+		"hostv6cidr": {
+			policy: headscale.ACLPolicy{
+				Hosts: headscale.Hosts{
+					"test1": netip.MustParsePrefix("fd7a:115c:a1e0::1/128"),
+					"test2": netip.MustParsePrefix("fd7a:115c:a1e0::2/128"),
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"test1"},
+						Destinations: []string{"test2:*"},
+					},
+				},
+			},
+		},
+		"group": {
+			policy: headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:one": {"user1"},
+					"group:two": {"user2"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:one"},
+						Destinations: []string{"group:two:*"},
+					},
+				},
+			},
+		},
+		// TODO(kradalby): Add similar tests for Tags, might need support
+		// in the scenario function when we create or join the clients.
+	}
+
+	for name, testCase := range tests {
+		t.Run(name, func(t *testing.T) {
+			scenario := aclScenario(t, &testCase.policy, 1)
+
+			test1ip := netip.MustParseAddr("100.64.0.1")
+			test1ip6 := netip.MustParseAddr("fd7a:115c:a1e0::1")
+			test1, err := scenario.FindTailscaleClientByIP(test1ip)
+			assert.NotNil(t, test1)
+			assert.NoError(t, err)
+
+			test1fqdn, err := test1.FQDN()
+			assert.NoError(t, err)
+			test1ipURL := fmt.Sprintf("http://%s/etc/hostname", test1ip.String())
+			test1ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test1ip6.String())
+			test1fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test1fqdn)
+
+			test2ip := netip.MustParseAddr("100.64.0.2")
+			test2ip6 := netip.MustParseAddr("fd7a:115c:a1e0::2")
+			test2, err := scenario.FindTailscaleClientByIP(test2ip)
+			assert.NotNil(t, test2)
+			assert.NoError(t, err)
+
+			test2fqdn, err := test2.FQDN()
+			assert.NoError(t, err)
+			test2ipURL := fmt.Sprintf("http://%s/etc/hostname", test2ip.String())
+			test2ip6URL := fmt.Sprintf("http://[%s]/etc/hostname", test2ip6.String())
+			test2fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test2fqdn)
+
+			// test1 can query test2
+			result, err := test1.Curl(test2ipURL)
+			assert.Lenf(
+				t,
+				result,
+				13,
+				"failed to connect from test1 to test with URL %s, expected hostname of 13 chars, got %s",
+				test2ipURL,
+				result,
+			)
+			assert.NoError(t, err)
+
+			result, err = test1.Curl(test2ip6URL)
+			assert.Lenf(
+				t,
+				result,
+				13,
+				"failed to connect from test1 to test with URL %s, expected hostname of 13 chars, got %s",
+				test2ip6URL,
+				result,
+			)
+			assert.NoError(t, err)
+
+			result, err = test1.Curl(test2fqdnURL)
+			assert.Lenf(
+				t,
+				result,
+				13,
+				"failed to connect from test1 to test with URL %s, expected hostname of 13 chars, got %s",
+				test2fqdnURL,
+				result,
+			)
+			assert.NoError(t, err)
+
+			result, err = test2.Curl(test1ipURL)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+
+			result, err = test2.Curl(test1ip6URL)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+
+			result, err = test2.Curl(test1fqdnURL)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+
+			err = scenario.Shutdown()
+			assert.NoError(t, err)
+		})
+	}
+}

integration/auth_oidc_test.go

@@ -362,6 +362,15 @@ func (s *AuthOIDCScenario) runTailscaleUp(
 
 		user.joinWaitGroup.Wait()
 
+		for _, client := range user.Clients {
+			err := client.WaitForReady()
+			if err != nil {
+				log.Printf("client %s was not ready: %s", client.Hostname(), err)
+
+				return fmt.Errorf("failed to up tailscale node: %w", err)
+			}
+		}
+
 		return nil
 	}
 

integration/auth_web_flow_test.go

@@ -274,6 +274,15 @@ func (s *AuthWebFlowScenario) runTailscaleUp(
 		}
 		user.joinWaitGroup.Wait()
 
+		for _, client := range user.Clients {
+			err := client.WaitForReady()
+			if err != nil {
+				log.Printf("client %s was not ready: %s", client.Hostname(), err)
+
+				return fmt.Errorf("failed to up tailscale node: %w", err)
+			}
+		}
+
 		return nil
 	}
 

integration/control.go

@@ -2,12 +2,15 @@ package integration
 
 import (
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/ory/dockertest/v3"
 )
 
 type ControlServer interface {
 	Shutdown() error
 	SaveLog(string) error
+	SaveProfile(string) error
 	Execute(command []string) (string, error)
+	ConnectToNetwork(network *dockertest.Network) error
 	GetHealthEndpoint() string
 	GetEndpoint() string
 	WaitForReady() error

integration/embedded_derp_test.go

@@ -0,0 +1,236 @@
+package integration
+
+import (
+	"fmt"
+	"log"
+	"net/url"
+	"testing"
+
+	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/ory/dockertest/v3"
+)
+
+type EmbeddedDERPServerScenario struct {
+	*Scenario
+
+	tsicNetworks map[string]*dockertest.Network
+}
+
+func TestDERPServerScenario(t *testing.T) {
+	IntegrationSkip(t)
+	// t.Parallel()
+
+	baseScenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	scenario := EmbeddedDERPServerScenario{
+		Scenario:     baseScenario,
+		tsicNetworks: map[string]*dockertest.Network{},
+	}
+
+	spec := map[string]int{
+		"user1": len(TailscaleVersions),
+	}
+
+	headscaleConfig := map[string]string{}
+	headscaleConfig["HEADSCALE_DERP_URLS"] = ""
+	headscaleConfig["HEADSCALE_DERP_SERVER_ENABLED"] = "true"
+	headscaleConfig["HEADSCALE_DERP_SERVER_REGION_ID"] = "999"
+	headscaleConfig["HEADSCALE_DERP_SERVER_REGION_CODE"] = "headscale"
+	headscaleConfig["HEADSCALE_DERP_SERVER_REGION_NAME"] = "Headscale Embedded DERP"
+	headscaleConfig["HEADSCALE_DERP_SERVER_STUN_LISTEN_ADDR"] = "0.0.0.0:3478"
+
+	err = scenario.CreateHeadscaleEnv(
+		spec,
+		hsic.WithConfigEnv(headscaleConfig),
+		hsic.WithTestName("derpserver"),
+		hsic.WithExtraPorts([]string{"3478/udp"}),
+		hsic.WithTLS(),
+		hsic.WithHostnameAsServerURL(),
+	)
+
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	allIps, err := scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	allHostnames, err := scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	success := pingDerpAllHelper(t, allClients, allHostnames)
+
+	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func (s *EmbeddedDERPServerScenario) CreateHeadscaleEnv(
+	users map[string]int,
+	opts ...hsic.Option,
+) error {
+	hsServer, err := s.Headscale(opts...)
+	if err != nil {
+		return err
+	}
+
+	headscaleEndpoint := hsServer.GetEndpoint()
+	headscaleURL, err := url.Parse(headscaleEndpoint)
+	if err != nil {
+		return err
+	}
+
+	headscaleURL.Host = fmt.Sprintf("%s:%s", hsServer.GetHostname(), headscaleURL.Port())
+
+	err = hsServer.WaitForReady()
+	if err != nil {
+		return err
+	}
+
+	hash, err := headscale.GenerateRandomStringDNSSafe(scenarioHashLength)
+	if err != nil {
+		return err
+	}
+
+	for userName, clientCount := range users {
+		err = s.CreateUser(userName)
+		if err != nil {
+			return err
+		}
+
+		err = s.CreateTailscaleIsolatedNodesInUser(
+			hash,
+			userName,
+			"all",
+			clientCount,
+		)
+		if err != nil {
+			return err
+		}
+
+		key, err := s.CreatePreAuthKey(userName, true, false)
+		if err != nil {
+			return err
+		}
+
+		err = s.RunTailscaleUp(userName, headscaleURL.String(), key.GetKey())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *EmbeddedDERPServerScenario) CreateTailscaleIsolatedNodesInUser(
+	hash string,
+	userStr string,
+	requestedVersion string,
+	count int,
+	opts ...tsic.Option,
+) error {
+	hsServer, err := s.Headscale()
+	if err != nil {
+		return err
+	}
+
+	if user, ok := s.users[userStr]; ok {
+		for clientN := 0; clientN < count; clientN++ {
+			networkName := fmt.Sprintf("tsnet-%s-%s-%d",
+				hash,
+				userStr,
+				clientN,
+			)
+			network, err := dockertestutil.GetFirstOrCreateNetwork(
+				s.pool,
+				networkName,
+			)
+			if err != nil {
+				return fmt.Errorf("failed to create or get %s network: %w", networkName, err)
+			}
+
+			s.tsicNetworks[networkName] = network
+
+			err = hsServer.ConnectToNetwork(network)
+			if err != nil {
+				return fmt.Errorf("failed to connect headscale to %s network: %w", networkName, err)
+			}
+
+			version := requestedVersion
+			if requestedVersion == "all" {
+				version = TailscaleVersions[clientN%len(TailscaleVersions)]
+			}
+
+			cert := hsServer.GetCert()
+
+			user.createWaitGroup.Add(1)
+
+			opts = append(opts,
+				tsic.WithHeadscaleTLS(cert),
+			)
+
+			go func() {
+				defer user.createWaitGroup.Done()
+
+				// TODO(kradalby): error handle this
+				tsClient, err := tsic.New(
+					s.pool,
+					version,
+					network,
+					opts...,
+				)
+				if err != nil {
+					// return fmt.Errorf("failed to add tailscale node: %w", err)
+					log.Printf("failed to create tailscale node: %s", err)
+				}
+
+				err = tsClient.WaitForReady()
+				if err != nil {
+					// return fmt.Errorf("failed to add tailscale node: %w", err)
+					log.Printf("failed to wait for tailscaled: %s", err)
+				}
+
+				user.Clients[tsClient.Hostname()] = tsClient
+			}()
+		}
+		user.createWaitGroup.Wait()
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to add tailscale node: %w", errNoUserAvailable)
+}
+
+func (s *EmbeddedDERPServerScenario) Shutdown() error {
+	for _, network := range s.tsicNetworks {
+		err := s.pool.RemoveNetwork(network)
+		if err != nil {
+			return err
+		}
+	}
+
+	return s.Scenario.Shutdown()
+}

integration/hsic/hsic.go

@@ -15,6 +15,10 @@ import (
 	"math/big"
 	"net"
 	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"strings"
 	"time"
 
 	"github.com/davecgh/go-spew/spew"
@@ -23,6 +27,7 @@ import (
 	"github.com/juanfont/headscale/integration/dockertestutil"
 	"github.com/juanfont/headscale/integration/integrationutil"
 	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
 )
 
 const (
@@ -52,6 +57,8 @@ type HeadscaleInContainer struct {
 
 	// optional config
 	port             int
+	extraPorts       []string
+	hostPortBindings map[string][]string
 	aclPolicy        *headscale.ACLPolicy
 	env              map[string]string
 	tlsCert          []byte
@@ -77,7 +84,7 @@ func WithACLPolicy(acl *headscale.ACLPolicy) Option {
 // WithTLS creates certificates and enables HTTPS.
 func WithTLS() Option {
 	return func(hsic *HeadscaleInContainer) {
-		cert, key, err := createCertificate()
+		cert, key, err := createCertificate(hsic.hostname)
 		if err != nil {
 			log.Fatalf("failed to create certificates for headscale test: %s", err)
 		}
@@ -108,6 +115,19 @@ func WithPort(port int) Option {
 	}
 }
 
+// WithExtraPorts exposes additional ports on the container (e.g. 3478/udp for STUN).
+func WithExtraPorts(ports []string) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hsic.extraPorts = ports
+	}
+}
+
+func WithHostPortBindings(bindings map[string][]string) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hsic.hostPortBindings = bindings
+	}
+}
+
 // WithTestName sets a name for the test, this will be reflected
 // in the Docker container name.
 func WithTestName(testName string) Option {
@@ -173,12 +193,25 @@ func New(
 
 	portProto := fmt.Sprintf("%d/tcp", hsic.port)
 
+	serverURL, err := url.Parse(hsic.env["HEADSCALE_SERVER_URL"])
+	if err != nil {
+		return nil, err
+	}
+
+	if len(hsic.tlsCert) != 0 && len(hsic.tlsKey) != 0 {
+		serverURL.Scheme = "https"
+		hsic.env["HEADSCALE_SERVER_URL"] = serverURL.String()
+	}
+
 	headscaleBuildOptions := &dockertest.BuildOptions{
 		Dockerfile: "Dockerfile.debug",
 		ContextDir: dockerContextPath,
 	}
 
-	env := []string{}
+	env := []string{
+		"HEADSCALE_PROFILING_ENABLED=1",
+		"HEADSCALE_PROFILING_PATH=/tmp/profile",
+	}
 	for key, value := range hsic.env {
 		env = append(env, fmt.Sprintf("%s=%s", key, value))
 	}
@@ -187,15 +220,27 @@ func New(
 
 	runOptions := &dockertest.RunOptions{
 		Name:         hsic.hostname,
-		ExposedPorts: []string{portProto},
+		ExposedPorts: append([]string{portProto}, hsic.extraPorts...),
 		Networks:     []*dockertest.Network{network},
 		// Cmd:          []string{"headscale", "serve"},
 		// TODO(kradalby): Get rid of this hack, we currently need to give us some
 		// to inject the headscale configuration further down.
-		Entrypoint: []string{"/bin/bash", "-c", "/bin/sleep 3 ; headscale serve"},
+		Entrypoint: []string{"/bin/bash", "-c", "/bin/sleep 3 ; headscale serve ; /bin/sleep 30"},
 		Env:        env,
 	}
 
+	if len(hsic.hostPortBindings) > 0 {
+		runOptions.PortBindings = map[docker.Port][]docker.PortBinding{}
+		for port, hostPorts := range hsic.hostPortBindings {
+			runOptions.PortBindings[docker.Port(port)] = []docker.PortBinding{}
+			for _, hostPort := range hostPorts {
+				runOptions.PortBindings[docker.Port(port)] = append(
+					runOptions.PortBindings[docker.Port(port)],
+					docker.PortBinding{HostPort: hostPort})
+			}
+		}
+	}
+
 	// dockertest isnt very good at handling containers that has already
 	// been created, this is an attempt to make sure this container isnt
 	// present.
@@ -256,12 +301,43 @@ func New(
 	return hsic, nil
 }
 
+func (t *HeadscaleInContainer) ConnectToNetwork(network *dockertest.Network) error {
+	return t.container.ConnectToNetwork(network)
+}
+
 func (t *HeadscaleInContainer) hasTLS() bool {
 	return len(t.tlsCert) != 0 && len(t.tlsKey) != 0
 }
 
 // Shutdown stops and cleans up the Headscale container.
 func (t *HeadscaleInContainer) Shutdown() error {
+	err := t.SaveLog("/tmp/control")
+	if err != nil {
+		log.Printf(
+			"Failed to save log from control: %s",
+			fmt.Errorf("failed to save log from control: %w", err),
+		)
+	}
+
+	// Send a interrupt signal to the "headscale" process inside the container
+	// allowing it to shut down gracefully and flush the profile to disk.
+	// The container will live for a bit longer due to the sleep at the end.
+	err = t.SendInterrupt()
+	if err != nil {
+		log.Printf(
+			"Failed to send graceful interrupt to control: %s",
+			fmt.Errorf("failed to send graceful interrupt to control: %w", err),
+		)
+	}
+
+	err = t.SaveProfile("/tmp/control")
+	if err != nil {
+		log.Printf(
+			"Failed to save profile from control: %s",
+			fmt.Errorf("failed to save profile from control: %w", err),
+		)
+	}
+
 	return t.pool.Purge(t.container)
 }
 
@@ -271,6 +347,24 @@ func (t *HeadscaleInContainer) SaveLog(path string) error {
 	return dockertestutil.SaveLog(t.pool, t.container, path)
 }
 
+func (t *HeadscaleInContainer) SaveProfile(savePath string) error {
+	tarFile, err := t.FetchPath("/tmp/profile")
+	if err != nil {
+		return err
+	}
+
+	err = os.WriteFile(
+		path.Join(savePath, t.hostname+".pprof.tar"),
+		tarFile,
+		os.ModePerm,
+	)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // Execute runs a command inside the Headscale container and returns the
 // result of stdout as a string.
 func (t *HeadscaleInContainer) Execute(
@@ -455,8 +549,28 @@ func (t *HeadscaleInContainer) WriteFile(path string, data []byte) error {
 	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
 }
 
+// FetchPath gets a path from inside the Headscale container and returns a tar
+// file as byte array.
+func (t *HeadscaleInContainer) FetchPath(path string) ([]byte, error) {
+	return integrationutil.FetchPathFromContainer(t.pool, t.container, path)
+}
+
+func (t *HeadscaleInContainer) SendInterrupt() error {
+	pid, err := t.Execute([]string{"pidof", "headscale"})
+	if err != nil {
+		return err
+	}
+
+	_, err = t.Execute([]string{"kill", "-2", strings.Trim(pid, "'\n")})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // nolint
-func createCertificate() ([]byte, []byte, error) {
+func createCertificate(hostname string) ([]byte, []byte, error) {
 	// From:
 	// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
 
@@ -468,7 +582,7 @@ func createCertificate() ([]byte, []byte, error) {
 			Locality:     []string{"Leiden"},
 		},
 		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(30 * time.Minute),
+		NotAfter:  time.Now().Add(60 * time.Minute),
 		IsCA:      true,
 		ExtKeyUsage: []x509.ExtKeyUsage{
 			x509.ExtKeyUsageClientAuth,
@@ -486,16 +600,17 @@ func createCertificate() ([]byte, []byte, error) {
 	cert := &x509.Certificate{
 		SerialNumber: big.NewInt(1658),
 		Subject: pkix.Name{
+			CommonName:   hostname,
 			Organization: []string{"Headscale testing INC"},
 			Country:      []string{"NL"},
 			Locality:     []string{"Leiden"},
 		},
-		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
 		NotBefore:    time.Now(),
-		NotAfter:     time.Now().Add(30 * time.Minute),
+		NotAfter:     time.Now().Add(60 * time.Minute),
 		SubjectKeyId: []byte{1, 2, 3, 4, 6},
 		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 		KeyUsage:     x509.KeyUsageDigitalSignature,
+		DNSNames:     []string{hostname},
 	}
 
 	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)

integration/integrationutil/util.go

@@ -72,3 +72,24 @@ func WriteFileToContainer(
 
 	return nil
 }
+
+func FetchPathFromContainer(
+	pool *dockertest.Pool,
+	container *dockertest.Resource,
+	path string,
+) ([]byte, error) {
+	buf := bytes.NewBuffer([]byte{})
+
+	err := pool.Client.DownloadFromContainer(
+		container.Container.ID,
+		docker.DownloadFromContainerOptions{
+			OutputStream: buf,
+			Path:         path,
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return buf.Bytes(), nil
+}

integration/scenario.go

@@ -149,15 +149,7 @@ func NewScenario() (*Scenario, error) {
 // environment running the tests.
 func (s *Scenario) Shutdown() error {
 	s.controlServers.Range(func(_ string, control ControlServer) bool {
-		err := control.SaveLog("/tmp/control")
-		if err != nil {
-			log.Printf(
-				"Failed to save log from control: %s",
-				fmt.Errorf("failed to save log from control: %w", err),
-			)
-		}
-
-		err = control.Shutdown()
+		err := control.Shutdown()
 		if err != nil {
 			log.Printf(
 				"Failed to shut down control: %s",
@@ -356,6 +348,15 @@ func (s *Scenario) RunTailscaleUp(
 
 		user.joinWaitGroup.Wait()
 
+		for _, client := range user.Clients {
+			err := client.WaitForReady()
+			if err != nil {
+				log.Printf("client %s was not ready: %s", client.Hostname(), err)
+
+				return fmt.Errorf("failed to up tailscale node: %w", err)
+			}
+		}
+
 		return nil
 	}
 

integration/tailscale.go

@@ -4,6 +4,7 @@ import (
 	"net/netip"
 	"net/url"
 
+	"github.com/juanfont/headscale/integration/dockertestutil"
 	"github.com/juanfont/headscale/integration/tsic"
 	"tailscale.com/ipn/ipnstate"
 )
@@ -13,7 +14,7 @@ type TailscaleClient interface {
 	Hostname() string
 	Shutdown() error
 	Version() string
-	Execute(command []string) (string, string, error)
+	Execute(command []string, options ...dockertestutil.ExecuteCommandOption) (string, string, error)
 	Up(loginServer, authKey string) error
 	UpWithLoginURL(loginServer string) (*url.URL, error)
 	Logout() error

integration/tsic/tsic.go

@@ -29,6 +29,7 @@ const (
 
 var (
 	errTailscalePingFailed             = errors.New("ping failed")
+	errTailscalePingNotDERP            = errors.New("ping not via DERP")
 	errTailscaleNotLoggedIn            = errors.New("tailscale not logged in")
 	errTailscaleWrongPeerCount         = errors.New("wrong peer count")
 	errTailscaleCannotUpWithoutAuthkey = errors.New("cannot up without authkey")
@@ -56,6 +57,7 @@ type TailscaleInContainer struct {
 	withSSH           bool
 	withTags          []string
 	withEntrypoint    []string
+	withExtraHosts    []string
 	workdir           string
 }
 
@@ -124,6 +126,12 @@ func WithDockerWorkdir(dir string) Option {
 	}
 }
 
+func WithExtraHosts(hosts []string) Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.withExtraHosts = hosts
+	}
+}
+
 // WithDockerEntrypoint allows the docker entrypoint of the container
 // to be overridden. This is a dangerous option which can make
 // the container not work as intended as a typo might prevent
@@ -169,11 +177,12 @@ func New(
 
 	tailscaleOptions := &dockertest.RunOptions{
 		Name:     hostname,
-		Networks: []*dockertest.Network{network},
+		Networks: []*dockertest.Network{tsic.network},
 		// Cmd: []string{
 		// 	"tailscaled", "--tun=tsdev",
 		// },
 		Entrypoint: tsic.withEntrypoint,
+		ExtraHosts: tsic.withExtraHosts,
 	}
 
 	if tsic.headscaleHostname != "" {
@@ -248,11 +257,13 @@ func (t *TailscaleInContainer) ID() string {
 // result of stdout as a string.
 func (t *TailscaleInContainer) Execute(
 	command []string,
+	options ...dockertestutil.ExecuteCommandOption,
 ) (string, string, error) {
 	stdout, stderr, err := dockertestutil.ExecuteCommand(
 		t.container,
 		command,
 		[]string{},
+		options...,
 	)
 	if err != nil {
 		log.Printf("command stderr: %s\n", stderr)
@@ -430,6 +441,15 @@ func (t *TailscaleInContainer) WaitForReady() error {
 			return nil
 		}
 
+		// ipnstate.Status.CurrentTailnet was added in Tailscale 1.22.0
+		// https://github.com/tailscale/tailscale/pull/3865
+		//
+		// Before that, we can check the BackendState to see if the
+		// tailscaled daemon is connected to the control system.
+		if status.BackendState == "Running" {
+			return nil
+		}
+
 		return errTailscaleNotConnected
 	})
 }
@@ -468,7 +488,7 @@ func (t *TailscaleInContainer) WaitForPeers(expected int) error {
 }
 
 type (
-	// PingOption repreent optional settings that can be given
+	// PingOption represent optional settings that can be given
 	// to ping another host.
 	PingOption = func(args *pingArgs)
 
@@ -526,7 +546,12 @@ func (t *TailscaleInContainer) Ping(hostnameOrIP string, opts ...PingOption) err
 	command = append(command, hostnameOrIP)
 
 	return t.pool.Retry(func() error {
-		result, _, err := t.Execute(command)
+		result, _, err := t.Execute(
+			command,
+			dockertestutil.ExecuteCommandTimeout(
+				time.Duration(int64(args.timeout)*int64(args.count)),
+			),
+		)
 		if err != nil {
 			log.Printf(
 				"failed to run ping command from %s to %s, err: %s",
@@ -538,10 +563,22 @@ func (t *TailscaleInContainer) Ping(hostnameOrIP string, opts ...PingOption) err
 			return err
 		}
 
-		if !strings.Contains(result, "pong") && !strings.Contains(result, "is local") {
+		if strings.Contains(result, "is local") {
+			return nil
+		}
+
+		if !strings.Contains(result, "pong") {
 			return backoff.Permanent(errTailscalePingFailed)
 		}
 
+		if !args.direct {
+			if strings.Contains(result, "via DERP") {
+				return nil
+			} else {
+				return backoff.Permanent(errTailscalePingNotDERP)
+			}
+		}
+
 		return nil
 	})
 }

integration/utils.go

@@ -2,6 +2,14 @@ package integration
 
 import (
 	"testing"
+	"time"
+
+	"github.com/juanfont/headscale/integration/tsic"
+)
+
+const (
+	derpPingTimeout = 2 * time.Second
+	derpPingCount   = 10
 )
 
 func pingAllHelper(t *testing.T, clients []TailscaleClient, addrs []string) int {
@@ -22,6 +30,52 @@ func pingAllHelper(t *testing.T, clients []TailscaleClient, addrs []string) int
 	return success
 }
 
+func pingDerpAllHelper(t *testing.T, clients []TailscaleClient, addrs []string) int {
+	t.Helper()
+	success := 0
+
+	for _, client := range clients {
+		for _, addr := range addrs {
+			if isSelfClient(client, addr) {
+				continue
+			}
+
+			err := client.Ping(
+				addr,
+				tsic.WithPingTimeout(derpPingTimeout),
+				tsic.WithPingCount(derpPingCount),
+				tsic.WithPingUntilDirect(false),
+			)
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", addr, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}
+
+	return success
+}
+
+func isSelfClient(client TailscaleClient, addr string) bool {
+	if addr == client.Hostname() {
+		return true
+	}
+
+	ips, err := client.IPs()
+	if err != nil {
+		return false
+	}
+
+	for _, ip := range ips {
+		if ip.String() == addr {
+			return true
+		}
+	}
+
+	return false
+}
+
 // pingAllNegativeHelper is intended to have 1 or more nodes timeing out from the ping,
 // it counts failures instead of successes.
 // func pingAllNegativeHelper(t *testing.T, clients []TailscaleClient, addrs []string) int {
@@ -46,3 +100,35 @@ func pingAllHelper(t *testing.T, clients []TailscaleClient, addrs []string) int
 //
 // 	return failures
 // }
+
+// // findPeerByIP takes an IP and a map of peers from status.Peer, and returns a *ipnstate.PeerStatus
+// // if there is a peer with the given IP. If no peer is found, nil is returned.
+// func findPeerByIP(
+// 	ip netip.Addr,
+// 	peers map[key.NodePublic]*ipnstate.PeerStatus,
+// ) *ipnstate.PeerStatus {
+// 	for _, peer := range peers {
+// 		for _, peerIP := range peer.TailscaleIPs {
+// 			if ip == peerIP {
+// 				return peer
+// 			}
+// 		}
+// 	}
+//
+// 	return nil
+// }
+//
+// // findPeerByHostname takes a hostname and a map of peers from status.Peer, and returns a *ipnstate.PeerStatus
+// // if there is a peer with the given hostname. If no peer is found, nil is returned.
+// func findPeerByHostname(
+// 	hostname string,
+// 	peers map[key.NodePublic]*ipnstate.PeerStatus,
+// ) *ipnstate.PeerStatus {
+// 	for _, peer := range peers {
+// 		if hostname == peer.HostName {
+// 			return peer
+// 		}
+// 	}
+//
+// 	return nil
+// }

integration_embedded_derp_test.go

@@ -1,453 +0,0 @@
-// nolint
-package headscale
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"encoding/json"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-	"path"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/ccding/go-stun/stun"
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/ory/dockertest/v3"
-	"github.com/ory/dockertest/v3/docker"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/suite"
-)
-
-const (
-	headscaleDerpHostname = "headscale-derp"
-	userName              = "derpuser"
-	totalContainers       = 3
-)
-
-type IntegrationDERPTestSuite struct {
-	suite.Suite
-	stats *suite.SuiteInformation
-
-	pool              dockertest.Pool
-	network           dockertest.Network
-	containerNetworks map[int]dockertest.Network // so we keep the containers isolated
-	headscale         dockertest.Resource
-	saveLogs          bool
-
-	tailscales    map[string]dockertest.Resource
-	joinWaitGroup sync.WaitGroup
-}
-
-func TestIntegrationDERPTestSuite(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping integration tests due to short flag")
-	}
-
-	saveLogs, err := GetEnvBool("HEADSCALE_INTEGRATION_SAVE_LOG")
-	if err != nil {
-		saveLogs = false
-	}
-
-	s := new(IntegrationDERPTestSuite)
-
-	s.tailscales = make(map[string]dockertest.Resource)
-	s.containerNetworks = make(map[int]dockertest.Network)
-	s.saveLogs = saveLogs
-
-	suite.Run(t, s)
-
-	// HandleStats, which allows us to check if we passed and save logs
-	// is called after TearDown, so we cannot tear down containers before
-	// we have potentially saved the logs.
-	if s.saveLogs {
-		for _, tailscale := range s.tailscales {
-			if err := s.pool.Purge(&tailscale); err != nil {
-				log.Printf("Could not purge resource: %s\n", err)
-			}
-		}
-
-		if !s.stats.Passed() {
-			err := s.saveLog(&s.headscale, "test_output")
-			if err != nil {
-				log.Printf("Could not save log: %s\n", err)
-			}
-		}
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		for _, network := range s.containerNetworks {
-			if err := network.Close(); err != nil {
-				log.Printf("Could not close network: %s\n", err)
-			}
-		}
-	}
-}
-
-func (s *IntegrationDERPTestSuite) SetupSuite() {
-	if ppool, err := dockertest.NewPool(""); err == nil {
-		s.pool = *ppool
-	} else {
-		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
-	}
-
-	network, err := GetFirstOrCreateNetwork(&s.pool, headscaleNetwork)
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Failed to create or get network: %s", err), "")
-	}
-	s.network = network
-
-	for i := 0; i < totalContainers; i++ {
-		if pnetwork, err := s.pool.CreateNetwork(fmt.Sprintf("headscale-derp-%d", i)); err == nil {
-			s.containerNetworks[i] = *pnetwork
-		} else {
-			s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
-		}
-	}
-
-	headscaleBuildOptions := &dockertest.BuildOptions{
-		Dockerfile: "Dockerfile",
-		ContextDir: ".",
-	}
-
-	currentPath, err := os.Getwd()
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
-	}
-
-	headscaleOptions := &dockertest.RunOptions{
-		Name: headscaleDerpHostname,
-		Mounts: []string{
-			fmt.Sprintf(
-				"%s/integration_test/etc_embedded_derp:/etc/headscale",
-				currentPath,
-			),
-		},
-		Cmd:          []string{"headscale", "serve"},
-		Networks:     []*dockertest.Network{&s.network},
-		ExposedPorts: []string{"8443/tcp", "3478/udp"},
-		PortBindings: map[docker.Port][]docker.PortBinding{
-			"8443/tcp": {{HostPort: "8443"}},
-			"3478/udp": {{HostPort: "3478"}},
-		},
-	}
-
-	err = s.pool.RemoveContainerByName(headscaleDerpHostname)
-	if err != nil {
-		s.FailNow(
-			fmt.Sprintf(
-				"Could not remove existing container before building test: %s",
-				err,
-			),
-			"",
-		)
-	}
-
-	log.Println("Creating headscale container for DERP integration tests")
-	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
-		s.headscale = *pheadscale
-	} else {
-		s.FailNow(fmt.Sprintf("Could not start headscale container: %s", err), "")
-	}
-	log.Println("Created headscale container for embedded DERP tests")
-
-	log.Println("Creating tailscale containers for embedded DERP tests")
-
-	for i := 0; i < totalContainers; i++ {
-		version := tailscaleVersions[i%len(tailscaleVersions)]
-		hostname, container := s.tailscaleContainer(
-			fmt.Sprint(i),
-			version,
-			s.containerNetworks[i],
-		)
-		s.tailscales[hostname] = *container
-	}
-
-	log.Println("Waiting for headscale to be ready for embedded DERP tests")
-	hostEndpoint := fmt.Sprintf("%s:%s",
-		s.headscale.GetIPInNetwork(&s.network),
-		s.headscale.GetPort("8443/tcp"))
-
-	if err := s.pool.Retry(func() error {
-		url := fmt.Sprintf("https://%s/health", hostEndpoint)
-		insecureTransport := http.DefaultTransport.(*http.Transport).Clone()
-		insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-		client := &http.Client{Transport: insecureTransport}
-		resp, err := client.Get(url)
-		if err != nil {
-			fmt.Printf("headscale for embedded DERP tests is not ready: %s\n", err)
-			return err
-		}
-
-		if resp.StatusCode != http.StatusOK {
-			return fmt.Errorf("status code not OK")
-		}
-
-		return nil
-	}); err != nil {
-		// TODO(kradalby): If we cannot access headscale, or any other fatal error during
-		// test setup, we need to abort and tear down. However, testify does not seem to
-		// support that at the moment:
-		// https://github.com/stretchr/testify/issues/849
-		return // fmt.Errorf("Could not connect to headscale: %s", err)
-	}
-	log.Println("headscale container is ready for embedded DERP tests")
-
-	log.Printf("Creating headscale user: %s\n", userName)
-	result, _, err := ExecuteCommand(
-		&s.headscale,
-		[]string{"headscale", "users", "create", userName},
-		[]string{},
-	)
-	log.Println("headscale create user result: ", result)
-	assert.Nil(s.T(), err)
-
-	log.Printf("Creating pre auth key for %s\n", userName)
-	preAuthResult, _, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"--user",
-			userName,
-			"preauthkeys",
-			"create",
-			"--reusable",
-			"--expiration",
-			"24h",
-			"--output",
-			"json",
-		},
-		[]string{"LOG_LEVEL=error"},
-	)
-	assert.Nil(s.T(), err)
-
-	var preAuthKey v1.PreAuthKey
-	err = json.Unmarshal([]byte(preAuthResult), &preAuthKey)
-	assert.Nil(s.T(), err)
-	assert.True(s.T(), preAuthKey.Reusable)
-
-	headscaleEndpoint := fmt.Sprintf(
-		"https://headscale:%s",
-		s.headscale.GetPort("8443/tcp"),
-	)
-
-	log.Printf(
-		"Joining tailscale containers to headscale at %s\n",
-		headscaleEndpoint,
-	)
-	for hostname, tailscale := range s.tailscales {
-		s.joinWaitGroup.Add(1)
-		go s.Join(headscaleEndpoint, preAuthKey.Key, hostname, tailscale)
-	}
-
-	s.joinWaitGroup.Wait()
-
-	// The nodes need a bit of time to get their updated maps from headscale
-	// TODO: See if we can have a more deterministic wait here.
-	time.Sleep(60 * time.Second)
-}
-
-func (s *IntegrationDERPTestSuite) Join(
-	endpoint, key, hostname string,
-	tailscale dockertest.Resource,
-) {
-	defer s.joinWaitGroup.Done()
-
-	command := []string{
-		"tailscale",
-		"up",
-		"-login-server",
-		endpoint,
-		"--authkey",
-		key,
-		"--hostname",
-		hostname,
-	}
-
-	log.Println("Join command:", command)
-	log.Printf("Running join command for %s\n", hostname)
-	_, _, err := ExecuteCommand(
-		&tailscale,
-		command,
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-	log.Printf("%s joined\n", hostname)
-}
-
-func (s *IntegrationDERPTestSuite) tailscaleContainer(
-	identifier, version string,
-	network dockertest.Network,
-) (string, *dockertest.Resource) {
-	tailscaleBuildOptions := getDockerBuildOptions(version)
-
-	hostname := fmt.Sprintf(
-		"tailscale-%s-%s",
-		strings.Replace(version, ".", "-", -1),
-		identifier,
-	)
-	tailscaleOptions := &dockertest.RunOptions{
-		Name:     hostname,
-		Networks: []*dockertest.Network{&network},
-		Cmd: []string{
-			"tailscaled", "--tun=tsdev",
-		},
-
-		// expose the host IP address, so we can access it from inside the container
-		ExtraHosts: []string{
-			"host.docker.internal:host-gateway",
-			"headscale:host-gateway",
-		},
-	}
-
-	pts, err := s.pool.BuildAndRunWithBuildOptions(
-		tailscaleBuildOptions,
-		tailscaleOptions,
-		DockerRestartPolicy,
-		DockerAllowLocalIPv6,
-		DockerAllowNetworkAdministration,
-	)
-	if err != nil {
-		log.Fatalf("Could not start tailscale container version %s: %s", version, err)
-	}
-	log.Printf("Created %s container\n", hostname)
-
-	return hostname, pts
-}
-
-func (s *IntegrationDERPTestSuite) TearDownSuite() {
-	if !s.saveLogs {
-		for _, tailscale := range s.tailscales {
-			if err := s.pool.Purge(&tailscale); err != nil {
-				log.Printf("Could not purge resource: %s\n", err)
-			}
-		}
-
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		for _, network := range s.containerNetworks {
-			if err := network.Close(); err != nil {
-				log.Printf("Could not close network: %s\n", err)
-			}
-		}
-	}
-}
-
-func (s *IntegrationDERPTestSuite) HandleStats(
-	suiteName string,
-	stats *suite.SuiteInformation,
-) {
-	s.stats = stats
-}
-
-func (s *IntegrationDERPTestSuite) saveLog(
-	resource *dockertest.Resource,
-	basePath string,
-) error {
-	err := os.MkdirAll(basePath, os.ModePerm)
-	if err != nil {
-		return err
-	}
-
-	var stdout bytes.Buffer
-	var stderr bytes.Buffer
-
-	err = s.pool.Client.Logs(
-		docker.LogsOptions{
-			Context:      context.TODO(),
-			Container:    resource.Container.ID,
-			OutputStream: &stdout,
-			ErrorStream:  &stderr,
-			Tail:         "all",
-			RawTerminal:  false,
-			Stdout:       true,
-			Stderr:       true,
-			Follow:       false,
-			Timestamps:   false,
-		},
-	)
-	if err != nil {
-		return err
-	}
-
-	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
-
-	err = os.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stdout.log"),
-		stderr.Bytes(),
-		0o644,
-	)
-	if err != nil {
-		return err
-	}
-
-	err = os.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stderr.log"),
-		stderr.Bytes(),
-		0o644,
-	)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (s *IntegrationDERPTestSuite) TestPingAllPeersByHostname() {
-	hostnames, err := getDNSNames(&s.headscale)
-	assert.Nil(s.T(), err)
-
-	log.Printf("Hostnames: %#v\n", hostnames)
-
-	for hostname, tailscale := range s.tailscales {
-		for _, peername := range hostnames {
-			if strings.Contains(peername, hostname) {
-				continue
-			}
-			s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
-				command := []string{
-					"tailscale", "ping",
-					"--timeout=10s",
-					"--c=5",
-					"--until-direct=false",
-					peername,
-				}
-
-				log.Printf(
-					"Pinging using hostname from %s to %s\n",
-					hostname,
-					peername,
-				)
-				log.Println(command)
-				result, _, err := ExecuteCommand(
-					&tailscale,
-					command,
-					[]string{},
-				)
-				assert.Nil(t, err)
-				log.Printf("Result for %s: %s\n", hostname, result)
-				assert.Contains(t, result, "via DERP(headscale)")
-			})
-		}
-	}
-}
-
-func (s *IntegrationDERPTestSuite) TestDERPSTUN() {
-	headscaleSTUNAddr := fmt.Sprintf("%s:%s",
-		s.headscale.GetIPInNetwork(&s.network),
-		s.headscale.GetPort("3478/udp"))
-	client := stun.NewClient()
-	client.SetVerbose(true)
-	client.SetVVerbose(true)
-	client.SetServerAddr(headscaleSTUNAddr)
-	_, _, err := client.Discover()
-	assert.Nil(s.T(), err)
-}

machine.go

@@ -4,6 +4,7 @@ import (
 	"database/sql/driver"
 	"errors"
 	"fmt"
+	"net"
 	"net/netip"
 	"sort"
 	"strconv"
@@ -172,7 +173,7 @@ func filterMachinesByACL(
 	machine *Machine,
 	machines Machines,
 	lock *sync.RWMutex,
-	aclPeerCacheMap map[string]map[string]struct{},
+	aclPeerCacheMap map[string][]string,
 ) Machines {
 	log.Trace().
 		Caller().
@@ -197,43 +198,34 @@ func filterMachinesByACL(
 
 		if dstMap, ok := aclPeerCacheMap["*"]; ok {
 			// match source and all destination
-			if _, dstOk := dstMap["*"]; dstOk {
-				peers[peer.ID] = peer
 
-				continue
+			for _, dst := range dstMap {
+				if dst == "*" {
+					peers[peer.ID] = peer
+
+					continue
+				}
 			}
 
 			// match source and all destination
 			for _, peerIP := range peerIPs {
-				if _, dstOk := dstMap[peerIP]; dstOk {
-					peers[peer.ID] = peer
+				for _, dst := range dstMap {
+					_, cdr, _ := net.ParseCIDR(dst)
+					ip := net.ParseIP(peerIP)
+					if dst == peerIP || (cdr != nil && ip != nil && cdr.Contains(ip)) {
+						peers[peer.ID] = peer
 
-					continue
+						continue
+					}
 				}
 			}
 
 			// match all sources and source
 			for _, machineIP := range machineIPs {
-				if _, dstOk := dstMap[machineIP]; dstOk {
-					peers[peer.ID] = peer
-
-					continue
-				}
-			}
-		}
-
-		for _, machineIP := range machineIPs {
-			if dstMap, ok := aclPeerCacheMap[machineIP]; ok {
-				// match source and all destination
-				if _, dstOk := dstMap["*"]; dstOk {
-					peers[peer.ID] = peer
-
-					continue
-				}
-
-				// match source and destination
-				for _, peerIP := range peerIPs {
-					if _, dstOk := dstMap[peerIP]; dstOk {
+				for _, dst := range dstMap {
+					_, cdr, _ := net.ParseCIDR(dst)
+					ip := net.ParseIP(machineIP)
+					if dst == machineIP || (cdr != nil && ip != nil && cdr.Contains(ip)) {
 						peers[peer.ID] = peer
 
 						continue
@@ -242,22 +234,55 @@ func filterMachinesByACL(
 			}
 		}
 
-		for _, peerIP := range peerIPs {
-			if dstMap, ok := aclPeerCacheMap[peerIP]; ok {
+		for _, machineIP := range machineIPs {
+			if dstMap, ok := aclPeerCacheMap[machineIP]; ok {
 				// match source and all destination
-				if _, dstOk := dstMap["*"]; dstOk {
-					peers[peer.ID] = peer
-
-					continue
-				}
-				// match return path
-				for _, machineIP := range machineIPs {
-					if _, dstOk := dstMap[machineIP]; dstOk {
+				for _, dst := range dstMap {
+					if dst == "*" {
 						peers[peer.ID] = peer
 
 						continue
 					}
 				}
+
+				// match source and destination
+				for _, peerIP := range peerIPs {
+					for _, dst := range dstMap {
+						_, cdr, _ := net.ParseCIDR(dst)
+						ip := net.ParseIP(peerIP)
+						if dst == peerIP || (cdr != nil && ip != nil && cdr.Contains(ip)) {
+							peers[peer.ID] = peer
+
+							continue
+						}
+					}
+				}
+			}
+		}
+
+		for _, peerIP := range peerIPs {
+			if dstMap, ok := aclPeerCacheMap[peerIP]; ok {
+				// match source and all destination
+				for _, dst := range dstMap {
+					if dst == "*" {
+						peers[peer.ID] = peer
+
+						continue
+					}
+				}
+
+				// match return path
+				for _, machineIP := range machineIPs {
+					for _, dst := range dstMap {
+						_, cdr, _ := net.ParseCIDR(dst)
+						ip := net.ParseIP(machineIP)
+						if dst == machineIP || (cdr != nil && ip != nil && cdr.Contains(ip)) {
+							peers[peer.ID] = peer
+
+							continue
+						}
+					}
+				}
 			}
 		}
 	}
@@ -1267,3 +1292,17 @@ func (h *Headscale) GenerateGivenName(machineKey string, suppliedName string) (s
 
 	return givenName, nil
 }
+
+func (machines Machines) FilterByIP(ip netip.Addr) Machines {
+	found := make(Machines, 0)
+
+	for _, machine := range machines {
+		for _, mIP := range machine.IPAddresses {
+			if ip == mIP {
+				found = append(found, machine)
+			}
+		}
+	}
+
+	return found
+}