Expand the signature of policy.ExpandAlias() to support the implementation of autogroups

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

.github/workflows/build.yml

@@ -33,7 +33,9 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
         if: steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run build

.github/workflows/release.yml

@@ -16,7 +16,8 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: cachix/install-nix-action@v16
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
 
       - name: Run goreleaser
         run: nix develop --command -- goreleaser release --clean

.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestApiKeyCommand.yaml

@@ -0,0 +1,65 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestApiKeyCommand
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestApiKeyCommand$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestCreateTailscale.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestDERPServerScenario.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestEnablingRoutes.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestEphemeral.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestExpireNode.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestHeadscale.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestNodeCommand.yaml

@@ -0,0 +1,65 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestNodeCommand
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestNodeCommand$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestNodeExpireCommand.yaml

@@ -0,0 +1,65 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestNodeExpireCommand
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestNodeExpireCommand$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestNodeMoveCommand.yaml

@@ -0,0 +1,65 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestNodeMoveCommand
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestNodeMoveCommand$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestNodeRenameCommand.yaml

@@ -0,0 +1,65 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestNodeRenameCommand
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestNodeRenameCommand$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestNodeTagCommand.yaml

@@ -0,0 +1,65 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestNodeTagCommand
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestNodeTagCommand$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"

.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestPingAllByHostname.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestPingAllByIP.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestTaildrop.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test-integration-v2-TestUserCommand.yaml

@@ -18,6 +18,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -29,9 +34,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

.github/workflows/test.yml

@@ -26,7 +26,9 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
         if: steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run tests

.gitignore

@@ -41,3 +41,5 @@ integration_test/etc/config.dump.yaml
 # MkDocs
 .cache
 /site
+
+__debug_bin

CHANGELOG.md

@@ -8,6 +8,9 @@
 
 ### Changes
 
+- Make the OIDC callback page better [#1484](https://github.com/juanfont/headscale/pull/1484)
+- SSH is no longer experimental [#1487](https://github.com/juanfont/headscale/pull/1487)
+
 ## 0.22.3 (2023-05-12)
 
 ### Changes

README.md

@@ -233,7 +233,7 @@ make build
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/arch4ngel>
+        <a href=https://github.com/ImpostorKeanu>
             <img src=https://avatars.githubusercontent.com/u/11574161?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Justin Angel/>
             <br />
             <sub style="font-size:14px"><b>Justin Angel</b></sub>
@@ -246,6 +246,13 @@ make build
             <sub style="font-size:14px"><b>Alessandro (Ale) Segala</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/ohdearaugustin>
+            <img src=https://avatars.githubusercontent.com/u/14001491?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ohdearaugustin/>
+            <br />
+            <sub style="font-size:14px"><b>ohdearaugustin</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/unreality>
             <img src=https://avatars.githubusercontent.com/u/352522?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=unreality/>
@@ -253,6 +260,8 @@ make build
             <sub style="font-size:14px"><b>unreality</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/mpldr>
             <img src=https://avatars.githubusercontent.com/u/33086936?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Moritz Poldrack/>
@@ -260,13 +269,11 @@ make build
             <sub style="font-size:14px"><b>Moritz Poldrack</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/ohdearaugustin>
-            <img src=https://avatars.githubusercontent.com/u/14001491?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ohdearaugustin/>
+        <a href=https://github.com/Orhideous>
+            <img src=https://avatars.githubusercontent.com/u/2265184?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Andriy Kushnir/>
             <br />
-            <sub style="font-size:14px"><b>ohdearaugustin</b></sub>
+            <sub style="font-size:14px"><b>Andriy Kushnir</b></sub>
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -297,6 +304,8 @@ make build
             <sub style="font-size:14px"><b>Mike Lloyd</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/iSchluff>
             <img src=https://avatars.githubusercontent.com/u/1429641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anton Schubert/>
@@ -304,8 +313,6 @@ make build
             <sub style="font-size:14px"><b>Anton Schubert</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Niek>
             <img src=https://avatars.githubusercontent.com/u/213140?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Niek van der Maas/>
@@ -341,6 +348,8 @@ make build
             <sub style="font-size:14px"><b>Igor Perepilitsyn</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Aluxima>
             <img src=https://avatars.githubusercontent.com/u/16262531?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Laurent Marchaud/>
@@ -348,8 +357,6 @@ make build
             <sub style="font-size:14px"><b>Laurent Marchaud</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/majst01>
             <img src=https://avatars.githubusercontent.com/u/410110?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan Majer/>
@@ -385,13 +392,6 @@ make build
             <sub style="font-size:14px"><b>bravechamp</b></sub>
         </a>
     </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/bravechamp>
-            <img src=https://avatars.githubusercontent.com/u/48980452?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=bravechamp/>
-            <br />
-            <sub style="font-size:14px"><b>bravechamp</b></sub>
-        </a>
-    </td>
 </tr>
 <tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -408,6 +408,13 @@ make build
             <sub style="font-size:14px"><b>Jamie Greeff</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/jonathanspw>
+            <img src=https://avatars.githubusercontent.com/u/8390543?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jonathan Wright/>
+            <br />
+            <sub style="font-size:14px"><b>Jonathan Wright</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ChibangLW>
             <img src=https://avatars.githubusercontent.com/u/22293464?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ChibangLW/>
@@ -415,6 +422,13 @@ make build
             <sub style="font-size:14px"><b>ChibangLW</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/majabojarska>
+            <img src=https://avatars.githubusercontent.com/u/33836570?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Maja Bojarska/>
+            <br />
+            <sub style="font-size:14px"><b>Maja Bojarska</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/mevansam>
             <img src=https://avatars.githubusercontent.com/u/403630?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mevan Samaratunga/>
@@ -422,6 +436,8 @@ make build
             <sub style="font-size:14px"><b>Mevan Samaratunga</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/dragetd>
             <img src=https://avatars.githubusercontent.com/u/3639577?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Michael G./>
@@ -436,8 +452,6 @@ make build
             <sub style="font-size:14px"><b>Paul Tötterman</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/samson4649>
             <img src=https://avatars.githubusercontent.com/u/12725953?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Samuel Lock/>
@@ -445,6 +459,13 @@ make build
             <sub style="font-size:14px"><b>Samuel Lock</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/loprima-l>
+            <img src=https://avatars.githubusercontent.com/u/69201633?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=loprima-l/>
+            <br />
+            <sub style="font-size:14px"><b>loprima-l</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/kevin1sMe>
             <img src=https://avatars.githubusercontent.com/u/6886076?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kevinlin/>
@@ -459,6 +480,8 @@ make build
             <sub style="font-size:14px"><b>Snack</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/artemklevtsov>
             <img src=https://avatars.githubusercontent.com/u/603798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Artem Klevtsov/>
@@ -480,8 +503,6 @@ make build
             <sub style="font-size:14px"><b>dbevacqua</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/joshuataylor>
             <img src=https://avatars.githubusercontent.com/u/225131?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Josh Taylor/>
@@ -503,6 +524,8 @@ make build
             <sub style="font-size:14px"><b>Motiejus Jakštys</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/pvinis>
             <img src=https://avatars.githubusercontent.com/u/100233?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pavlos Vinieratos/>
@@ -524,8 +547,6 @@ make build
             <sub style="font-size:14px"><b>Steven Honson</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ratsclub>
             <img src=https://avatars.githubusercontent.com/u/25647735?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Victor Freire/>
@@ -547,6 +568,8 @@ make build
             <sub style="font-size:14px"><b>Sean Reifschneider</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/aberoham>
             <img src=https://avatars.githubusercontent.com/u/586805?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Abraham Ingersoll/>
@@ -568,8 +591,6 @@ make build
             <sub style="font-size:14px"><b>Andrei Pechkurov</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/theryecatcher>
             <img src=https://avatars.githubusercontent.com/u/16442416?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anoop Sundaresh/>
@@ -591,6 +612,8 @@ make build
             <sub style="font-size:14px"><b>Antonio Fernandez</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/aofei>
             <img src=https://avatars.githubusercontent.com/u/5037285?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Aofei Sheng/>
@@ -605,6 +628,13 @@ make build
             <sub style="font-size:14px"><b>Arnar</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/awoimbee>
+            <img src=https://avatars.githubusercontent.com/u/22431493?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Arthur Woimbée/>
+            <br />
+            <sub style="font-size:14px"><b>Arthur Woimbée</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/avirut>
             <img src=https://avatars.githubusercontent.com/u/27095602?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Avirut Mehta/>
@@ -612,8 +642,6 @@ make build
             <sub style="font-size:14px"><b>Avirut Mehta</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/stensonb>
             <img src=https://avatars.githubusercontent.com/u/933389?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Bryan Stenson/>
@@ -628,11 +656,13 @@ make build
             <sub style="font-size:14px"><b> Carson Yang</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/kundel>
-            <img src=https://avatars.githubusercontent.com/u/10158899?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kundel/>
+            <img src=https://avatars.githubusercontent.com/u/10158899?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Darrell Kundel/>
             <br />
-            <sub style="font-size:14px"><b>kundel</b></sub>
+            <sub style="font-size:14px"><b>Darrell Kundel</b></sub>
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -656,8 +686,6 @@ make build
             <sub style="font-size:14px"><b>Felix Yan</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/gabe565>
             <img src=https://avatars.githubusercontent.com/u/7717888?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Gabe Cook/>
@@ -672,6 +700,8 @@ make build
             <sub style="font-size:14px"><b>JJGadgets</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/hrtkpf>
             <img src=https://avatars.githubusercontent.com/u/42646788?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=hrtkpf/>
@@ -700,8 +730,6 @@ make build
             <sub style="font-size:14px"><b>John Axel Eriksson</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ShadowJonathan>
             <img src=https://avatars.githubusercontent.com/u/22740616?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jonathan de Jong/>
@@ -716,6 +744,8 @@ make build
             <sub style="font-size:14px"><b>Julien Zweverink</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/win-t>
             <img src=https://avatars.githubusercontent.com/u/1589120?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Kurnia D Win/>
@@ -737,6 +767,13 @@ make build
             <sub style="font-size:14px"><b>Maxim Gajdaj</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/mhameed>
+            <img src=https://avatars.githubusercontent.com/u/447017?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mesar Hameed/>
+            <br />
+            <sub style="font-size:14px"><b>Mesar Hameed</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/mikejsavage>
             <img src=https://avatars.githubusercontent.com/u/579299?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Michael Savage/>
@@ -744,6 +781,13 @@ make build
             <sub style="font-size:14px"><b>Michael Savage</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/pkrivanec>
+            <img src=https://avatars.githubusercontent.com/u/25530641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Philipp Krivanec/>
+            <br />
+            <sub style="font-size:14px"><b>Philipp Krivanec</b></sub>
+        </a>
+    </td>
 </tr>
 <tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -790,6 +834,13 @@ make build
     </td>
 </tr>
 <tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/muzy>
+            <img src=https://avatars.githubusercontent.com/u/321723?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Sebastian Muszytowski/>
+            <br />
+            <sub style="font-size:14px"><b>Sebastian Muszytowski</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/shaananc>
             <img src=https://avatars.githubusercontent.com/u/2287839?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Shaanan Cohney/>
@@ -797,6 +848,13 @@ make build
             <sub style="font-size:14px"><b>Shaanan Cohney</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/6ixfalls>
+            <img src=https://avatars.githubusercontent.com/u/23470032?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Six/>
+            <br />
+            <sub style="font-size:14px"><b>Six</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/stefanvanburen>
             <img src=https://avatars.githubusercontent.com/u/622527?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan VanBuren/>
@@ -818,22 +876,15 @@ make build
             <sub style="font-size:14px"><b>Tanner</b></sub>
         </a>
     </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/Teteros>
-            <img src=https://avatars.githubusercontent.com/u/5067989?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Teteros/>
-            <br />
-            <sub style="font-size:14px"><b>Teteros</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/Teteros>
-            <img src=https://avatars.githubusercontent.com/u/5067989?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Teteros/>
-            <br />
-            <sub style="font-size:14px"><b>Teteros</b></sub>
-        </a>
-    </td>
 </tr>
 <tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/Teteros>
+            <img src=https://avatars.githubusercontent.com/u/5067989?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Teteros/>
+            <br />
+            <sub style="font-size:14px"><b>Teteros</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/gitter-badger>
             <img src=https://avatars.githubusercontent.com/u/8518239?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=The Gitter Badger/>
@@ -869,6 +920,8 @@ make build
             <sub style="font-size:14px"><b>Yang Bin</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/gozssky>
             <img src=https://avatars.githubusercontent.com/u/17199941?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Yujie Xia/>
@@ -876,8 +929,6 @@ make build
             <sub style="font-size:14px"><b>Yujie Xia</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/newellz2>
             <img src=https://avatars.githubusercontent.com/u/52436542?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zachary Newell/>
@@ -913,6 +964,8 @@ make build
             <sub style="font-size:14px"><b>caelansar</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/derelm>
             <img src=https://avatars.githubusercontent.com/u/465155?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=derelm/>
@@ -920,8 +973,6 @@ make build
             <sub style="font-size:14px"><b>derelm</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/dnaq>
             <img src=https://avatars.githubusercontent.com/u/1299717?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=dnaq/>
@@ -957,6 +1008,8 @@ make build
             <sub style="font-size:14px"><b>suhelen</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/lion24>
             <img src=https://avatars.githubusercontent.com/u/1382102?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=sharkonet/>
@@ -964,8 +1017,6 @@ make build
             <sub style="font-size:14px"><b>sharkonet</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ma6174>
             <img src=https://avatars.githubusercontent.com/u/1449133?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ma6174/>
@@ -1001,6 +1052,8 @@ make build
             <sub style="font-size:14px"><b>phpmalik</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Wakeful-Cloud>
             <img src=https://avatars.githubusercontent.com/u/38930607?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Wakeful-Cloud/>
@@ -1008,8 +1061,6 @@ make build
             <sub style="font-size:14px"><b>Wakeful-Cloud</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/xpzouying>
             <img src=https://avatars.githubusercontent.com/u/3946563?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=zy/>

cmd/gh-action-integration-generator/main.go

@@ -39,6 +39,11 @@ jobs:
         with:
           fetch-depth: 2
 
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: satackey/action-docker-layer-caching@main
+        continue-on-error: true
+
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v34
@@ -50,9 +55,6 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v18
-        if: {{ "${{ env.ACT }}" }} || steps.changed-files.outputs.any_changed == 'true'
-
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
         run: |

cmd/headscale/cli/api_key.go

@@ -6,7 +6,7 @@ import (
 	"time"
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/prometheus/common/model"
 	"github.com/pterm/pterm"
 	"github.com/rs/zerolog/log"
@@ -83,7 +83,7 @@ var listAPIKeys = &cobra.Command{
 			}
 
 			tableData = append(tableData, []string{
-				strconv.FormatUint(key.GetId(), hscontrol.Base10),
+				strconv.FormatUint(key.GetId(), util.Base10),
 				key.GetPrefix(),
 				expiration,
 				key.GetCreatedAt().AsTime().Format(HeadscaleDateTimeFormat),

cmd/headscale/cli/debug.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -93,7 +93,7 @@ var createNodeCmd = &cobra.Command{
 
 			return
 		}
-		if !hscontrol.NodePublicKeyRegex.Match([]byte(machineKey)) {
+		if !util.NodePublicKeyRegex.Match([]byte(machineKey)) {
 			err = errPreAuthKeyMalformed
 			ErrorOutput(
 				err,

cmd/headscale/cli/nodes.go

@@ -10,7 +10,7 @@ import (
 
 	survey "github.com/AlecAivazis/survey/v2"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -529,7 +529,7 @@ func nodesToPtables(
 
 		var machineKey key.MachinePublic
 		err := machineKey.UnmarshalText(
-			[]byte(hscontrol.MachinePublicKeyEnsurePrefix(machine.MachineKey)),
+			[]byte(util.MachinePublicKeyEnsurePrefix(machine.MachineKey)),
 		)
 		if err != nil {
 			machineKey = key.MachinePublic{}
@@ -537,7 +537,7 @@ func nodesToPtables(
 
 		var nodeKey key.NodePublic
 		err = nodeKey.UnmarshalText(
-			[]byte(hscontrol.NodePublicKeyEnsurePrefix(machine.NodeKey)),
+			[]byte(util.NodePublicKeyEnsurePrefix(machine.NodeKey)),
 		)
 		if err != nil {
 			return nil, err
@@ -596,7 +596,7 @@ func nodesToPtables(
 		}
 
 		nodeData := []string{
-			strconv.FormatUint(machine.Id, hscontrol.Base10),
+			strconv.FormatUint(machine.Id, util.Base10),
 			machine.Name,
 			machine.GetGivenName(),
 			machineKey.ShortString(),

cmd/headscale/cli/root.go

@@ -5,7 +5,7 @@ import (
 	"os"
 	"runtime"
 
-	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -38,18 +38,18 @@ func initConfig() {
 		cfgFile = os.Getenv("HEADSCALE_CONFIG")
 	}
 	if cfgFile != "" {
-		err := hscontrol.LoadConfig(cfgFile, true)
+		err := types.LoadConfig(cfgFile, true)
 		if err != nil {
 			log.Fatal().Caller().Err(err).Msgf("Error loading config file %s", cfgFile)
 		}
 	} else {
-		err := hscontrol.LoadConfig("", false)
+		err := types.LoadConfig("", false)
 		if err != nil {
 			log.Fatal().Caller().Err(err).Msgf("Error loading config")
 		}
 	}
 
-	cfg, err := hscontrol.GetHeadscaleConfig()
+	cfg, err := types.GetHeadscaleConfig()
 	if err != nil {
 		log.Fatal().Caller().Err(err)
 	}
@@ -64,7 +64,7 @@ func initConfig() {
 		zerolog.SetGlobalLevel(zerolog.Disabled)
 	}
 
-	if cfg.Log.Format == hscontrol.JSONLogFormat {
+	if cfg.Log.Format == types.JSONLogFormat {
 		log.Logger = log.Output(os.Stdout)
 	}
 

cmd/headscale/cli/routes.go

@@ -7,7 +7,7 @@ import (
 	"strconv"
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -277,7 +277,7 @@ func routesToPtables(routes []*v1.Route) pterm.TableData {
 
 			continue
 		}
-		if prefix == hscontrol.ExitRouteV4 || prefix == hscontrol.ExitRouteV6 {
+		if prefix == types.ExitRouteV4 || prefix == types.ExitRouteV6 {
 			isPrimaryStr = "-"
 		} else {
 			isPrimaryStr = strconv.FormatBool(route.IsPrimary)

cmd/headscale/cli/users.go

@@ -1,11 +1,11 @@
 package cli
 
 import (
+	"errors"
 	"fmt"
 
 	survey "github.com/AlecAivazis/survey/v2"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
 	"github.com/pterm/pterm"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -20,9 +20,7 @@ func init() {
 	userCmd.AddCommand(renameUserCmd)
 }
 
-const (
-	errMissingParameter = hscontrol.Error("missing parameters")
-)
+var errMissingParameter = errors.New("missing parameters")
 
 var userCmd = &cobra.Command{
 	Use:     "users",

cmd/headscale/cli/utils.go

@@ -10,6 +10,9 @@ import (
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
@@ -23,7 +26,7 @@ const (
 )
 
 func getHeadscaleApp() (*hscontrol.Headscale, error) {
-	cfg, err := hscontrol.GetHeadscaleConfig()
+	cfg, err := types.GetHeadscaleConfig()
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to load configuration while creating headscale instance: %w",
@@ -39,21 +42,23 @@ func getHeadscaleApp() (*hscontrol.Headscale, error) {
 	// We are doing this here, as in the future could be cool to have it also hot-reload
 
 	if cfg.ACL.PolicyPath != "" {
-		aclPath := hscontrol.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
-		err = app.LoadACLPolicyFromPath(aclPath)
+		aclPath := util.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
+		pol, err := policy.LoadACLPolicyFromPath(aclPath)
 		if err != nil {
 			log.Fatal().
 				Str("path", aclPath).
 				Err(err).
 				Msg("Could not load the ACL policy")
 		}
+
+		app.ACLPolicy = pol
 	}
 
 	return app, nil
 }
 
 func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.ClientConn, context.CancelFunc) {
-	cfg, err := hscontrol.GetHeadscaleConfig()
+	cfg, err := types.GetHeadscaleConfig()
 	if err != nil {
 		log.Fatal().
 			Err(err).
@@ -98,7 +103,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 		grpcOptions = append(
 			grpcOptions,
 			grpc.WithTransportCredentials(insecure.NewCredentials()),
-			grpc.WithContextDialer(hscontrol.GrpcSocketDialer),
+			grpc.WithContextDialer(util.GrpcSocketDialer),
 		)
 	} else {
 		// If we are not connecting to a local server, require an API key for authentication

cmd/headscale/headscale.go

@@ -48,7 +48,7 @@ func main() {
 
 	zerolog.TimeFieldFormat = zerolog.TimeFormatUnix
 	log.Logger = log.Output(zerolog.ConsoleWriter{
-		Out:        os.Stdout,
+		Out:        os.Stderr,
 		TimeFormat: time.RFC3339,
 		NoColor:    !colors,
 	})

cmd/headscale/headscale_test.go

@@ -7,7 +7,8 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/spf13/viper"
 	"gopkg.in/check.v1"
 )
@@ -50,7 +51,7 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 	}
 
 	// Load example config, it should load without validation errors
-	err = hscontrol.LoadConfig(cfgFile, true)
+	err = types.LoadConfig(cfgFile, true)
 	c.Assert(err, check.IsNil)
 
 	// Test that config file was interpreted correctly
@@ -64,7 +65,7 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
-		hscontrol.GetFileMode("unix_socket_permission"),
+		util.GetFileMode("unix_socket_permission"),
 		check.Equals,
 		fs.FileMode(0o770),
 	)
@@ -93,7 +94,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	}
 
 	// Load example config, it should load without validation errors
-	err = hscontrol.LoadConfig(tmpDir, false)
+	err = types.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)
 
 	// Test that config file was interpreted correctly
@@ -107,7 +108,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
-		hscontrol.GetFileMode("unix_socket_permission"),
+		util.GetFileMode("unix_socket_permission"),
 		check.Equals,
 		fs.FileMode(0o770),
 	)
@@ -137,10 +138,10 @@ func (*Suite) TestDNSConfigLoading(c *check.C) {
 	}
 
 	// Load example config, it should load without validation errors
-	err = hscontrol.LoadConfig(tmpDir, false)
+	err = types.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)
 
-	dnsConfig, baseDomain := hscontrol.GetDNSConfig()
+	dnsConfig, baseDomain := types.GetDNSConfig()
 
 	c.Assert(dnsConfig.Nameservers[0].String(), check.Equals, "1.1.1.1")
 	c.Assert(dnsConfig.Resolvers[0].Addr, check.Equals, "1.1.1.1")
@@ -172,7 +173,7 @@ noise:
 	writeConfig(c, tmpDir, configYaml)
 
 	// Check configuration validation errors (1)
-	err = hscontrol.LoadConfig(tmpDir, false)
+	err = types.LoadConfig(tmpDir, false)
 	c.Assert(err, check.NotNil)
 	// check.Matches can not handle multiline strings
 	tmp := strings.ReplaceAll(err.Error(), "\n", "***")
@@ -201,6 +202,6 @@ tls_letsencrypt_hostname: example.com
 tls_letsencrypt_challenge_type: TLS-ALPN-01
 `)
 	writeConfig(c, tmpDir, configYaml)
-	err = hscontrol.LoadConfig(tmpDir, false)
+	err = types.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)
 }

flake.nix

@@ -6,177 +6,172 @@
     flake-utils.url = "github:numtide/flake-utils";
   };
 
-  outputs =
-    { self
-    , nixpkgs
-    , flake-utils
-    , ...
-    }:
-    let
-      headscaleVersion =
-        if (self ? shortRev)
-        then self.shortRev
-        else "dev";
-    in
+  outputs = {
+    self,
+    nixpkgs,
+    flake-utils,
+    ...
+  }: let
+    headscaleVersion =
+      if (self ? shortRev)
+      then self.shortRev
+      else "dev";
+  in
     {
-      overlay = _: prev:
-        let
-          pkgs = nixpkgs.legacyPackages.${prev.system};
-        in
-        rec {
-          headscale = pkgs.buildGo120Module rec {
-            pname = "headscale";
-            version = headscaleVersion;
-            src = pkgs.lib.cleanSource self;
+      overlay = _: prev: let
+        pkgs = nixpkgs.legacyPackages.${prev.system};
+      in rec {
+        headscale = pkgs.buildGo120Module rec {
+          pname = "headscale";
+          version = headscaleVersion;
+          src = pkgs.lib.cleanSource self;
 
-            tags = [ "ts2019" ];
+          tags = ["ts2019"];
 
-            # Only run unit tests when testing a build
-            checkFlags = [ "-short" ];
+          # Only run unit tests when testing a build
+          checkFlags = ["-short"];
 
-            # When updating go.mod or go.sum, a new sha will need to be calculated,
-            # update this if you have a mismatch after doing a change to thos files.
-            vendorSha256 = "sha256-IOkbbFtE6+tNKnglE/8ZuNxhPSnloqM2sLgTvagMmnc=";
+          # When updating go.mod or go.sum, a new sha will need to be calculated,
+          # update this if you have a mismatch after doing a change to thos files.
+          vendorSha256 = "sha256-9Hol8w8HB28AlulshMYYQwOgvGzR47qxzyPrB8G0XSQ=";
 
-            ldflags = [ "-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}" ];
-          };
-
-          golines = pkgs.buildGoModule rec {
-            pname = "golines";
-            version = "0.11.0";
-
-            src = pkgs.fetchFromGitHub {
-              owner = "segmentio";
-              repo = "golines";
-              rev = "v${version}";
-              sha256 = "sha256-2K9KAg8iSubiTbujyFGN3yggrL+EDyeUCs9OOta/19A=";
-            };
-
-            vendorSha256 = "sha256-rxYuzn4ezAxaeDhxd8qdOzt+CKYIh03A9zKNdzILq18=";
-
-            nativeBuildInputs = [ pkgs.installShellFiles ];
-          };
-
-          golangci-lint = prev.golangci-lint.override {
-            # Override https://github.com/NixOS/nixpkgs/pull/166801 which changed this
-            # to buildGo118Module because it does not build on Darwin.
-            inherit (prev) buildGoModule;
-          };
-
-          protoc-gen-grpc-gateway = pkgs.buildGoModule rec {
-            pname = "grpc-gateway";
-            version = "2.14.0";
-
-            src = pkgs.fetchFromGitHub {
-              owner = "grpc-ecosystem";
-              repo = "grpc-gateway";
-              rev = "v${version}";
-              sha256 = "sha256-lnNdsDCpeSHtl2lC1IhUw11t3cnGF+37qSM7HDvKLls=";
-            };
-
-            vendorSha256 = "sha256-dGdnDuRbwg8fU7uB5GaHEWa/zI3w06onqjturvooJQA=";
-
-            nativeBuildInputs = [ pkgs.installShellFiles ];
-
-            subPackages = [ "protoc-gen-grpc-gateway" "protoc-gen-openapiv2" ];
-          };
+          ldflags = ["-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}"];
         };
+
+        golines = pkgs.buildGoModule rec {
+          pname = "golines";
+          version = "0.11.0";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "segmentio";
+            repo = "golines";
+            rev = "v${version}";
+            sha256 = "sha256-2K9KAg8iSubiTbujyFGN3yggrL+EDyeUCs9OOta/19A=";
+          };
+
+          vendorSha256 = "sha256-rxYuzn4ezAxaeDhxd8qdOzt+CKYIh03A9zKNdzILq18=";
+
+          nativeBuildInputs = [pkgs.installShellFiles];
+        };
+
+        golangci-lint = prev.golangci-lint.override {
+          # Override https://github.com/NixOS/nixpkgs/pull/166801 which changed this
+          # to buildGo118Module because it does not build on Darwin.
+          inherit (prev) buildGoModule;
+        };
+
+        protoc-gen-grpc-gateway = pkgs.buildGoModule rec {
+          pname = "grpc-gateway";
+          version = "2.14.0";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "grpc-ecosystem";
+            repo = "grpc-gateway";
+            rev = "v${version}";
+            sha256 = "sha256-lnNdsDCpeSHtl2lC1IhUw11t3cnGF+37qSM7HDvKLls=";
+          };
+
+          vendorSha256 = "sha256-dGdnDuRbwg8fU7uB5GaHEWa/zI3w06onqjturvooJQA=";
+
+          nativeBuildInputs = [pkgs.installShellFiles];
+
+          subPackages = ["protoc-gen-grpc-gateway" "protoc-gen-openapiv2"];
+        };
+      };
     }
     // flake-utils.lib.eachDefaultSystem
-      (system:
-      let
-        pkgs = import nixpkgs {
-          overlays = [ self.overlay ];
-          inherit system;
-        };
-        buildDeps = with pkgs; [ git go_1_20 gnumake ];
-        devDeps = with pkgs;
-          buildDeps
-          ++ [
-            golangci-lint
-            golines
-            nodePackages.prettier
-            goreleaser
-            nfpm
-            gotestsum
-            gotests
+    (system: let
+      pkgs = import nixpkgs {
+        overlays = [self.overlay];
+        inherit system;
+      };
+      buildDeps = with pkgs; [git go_1_20 gnumake];
+      devDeps = with pkgs;
+        buildDeps
+        ++ [
+          golangci-lint
+          golines
+          nodePackages.prettier
+          goreleaser
+          nfpm
+          gotestsum
+          gotests
 
-            # 'dot' is needed for pprof graphs
-            # go tool pprof -http=: <source>
-            graphviz
+          # 'dot' is needed for pprof graphs
+          # go tool pprof -http=: <source>
+          graphviz
 
-            # Protobuf dependencies
-            protobuf
-            protoc-gen-go
-            protoc-gen-go-grpc
-            protoc-gen-grpc-gateway
-            buf
-            clang-tools # clang-format
-          ];
+          # Protobuf dependencies
+          protobuf
+          protoc-gen-go
+          protoc-gen-go-grpc
+          protoc-gen-grpc-gateway
+          buf
+          clang-tools # clang-format
+        ];
 
-        # Add entry to build a docker image with headscale
-        # caveat: only works on Linux
-        #
-        # Usage:
-        # nix build .#headscale-docker
-        # docker load < result
-        headscale-docker = pkgs.dockerTools.buildLayeredImage {
-          name = "headscale";
-          tag = headscaleVersion;
-          contents = [ pkgs.headscale ];
-          config.Entrypoint = [ (pkgs.headscale + "/bin/headscale") ];
-        };
-      in
-      rec {
-        # `nix develop`
-        devShell = pkgs.mkShell {
-          buildInputs = devDeps;
+      # Add entry to build a docker image with headscale
+      # caveat: only works on Linux
+      #
+      # Usage:
+      # nix build .#headscale-docker
+      # docker load < result
+      headscale-docker = pkgs.dockerTools.buildLayeredImage {
+        name = "headscale";
+        tag = headscaleVersion;
+        contents = [pkgs.headscale];
+        config.Entrypoint = [(pkgs.headscale + "/bin/headscale")];
+      };
+    in rec {
+      # `nix develop`
+      devShell = pkgs.mkShell {
+        buildInputs = devDeps;
 
-          shellHook = ''
-            export GOFLAGS=-tags="ts2019"
-            export PATH="$PWD/result/bin:$PATH"
+        shellHook = ''
+          export GOFLAGS=-tags="ts2019"
+          export PATH="$PWD/result/bin:$PATH"
 
-            mkdir -p ./ignored
-            export HEADSCALE_PRIVATE_KEY_PATH="./ignored/private.key"
-            export HEADSCALE_NOISE_PRIVATE_KEY_PATH="./ignored/noise_private.key"
-            export HEADSCALE_DB_PATH="./ignored/db.sqlite"
-            export HEADSCALE_TLS_LETSENCRYPT_CACHE_DIR="./ignored/cache"
-            export HEADSCALE_UNIX_SOCKET="./ignored/headscale.sock"
+          mkdir -p ./ignored
+          export HEADSCALE_PRIVATE_KEY_PATH="./ignored/private.key"
+          export HEADSCALE_NOISE_PRIVATE_KEY_PATH="./ignored/noise_private.key"
+          export HEADSCALE_DB_PATH="./ignored/db.sqlite"
+          export HEADSCALE_TLS_LETSENCRYPT_CACHE_DIR="./ignored/cache"
+          export HEADSCALE_UNIX_SOCKET="./ignored/headscale.sock"
+        '';
+      };
+
+      # `nix build`
+      packages = with pkgs; {
+        inherit headscale;
+        inherit headscale-docker;
+      };
+      defaultPackage = pkgs.headscale;
+
+      # `nix run`
+      apps.headscale = flake-utils.lib.mkApp {
+        drv = packages.headscale;
+      };
+      apps.default = apps.headscale;
+
+      checks = {
+        format =
+          pkgs.runCommand "check-format"
+          {
+            buildInputs = with pkgs; [
+              gnumake
+              nixpkgs-fmt
+              golangci-lint
+              nodePackages.prettier
+              golines
+              clang-tools
+            ];
+          } ''
+            ${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt ${./.}
+            ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
+            ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
+            ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
+            ${pkgs.clang-tools}/bin/clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i ${./.}
           '';
-        };
-
-        # `nix build`
-        packages = with pkgs; {
-          inherit headscale;
-          inherit headscale-docker;
-        };
-        defaultPackage = pkgs.headscale;
-
-        # `nix run`
-        apps.headscale = flake-utils.lib.mkApp {
-          drv = packages.headscale;
-        };
-        apps.default = apps.headscale;
-
-        checks = {
-          format =
-            pkgs.runCommand "check-format"
-              {
-                buildInputs = with pkgs; [
-                  gnumake
-                  nixpkgs-fmt
-                  golangci-lint
-                  nodePackages.prettier
-                  golines
-                  clang-tools
-                ];
-              } ''
-              ${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt ${./.}
-              ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
-              ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
-              ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
-              ${pkgs.clang-tools}/bin/clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i ${./.}
-            '';
-        };
-      });
+      };
+    });
 }

go.mod

@@ -15,13 +15,13 @@ require (
 	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2
-	github.com/klauspost/compress v1.16.4
+	github.com/klauspost/compress v1.16.5
 	github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282
 	github.com/ory/dockertest/v3 v3.9.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
 	github.com/pkg/profile v1.7.0
-	github.com/prometheus/client_golang v1.14.0
+	github.com/prometheus/client_golang v1.15.1
 	github.com/prometheus/common v0.42.0
 	github.com/pterm/pterm v0.12.58
 	github.com/puzpuzpuz/xsync/v2 v2.4.0
@@ -33,10 +33,10 @@ require (
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
 	go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35
-	golang.org/x/crypto v0.7.0
-	golang.org/x/net v0.9.0
+	golang.org/x/crypto v0.8.0
+	golang.org/x/net v0.10.0
 	golang.org/x/oauth2 v0.7.0
-	golang.org/x/sync v0.1.0
+	golang.org/x/sync v0.2.0
 	google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd
 	google.golang.org/grpc v1.54.0
 	google.golang.org/protobuf v1.30.0
@@ -44,7 +44,7 @@ require (
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/postgres v1.4.8
 	gorm.io/gorm v1.24.6
-	tailscale.com v1.38.4
+	tailscale.com v1.44.0
 )
 
 require (
@@ -52,7 +52,7 @@ require (
 	atomicgo.dev/keyboard v0.2.9 // indirect
 	filippo.io/edwards25519 v1.0.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
@@ -60,8 +60,8 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/containerd/console v1.0.3 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
-	github.com/docker/cli v23.0.1+incompatible // indirect
-	github.com/docker/docker v23.0.1+incompatible // indirect
+	github.com/docker/cli v23.0.5+incompatible // indirect
+	github.com/docker/docker v23.0.5+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
@@ -83,7 +83,7 @@ require (
 	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hdevalence/ed25519consensus v0.1.0 // indirect
-	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
@@ -91,7 +91,7 @@ require (
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect
-	github.com/jsimonetti/rtnetlink v1.3.1 // indirect
+	github.com/jsimonetti/rtnetlink v1.3.2 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
@@ -99,28 +99,28 @@ require (
 	github.com/lithammer/fuzzysearch v1.1.5 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mattn/go-isatty v0.0.18 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/mdlayher/netlink v1.7.1 // indirect
-	github.com/mdlayher/socket v0.4.0 // indirect
+	github.com/mdlayher/netlink v1.7.2 // indirect
+	github.com/mdlayher/socket v0.4.1 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/term v0.0.0-20221205130635-1aeaba878587 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
 	github.com/opencontainers/runc v1.1.4 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.7 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/rogpeppe/go-internal v1.9.0 // indirect
+	github.com/rogpeppe/go-internal v1.10.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/spf13/afero v1.9.4 // indirect
+	github.com/spf13/afero v1.9.5 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
@@ -131,13 +131,13 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
-	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
-	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
-	golang.org/x/term v0.7.0 // indirect
+	golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 // indirect
+	golang.org/x/mod v0.10.0 // indirect
+	golang.org/x/sys v0.8.1-0.20230609144347-5059a07aa46a // indirect
+	golang.org/x/term v0.8.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
+	golang.org/x/tools v0.9.1 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect

go.sum

@@ -44,13 +44,12 @@ cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3f
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/edwards25519 v1.0.0 h1:0wAIcmJUqRdI8IJ/3eGi5/HwXZWPujYXXlkrQogz0Ek=
 filippo.io/edwards25519 v1.0.0/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns=
-filippo.io/mkcert v1.4.3 h1:axpnmtrZMM8u5Hf4N3UXxboGemMOV+Tn+e+pkHM6E3o=
+filippo.io/mkcert v1.4.4 h1:8eVbbwfVlaqUM7OwuftKc2nuYOoTDQWqsoXmzoXZdbc=
 github.com/AlecAivazis/survey/v2 v2.3.6 h1:NvTuVHISgTHEHeBFqt6BHOe4Ny/NwGZr7w+F8S9ziyw=
 github.com/AlecAivazis/survey/v2 v2.3.6/go.mod h1:4AuI9b7RjAR+G7v9+C4YSlX/YL3K3cWNXgWXOhllqvI=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/MarvinJWendt/testza v0.1.0/go.mod h1:7AxNvlfeHP7Z/hDQ5JtE3OKYT3XFUeLCDE2DQninSqs=
 github.com/MarvinJWendt/testza v0.2.1/go.mod h1:God7bhG8n6uQxwdScay+gjm9/LnO4D3kkcZX4hv9Rp8=
@@ -60,8 +59,8 @@ github.com/MarvinJWendt/testza v0.2.12/go.mod h1:JOIegYyV7rX+7VZ9r77L/eH6CfJHHzX
 github.com/MarvinJWendt/testza v0.3.0/go.mod h1:eFcL4I0idjtIx8P9C6KkAuLgATNKpX4/2oUqKc6bF2c=
 github.com/MarvinJWendt/testza v0.4.2/go.mod h1:mSdhXiKH8sg/gQehJ63bINcCKp7RtYewEjXsvsVUPbE=
 github.com/MarvinJWendt/testza v0.5.2 h1:53KDo64C1z/h/d/stCYCPY69bt/OSwjq5KpFNwi+zB4=
-github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
-github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
@@ -108,10 +107,10 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/deckarep/golang-set/v2 v2.3.0 h1:qs18EKUfHm2X9fA50Mr/M5hccg2tNnVqsiBImnyDs0g=
 github.com/deckarep/golang-set/v2 v2.3.0/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4=
-github.com/docker/cli v23.0.1+incompatible h1:LRyWITpGzl2C9e9uGxzisptnxAn1zfZKXy13Ul2Q5oM=
-github.com/docker/cli v23.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v23.0.1+incompatible h1:vjgvJZxprTTE1A37nm+CLNAdwu6xZekyoiVlUZEINcY=
-github.com/docker/docker v23.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/cli v23.0.5+incompatible h1:ufWmAOuD3Vmr7JP2G5K3cyuNC4YZWiAsuDEvFVVDafE=
+github.com/docker/cli v23.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v23.0.5+incompatible h1:DaxtlTJjFSnLOXVNUBU1+6kXGz2lpDoEAH6QoxaSg8k=
+github.com/docker/docker v23.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
@@ -130,7 +129,7 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
 github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
-github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
+github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
@@ -275,8 +274,8 @@ github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4Dvx
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
-github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
-github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
+github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM=
+github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
@@ -293,8 +292,8 @@ github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
 github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
-github.com/jsimonetti/rtnetlink v1.3.1 h1:Bl3VxrWwi3eNj2pFuG2x3xcIArSAvHf9paz1OXiDT9A=
-github.com/jsimonetti/rtnetlink v1.3.1/go.mod h1:Wcc80IISX10gdeQoRzNPcCd1joPy+P0NyPPgOhQAvpk=
+github.com/jsimonetti/rtnetlink v1.3.2 h1:dcn0uWkfxycEEyNy0IGfx3GrhQ38LH7odjxAghimsVI=
+github.com/jsimonetti/rtnetlink v1.3.2/go.mod h1:BBu4jZCpTjP6Gk0/wfrO8qcqymnN3g0hoFqObRmUo6U=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
@@ -304,8 +303,8 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:C
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.16.4 h1:91KN02FnsOYhuunwU4ssRe8lc2JosWmizWa91B5v1PU=
-github.com/klauspost/compress v1.16.4/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI=
+github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.10/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
@@ -338,17 +337,17 @@ github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcME
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.18 h1:DOKFKCQ7FNG2L1rbrmstDN4QVRdS89Nkh85u68Uwp98=
+github.com/mattn/go-isatty v0.0.18/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
 github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/mdlayher/netlink v1.7.1 h1:FdUaT/e33HjEXagwELR8R3/KL1Fq5x3G5jgHLp/BTmg=
-github.com/mdlayher/netlink v1.7.1/go.mod h1:nKO5CSjE/DJjVhk/TNp6vCE1ktVxEA8VEh8drhZzxsQ=
-github.com/mdlayher/socket v0.4.0 h1:280wsy40IC9M9q1uPGcLBwXpcTQDtoGwVt+BNoITxIw=
-github.com/mdlayher/socket v0.4.0/go.mod h1:xxFqz5GRCUN3UEOm9CZqEJsAbe1C8OwSK46NlmWuVoc=
+github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
+github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
+github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
+github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
@@ -368,8 +367,8 @@ github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282 h1:TQMyrpijt
 github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282/go.mod h1:rW25Kyd08Wdn3UVn0YBsDTSvReu0jqpmJKzxITPSjks=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0-rc2 h1:2zx/Stx4Wc5pIPDvIxHXvXtQFW/7XWJGmnM7r3wg034=
-github.com/opencontainers/image-spec v1.1.0-rc2/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
+github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
+github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
 github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg=
 github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
@@ -379,8 +378,8 @@ github.com/ory/dockertest/v3 v3.9.1 h1:v4dkG+dlu76goxMiTT2j8zV7s4oPPEppKT8K8p2f1
 github.com/ory/dockertest/v3 v3.9.1/go.mod h1:42Ir9hmvaAPm0Mgibk6mBPi7SFvTXxEcnztDYOJ//uM=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
-github.com/pelletier/go-toml/v2 v2.0.6 h1:nrzqCb7j9cDFj2coyLNLaZuJTLjWjlaz6nvTvIwycIU=
-github.com/pelletier/go-toml/v2 v2.0.6/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek=
+github.com/pelletier/go-toml/v2 v2.0.7 h1:muncTPStnKRos5dpVKULv2FVd4bMOhNePj9CjgDb8Us=
+github.com/pelletier/go-toml/v2 v2.0.7/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek=
 github.com/philip-bui/grpc-zerolog v1.0.1 h1:EMacvLRUd2O1K0eWod27ZP5CY1iTNkhBDLSN+Q4JEvA=
 github.com/philip-bui/grpc-zerolog v1.0.1/go.mod h1:qXbiq/2X4ZUMMshsqlWyTHOcw7ns+GZmlqZZN05ZHcQ=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -392,11 +391,11 @@ github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDj
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
-github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
+github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI=
+github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
-github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
+github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
+github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
 github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
 github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
 github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
@@ -420,8 +419,9 @@ github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.29.0 h1:Zes4hju04hjbvkVkOhdl2HpZa+0PmVwigmo8XoORE5w=
 github.com/rs/zerolog v1.29.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0=
@@ -430,15 +430,15 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM=
 github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
-github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spf13/afero v1.9.4 h1:Sd43wM1IWz/s1aVXdOBkjJvuP8UdyqioeE4AmM0QsBs=
-github.com/spf13/afero v1.9.4/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
+github.com/spf13/afero v1.9.5 h1:stMpOSZFs//0Lv29HduCmli3GUfpFoF3Y1Q/aXj/wVM=
+github.com/spf13/afero v1.9.5/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
 github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
@@ -518,11 +518,11 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
+golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -533,9 +533,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI=
-golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
-golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a h1:Jw5wfR+h9mnIYH+OtGT2im5wV1YGGDora5vTv/aa5bE=
+golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 h1:5llv2sWeaMSnA3w2kS57ouQQ4pudlXrR0dCgw51QK9o=
+golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -560,8 +559,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk=
+golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -598,8 +597,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
-golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -623,8 +622,9 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
+golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -688,8 +688,9 @@ golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.1-0.20230609144347-5059a07aa46a h1:qMsju+PNttu/NMbq8bQ9waDdxgJMu9QNoUDuhnBaYt0=
+golang.org/x/sys v0.8.1-0.20230609144347-5059a07aa46a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY=
@@ -697,8 +698,8 @@ golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuX
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
-golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
+golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -767,8 +768,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
+golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -892,7 +893,6 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/postgres v1.4.8 h1:NDWizaclb7Q2aupT0jkwK8jx1HVCNzt+PQ8v/VnxviA=
@@ -909,7 +909,6 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.4.2 h1:6qXr+R5w+ktL5UkwEbPp+fEvfyoMPche6GkOpGHZcLc=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 modernc.org/libc v1.22.2 h1:4U7v51GyhlWqQmwCHj28Rdq2Yzwk55ovjFrdPjs8Hb0=
 modernc.org/libc v1.22.2/go.mod h1:uvQavJ1pZ0hIoC/jfqNoMLURIMhKzINIWypNM17puug=
@@ -925,5 +924,5 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 software.sslmate.com/src/go-pkcs12 v0.2.0 h1:nlFkj7bTysH6VkC4fGphtjXRbezREPgrHuJG20hBGPE=
-tailscale.com v1.38.4 h1:ItZfSYhLCnY/fjwlBqdgcf0mjjh2W8eFhUM5XIsSqdE=
-tailscale.com v1.38.4/go.mod h1:UWLQxcd8dz+lds2I+HpfXSruHrvXM1j4zd4zdx86t7w=
+tailscale.com v1.44.0 h1:MPos9n30kJvdyfL52045gVFyNg93K+bwgDsr8gqKq2o=
+tailscale.com v1.44.0/go.mod h1:+iYwTdeHyVJuNDu42Zafwihq1Uqfh+pW7pRaY1GD328=

hscontrol/api_common.go

@@ -1,113 +0,0 @@
-package hscontrol
-
-import (
-	"time"
-
-	"github.com/rs/zerolog/log"
-	"tailscale.com/tailcfg"
-)
-
-func (h *Headscale) generateMapResponse(
-	mapRequest tailcfg.MapRequest,
-	machine *Machine,
-) (*tailcfg.MapResponse, error) {
-	log.Trace().
-		Str("func", "generateMapResponse").
-		Str("machine", mapRequest.Hostinfo.Hostname).
-		Msg("Creating Map response")
-	node, err := h.toNode(*machine, h.cfg.BaseDomain, h.cfg.DNSConfig)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "generateMapResponse").
-			Err(err).
-			Msg("Cannot convert to node")
-
-		return nil, err
-	}
-
-	peers, err := h.getValidPeers(machine)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "generateMapResponse").
-			Err(err).
-			Msg("Cannot fetch peers")
-
-		return nil, err
-	}
-
-	profiles := h.getMapResponseUserProfiles(*machine, peers)
-
-	nodePeers, err := h.toNodes(peers, h.cfg.BaseDomain, h.cfg.DNSConfig)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "generateMapResponse").
-			Err(err).
-			Msg("Failed to convert peers to Tailscale nodes")
-
-		return nil, err
-	}
-
-	dnsConfig := getMapResponseDNSConfig(
-		h.cfg.DNSConfig,
-		h.cfg.BaseDomain,
-		*machine,
-		peers,
-	)
-
-	now := time.Now()
-
-	resp := tailcfg.MapResponse{
-		KeepAlive: false,
-		Node:      node,
-
-		// TODO: Only send if updated
-		DERPMap: h.DERPMap,
-
-		// TODO: Only send if updated
-		Peers: nodePeers,
-
-		// TODO(kradalby): Implement:
-		// https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L1351-L1374
-		// PeersChanged
-		// PeersRemoved
-		// PeersChangedPatch
-		// PeerSeenChange
-		// OnlineChange
-
-		// TODO: Only send if updated
-		DNSConfig: dnsConfig,
-
-		// TODO: Only send if updated
-		Domain: h.cfg.BaseDomain,
-
-		// Do not instruct clients to collect services, we do not
-		// support or do anything with them
-		CollectServices: "false",
-
-		// TODO: Only send if updated
-		PacketFilter: h.aclRules,
-
-		UserProfiles: profiles,
-
-		// TODO: Only send if updated
-		SSHPolicy: h.sshPolicy,
-
-		ControlTime: &now,
-
-		Debug: &tailcfg.Debug{
-			DisableLogTail:      !h.cfg.LogTail.Enabled,
-			RandomizeClientPort: h.cfg.RandomizeClientPort,
-		},
-	}
-
-	log.Trace().
-		Str("func", "generateMapResponse").
-		Str("machine", mapRequest.Hostinfo.Hostname).
-		// Interface("payload", resp).
-		Msgf("Generated map response: %s", tailMapResponseToString(resp))
-
-	return &resp, nil
-}

hscontrol/api_key.go

@@ -1,157 +0,0 @@
-package hscontrol
-
-import (
-	"fmt"
-	"strings"
-	"time"
-
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"golang.org/x/crypto/bcrypt"
-	"google.golang.org/protobuf/types/known/timestamppb"
-)
-
-const (
-	apiPrefixLength = 7
-	apiKeyLength    = 32
-
-	ErrAPIKeyFailedToParse = Error("Failed to parse ApiKey")
-)
-
-// APIKey describes the datamodel for API keys used to remotely authenticate with
-// headscale.
-type APIKey struct {
-	ID     uint64 `gorm:"primary_key"`
-	Prefix string `gorm:"uniqueIndex"`
-	Hash   []byte
-
-	CreatedAt  *time.Time
-	Expiration *time.Time
-	LastSeen   *time.Time
-}
-
-// CreateAPIKey creates a new ApiKey in a user, and returns it.
-func (h *Headscale) CreateAPIKey(
-	expiration *time.Time,
-) (string, *APIKey, error) {
-	prefix, err := GenerateRandomStringURLSafe(apiPrefixLength)
-	if err != nil {
-		return "", nil, err
-	}
-
-	toBeHashed, err := GenerateRandomStringURLSafe(apiKeyLength)
-	if err != nil {
-		return "", nil, err
-	}
-
-	// Key to return to user, this will only be visible _once_
-	keyStr := prefix + "." + toBeHashed
-
-	hash, err := bcrypt.GenerateFromPassword([]byte(toBeHashed), bcrypt.DefaultCost)
-	if err != nil {
-		return "", nil, err
-	}
-
-	key := APIKey{
-		Prefix:     prefix,
-		Hash:       hash,
-		Expiration: expiration,
-	}
-
-	if err := h.db.Save(&key).Error; err != nil {
-		return "", nil, fmt.Errorf("failed to save API key to database: %w", err)
-	}
-
-	return keyStr, &key, nil
-}
-
-// ListAPIKeys returns the list of ApiKeys for a user.
-func (h *Headscale) ListAPIKeys() ([]APIKey, error) {
-	keys := []APIKey{}
-	if err := h.db.Find(&keys).Error; err != nil {
-		return nil, err
-	}
-
-	return keys, nil
-}
-
-// GetAPIKey returns a ApiKey for a given key.
-func (h *Headscale) GetAPIKey(prefix string) (*APIKey, error) {
-	key := APIKey{}
-	if result := h.db.First(&key, "prefix = ?", prefix); result.Error != nil {
-		return nil, result.Error
-	}
-
-	return &key, nil
-}
-
-// GetAPIKeyByID returns a ApiKey for a given id.
-func (h *Headscale) GetAPIKeyByID(id uint64) (*APIKey, error) {
-	key := APIKey{}
-	if result := h.db.Find(&APIKey{ID: id}).First(&key); result.Error != nil {
-		return nil, result.Error
-	}
-
-	return &key, nil
-}
-
-// DestroyAPIKey destroys a ApiKey. Returns error if the ApiKey
-// does not exist.
-func (h *Headscale) DestroyAPIKey(key APIKey) error {
-	if result := h.db.Unscoped().Delete(key); result.Error != nil {
-		return result.Error
-	}
-
-	return nil
-}
-
-// ExpireAPIKey marks a ApiKey as expired.
-func (h *Headscale) ExpireAPIKey(key *APIKey) error {
-	if err := h.db.Model(&key).Update("Expiration", time.Now()).Error; err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (h *Headscale) ValidateAPIKey(keyStr string) (bool, error) {
-	prefix, hash, found := strings.Cut(keyStr, ".")
-	if !found {
-		return false, ErrAPIKeyFailedToParse
-	}
-
-	key, err := h.GetAPIKey(prefix)
-	if err != nil {
-		return false, fmt.Errorf("failed to validate api key: %w", err)
-	}
-
-	if key.Expiration.Before(time.Now()) {
-		return false, nil
-	}
-
-	if err := bcrypt.CompareHashAndPassword(key.Hash, []byte(hash)); err != nil {
-		return false, err
-	}
-
-	return true, nil
-}
-
-func (key *APIKey) toProto() *v1.ApiKey {
-	protoKey := v1.ApiKey{
-		Id:     key.ID,
-		Prefix: key.Prefix,
-	}
-
-	if key.Expiration != nil {
-		protoKey.Expiration = timestamppb.New(*key.Expiration)
-	}
-
-	if key.CreatedAt != nil {
-		protoKey.CreatedAt = timestamppb.New(*key.CreatedAt)
-	}
-
-	if key.LastSeen != nil {
-		protoKey.LastSeen = timestamppb.New(*key.LastSeen)
-	}
-
-	return &protoKey
-}

hscontrol/app.go

@@ -23,6 +23,12 @@ import (
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/db"
+	"github.com/juanfont/headscale/hscontrol/derp"
+	derpServer "github.com/juanfont/headscale/hscontrol/derp/server"
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/patrickmn/go-cache"
 	zerolog "github.com/philip-bui/grpc-zerolog"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -41,53 +47,42 @@ import (
 	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/reflection"
 	"google.golang.org/grpc/status"
-	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
 )
 
-const (
-	errSTUNAddressNotSet                   = Error("STUN address not set")
-	errUnsupportedDatabase                 = Error("unsupported DB")
-	errUnsupportedLetsEncryptChallengeType = Error(
+var (
+	errSTUNAddressNotSet                   = errors.New("STUN address not set")
+	errUnsupportedDatabase                 = errors.New("unsupported DB")
+	errUnsupportedLetsEncryptChallengeType = errors.New(
 		"unknown value for Lets Encrypt challenge type",
 	)
 )
 
 const (
-	AuthPrefix          = "Bearer "
-	Postgres            = "postgres"
-	Sqlite              = "sqlite3"
-	updateInterval      = 5000
-	HTTPReadTimeout     = 30 * time.Second
-	HTTPShutdownTimeout = 3 * time.Second
-	privateKeyFileMode  = 0o600
+	AuthPrefix         = "Bearer "
+	updateInterval     = 5000
+	privateKeyFileMode = 0o600
 
 	registerCacheExpiration = time.Minute * 15
 	registerCacheCleanup    = time.Minute * 20
-
-	DisabledClientAuth = "disabled"
-	RelaxedClientAuth  = "relaxed"
-	EnforcedClientAuth = "enforced"
 )
 
 // Headscale represents the base app of the service.
 type Headscale struct {
-	cfg             *Config
-	db              *gorm.DB
+	cfg             *types.Config
+	db              *db.HSDatabase
 	dbString        string
 	dbType          string
 	dbDebug         bool
-	privateKey      *key.MachinePrivate
+	privateKey2019  *key.MachinePrivate
 	noisePrivateKey *key.MachinePrivate
 
 	DERPMap    *tailcfg.DERPMap
-	DERPServer *DERPServer
+	DERPServer *derpServer.DERPServer
 
-	aclPolicy *ACLPolicy
-	aclRules  []tailcfg.FilterRule
-	sshPolicy *tailcfg.SSHPolicy
+	ACLPolicy *policy.ACLPolicy
 
 	lastStateChange *xsync.MapOf[string, time.Time]
 
@@ -96,13 +91,14 @@ type Headscale struct {
 
 	registrationCache *cache.Cache
 
-	ipAllocationMutex sync.Mutex
-
 	shutdownChan       chan struct{}
 	pollNetMapStreamWG sync.WaitGroup
+
+	stateUpdateChan       chan struct{}
+	cancelStateUpdateChan chan struct{}
 }
 
-func NewHeadscale(cfg *Config) (*Headscale, error) {
+func NewHeadscale(cfg *types.Config) (*Headscale, error) {
 	privateKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read or create private key: %w", err)
@@ -120,7 +116,7 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 
 	var dbString string
 	switch cfg.DBtype {
-	case Postgres:
+	case db.Postgres:
 		dbString = fmt.Sprintf(
 			"host=%s dbname=%s user=%s",
 			cfg.DBhost,
@@ -143,7 +139,7 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 		if cfg.DBpass != "" {
 			dbString += fmt.Sprintf(" password=%s", cfg.DBpass)
 		}
-	case Sqlite:
+	case db.Sqlite:
 		dbString = cfg.DBpath
 	default:
 		return nil, errUnsupportedDatabase
@@ -158,19 +154,31 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 		cfg:                cfg,
 		dbType:             cfg.DBtype,
 		dbString:           dbString,
-		privateKey:         privateKey,
+		privateKey2019:     privateKey,
 		noisePrivateKey:    noisePrivateKey,
-		aclRules:           tailcfg.FilterAllowAll, // default allowall
 		registrationCache:  registrationCache,
 		pollNetMapStreamWG: sync.WaitGroup{},
 		lastStateChange:    xsync.NewMapOf[time.Time](),
+
+		stateUpdateChan:       make(chan struct{}),
+		cancelStateUpdateChan: make(chan struct{}),
 	}
 
-	err = app.initDB()
+	go app.watchStateChannel()
+
+	database, err := db.NewHeadscaleDatabase(
+		cfg.DBtype,
+		dbString,
+		app.dbDebug,
+		app.stateUpdateChan,
+		cfg.IPPrefixes,
+		cfg.BaseDomain)
 	if err != nil {
 		return nil, err
 	}
 
+	app.db = database
+
 	if cfg.OIDC.Issuer != "" {
 		err = app.initOIDC()
 		if err != nil {
@@ -183,7 +191,7 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 	}
 
 	if app.cfg.DNSConfig != nil && app.cfg.DNSConfig.Proxied { // if MagicDNS
-		magicDNSDomains := generateMagicDNSRootDomains(app.cfg.IPPrefixes)
+		magicDNSDomains := util.GenerateMagicDNSRootDomains(app.cfg.IPPrefixes)
 		// we might have routes already from Split DNS
 		if app.cfg.DNSConfig.Routes == nil {
 			app.cfg.DNSConfig.Routes = make(map[string][]*dnstype.Resolver)
@@ -194,7 +202,8 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 	}
 
 	if cfg.DERP.ServerEnabled {
-		embeddedDERPServer, err := app.NewDERPServer()
+		// TODO(kradalby): replace this key with a dedicated DERP key.
+		embeddedDERPServer, err := derpServer.NewDERPServer(cfg.ServerURL, key.NodePrivate(*privateKey), &cfg.DERP)
 		if err != nil {
 			return nil, err
 		}
@@ -215,7 +224,7 @@ func (h *Headscale) redirect(w http.ResponseWriter, req *http.Request) {
 func (h *Headscale) expireEphemeralNodes(milliSeconds int64) {
 	ticker := time.NewTicker(time.Duration(milliSeconds) * time.Millisecond)
 	for range ticker.C {
-		h.expireEphemeralNodesWorker()
+		h.db.ExpireEphemeralMachines(h.cfg.EphemeralNodeInactivityTimeout)
 	}
 }
 
@@ -224,112 +233,46 @@ func (h *Headscale) expireEphemeralNodes(milliSeconds int64) {
 func (h *Headscale) expireExpiredMachines(milliSeconds int64) {
 	ticker := time.NewTicker(time.Duration(milliSeconds) * time.Millisecond)
 	for range ticker.C {
-		h.expireExpiredMachinesWorker()
+		h.db.ExpireExpiredMachines(h.getLastStateChange())
+	}
+}
+
+// scheduledDERPMapUpdateWorker refreshes the DERPMap stored on the global object
+// at a set interval.
+func (h *Headscale) scheduledDERPMapUpdateWorker(cancelChan <-chan struct{}) {
+	log.Info().
+		Dur("frequency", h.cfg.DERP.UpdateFrequency).
+		Msg("Setting up a DERPMap update worker")
+	ticker := time.NewTicker(h.cfg.DERP.UpdateFrequency)
+
+	for {
+		select {
+		case <-cancelChan:
+			return
+
+		case <-ticker.C:
+			log.Info().Msg("Fetching DERPMap updates")
+			h.DERPMap = derp.GetDERPMap(h.cfg.DERP)
+			if h.cfg.DERP.ServerEnabled {
+				region, _ := h.DERPServer.GenerateRegion()
+				h.DERPMap.Regions[region.RegionID] = &region
+			}
+
+			h.setLastStateChangeToNow()
+		}
 	}
 }
 
 func (h *Headscale) failoverSubnetRoutes(milliSeconds int64) {
 	ticker := time.NewTicker(time.Duration(milliSeconds) * time.Millisecond)
 	for range ticker.C {
-		err := h.handlePrimarySubnetFailover()
+		err := h.db.HandlePrimarySubnetFailover()
 		if err != nil {
 			log.Error().Err(err).Msg("failed to handle primary subnet failover")
 		}
 	}
 }
 
-func (h *Headscale) expireEphemeralNodesWorker() {
-	users, err := h.ListUsers()
-	if err != nil {
-		log.Error().Err(err).Msg("Error listing users")
-
-		return
-	}
-
-	for _, user := range users {
-		machines, err := h.ListMachinesByUser(user.Name)
-		if err != nil {
-			log.Error().
-				Err(err).
-				Str("user", user.Name).
-				Msg("Error listing machines in user")
-
-			return
-		}
-
-		expiredFound := false
-		for _, machine := range machines {
-			if machine.isEphemeral() && machine.LastSeen != nil &&
-				time.Now().
-					After(machine.LastSeen.Add(h.cfg.EphemeralNodeInactivityTimeout)) {
-				expiredFound = true
-				log.Info().
-					Str("machine", machine.Hostname).
-					Msg("Ephemeral client removed from database")
-
-				err = h.db.Unscoped().Delete(machine).Error
-				if err != nil {
-					log.Error().
-						Err(err).
-						Str("machine", machine.Hostname).
-						Msg("🤮 Cannot delete ephemeral machine from the database")
-				}
-			}
-		}
-
-		if expiredFound {
-			h.setLastStateChangeToNow()
-		}
-	}
-}
-
-func (h *Headscale) expireExpiredMachinesWorker() {
-	users, err := h.ListUsers()
-	if err != nil {
-		log.Error().Err(err).Msg("Error listing users")
-
-		return
-	}
-
-	for _, user := range users {
-		machines, err := h.ListMachinesByUser(user.Name)
-		if err != nil {
-			log.Error().
-				Err(err).
-				Str("user", user.Name).
-				Msg("Error listing machines in user")
-
-			return
-		}
-
-		expiredFound := false
-		for index, machine := range machines {
-			if machine.isExpired() &&
-				machine.Expiry.After(h.getLastStateChange(user)) {
-				expiredFound = true
-
-				err := h.ExpireMachine(&machines[index])
-				if err != nil {
-					log.Error().
-						Err(err).
-						Str("machine", machine.Hostname).
-						Str("name", machine.GivenName).
-						Msg("🤮 Cannot expire machine")
-				} else {
-					log.Info().
-						Str("machine", machine.Hostname).
-						Str("name", machine.GivenName).
-						Msg("Machine successfully expired")
-				}
-			}
-		}
-
-		if expiredFound {
-			h.setLastStateChangeToNow()
-		}
-	}
-}
-
 func (h *Headscale) grpcAuthenticationInterceptor(ctx context.Context,
 	req interface{},
 	info *grpc.UnaryServerInfo,
@@ -387,7 +330,7 @@ func (h *Headscale) grpcAuthenticationInterceptor(ctx context.Context,
 		)
 	}
 
-	valid, err := h.ValidateAPIKey(strings.TrimPrefix(token, AuthPrefix))
+	valid, err := h.db.ValidateAPIKey(strings.TrimPrefix(token, AuthPrefix))
 	if err != nil {
 		log.Error().
 			Caller().
@@ -438,7 +381,7 @@ func (h *Headscale) httpAuthenticationMiddleware(next http.Handler) http.Handler
 			return
 		}
 
-		valid, err := h.ValidateAPIKey(strings.TrimPrefix(authHeader, AuthPrefix))
+		valid, err := h.db.ValidateAPIKey(strings.TrimPrefix(authHeader, AuthPrefix))
 		if err != nil {
 			log.Error().
 				Caller().
@@ -515,9 +458,9 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
 		Methods(http.MethodGet)
 
 	if h.cfg.DERP.ServerEnabled {
-		router.HandleFunc("/derp", h.DERPHandler)
-		router.HandleFunc("/derp/probe", h.DERPProbeHandler)
-		router.HandleFunc("/bootstrap-dns", h.DERPBootstrapDNSHandler)
+		router.HandleFunc("/derp", h.DERPServer.DERPHandler)
+		router.HandleFunc("/derp/probe", derpServer.DERPProbeHandler)
+		router.HandleFunc("/bootstrap-dns", derpServer.DERPBootstrapDNSHandler(h.DERPMap))
 	}
 
 	apiRouter := router.PathPrefix("/api").Subrouter()
@@ -534,7 +477,7 @@ func (h *Headscale) Serve() error {
 	var err error
 
 	// Fetch an initial DERP Map before we start serving
-	h.DERPMap = GetDERPMap(h.cfg.DERP)
+	h.DERPMap = derp.GetDERPMap(h.cfg.DERP)
 
 	if h.cfg.DERP.ServerEnabled {
 		// When embedded DERP is enabled we always need a STUN server
@@ -542,8 +485,14 @@ func (h *Headscale) Serve() error {
 			return errSTUNAddressNotSet
 		}
 
-		h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region
-		go h.ServeSTUN()
+		region, err := h.DERPServer.GenerateRegion()
+		if err != nil {
+			return err
+		}
+
+		h.DERPMap.Regions[region.RegionID] = &region
+
+		go h.DERPServer.ServeSTUN()
 	}
 
 	if h.cfg.DERP.AutoUpdate {
@@ -552,6 +501,8 @@ func (h *Headscale) Serve() error {
 		go h.scheduledDERPMapUpdateWorker(derpMapCancelChannel)
 	}
 
+	// TODO(kradalby): These should have cancel channels and be cleaned
+	// up on shutdown.
 	go h.expireEphemeralNodes(updateInterval)
 	go h.expireExpiredMachines(updateInterval)
 
@@ -597,7 +548,7 @@ func (h *Headscale) Serve() error {
 		h.cfg.UnixSocket,
 		[]grpc.DialOption{
 			grpc.WithTransportCredentials(insecure.NewCredentials()),
-			grpc.WithContextDialer(GrpcSocketDialer),
+			grpc.WithContextDialer(util.GrpcSocketDialer),
 		}...,
 	)
 	if err != nil {
@@ -692,7 +643,7 @@ func (h *Headscale) Serve() error {
 	httpServer := &http.Server{
 		Addr:        h.cfg.Addr,
 		Handler:     router,
-		ReadTimeout: HTTPReadTimeout,
+		ReadTimeout: types.HTTPReadTimeout,
 		// Go does not handle timeouts in HTTP very well, and there is
 		// no good way to handle streaming timeouts, therefore we need to
 		// keep this at unlimited and be careful to clean up connections
@@ -722,7 +673,7 @@ func (h *Headscale) Serve() error {
 	promHTTPServer := &http.Server{
 		Addr:         h.cfg.MetricsAddr,
 		Handler:      promMux,
-		ReadTimeout:  HTTPReadTimeout,
+		ReadTimeout:  types.HTTPReadTimeout,
 		WriteTimeout: 0,
 	}
 
@@ -760,11 +711,13 @@ func (h *Headscale) Serve() error {
 				// TODO(kradalby): Reload config on SIGHUP
 
 				if h.cfg.ACL.PolicyPath != "" {
-					aclPath := AbsolutePathFromConfigPath(h.cfg.ACL.PolicyPath)
-					err := h.LoadACLPolicyFromPath(aclPath)
+					aclPath := util.AbsolutePathFromConfigPath(h.cfg.ACL.PolicyPath)
+					pol, err := policy.LoadACLPolicyFromPath(aclPath)
 					if err != nil {
 						log.Error().Err(err).Msg("Failed to reload ACL policy")
 					}
+
+					h.ACLPolicy = pol
 					log.Info().
 						Str("path", aclPath).
 						Msg("ACL policy successfully reloaded, notifying nodes of change")
@@ -778,12 +731,13 @@ func (h *Headscale) Serve() error {
 					Msg("Received signal to stop, shutting down gracefully")
 
 				close(h.shutdownChan)
+
 				h.pollNetMapStreamWG.Wait()
 
 				// Gracefully shut down servers
 				ctx, cancel := context.WithTimeout(
 					context.Background(),
-					HTTPShutdownTimeout,
+					types.HTTPShutdownTimeout,
 				)
 				if err := promHTTPServer.Shutdown(ctx); err != nil {
 					log.Error().Err(err).Msg("Failed to shutdown prometheus http")
@@ -806,12 +760,12 @@ func (h *Headscale) Serve() error {
 				// Stop listening (and unlink the socket if unix type):
 				socketListener.Close()
 
+				<-h.cancelStateUpdateChan
+				close(h.stateUpdateChan)
+				close(h.cancelStateUpdateChan)
+
 				// Close db connections
-				db, err := h.db.DB()
-				if err != nil {
-					log.Error().Err(err).Msg("Failed to get db handle")
-				}
-				err = db.Close()
+				err = h.db.Close()
 				if err != nil {
 					log.Error().Err(err).Msg("Failed to close db")
 				}
@@ -852,13 +806,13 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 		}
 
 		switch h.cfg.TLS.LetsEncrypt.ChallengeType {
-		case tlsALPN01ChallengeType:
+		case types.TLSALPN01ChallengeType:
 			// Configuration via autocert with TLS-ALPN-01 (https://tools.ietf.org/html/rfc8737)
 			// The RFC requires that the validation is done on port 443; in other words, headscale
 			// must be reachable on port 443.
 			return certManager.TLSConfig(), nil
 
-		case http01ChallengeType:
+		case types.HTTP01ChallengeType:
 			// Configuration via autocert with HTTP-01. This requires listening on
 			// port 80 for the certificate validation in addition to the headscale
 			// service, which can be configured to run on any other port.
@@ -866,7 +820,7 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 			server := &http.Server{
 				Addr:        h.cfg.TLS.LetsEncrypt.Listen,
 				Handler:     certManager.HTTPHandler(http.HandlerFunc(h.redirect)),
-				ReadTimeout: HTTPReadTimeout,
+				ReadTimeout: types.HTTPReadTimeout,
 			}
 
 			go func() {
@@ -905,12 +859,25 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 	}
 }
 
+// TODO(kradalby): baby steps, make this more robust.
+func (h *Headscale) watchStateChannel() {
+	for {
+		select {
+		case <-h.stateUpdateChan:
+			h.setLastStateChangeToNow()
+
+		case <-h.cancelStateUpdateChan:
+			return
+		}
+	}
+}
+
 func (h *Headscale) setLastStateChangeToNow() {
 	var err error
 
 	now := time.Now().UTC()
 
-	users, err := h.ListUsers()
+	users, err := h.db.ListUsers()
 	if err != nil {
 		log.Error().
 			Caller().
@@ -927,7 +894,7 @@ func (h *Headscale) setLastStateChangeToNow() {
 	}
 }
 
-func (h *Headscale) getLastStateChange(users ...User) time.Time {
+func (h *Headscale) getLastStateChange(users ...types.User) time.Time {
 	times := []time.Time{}
 
 	// getLastStateChange takes a list of users as a "filter", if no users
@@ -1002,7 +969,7 @@ func readOrCreatePrivateKey(path string) (*key.MachinePrivate, error) {
 	}
 
 	trimmedPrivateKey := strings.TrimSpace(string(privateKey))
-	privateKeyEnsurePrefix := PrivateKeyEnsurePrefix(trimmedPrivateKey)
+	privateKeyEnsurePrefix := util.PrivateKeyEnsurePrefix(trimmedPrivateKey)
 
 	var machineKey key.MachinePrivate
 	if err = machineKey.UnmarshalText([]byte(privateKeyEnsurePrefix)); err != nil {

hscontrol/assets/oidc_callback_template.html

@@ -0,0 +1,297 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Headscale Authentication Succeeded</title>
+    <style>
+      body {
+        font-size: 14px;
+        font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI",
+          "Roboto", "Oxygen", "Ubuntu", "Cantarell", "Fira Sans", "Droid Sans",
+          "Helvetica Neue", sans-serif;
+      }
+
+      hr {
+        border-color: #fdfdfe;
+        margin: 24px 0;
+      }
+
+      .container {
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        height: 70vh;
+      }
+
+      #logo {
+        display: block;
+        margin-left: -20px;
+        margin-bottom: 16px;
+      }
+
+      .message {
+        display: flex;
+        min-width: 40vw;
+        background: #fafdfa;
+        border: 1px solid #c6e9c9;
+        margin-bottom: 12px;
+        padding: 12px 16px 16px 12px;
+        position: relative;
+        border-radius: 2px;
+        font-size: 14px;
+      }
+
+      .message-content {
+        margin-left: 4px;
+      }
+
+      .message #checkbox {
+        fill: #2eb039;
+      }
+
+      .message .message-title {
+        color: #1e7125;
+        font-size: 16px;
+        font-weight: 700;
+        line-height: 1.25;
+      }
+
+      .message .message-body {
+        border: 0;
+        margin-top: 4px;
+      }
+
+      .message p {
+        font-size: 12px;
+        margin: 0;
+        padding: 0;
+        color: #17421b;
+      }
+
+      a {
+        display: block;
+        margin: 8px 0;
+        color: #1563ff;
+        text-decoration: none;
+        font-weight: 600;
+      }
+
+      a:hover {
+        color: black;
+      }
+
+      a svg {
+        fill: currentcolor;
+      }
+
+      .icon {
+        align-items: center;
+        display: inline-flex;
+        justify-content: center;
+        height: 21px;
+        width: 21px;
+        vertical-align: middle;
+      }
+
+      h1 {
+        font-size: 17.5px;
+        font-weight: 700;
+        margin-bottom: 0;
+      }
+
+      h1 + p {
+        margin: 8px 0 16px 0;
+      }
+    </style>
+  </head>
+  <body translate="no">
+    <div class="container">
+      <div>
+        <svg
+          id="logo"
+          width="146"
+          height="51"
+          xmlns="http://www.w3.org/2000/svg"
+          xml:space="preserve"
+          style="
+            fill-rule: evenodd;
+            clip-rule: evenodd;
+            stroke-linejoin: round;
+            stroke-miterlimit: 2;
+          "
+          viewBox="0 0 1280 640"
+        >
+          <path
+            d="M.08 0v-.736h.068v.3C.203-.509.27-.545.347-.545c.029 0 .055.005.079.015.024.01.045.025.062.045.017.02.031.045.041.075.009.03.014.065.014.105V0H.475v-.289C.475-.352.464-.4.443-.433.422-.466.385-.483.334-.483c-.027 0-.052.006-.075.017C.236-.455.216-.439.2-.419c-.017.02-.029.044-.038.072-.009.028-.014.059-.014.093V0H.08Z"
+            style="fill: #f8b5cb; fill-rule: nonzero"
+            transform="translate(32.92220721 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.051-.264c0-.036.007-.071.02-.105.013-.034.031-.064.055-.09.023-.026.052-.047.086-.063.033-.015.071-.023.112-.023.039 0 .076.007.109.021.033.014.062.033.087.058.025.025.044.054.058.088.014.035.021.072.021.113v.005H.121c.001.031.007.059.018.084.01.025.024.047.042.065.018.019.04.033.065.043.025.01.052.015.082.015.026 0 .049-.003.069-.01.02-.007.038-.016.054-.028C.466-.102.48-.115.492-.13c.011-.015.022-.03.032-.046l.057.03C.556-.097.522-.058.48-.03.437-.001.387.013.328.013.284.013.245.006.21-.01.175-.024.146-.045.123-.07.1-.095.082-.125.07-.159.057-.192.051-.227.051-.264ZM.128-.32h.396C.51-.375.485-.416.449-.441.412-.466.371-.479.325-.479c-.048 0-.089.013-.123.039-.034.026-.059.066-.074.12Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(177.16674681 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.051-.267c0-.038.007-.074.021-.108.014-.033.033-.063.058-.088.025-.025.054-.045.087-.06.033-.015.069-.022.108-.022.043 0 .083.009.119.027.035.019.066.047.093.084v-.097h.067V0H.537v-.091C.508-.056.475-.029.44-.013.404.005.365.013.323.013.284.013.248.006.215-.01.182-.024.153-.045.129-.071.104-.096.085-.126.072-.16.058-.193.051-.229.051-.267Zm.279.218c.027 0 .054-.005.079-.015.025-.01.048-.024.068-.043.019-.018.035-.04.047-.067.012-.027.018-.056.018-.089 0-.031-.005-.059-.016-.086C.515-.375.501-.398.482-.417.462-.436.44-.452.415-.463.389-.474.361-.479.331-.479c-.031 0-.059.006-.084.017C.221-.45.199-.434.18-.415c-.019.02-.033.043-.043.068-.011.026-.016.053-.016.082 0 .029.005.056.016.082.011.026.025.049.044.069.019.02.041.036.066.047.025.012.053.018.083.018Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(327.76463481 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.051-.267c0-.038.007-.074.021-.108.014-.033.033-.063.058-.088.025-.025.054-.045.087-.06.033-.015.069-.022.108-.022.043 0 .083.009.119.027.035.019.066.047.093.084v-.302h.068V0H.537v-.091C.508-.056.475-.029.44-.013.404.005.365.013.323.013.284.013.248.006.215-.01.182-.024.153-.045.129-.071.104-.096.085-.126.072-.16.058-.193.051-.229.051-.267Zm.279.218c.027 0 .054-.005.079-.015.025-.01.048-.024.068-.043.019-.018.035-.04.047-.067.011-.027.017-.056.017-.089 0-.031-.005-.059-.016-.086C.514-.375.5-.398.481-.417.462-.436.439-.452.414-.463.389-.474.361-.479.331-.479c-.031 0-.059.006-.084.017C.221-.45.199-.434.18-.415c-.019.02-.033.043-.043.068-.011.026-.016.053-.016.082 0 .029.005.056.016.082.011.026.025.049.044.069.019.02.041.036.066.047.025.012.053.018.083.018Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(488.71612761 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="m.034-.062.043-.049c.017.019.035.034.054.044.018.01.037.015.057.015.013 0 .026-.002.038-.007.011-.004.021-.01.031-.018.009-.008.016-.017.021-.028.005-.011.008-.022.008-.035 0-.019-.005-.034-.014-.047C.263-.199.248-.21.229-.221.205-.234.183-.247.162-.259.14-.271.122-.284.107-.298.092-.311.08-.327.071-.344.062-.361.058-.381.058-.404c0-.021.004-.04.012-.058.007-.016.018-.031.031-.044.013-.013.028-.022.046-.029.018-.007.037-.01.057-.01.029 0 .056.006.079.019s.045.031.068.053l-.044.045C.291-.443.275-.456.258-.465.241-.474.221-.479.2-.479c-.022 0-.041.007-.056.02C.128-.445.12-.428.12-.408c0 .019.006.035.017.048.011.013.027.026.048.037.027.015.05.028.071.04.021.013.038.026.052.039.014.013.025.028.032.044.007.016.011.035.011.057 0 .021-.004.041-.011.059-.008.019-.019.036-.033.05-.014.015-.031.026-.05.035C.237.01.215.014.191.014c-.03 0-.059-.006-.086-.02C.077-.019.053-.037.034-.062Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(649.90292961 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.051-.266c0-.04.007-.077.022-.111.014-.034.034-.063.059-.089.025-.025.054-.044.089-.058.035-.014.072-.021.113-.021.051 0 .098.01.139.03.041.021.075.049.1.085l-.05.043C.498-.418.47-.441.439-.456.408-.471.372-.479.331-.479c-.03 0-.058.005-.083.016C.222-.452.2-.436.181-.418.162-.399.148-.376.137-.35c-.011.026-.016.054-.016.084 0 .031.005.06.016.086.011.027.025.049.044.068.019.019.041.034.067.044.025.011.053.016.084.016.077 0 .141-.03.191-.09l.051.04c-.028.036-.062.064-.103.085C.43.004.384.014.332.014.291.014.254.007.219-.008.184-.022.155-.042.13-.067.105-.092.086-.121.072-.156.058-.19.051-.227.051-.266Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(741.20289921 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.051-.267c0-.038.007-.074.021-.108.014-.033.033-.063.058-.088.025-.025.054-.045.087-.06.033-.015.069-.022.108-.022.043 0 .083.009.119.027.035.019.066.047.093.084v-.097h.067V0H.537v-.091C.508-.056.475-.029.44-.013.404.005.365.013.323.013.284.013.248.006.215-.01.182-.024.153-.045.129-.071.104-.096.085-.126.072-.16.058-.193.051-.229.051-.267Zm.279.218c.027 0 .054-.005.079-.015.025-.01.048-.024.068-.043.019-.018.035-.04.047-.067.012-.027.018-.056.018-.089 0-.031-.005-.059-.016-.086C.515-.375.501-.398.482-.417.462-.436.44-.452.415-.463.389-.474.361-.479.331-.479c-.031 0-.059.006-.084.017C.221-.45.199-.434.18-.415c-.019.02-.033.043-.043.068-.011.026-.016.053-.016.082 0 .029.005.056.016.082.011.026.025.049.044.069.019.02.041.036.066.047.025.012.053.018.083.018Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(884.27089281 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.066-.736h.068V0H.066z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(1045.22238561 521.8022953) scale(235.3092)"
+          />
+          <path
+            d="M.051-.264c0-.036.007-.071.02-.105.013-.034.031-.064.055-.09.023-.026.052-.047.086-.063.033-.015.071-.023.112-.023.039 0 .076.007.109.021.033.014.062.033.087.058.025.025.044.054.058.088.014.035.021.072.021.113v.005H.121c.001.031.007.059.018.084.01.025.024.047.042.065.018.019.04.033.065.043.025.01.052.015.082.015.026 0 .049-.003.069-.01.02-.007.038-.016.054-.028C.466-.102.48-.115.492-.13c.011-.015.022-.03.032-.046l.057.03C.556-.097.522-.058.48-.03.437-.001.387.013.328.013.284.013.245.006.21-.01.175-.024.146-.045.123-.07.1-.095.082-.125.07-.159.057-.192.051-.227.051-.264ZM.128-.32h.396C.51-.375.485-.416.449-.441.412-.466.371-.479.325-.479c-.048 0-.089.013-.123.039-.034.026-.059.066-.074.12Z"
+            style="fill: #8d8d8d; fill-rule: nonzero"
+            transform="translate(1092.28422561 521.8022953) scale(235.3092)"
+          />
+          <circle
+            cx="141.023"
+            cy="338.36"
+            r="117.472"
+            style="fill: #f8b5cb"
+            transform="matrix(.581302 0 0 .58613 40.06479894 12.59842153)"
+          />
+          <circle
+            cx="352.014"
+            cy="268.302"
+            r="33.095"
+            style="fill: #a2a2a2"
+            transform="matrix(.59308 0 0 .58289 32.39345942 21.2386)"
+          />
+          <circle
+            cx="352.014"
+            cy="268.302"
+            r="33.095"
+            style="fill: #a2a2a2"
+            transform="matrix(.59308 0 0 .58289 32.39345942 88.80371146)"
+          />
+          <circle
+            cx="352.014"
+            cy="268.302"
+            r="33.095"
+            style="fill: #a2a2a2"
+            transform="matrix(.59308 0 0 .58289 120.7528627 88.80371146)"
+          />
+          <circle
+            cx="352.014"
+            cy="268.302"
+            r="33.095"
+            style="fill: #a2a2a2"
+            transform="matrix(.59308 0 0 .58289 120.99825939 21.2386)"
+          />
+          <circle
+            cx="805.557"
+            cy="336.915"
+            r="118.199"
+            style="fill: #8d8d8d"
+            transform="matrix(.5782 0 0 .58289 36.19871106 15.26642564)"
+          />
+          <circle
+            cx="805.557"
+            cy="336.915"
+            r="118.199"
+            style="fill: #8d8d8d"
+            transform="matrix(.5782 0 0 .58289 183.24041937 15.26642564)"
+          />
+          <path
+            d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z"
+            style="fill: #303030"
+            transform="translate(34.2345 21.2386) scale(.58289)"
+          />
+          <path
+            d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z"
+            style="fill: #303030"
+            transform="matrix(-.58289 0 0 .58289 1116.7719791 21.2386)"
+          />
+        </svg>
+        <div class="message is-success">
+          <svg
+            id="checkbox"
+            aria-hidden="true"
+            xmlns="http://www.w3.org/2000/svg"
+            width="20"
+            height="20"
+            viewBox="0 0 512 512"
+          >
+            <path
+              d="M256 32C132.3 32 32 132.3 32 256s100.3 224 224 224 224-100.3 224-224S379.7 32 256 32zm114.9 149.1L231.8 359.6c-1.1 1.1-2.9 3.5-5.1 3.5-2.3 0-3.8-1.6-5.1-2.9-1.3-1.3-78.9-75.9-78.9-75.9l-1.5-1.5c-.6-.9-1.1-2-1.1-3.2 0-1.2.5-2.3 1.1-3.2.4-.4.7-.7 1.1-1.2 7.7-8.1 23.3-24.5 24.3-25.5 1.3-1.3 2.4-3 4.8-3 2.5 0 4.1 2.1 5.3 3.3 1.2 1.2 45 43.3 45 43.3l111.3-143c1-.8 2.2-1.4 3.5-1.4 1.3 0 2.5.5 3.5 1.3l30.6 24.1c.8 1 1.3 2.2 1.3 3.5.1 1.3-.4 2.4-1 3.3z"
+            ></path>
+          </svg>
+          <div class="message-content">
+            <div class="message-title">Signed in via your OIDC provider</div>
+            <p class="message-body">
+              {{.Verb}} as {{.User}}, you can now close this window.
+            </p>
+          </div>
+        </div>
+        <hr />
+        <h1>Not sure how to get started?</h1>
+        <p class="learn">
+          Check out beginner and advanced guides on, or read more in the
+          documentation.
+        </p>
+        <a
+          href="https://github.com/juanfont/headscale/tree/main/docs"
+          rel="noreferrer noopener"
+          target="_blank"
+        >
+          <span class="icon">
+            <svg
+              width="16"
+              height="16"
+              viewBox="0 0 16 16"
+              xmlns="http://www.w3.org/2000/svg"
+            >
+              <path
+                d="M13.307 1H11.5a.5.5 0 1 1 0-1h3a.499.499 0 0 1 .5.65V3.5a.5.5 0 1 1-1 0V1.72l-1.793 1.774a.5.5 0 0 1-.713-.701L13.307 1zM12 14V8a.5.5 0 1 1 1 0v6.5a.5.5 0 0 1-.5.5H.563a.5.5 0 0 1-.5-.5v-13a.5.5 0 0 1 .5-.5H8a.5.5 0 0 1 0 1H1v12h11zM4 6a.5.5 0 0 1 0-1h3a.5.5 0 0 1 0 1H4zm0 2.5a.5.5 0 0 1 0-1h5a.5.5 0 0 1 0 1H4zM4 11a.5.5 0 1 1 0-1h5a.5.5 0 1 1 0 1H4z"
+              />
+            </svg>
+          </span>
+          View the headscale documentation
+        </a>
+        <a
+          href="https://tailscale.com/kb/"
+          rel="noreferrer noopener"
+          target="_blank"
+        >
+          <span class="icon">
+            <svg
+              width="16"
+              height="16"
+              viewBox="0 0 16 16"
+              xmlns="http://www.w3.org/2000/svg"
+            >
+              <path
+                d="M13.307 1H11.5a.5.5 0 1 1 0-1h3a.499.499 0 0 1 .5.65V3.5a.5.5 0 1 1-1 0V1.72l-1.793 1.774a.5.5 0 0 1-.713-.701L13.307 1zM12 14V8a.5.5 0 1 1 1 0v6.5a.5.5 0 0 1-.5.5H.563a.5.5 0 0 1-.5-.5v-13a.5.5 0 0 1 .5-.5H8a.5.5 0 0 1 0 1H1v12h11zM4 6a.5.5 0 0 1 0-1h3a.5.5 0 0 1 0 1H4zm0 2.5a.5.5 0 0 1 0-1h5a.5.5 0 0 1 0 1H4zM4 11a.5.5 0 1 1 0-1h5a.5.5 0 1 1 0 1H4z"
+              />
+            </svg>
+          </span>
+          View the tailscale documentation
+        </a>
+      </div>
+    </div>
+  </body>
+</html>

hscontrol/auth.go

@@ -1,100 +1,25 @@
 package hscontrol
 
 import (
-	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
-	"strconv"
 	"strings"
 	"time"
 
+	"github.com/juanfont/headscale/hscontrol/mapper"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 )
 
-const (
-	// The CapabilityVersion is used by Tailscale clients to indicate
-	// their codebase version. Tailscale clients can communicate over TS2021
-	// from CapabilityVersion 28, but we only have good support for it
-	// since https://github.com/tailscale/tailscale/pull/4323 (Noise in any HTTPS port).
-	//
-	// Related to this change, there is https://github.com/tailscale/tailscale/pull/5379,
-	// where CapabilityVersion 39 is introduced to indicate #4323 was merged.
-	//
-	// See also https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go
-	NoiseCapabilityVersion = 39
-)
-
-// KeyHandler provides the Headscale pub key
-// Listens in /key.
-func (h *Headscale) KeyHandler(
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
-	// New Tailscale clients send a 'v' parameter to indicate the CurrentCapabilityVersion
-	clientCapabilityStr := req.URL.Query().Get("v")
-	if clientCapabilityStr != "" {
-		log.Debug().
-			Str("handler", "/key").
-			Str("v", clientCapabilityStr).
-			Msg("New noise client")
-		clientCapabilityVersion, err := strconv.Atoi(clientCapabilityStr)
-		if err != nil {
-			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-			writer.WriteHeader(http.StatusBadRequest)
-			_, err := writer.Write([]byte("Wrong params"))
-			if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
-
-			return
-		}
-
-		// TS2021 (Tailscale v2 protocol) requires to have a different key
-		if clientCapabilityVersion >= NoiseCapabilityVersion {
-			resp := tailcfg.OverTLSPublicKeyResponse{
-				LegacyPublicKey: h.privateKey.Public(),
-				PublicKey:       h.noisePrivateKey.Public(),
-			}
-			writer.Header().Set("Content-Type", "application/json")
-			writer.WriteHeader(http.StatusOK)
-			err = json.NewEncoder(writer).Encode(resp)
-			if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
-
-			return
-		}
-	}
-	log.Debug().
-		Str("handler", "/key").
-		Msg("New legacy client")
-
-	// Old clients don't send a 'v' parameter, so we send the legacy public key
-	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err := writer.Write([]byte(MachinePublicKeyStripPrefix(h.privateKey.Public())))
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
-}
-
-// handleRegisterCommon is the common logic for registering a client in the legacy and Noise protocols
+// handleRegister is the common logic for registering a client in the legacy and Noise protocols
 //
 // When using Noise, the machineKey is Zero.
-func (h *Headscale) handleRegisterCommon(
+func (h *Headscale) handleRegister(
 	writer http.ResponseWriter,
 	req *http.Request,
 	registerRequest tailcfg.RegisterRequest,
@@ -102,11 +27,11 @@ func (h *Headscale) handleRegisterCommon(
 	isNoise bool,
 ) {
 	now := time.Now().UTC()
-	machine, err := h.GetMachineByAnyKey(machineKey, registerRequest.NodeKey, registerRequest.OldNodeKey)
+	machine, err := h.db.GetMachineByAnyKey(machineKey, registerRequest.NodeKey, registerRequest.OldNodeKey)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
 		// If the machine has AuthKey set, handle registration via PreAuthKeys
 		if registerRequest.Auth.AuthKey != "" {
-			h.handleAuthKeyCommon(writer, registerRequest, machineKey, isNoise)
+			h.handleAuthKey(writer, registerRequest, machineKey, isNoise)
 
 			return
 		}
@@ -120,7 +45,7 @@ func (h *Headscale) handleRegisterCommon(
 		// is that the client will hammer headscale with requests until it gets a
 		// successful RegisterResponse.
 		if registerRequest.Followup != "" {
-			if _, ok := h.registrationCache.Get(NodePublicKeyStripPrefix(registerRequest.NodeKey)); ok {
+			if _, ok := h.registrationCache.Get(util.NodePublicKeyStripPrefix(registerRequest.NodeKey)); ok {
 				log.Debug().
 					Caller().
 					Str("machine", registerRequest.Hostinfo.Hostname).
@@ -135,7 +60,7 @@ func (h *Headscale) handleRegisterCommon(
 				case <-req.Context().Done():
 					return
 				case <-time.After(registrationHoldoff):
-					h.handleNewMachineCommon(writer, registerRequest, machineKey, isNoise)
+					h.handleNewMachine(writer, registerRequest, machineKey, isNoise)
 
 					return
 				}
@@ -152,7 +77,7 @@ func (h *Headscale) handleRegisterCommon(
 			Bool("noise", isNoise).
 			Msg("New machine not yet in the database")
 
-		givenName, err := h.GenerateGivenName(
+		givenName, err := h.db.GenerateGivenName(
 			machineKey.String(),
 			registerRequest.Hostinfo.Hostname,
 		)
@@ -170,11 +95,11 @@ func (h *Headscale) handleRegisterCommon(
 		// that we rely on a method that calls back some how (OpenID or CLI)
 		// We create the machine and then keep it around until a callback
 		// happens
-		newMachine := Machine{
-			MachineKey: MachinePublicKeyStripPrefix(machineKey),
+		newMachine := types.Machine{
+			MachineKey: util.MachinePublicKeyStripPrefix(machineKey),
 			Hostname:   registerRequest.Hostinfo.Hostname,
 			GivenName:  givenName,
-			NodeKey:    NodePublicKeyStripPrefix(registerRequest.NodeKey),
+			NodeKey:    util.NodePublicKeyStripPrefix(registerRequest.NodeKey),
 			LastSeen:   &now,
 			Expiry:     &time.Time{},
 		}
@@ -195,7 +120,7 @@ func (h *Headscale) handleRegisterCommon(
 			registerCacheExpiration,
 		)
 
-		h.handleNewMachineCommon(writer, registerRequest, machineKey, isNoise)
+		h.handleNewMachine(writer, registerRequest, machineKey, isNoise)
 
 		return
 	}
@@ -210,11 +135,10 @@ func (h *Headscale) handleRegisterCommon(
 		// So if we have a not valid MachineKey (but we were able to fetch the machine with the NodeKeys), we update it.
 		var storedMachineKey key.MachinePublic
 		err = storedMachineKey.UnmarshalText(
-			[]byte(MachinePublicKeyEnsurePrefix(machine.MachineKey)),
+			[]byte(util.MachinePublicKeyEnsurePrefix(machine.MachineKey)),
 		)
 		if err != nil || storedMachineKey.IsZero() {
-			machine.MachineKey = MachinePublicKeyStripPrefix(machineKey)
-			if err := h.db.Save(&machine).Error; err != nil {
+			if err := h.db.MachineSetMachineKey(machine, machineKey); err != nil {
 				log.Error().
 					Caller().
 					Str("func", "RegistrationHandler").
@@ -231,29 +155,29 @@ func (h *Headscale) handleRegisterCommon(
 		// - Trying to log out (sending a expiry in the past)
 		// - A valid, registered machine, looking for /map
 		// - Expired machine wanting to reauthenticate
-		if machine.NodeKey == NodePublicKeyStripPrefix(registerRequest.NodeKey) {
+		if machine.NodeKey == util.NodePublicKeyStripPrefix(registerRequest.NodeKey) {
 			// The client sends an Expiry in the past if the client is requesting to expire the key (aka logout)
 			//   https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L648
 			if !registerRequest.Expiry.IsZero() &&
 				registerRequest.Expiry.UTC().Before(now) {
-				h.handleMachineLogOutCommon(writer, *machine, machineKey, isNoise)
+				h.handleMachineLogOut(writer, *machine, machineKey, isNoise)
 
 				return
 			}
 
 			// If machine is not expired, and it is register, we have a already accepted this machine,
 			// let it proceed with a valid registration
-			if !machine.isExpired() {
-				h.handleMachineValidRegistrationCommon(writer, *machine, machineKey, isNoise)
+			if !machine.IsExpired() {
+				h.handleMachineWithValidRegistration(writer, *machine, machineKey, isNoise)
 
 				return
 			}
 		}
 
 		// The NodeKey we have matches OldNodeKey, which means this is a refresh after a key expiration
-		if machine.NodeKey == NodePublicKeyStripPrefix(registerRequest.OldNodeKey) &&
-			!machine.isExpired() {
-			h.handleMachineRefreshKeyCommon(
+		if machine.NodeKey == util.NodePublicKeyStripPrefix(registerRequest.OldNodeKey) &&
+			!machine.IsExpired() {
+			h.handleMachineKeyRefresh(
 				writer,
 				registerRequest,
 				*machine,
@@ -273,7 +197,7 @@ func (h *Headscale) handleRegisterCommon(
 		}
 
 		// The machine has expired or it is logged out
-		h.handleMachineExpiredOrLoggedOutCommon(writer, registerRequest, *machine, machineKey, isNoise)
+		h.handleMachineExpiredOrLoggedOut(writer, registerRequest, *machine, machineKey, isNoise)
 
 		// TODO(juan): RegisterRequest includes an Expiry time, that we could optionally use
 		machine.Expiry = &time.Time{}
@@ -282,9 +206,9 @@ func (h *Headscale) handleRegisterCommon(
 		// we need to make sure the NodeKey matches the one in the request
 		// TODO(juan): What happens when using fast user switching between two
 		// headscale-managed tailnets?
-		machine.NodeKey = NodePublicKeyStripPrefix(registerRequest.NodeKey)
+		machine.NodeKey = util.NodePublicKeyStripPrefix(registerRequest.NodeKey)
 		h.registrationCache.Set(
-			NodePublicKeyStripPrefix(registerRequest.NodeKey),
+			util.NodePublicKeyStripPrefix(registerRequest.NodeKey),
 			*machine,
 			registerCacheExpiration,
 		)
@@ -293,46 +217,44 @@ func (h *Headscale) handleRegisterCommon(
 	}
 }
 
-// handleAuthKeyCommon contains the logic to manage auth key client registration
+// handleAuthKey contains the logic to manage auth key client registration
 // It is used both by the legacy and the new Noise protocol.
 // When using Noise, the machineKey is Zero.
 //
 // TODO: check if any locks are needed around IP allocation.
-func (h *Headscale) handleAuthKeyCommon(
+func (h *Headscale) handleAuthKey(
 	writer http.ResponseWriter,
 	registerRequest tailcfg.RegisterRequest,
 	machineKey key.MachinePublic,
 	isNoise bool,
 ) {
 	log.Debug().
-		Str("func", "handleAuthKeyCommon").
+		Caller().
 		Str("machine", registerRequest.Hostinfo.Hostname).
 		Bool("noise", isNoise).
 		Msgf("Processing auth key for %s", registerRequest.Hostinfo.Hostname)
 	resp := tailcfg.RegisterResponse{}
 
-	pak, err := h.checkKeyValidity(registerRequest.Auth.AuthKey)
+	pak, err := h.db.ValidatePreAuthKey(registerRequest.Auth.AuthKey)
 	if err != nil {
 		log.Error().
 			Caller().
-			Str("func", "handleAuthKeyCommon").
 			Bool("noise", isNoise).
 			Str("machine", registerRequest.Hostinfo.Hostname).
 			Err(err).
 			Msg("Failed authentication via AuthKey")
 		resp.MachineAuthorized = false
 
-		respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+		respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 		if err != nil {
 			log.Error().
 				Caller().
-				Str("func", "handleAuthKeyCommon").
 				Bool("noise", isNoise).
 				Str("machine", registerRequest.Hostinfo.Hostname).
 				Err(err).
 				Msg("Cannot encode message")
 			http.Error(writer, "Internal server error", http.StatusInternalServerError)
-			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.User.Name).
+			machineRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "error", pak.User.Name).
 				Inc()
 
 			return
@@ -351,34 +273,33 @@ func (h *Headscale) handleAuthKeyCommon(
 
 		log.Error().
 			Caller().
-			Str("func", "handleAuthKeyCommon").
 			Bool("noise", isNoise).
 			Str("machine", registerRequest.Hostinfo.Hostname).
 			Msg("Failed authentication via AuthKey")
 
 		if pak != nil {
-			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.User.Name).
+			machineRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "error", pak.User.Name).
 				Inc()
 		} else {
-			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", "unknown").Inc()
+			machineRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "error", "unknown").Inc()
 		}
 
 		return
 	}
 
 	log.Debug().
-		Str("func", "handleAuthKeyCommon").
+		Caller().
 		Bool("noise", isNoise).
 		Str("machine", registerRequest.Hostinfo.Hostname).
 		Msg("Authentication key was valid, proceeding to acquire IP addresses")
 
-	nodeKey := NodePublicKeyStripPrefix(registerRequest.NodeKey)
+	nodeKey := util.NodePublicKeyStripPrefix(registerRequest.NodeKey)
 
 	// retrieve machine information if it exist
 	// The error is not important, because if it does not
 	// exist, then this is a new machine and we will move
 	// on to registration.
-	machine, _ := h.GetMachineByAnyKey(machineKey, registerRequest.NodeKey, registerRequest.OldNodeKey)
+	machine, _ := h.db.GetMachineByAnyKey(machineKey, registerRequest.NodeKey, registerRequest.OldNodeKey)
 	if machine != nil {
 		log.Trace().
 			Caller().
@@ -388,7 +309,7 @@ func (h *Headscale) handleAuthKeyCommon(
 
 		machine.NodeKey = nodeKey
 		machine.AuthKeyID = uint(pak.ID)
-		err := h.RefreshMachine(machine, registerRequest.Expiry)
+		err := h.db.RefreshMachine(machine, registerRequest.Expiry)
 		if err != nil {
 			log.Error().
 				Caller().
@@ -400,10 +321,10 @@ func (h *Headscale) handleAuthKeyCommon(
 			return
 		}
 
-		aclTags := pak.toProto().AclTags
+		aclTags := pak.Proto().AclTags
 		if len(aclTags) > 0 {
 			// This conditional preserves the existing behaviour, although SaaS would reset the tags on auth-key login
-			err = h.SetTags(machine, aclTags)
+			err = h.db.SetTags(machine, aclTags)
 
 			if err != nil {
 				log.Error().
@@ -420,7 +341,7 @@ func (h *Headscale) handleAuthKeyCommon(
 	} else {
 		now := time.Now().UTC()
 
-		givenName, err := h.GenerateGivenName(MachinePublicKeyStripPrefix(machineKey), registerRequest.Hostinfo.Hostname)
+		givenName, err := h.db.GenerateGivenName(util.MachinePublicKeyStripPrefix(machineKey), registerRequest.Hostinfo.Hostname)
 		if err != nil {
 			log.Error().
 				Caller().
@@ -432,20 +353,20 @@ func (h *Headscale) handleAuthKeyCommon(
 			return
 		}
 
-		machineToRegister := Machine{
+		machineToRegister := types.Machine{
 			Hostname:       registerRequest.Hostinfo.Hostname,
 			GivenName:      givenName,
 			UserID:         pak.User.ID,
-			MachineKey:     MachinePublicKeyStripPrefix(machineKey),
-			RegisterMethod: RegisterMethodAuthKey,
+			MachineKey:     util.MachinePublicKeyStripPrefix(machineKey),
+			RegisterMethod: util.RegisterMethodAuthKey,
 			Expiry:         &registerRequest.Expiry,
 			NodeKey:        nodeKey,
 			LastSeen:       &now,
 			AuthKeyID:      uint(pak.ID),
-			ForcedTags:     pak.toProto().AclTags,
+			ForcedTags:     pak.Proto().AclTags,
 		}
 
-		machine, err = h.RegisterMachine(
+		machine, err = h.db.RegisterMachine(
 			machineToRegister,
 		)
 		if err != nil {
@@ -454,7 +375,7 @@ func (h *Headscale) handleAuthKeyCommon(
 				Bool("noise", isNoise).
 				Err(err).
 				Msg("could not register machine")
-			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.User.Name).
+			machineRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "error", pak.User.Name).
 				Inc()
 			http.Error(writer, "Internal server error", http.StatusInternalServerError)
 
@@ -462,14 +383,14 @@ func (h *Headscale) handleAuthKeyCommon(
 		}
 	}
 
-	err = h.UsePreAuthKey(pak)
+	err = h.db.UsePreAuthKey(pak)
 	if err != nil {
 		log.Error().
 			Caller().
 			Bool("noise", isNoise).
 			Err(err).
 			Msg("Failed to use pre-auth key")
-		machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.User.Name).
+		machineRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "error", pak.User.Name).
 			Inc()
 		http.Error(writer, "Internal server error", http.StatusInternalServerError)
 
@@ -477,27 +398,26 @@ func (h *Headscale) handleAuthKeyCommon(
 	}
 
 	resp.MachineAuthorized = true
-	resp.User = *pak.User.toTailscaleUser()
+	resp.User = *pak.User.TailscaleUser()
 	// Provide LoginName when registering with pre-auth key
 	// Otherwise it will need to exec `tailscale up` twice to fetch the *LoginName*
-	resp.Login = *pak.User.toTailscaleLogin()
+	resp.Login = *pak.User.TailscaleLogin()
 
-	respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+	respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 	if err != nil {
 		log.Error().
 			Caller().
 			Bool("noise", isNoise).
-			Str("func", "handleAuthKeyCommon").
 			Str("machine", registerRequest.Hostinfo.Hostname).
 			Err(err).
 			Msg("Cannot encode message")
-		machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.User.Name).
+		machineRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "error", pak.User.Name).
 			Inc()
 		http.Error(writer, "Internal server error", http.StatusInternalServerError)
 
 		return
 	}
-	machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "success", pak.User.Name).
+	machineRegistrations.WithLabelValues("new", util.RegisterMethodAuthKey, "success", pak.User.Name).
 		Inc()
 	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
 	writer.WriteHeader(http.StatusOK)
@@ -511,16 +431,15 @@ func (h *Headscale) handleAuthKeyCommon(
 	}
 
 	log.Info().
-		Str("func", "handleAuthKeyCommon").
 		Bool("noise", isNoise).
 		Str("machine", registerRequest.Hostinfo.Hostname).
-		Str("ips", strings.Join(machine.IPAddresses.ToStringSlice(), ", ")).
+		Str("ips", strings.Join(machine.IPAddresses.StringSlice(), ", ")).
 		Msg("Successfully authenticated via AuthKey")
 }
 
-// handleNewMachineCommon exposes for both legacy and Noise the functionality to get a URL
+// handleNewMachine exposes for both legacy and Noise the functionality to get a URL
 // for authorizing the machine. This url is then showed to the user by the local Tailscale client.
-func (h *Headscale) handleNewMachineCommon(
+func (h *Headscale) handleNewMachine(
 	writer http.ResponseWriter,
 	registerRequest tailcfg.RegisterRequest,
 	machineKey key.MachinePublic,
@@ -547,7 +466,7 @@ func (h *Headscale) handleNewMachineCommon(
 			registerRequest.NodeKey)
 	}
 
-	respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+	respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 	if err != nil {
 		log.Error().
 			Caller().
@@ -578,9 +497,9 @@ func (h *Headscale) handleNewMachineCommon(
 		Msg("Successfully sent auth url")
 }
 
-func (h *Headscale) handleMachineLogOutCommon(
+func (h *Headscale) handleMachineLogOut(
 	writer http.ResponseWriter,
-	machine Machine,
+	machine types.Machine,
 	machineKey key.MachinePublic,
 	isNoise bool,
 ) {
@@ -591,12 +510,11 @@ func (h *Headscale) handleMachineLogOutCommon(
 		Str("machine", machine.Hostname).
 		Msg("Client requested logout")
 
-	err := h.ExpireMachine(&machine)
+	err := h.db.ExpireMachine(&machine)
 	if err != nil {
 		log.Error().
 			Caller().
 			Bool("noise", isNoise).
-			Str("func", "handleMachineLogOutCommon").
 			Err(err).
 			Msg("Failed to expire machine")
 		http.Error(writer, "Internal server error", http.StatusInternalServerError)
@@ -607,8 +525,8 @@ func (h *Headscale) handleMachineLogOutCommon(
 	resp.AuthURL = ""
 	resp.MachineAuthorized = false
 	resp.NodeKeyExpired = true
-	resp.User = *machine.User.toTailscaleUser()
-	respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+	resp.User = *machine.User.TailscaleUser()
+	respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 	if err != nil {
 		log.Error().
 			Caller().
@@ -633,8 +551,8 @@ func (h *Headscale) handleMachineLogOutCommon(
 		return
 	}
 
-	if machine.isEphemeral() {
-		err = h.HardDeleteMachine(&machine)
+	if machine.IsEphemeral() {
+		err = h.db.HardDeleteMachine(&machine)
 		if err != nil {
 			log.Error().
 				Err(err).
@@ -652,9 +570,9 @@ func (h *Headscale) handleMachineLogOutCommon(
 		Msg("Successfully logged out")
 }
 
-func (h *Headscale) handleMachineValidRegistrationCommon(
+func (h *Headscale) handleMachineWithValidRegistration(
 	writer http.ResponseWriter,
-	machine Machine,
+	machine types.Machine,
 	machineKey key.MachinePublic,
 	isNoise bool,
 ) {
@@ -669,10 +587,10 @@ func (h *Headscale) handleMachineValidRegistrationCommon(
 
 	resp.AuthURL = ""
 	resp.MachineAuthorized = true
-	resp.User = *machine.User.toTailscaleUser()
-	resp.Login = *machine.User.toTailscaleLogin()
+	resp.User = *machine.User.TailscaleUser()
+	resp.Login = *machine.User.TailscaleLogin()
 
-	respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+	respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 	if err != nil {
 		log.Error().
 			Caller().
@@ -706,10 +624,10 @@ func (h *Headscale) handleMachineValidRegistrationCommon(
 		Msg("Machine successfully authorized")
 }
 
-func (h *Headscale) handleMachineRefreshKeyCommon(
+func (h *Headscale) handleMachineKeyRefresh(
 	writer http.ResponseWriter,
 	registerRequest tailcfg.RegisterRequest,
-	machine Machine,
+	machine types.Machine,
 	machineKey key.MachinePublic,
 	isNoise bool,
 ) {
@@ -720,9 +638,9 @@ func (h *Headscale) handleMachineRefreshKeyCommon(
 		Bool("noise", isNoise).
 		Str("machine", machine.Hostname).
 		Msg("We have the OldNodeKey in the database. This is a key refresh")
-	machine.NodeKey = NodePublicKeyStripPrefix(registerRequest.NodeKey)
 
-	if err := h.db.Save(&machine).Error; err != nil {
+	err := h.db.MachineSetNodeKey(&machine, registerRequest.NodeKey)
+	if err != nil {
 		log.Error().
 			Caller().
 			Err(err).
@@ -733,8 +651,8 @@ func (h *Headscale) handleMachineRefreshKeyCommon(
 	}
 
 	resp.AuthURL = ""
-	resp.User = *machine.User.toTailscaleUser()
-	respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+	resp.User = *machine.User.TailscaleUser()
+	respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 	if err != nil {
 		log.Error().
 			Caller().
@@ -766,17 +684,17 @@ func (h *Headscale) handleMachineRefreshKeyCommon(
 		Msg("Node key successfully refreshed")
 }
 
-func (h *Headscale) handleMachineExpiredOrLoggedOutCommon(
+func (h *Headscale) handleMachineExpiredOrLoggedOut(
 	writer http.ResponseWriter,
 	registerRequest tailcfg.RegisterRequest,
-	machine Machine,
+	machine types.Machine,
 	machineKey key.MachinePublic,
 	isNoise bool,
 ) {
 	resp := tailcfg.RegisterResponse{}
 
 	if registerRequest.Auth.AuthKey != "" {
-		h.handleAuthKeyCommon(writer, registerRequest, machineKey, isNoise)
+		h.handleAuthKey(writer, registerRequest, machineKey, isNoise)
 
 		return
 	}
@@ -801,7 +719,7 @@ func (h *Headscale) handleMachineExpiredOrLoggedOutCommon(
 			registerRequest.NodeKey)
 	}
 
-	respBody, err := h.marshalResponse(resp, machineKey, isNoise)
+	respBody, err := mapper.MarshalResponse(resp, isNoise, h.privateKey2019, machineKey)
 	if err != nil {
 		log.Error().
 			Caller().

hscontrol/auth_legacy.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 
 	"github.com/gorilla/mux"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
@@ -32,7 +33,7 @@ func (h *Headscale) RegistrationHandler(
 	body, _ := io.ReadAll(req.Body)
 
 	var machineKey key.MachinePublic
-	err := machineKey.UnmarshalText([]byte(MachinePublicKeyEnsurePrefix(machineKeyStr)))
+	err := machineKey.UnmarshalText([]byte(util.MachinePublicKeyEnsurePrefix(machineKeyStr)))
 	if err != nil {
 		log.Error().
 			Caller().
@@ -44,7 +45,7 @@ func (h *Headscale) RegistrationHandler(
 		return
 	}
 	registerRequest := tailcfg.RegisterRequest{}
-	err = decode(body, &registerRequest, &machineKey, h.privateKey)
+	err = util.DecodeAndUnmarshalNaCl(body, &registerRequest, &machineKey, h.privateKey2019)
 	if err != nil {
 		log.Error().
 			Caller().
@@ -56,5 +57,5 @@ func (h *Headscale) RegistrationHandler(
 		return
 	}
 
-	h.handleRegisterCommon(writer, req, registerRequest, machineKey, false)
+	h.handleRegister(writer, req, registerRequest, machineKey, false)
 }

hscontrol/auth_noise.go

@@ -40,5 +40,5 @@ func (ns *noiseServer) NoiseRegistrationHandler(
 
 	ns.nodeKey = registerRequest.NodeKey
 
-	ns.headscale.handleRegisterCommon(writer, req, registerRequest, ns.conn.Peer(), true)
+	ns.headscale.handleRegister(writer, req, registerRequest, ns.conn.Peer(), true)
 }

hscontrol/db.go

@@ -1,404 +0,0 @@
-package hscontrol
-
-import (
-	"context"
-	"database/sql/driver"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/netip"
-	"time"
-
-	"github.com/glebarez/sqlite"
-	"github.com/rs/zerolog/log"
-	"gorm.io/driver/postgres"
-	"gorm.io/gorm"
-	"gorm.io/gorm/logger"
-	"tailscale.com/tailcfg"
-)
-
-const (
-	dbVersion = "1"
-
-	errValueNotFound     = Error("not found")
-	ErrCannotParsePrefix = Error("cannot parse prefix")
-)
-
-// KV is a key-value store in a psql table. For future use...
-type KV struct {
-	Key   string
-	Value string
-}
-
-func (h *Headscale) initDB() error {
-	db, err := h.openDB()
-	if err != nil {
-		return err
-	}
-	h.db = db
-
-	if h.dbType == Postgres {
-		db.Exec(`create extension if not exists "uuid-ossp";`)
-	}
-
-	_ = db.Migrator().RenameTable("namespaces", "users")
-
-	err = db.AutoMigrate(&User{})
-	if err != nil {
-		return err
-	}
-
-	_ = db.Migrator().RenameColumn(&Machine{}, "namespace_id", "user_id")
-	_ = db.Migrator().RenameColumn(&PreAuthKey{}, "namespace_id", "user_id")
-
-	_ = db.Migrator().RenameColumn(&Machine{}, "ip_address", "ip_addresses")
-	_ = db.Migrator().RenameColumn(&Machine{}, "name", "hostname")
-
-	// GivenName is used as the primary source of DNS names, make sure
-	// the field is populated and normalized if it was not when the
-	// machine was registered.
-	_ = db.Migrator().RenameColumn(&Machine{}, "nickname", "given_name")
-
-	// If the Machine table has a column for registered,
-	// find all occourences of "false" and drop them. Then
-	// remove the column.
-	if db.Migrator().HasColumn(&Machine{}, "registered") {
-		log.Info().
-			Msg(`Database has legacy "registered" column in machine, removing...`)
-
-		machines := Machines{}
-		if err := h.db.Not("registered").Find(&machines).Error; err != nil {
-			log.Error().Err(err).Msg("Error accessing db")
-		}
-
-		for _, machine := range machines {
-			log.Info().
-				Str("machine", machine.Hostname).
-				Str("machine_key", machine.MachineKey).
-				Msg("Deleting unregistered machine")
-			if err := h.db.Delete(&Machine{}, machine.ID).Error; err != nil {
-				log.Error().
-					Err(err).
-					Str("machine", machine.Hostname).
-					Str("machine_key", machine.MachineKey).
-					Msg("Error deleting unregistered machine")
-			}
-		}
-
-		err := db.Migrator().DropColumn(&Machine{}, "registered")
-		if err != nil {
-			log.Error().Err(err).Msg("Error dropping registered column")
-		}
-	}
-
-	err = db.AutoMigrate(&Route{})
-	if err != nil {
-		return err
-	}
-
-	if db.Migrator().HasColumn(&Machine{}, "enabled_routes") {
-		log.Info().Msgf("Database has legacy enabled_routes column in machine, migrating...")
-
-		type MachineAux struct {
-			ID            uint64
-			EnabledRoutes IPPrefixes
-		}
-
-		machinesAux := []MachineAux{}
-		err := db.Table("machines").Select("id, enabled_routes").Scan(&machinesAux).Error
-		if err != nil {
-			log.Fatal().Err(err).Msg("Error accessing db")
-		}
-		for _, machine := range machinesAux {
-			for _, prefix := range machine.EnabledRoutes {
-				if err != nil {
-					log.Error().
-						Err(err).
-						Str("enabled_route", prefix.String()).
-						Msg("Error parsing enabled_route")
-
-					continue
-				}
-
-				err = db.Preload("Machine").
-					Where("machine_id = ? AND prefix = ?", machine.ID, IPPrefix(prefix)).
-					First(&Route{}).
-					Error
-				if err == nil {
-					log.Info().
-						Str("enabled_route", prefix.String()).
-						Msg("Route already migrated to new table, skipping")
-
-					continue
-				}
-
-				route := Route{
-					MachineID:  machine.ID,
-					Advertised: true,
-					Enabled:    true,
-					Prefix:     IPPrefix(prefix),
-				}
-				if err := h.db.Create(&route).Error; err != nil {
-					log.Error().Err(err).Msg("Error creating route")
-				} else {
-					log.Info().
-						Uint64("machine_id", route.MachineID).
-						Str("prefix", prefix.String()).
-						Msg("Route migrated")
-				}
-			}
-		}
-
-		err = db.Migrator().DropColumn(&Machine{}, "enabled_routes")
-		if err != nil {
-			log.Error().Err(err).Msg("Error dropping enabled_routes column")
-		}
-	}
-
-	err = db.AutoMigrate(&Machine{})
-	if err != nil {
-		return err
-	}
-
-	if db.Migrator().HasColumn(&Machine{}, "given_name") {
-		machines := Machines{}
-		if err := h.db.Find(&machines).Error; err != nil {
-			log.Error().Err(err).Msg("Error accessing db")
-		}
-
-		for item, machine := range machines {
-			if machine.GivenName == "" {
-				normalizedHostname, err := NormalizeToFQDNRules(
-					machine.Hostname,
-					h.cfg.OIDC.StripEmaildomain,
-				)
-				if err != nil {
-					log.Error().
-						Caller().
-						Str("hostname", machine.Hostname).
-						Err(err).
-						Msg("Failed to normalize machine hostname in DB migration")
-				}
-
-				err = h.RenameMachine(&machines[item], normalizedHostname)
-				if err != nil {
-					log.Error().
-						Caller().
-						Str("hostname", machine.Hostname).
-						Err(err).
-						Msg("Failed to save normalized machine name in DB migration")
-				}
-			}
-		}
-	}
-
-	err = db.AutoMigrate(&KV{})
-	if err != nil {
-		return err
-	}
-
-	err = db.AutoMigrate(&PreAuthKey{})
-	if err != nil {
-		return err
-	}
-
-	err = db.AutoMigrate(&PreAuthKeyACLTag{})
-	if err != nil {
-		return err
-	}
-
-	_ = db.Migrator().DropTable("shared_machines")
-
-	err = db.AutoMigrate(&APIKey{})
-	if err != nil {
-		return err
-	}
-
-	err = h.setValue("db_version", dbVersion)
-
-	return err
-}
-
-func (h *Headscale) openDB() (*gorm.DB, error) {
-	var db *gorm.DB
-	var err error
-
-	var log logger.Interface
-	if h.dbDebug {
-		log = logger.Default
-	} else {
-		log = logger.Default.LogMode(logger.Silent)
-	}
-
-	switch h.dbType {
-	case Sqlite:
-		db, err = gorm.Open(
-			sqlite.Open(h.dbString+"?_synchronous=1&_journal_mode=WAL"),
-			&gorm.Config{
-				DisableForeignKeyConstraintWhenMigrating: true,
-				Logger:                                   log,
-			},
-		)
-
-		db.Exec("PRAGMA foreign_keys=ON")
-
-		// The pure Go SQLite library does not handle locking in
-		// the same way as the C based one and we cant use the gorm
-		// connection pool as of 2022/02/23.
-		sqlDB, _ := db.DB()
-		sqlDB.SetMaxIdleConns(1)
-		sqlDB.SetMaxOpenConns(1)
-		sqlDB.SetConnMaxIdleTime(time.Hour)
-
-	case Postgres:
-		db, err = gorm.Open(postgres.Open(h.dbString), &gorm.Config{
-			DisableForeignKeyConstraintWhenMigrating: true,
-			Logger:                                   log,
-		})
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	return db, nil
-}
-
-// getValue returns the value for the given key in KV.
-func (h *Headscale) getValue(key string) (string, error) {
-	var row KV
-	if result := h.db.First(&row, "key = ?", key); errors.Is(
-		result.Error,
-		gorm.ErrRecordNotFound,
-	) {
-		return "", errValueNotFound
-	}
-
-	return row.Value, nil
-}
-
-// setValue sets value for the given key in KV.
-func (h *Headscale) setValue(key string, value string) error {
-	keyValue := KV{
-		Key:   key,
-		Value: value,
-	}
-
-	if _, err := h.getValue(key); err == nil {
-		h.db.Model(&keyValue).Where("key = ?", key).Update("value", value)
-
-		return nil
-	}
-
-	if err := h.db.Create(keyValue).Error; err != nil {
-		return fmt.Errorf("failed to create key value pair in the database: %w", err)
-	}
-
-	return nil
-}
-
-func (h *Headscale) pingDB(ctx context.Context) error {
-	ctx, cancel := context.WithTimeout(ctx, time.Second)
-	defer cancel()
-	db, err := h.db.DB()
-	if err != nil {
-		return err
-	}
-
-	return db.PingContext(ctx)
-}
-
-// This is a "wrapper" type around tailscales
-// Hostinfo to allow us to add database "serialization"
-// methods. This allows us to use a typed values throughout
-// the code and not have to marshal/unmarshal and error
-// check all over the code.
-type HostInfo tailcfg.Hostinfo
-
-func (hi *HostInfo) Scan(destination interface{}) error {
-	switch value := destination.(type) {
-	case []byte:
-		return json.Unmarshal(value, hi)
-
-	case string:
-		return json.Unmarshal([]byte(value), hi)
-
-	default:
-		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
-	}
-}
-
-// Value return json value, implement driver.Valuer interface.
-func (hi HostInfo) Value() (driver.Value, error) {
-	bytes, err := json.Marshal(hi)
-
-	return string(bytes), err
-}
-
-type IPPrefix netip.Prefix
-
-func (i *IPPrefix) Scan(destination interface{}) error {
-	switch value := destination.(type) {
-	case string:
-		prefix, err := netip.ParsePrefix(value)
-		if err != nil {
-			return err
-		}
-		*i = IPPrefix(prefix)
-
-		return nil
-	default:
-		return fmt.Errorf("%w: unexpected data type %T", ErrCannotParsePrefix, destination)
-	}
-}
-
-// Value return json value, implement driver.Valuer interface.
-func (i IPPrefix) Value() (driver.Value, error) {
-	prefixStr := netip.Prefix(i).String()
-
-	return prefixStr, nil
-}
-
-type IPPrefixes []netip.Prefix
-
-func (i *IPPrefixes) Scan(destination interface{}) error {
-	switch value := destination.(type) {
-	case []byte:
-		return json.Unmarshal(value, i)
-
-	case string:
-		return json.Unmarshal([]byte(value), i)
-
-	default:
-		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
-	}
-}
-
-// Value return json value, implement driver.Valuer interface.
-func (i IPPrefixes) Value() (driver.Value, error) {
-	bytes, err := json.Marshal(i)
-
-	return string(bytes), err
-}
-
-type StringList []string
-
-func (i *StringList) Scan(destination interface{}) error {
-	switch value := destination.(type) {
-	case []byte:
-		return json.Unmarshal(value, i)
-
-	case string:
-		return json.Unmarshal([]byte(value), i)
-
-	default:
-		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
-	}
-}
-
-// Value return json value, implement driver.Valuer interface.
-func (i StringList) Value() (driver.Value, error) {
-	bytes, err := json.Marshal(i)
-
-	return string(bytes), err
-}

hscontrol/db/addresses.go

@@ -0,0 +1,99 @@
+// Codehere is mostly taken from github.com/tailscale/tailscale
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package db
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"go4.org/netipx"
+)
+
+var ErrCouldNotAllocateIP = errors.New("could not find any suitable IP")
+
+func (hsdb *HSDatabase) getAvailableIPs() (types.MachineAddresses, error) {
+	var ips types.MachineAddresses
+	var err error
+	for _, ipPrefix := range hsdb.ipPrefixes {
+		var ip *netip.Addr
+		ip, err = hsdb.getAvailableIP(ipPrefix)
+		if err != nil {
+			return ips, err
+		}
+		ips = append(ips, *ip)
+	}
+
+	return ips, err
+}
+
+func (hsdb *HSDatabase) getAvailableIP(ipPrefix netip.Prefix) (*netip.Addr, error) {
+	usedIps, err := hsdb.getUsedIPs()
+	if err != nil {
+		return nil, err
+	}
+
+	ipPrefixNetworkAddress, ipPrefixBroadcastAddress := util.GetIPPrefixEndpoints(ipPrefix)
+
+	// Get the first IP in our prefix
+	ip := ipPrefixNetworkAddress.Next()
+
+	for {
+		if !ipPrefix.Contains(ip) {
+			return nil, ErrCouldNotAllocateIP
+		}
+
+		switch {
+		case ip.Compare(ipPrefixBroadcastAddress) == 0:
+			fallthrough
+		case usedIps.Contains(ip):
+			fallthrough
+		case ip == netip.Addr{} || ip.IsLoopback():
+			ip = ip.Next()
+
+			continue
+
+		default:
+			return &ip, nil
+		}
+	}
+}
+
+func (hsdb *HSDatabase) getUsedIPs() (*netipx.IPSet, error) {
+	// FIXME: This really deserves a better data model,
+	// but this was quick to get running and it should be enough
+	// to begin experimenting with a dual stack tailnet.
+	var addressesSlices []string
+	hsdb.db.Model(&types.Machine{}).Pluck("ip_addresses", &addressesSlices)
+
+	var ips netipx.IPSetBuilder
+	for _, slice := range addressesSlices {
+		var machineAddresses types.MachineAddresses
+		err := machineAddresses.Scan(slice)
+		if err != nil {
+			return &netipx.IPSet{}, fmt.Errorf(
+				"failed to read ip from database: %w",
+				err,
+			)
+		}
+
+		for _, ip := range machineAddresses {
+			ips.Add(ip)
+		}
+	}
+
+	ipSet, err := ips.IPSet()
+	if err != nil {
+		return &netipx.IPSet{}, fmt.Errorf(
+			"failed to build IP Set: %w",
+			err,
+		)
+	}
+
+	return ipSet, nil
+}

hscontrol/db/addresses_test.go

@@ -1,14 +1,16 @@
-package hscontrol
+package db
 
 import (
 	"net/netip"
 
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"go4.org/netipx"
 	"gopkg.in/check.v1"
 )
 
 func (s *Suite) TestGetAvailableIp(c *check.C) {
-	ips, err := app.getAvailableIPs()
+	ips, err := db.getAvailableIPs()
 
 	c.Assert(err, check.IsNil)
 
@@ -19,32 +21,32 @@ func (s *Suite) TestGetAvailableIp(c *check.C) {
 }
 
 func (s *Suite) TestGetUsedIps(c *check.C) {
-	ips, err := app.getAvailableIPs()
+	ips, err := db.getAvailableIPs()
 	c.Assert(err, check.IsNil)
 
-	user, err := app.CreateUser("test-ip")
+	user, err := db.CreateUser("test-ip")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
-	_, err = app.GetMachine("test", "testmachine")
+	_, err = db.GetMachine("test", "testmachine")
 	c.Assert(err, check.NotNil)
 
-	machine := Machine{
+	machine := types.Machine{
 		ID:             0,
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Hostname:       "testmachine",
 		UserID:         user.ID,
-		RegisterMethod: RegisterMethodAuthKey,
+		RegisterMethod: util.RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
 		IPAddresses:    ips,
 	}
-	app.db.Save(&machine)
+	db.db.Save(&machine)
 
-	usedIps, err := app.getUsedIPs()
+	usedIps, err := db.getUsedIPs()
 
 	c.Assert(err, check.IsNil)
 
@@ -56,46 +58,48 @@ func (s *Suite) TestGetUsedIps(c *check.C) {
 	c.Assert(usedIps.Equal(expectedIPSet), check.Equals, true)
 	c.Assert(usedIps.Contains(expected), check.Equals, true)
 
-	machine1, err := app.GetMachineByID(0)
+	machine1, err := db.GetMachineByID(0)
 	c.Assert(err, check.IsNil)
 
 	c.Assert(len(machine1.IPAddresses), check.Equals, 1)
 	c.Assert(machine1.IPAddresses[0], check.Equals, expected)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
 }
 
 func (s *Suite) TestGetMultiIp(c *check.C) {
-	user, err := app.CreateUser("test-ip-multi")
+	user, err := db.CreateUser("test-ip-multi")
 	c.Assert(err, check.IsNil)
 
 	for index := 1; index <= 350; index++ {
-		app.ipAllocationMutex.Lock()
+		db.ipAllocationMutex.Lock()
 
-		ips, err := app.getAvailableIPs()
+		ips, err := db.getAvailableIPs()
 		c.Assert(err, check.IsNil)
 
-		pak, err := app.CreatePreAuthKey(user.Name, false, false, nil, nil)
+		pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
 		c.Assert(err, check.IsNil)
 
-		_, err = app.GetMachine("test", "testmachine")
+		_, err = db.GetMachine("test", "testmachine")
 		c.Assert(err, check.NotNil)
 
-		machine := Machine{
+		machine := types.Machine{
 			ID:             uint64(index),
 			MachineKey:     "foo",
 			NodeKey:        "bar",
 			DiscoKey:       "faa",
 			Hostname:       "testmachine",
 			UserID:         user.ID,
-			RegisterMethod: RegisterMethodAuthKey,
+			RegisterMethod: util.RegisterMethodAuthKey,
 			AuthKeyID:      uint(pak.ID),
 			IPAddresses:    ips,
 		}
-		app.db.Save(&machine)
+		db.db.Save(&machine)
 
-		app.ipAllocationMutex.Unlock()
+		db.ipAllocationMutex.Unlock()
 	}
 
-	usedIps, err := app.getUsedIPs()
+	usedIps, err := db.getUsedIPs()
 	c.Assert(err, check.IsNil)
 
 	expected0 := netip.MustParseAddr("10.27.0.1")
@@ -117,7 +121,7 @@ func (s *Suite) TestGetMultiIp(c *check.C) {
 	c.Assert(usedIps.Contains(expected300), check.Equals, true)
 
 	// Check that we can read back the IPs
-	machine1, err := app.GetMachineByID(1)
+	machine1, err := db.GetMachineByID(1)
 	c.Assert(err, check.IsNil)
 	c.Assert(len(machine1.IPAddresses), check.Equals, 1)
 	c.Assert(
@@ -126,7 +130,7 @@ func (s *Suite) TestGetMultiIp(c *check.C) {
 		netip.MustParseAddr("10.27.0.1"),
 	)
 
-	machine50, err := app.GetMachineByID(50)
+	machine50, err := db.GetMachineByID(50)
 	c.Assert(err, check.IsNil)
 	c.Assert(len(machine50.IPAddresses), check.Equals, 1)
 	c.Assert(
@@ -136,7 +140,7 @@ func (s *Suite) TestGetMultiIp(c *check.C) {
 	)
 
 	expectedNextIP := netip.MustParseAddr("10.27.1.95")
-	nextIP, err := app.getAvailableIPs()
+	nextIP, err := db.getAvailableIPs()
 	c.Assert(err, check.IsNil)
 
 	c.Assert(len(nextIP), check.Equals, 1)
@@ -144,15 +148,17 @@ func (s *Suite) TestGetMultiIp(c *check.C) {
 
 	// If we call get Available again, we should receive
 	// the same IP, as it has not been reserved.
-	nextIP2, err := app.getAvailableIPs()
+	nextIP2, err := db.getAvailableIPs()
 	c.Assert(err, check.IsNil)
 
 	c.Assert(len(nextIP2), check.Equals, 1)
 	c.Assert(nextIP2[0].String(), check.Equals, expectedNextIP.String())
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
 }
 
 func (s *Suite) TestGetAvailableIpMachineWithoutIP(c *check.C) {
-	ips, err := app.getAvailableIPs()
+	ips, err := db.getAvailableIPs()
 	c.Assert(err, check.IsNil)
 
 	expected := netip.MustParseAddr("10.27.0.1")
@@ -160,42 +166,32 @@ func (s *Suite) TestGetAvailableIpMachineWithoutIP(c *check.C) {
 	c.Assert(len(ips), check.Equals, 1)
 	c.Assert(ips[0].String(), check.Equals, expected.String())
 
-	user, err := app.CreateUser("test-ip")
+	user, err := db.CreateUser("test-ip")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
-	_, err = app.GetMachine("test", "testmachine")
+	_, err = db.GetMachine("test", "testmachine")
 	c.Assert(err, check.NotNil)
 
-	machine := Machine{
+	machine := types.Machine{
 		ID:             0,
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Hostname:       "testmachine",
 		UserID:         user.ID,
-		RegisterMethod: RegisterMethodAuthKey,
+		RegisterMethod: util.RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
 	}
-	app.db.Save(&machine)
+	db.db.Save(&machine)
 
-	ips2, err := app.getAvailableIPs()
+	ips2, err := db.getAvailableIPs()
 	c.Assert(err, check.IsNil)
 
 	c.Assert(len(ips2), check.Equals, 1)
 	c.Assert(ips2[0].String(), check.Equals, expected.String())
-}
 
-func (s *Suite) TestGenerateRandomStringDNSSafe(c *check.C) {
-	for i := 0; i < 100000; i++ {
-		str, err := GenerateRandomStringDNSSafe(8)
-		if err != nil {
-			c.Error(err)
-		}
-		if len(str) != 8 {
-			c.Error("invalid length", len(str), str)
-		}
-	}
+	c.Assert(channelUpdates, check.Equals, int32(0))
 }

hscontrol/db/api_key.go

@@ -0,0 +1,125 @@
+package db
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"golang.org/x/crypto/bcrypt"
+)
+
+const (
+	apiPrefixLength = 7
+	apiKeyLength    = 32
+)
+
+var ErrAPIKeyFailedToParse = errors.New("failed to parse ApiKey")
+
+// CreateAPIKey creates a new ApiKey in a user, and returns it.
+func (hsdb *HSDatabase) CreateAPIKey(
+	expiration *time.Time,
+) (string, *types.APIKey, error) {
+	prefix, err := util.GenerateRandomStringURLSafe(apiPrefixLength)
+	if err != nil {
+		return "", nil, err
+	}
+
+	toBeHashed, err := util.GenerateRandomStringURLSafe(apiKeyLength)
+	if err != nil {
+		return "", nil, err
+	}
+
+	// Key to return to user, this will only be visible _once_
+	keyStr := prefix + "." + toBeHashed
+
+	hash, err := bcrypt.GenerateFromPassword([]byte(toBeHashed), bcrypt.DefaultCost)
+	if err != nil {
+		return "", nil, err
+	}
+
+	key := types.APIKey{
+		Prefix:     prefix,
+		Hash:       hash,
+		Expiration: expiration,
+	}
+
+	if err := hsdb.db.Save(&key).Error; err != nil {
+		return "", nil, fmt.Errorf("failed to save API key to database: %w", err)
+	}
+
+	return keyStr, &key, nil
+}
+
+// ListAPIKeys returns the list of ApiKeys for a user.
+func (hsdb *HSDatabase) ListAPIKeys() ([]types.APIKey, error) {
+	keys := []types.APIKey{}
+	if err := hsdb.db.Find(&keys).Error; err != nil {
+		return nil, err
+	}
+
+	return keys, nil
+}
+
+// GetAPIKey returns a ApiKey for a given key.
+func (hsdb *HSDatabase) GetAPIKey(prefix string) (*types.APIKey, error) {
+	key := types.APIKey{}
+	if result := hsdb.db.First(&key, "prefix = ?", prefix); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &key, nil
+}
+
+// GetAPIKeyByID returns a ApiKey for a given id.
+func (hsdb *HSDatabase) GetAPIKeyByID(id uint64) (*types.APIKey, error) {
+	key := types.APIKey{}
+	if result := hsdb.db.Find(&types.APIKey{ID: id}).First(&key); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &key, nil
+}
+
+// DestroyAPIKey destroys a ApiKey. Returns error if the ApiKey
+// does not exist.
+func (hsdb *HSDatabase) DestroyAPIKey(key types.APIKey) error {
+	if result := hsdb.db.Unscoped().Delete(key); result.Error != nil {
+		return result.Error
+	}
+
+	return nil
+}
+
+// ExpireAPIKey marks a ApiKey as expired.
+func (hsdb *HSDatabase) ExpireAPIKey(key *types.APIKey) error {
+	if err := hsdb.db.Model(&key).Update("Expiration", time.Now()).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (hsdb *HSDatabase) ValidateAPIKey(keyStr string) (bool, error) {
+	prefix, hash, found := strings.Cut(keyStr, ".")
+	if !found {
+		return false, ErrAPIKeyFailedToParse
+	}
+
+	key, err := hsdb.GetAPIKey(prefix)
+	if err != nil {
+		return false, fmt.Errorf("failed to validate api key: %w", err)
+	}
+
+	if key.Expiration.Before(time.Now()) {
+		return false, nil
+	}
+
+	if err := bcrypt.CompareHashAndPassword(key.Hash, []byte(hash)); err != nil {
+		return false, err
+	}
+
+	return true, nil
+}

hscontrol/db/api_key_test.go

@@ -1,4 +1,4 @@
-package hscontrol
+package db
 
 import (
 	"time"
@@ -7,7 +7,7 @@ import (
 )
 
 func (*Suite) TestCreateAPIKey(c *check.C) {
-	apiKeyStr, apiKey, err := app.CreateAPIKey(nil)
+	apiKeyStr, apiKey, err := db.CreateAPIKey(nil)
 	c.Assert(err, check.IsNil)
 	c.Assert(apiKey, check.NotNil)
 
@@ -16,74 +16,82 @@ func (*Suite) TestCreateAPIKey(c *check.C) {
 	c.Assert(apiKey.Hash, check.NotNil)
 	c.Assert(apiKeyStr, check.Not(check.Equals), "")
 
-	_, err = app.ListAPIKeys()
+	_, err = db.ListAPIKeys()
 	c.Assert(err, check.IsNil)
 
-	keys, err := app.ListAPIKeys()
+	keys, err := db.ListAPIKeys()
 	c.Assert(err, check.IsNil)
 	c.Assert(len(keys), check.Equals, 1)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
 }
 
 func (*Suite) TestAPIKeyDoesNotExist(c *check.C) {
-	key, err := app.GetAPIKey("does-not-exist")
+	key, err := db.GetAPIKey("does-not-exist")
 	c.Assert(err, check.NotNil)
 	c.Assert(key, check.IsNil)
 }
 
 func (*Suite) TestValidateAPIKeyOk(c *check.C) {
 	nowPlus2 := time.Now().Add(2 * time.Hour)
-	apiKeyStr, apiKey, err := app.CreateAPIKey(&nowPlus2)
+	apiKeyStr, apiKey, err := db.CreateAPIKey(&nowPlus2)
 	c.Assert(err, check.IsNil)
 	c.Assert(apiKey, check.NotNil)
 
-	valid, err := app.ValidateAPIKey(apiKeyStr)
+	valid, err := db.ValidateAPIKey(apiKeyStr)
 	c.Assert(err, check.IsNil)
 	c.Assert(valid, check.Equals, true)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
 }
 
 func (*Suite) TestValidateAPIKeyNotOk(c *check.C) {
 	nowMinus2 := time.Now().Add(time.Duration(-2) * time.Hour)
-	apiKeyStr, apiKey, err := app.CreateAPIKey(&nowMinus2)
+	apiKeyStr, apiKey, err := db.CreateAPIKey(&nowMinus2)
 	c.Assert(err, check.IsNil)
 	c.Assert(apiKey, check.NotNil)
 
-	valid, err := app.ValidateAPIKey(apiKeyStr)
+	valid, err := db.ValidateAPIKey(apiKeyStr)
 	c.Assert(err, check.IsNil)
 	c.Assert(valid, check.Equals, false)
 
 	now := time.Now()
-	apiKeyStrNow, apiKey, err := app.CreateAPIKey(&now)
+	apiKeyStrNow, apiKey, err := db.CreateAPIKey(&now)
 	c.Assert(err, check.IsNil)
 	c.Assert(apiKey, check.NotNil)
 
-	validNow, err := app.ValidateAPIKey(apiKeyStrNow)
+	validNow, err := db.ValidateAPIKey(apiKeyStrNow)
 	c.Assert(err, check.IsNil)
 	c.Assert(validNow, check.Equals, false)
 
-	validSilly, err := app.ValidateAPIKey("nota.validkey")
+	validSilly, err := db.ValidateAPIKey("nota.validkey")
 	c.Assert(err, check.NotNil)
 	c.Assert(validSilly, check.Equals, false)
 
-	validWithErr, err := app.ValidateAPIKey("produceerrorkey")
+	validWithErr, err := db.ValidateAPIKey("produceerrorkey")
 	c.Assert(err, check.NotNil)
 	c.Assert(validWithErr, check.Equals, false)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
 }
 
 func (*Suite) TestExpireAPIKey(c *check.C) {
 	nowPlus2 := time.Now().Add(2 * time.Hour)
-	apiKeyStr, apiKey, err := app.CreateAPIKey(&nowPlus2)
+	apiKeyStr, apiKey, err := db.CreateAPIKey(&nowPlus2)
 	c.Assert(err, check.IsNil)
 	c.Assert(apiKey, check.NotNil)
 
-	valid, err := app.ValidateAPIKey(apiKeyStr)
+	valid, err := db.ValidateAPIKey(apiKeyStr)
 	c.Assert(err, check.IsNil)
 	c.Assert(valid, check.Equals, true)
 
-	err = app.ExpireAPIKey(apiKey)
+	err = db.ExpireAPIKey(apiKey)
 	c.Assert(err, check.IsNil)
 	c.Assert(apiKey.Expiration, check.NotNil)
 
-	notValid, err := app.ValidateAPIKey(apiKeyStr)
+	notValid, err := db.ValidateAPIKey(apiKeyStr)
 	c.Assert(err, check.IsNil)
 	c.Assert(notValid, check.Equals, false)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
 }

hscontrol/db/db.go

@@ -0,0 +1,355 @@
+package db
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+	"sync"
+	"time"
+
+	"github.com/glebarez/sqlite"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"github.com/rs/zerolog/log"
+	"gorm.io/driver/postgres"
+	"gorm.io/gorm"
+	"gorm.io/gorm/logger"
+)
+
+const (
+	dbVersion = "1"
+	Postgres  = "postgres"
+	Sqlite    = "sqlite3"
+)
+
+var (
+	errValueNotFound        = errors.New("not found")
+	errDatabaseNotSupported = errors.New("database type not supported")
+)
+
+// KV is a key-value store in a psql table. For future use...
+// TODO(kradalby): Is this used for anything?
+type KV struct {
+	Key   string
+	Value string
+}
+
+type HSDatabase struct {
+	db              *gorm.DB
+	notifyStateChan chan<- struct{}
+
+	ipAllocationMutex sync.Mutex
+
+	ipPrefixes []netip.Prefix
+	baseDomain string
+}
+
+// TODO(kradalby): assemble this struct from toptions or something typed
+// rather than arguments.
+func NewHeadscaleDatabase(
+	dbType, connectionAddr string,
+	debug bool,
+	notifyStateChan chan<- struct{},
+	ipPrefixes []netip.Prefix,
+	baseDomain string,
+) (*HSDatabase, error) {
+	dbConn, err := openDB(dbType, connectionAddr, debug)
+	if err != nil {
+		return nil, err
+	}
+
+	db := HSDatabase{
+		db:              dbConn,
+		notifyStateChan: notifyStateChan,
+
+		ipPrefixes: ipPrefixes,
+		baseDomain: baseDomain,
+	}
+
+	log.Debug().Msgf("database %#v", dbConn)
+
+	if dbType == Postgres {
+		dbConn.Exec(`create extension if not exists "uuid-ossp";`)
+	}
+
+	_ = dbConn.Migrator().RenameTable("namespaces", "users")
+
+	err = dbConn.AutoMigrate(types.User{})
+	if err != nil {
+		return nil, err
+	}
+
+	_ = dbConn.Migrator().RenameColumn(&types.Machine{}, "namespace_id", "user_id")
+	_ = dbConn.Migrator().RenameColumn(&types.PreAuthKey{}, "namespace_id", "user_id")
+
+	_ = dbConn.Migrator().RenameColumn(&types.Machine{}, "ip_address", "ip_addresses")
+	_ = dbConn.Migrator().RenameColumn(&types.Machine{}, "name", "hostname")
+
+	// GivenName is used as the primary source of DNS names, make sure
+	// the field is populated and normalized if it was not when the
+	// machine was registered.
+	_ = dbConn.Migrator().RenameColumn(&types.Machine{}, "nickname", "given_name")
+
+	// If the Machine table has a column for registered,
+	// find all occourences of "false" and drop them. Then
+	// remove the column.
+	if dbConn.Migrator().HasColumn(&types.Machine{}, "registered") {
+		log.Info().
+			Msg(`Database has legacy "registered" column in machine, removing...`)
+
+		machines := types.Machines{}
+		if err := dbConn.Not("registered").Find(&machines).Error; err != nil {
+			log.Error().Err(err).Msg("Error accessing db")
+		}
+
+		for _, machine := range machines {
+			log.Info().
+				Str("machine", machine.Hostname).
+				Str("machine_key", machine.MachineKey).
+				Msg("Deleting unregistered machine")
+			if err := dbConn.Delete(&types.Machine{}, machine.ID).Error; err != nil {
+				log.Error().
+					Err(err).
+					Str("machine", machine.Hostname).
+					Str("machine_key", machine.MachineKey).
+					Msg("Error deleting unregistered machine")
+			}
+		}
+
+		err := dbConn.Migrator().DropColumn(&types.Machine{}, "registered")
+		if err != nil {
+			log.Error().Err(err).Msg("Error dropping registered column")
+		}
+	}
+
+	err = dbConn.AutoMigrate(&types.Route{})
+	if err != nil {
+		return nil, err
+	}
+
+	if dbConn.Migrator().HasColumn(&types.Machine{}, "enabled_routes") {
+		log.Info().Msgf("Database has legacy enabled_routes column in machine, migrating...")
+
+		type MachineAux struct {
+			ID            uint64
+			EnabledRoutes types.IPPrefixes
+		}
+
+		machinesAux := []MachineAux{}
+		err := dbConn.Table("machines").Select("id, enabled_routes").Scan(&machinesAux).Error
+		if err != nil {
+			log.Fatal().Err(err).Msg("Error accessing db")
+		}
+		for _, machine := range machinesAux {
+			for _, prefix := range machine.EnabledRoutes {
+				if err != nil {
+					log.Error().
+						Err(err).
+						Str("enabled_route", prefix.String()).
+						Msg("Error parsing enabled_route")
+
+					continue
+				}
+
+				err = dbConn.Preload("Machine").
+					Where("machine_id = ? AND prefix = ?", machine.ID, types.IPPrefix(prefix)).
+					First(&types.Route{}).
+					Error
+				if err == nil {
+					log.Info().
+						Str("enabled_route", prefix.String()).
+						Msg("Route already migrated to new table, skipping")
+
+					continue
+				}
+
+				route := types.Route{
+					MachineID:  machine.ID,
+					Advertised: true,
+					Enabled:    true,
+					Prefix:     types.IPPrefix(prefix),
+				}
+				if err := dbConn.Create(&route).Error; err != nil {
+					log.Error().Err(err).Msg("Error creating route")
+				} else {
+					log.Info().
+						Uint64("machine_id", route.MachineID).
+						Str("prefix", prefix.String()).
+						Msg("Route migrated")
+				}
+			}
+		}
+
+		err = dbConn.Migrator().DropColumn(&types.Machine{}, "enabled_routes")
+		if err != nil {
+			log.Error().Err(err).Msg("Error dropping enabled_routes column")
+		}
+	}
+
+	err = dbConn.AutoMigrate(&types.Machine{})
+	if err != nil {
+		return nil, err
+	}
+
+	if dbConn.Migrator().HasColumn(&types.Machine{}, "given_name") {
+		machines := types.Machines{}
+		if err := dbConn.Find(&machines).Error; err != nil {
+			log.Error().Err(err).Msg("Error accessing db")
+		}
+
+		for item, machine := range machines {
+			if machine.GivenName == "" {
+				normalizedHostname, err := util.NormalizeToFQDNRulesConfigFromViper(
+					machine.Hostname,
+				)
+				if err != nil {
+					log.Error().
+						Caller().
+						Str("hostname", machine.Hostname).
+						Err(err).
+						Msg("Failed to normalize machine hostname in DB migration")
+				}
+
+				err = db.RenameMachine(&machines[item], normalizedHostname)
+				if err != nil {
+					log.Error().
+						Caller().
+						Str("hostname", machine.Hostname).
+						Err(err).
+						Msg("Failed to save normalized machine name in DB migration")
+				}
+			}
+		}
+	}
+
+	err = dbConn.AutoMigrate(&KV{})
+	if err != nil {
+		return nil, err
+	}
+
+	err = dbConn.AutoMigrate(&types.PreAuthKey{})
+	if err != nil {
+		return nil, err
+	}
+
+	err = dbConn.AutoMigrate(&types.PreAuthKeyACLTag{})
+	if err != nil {
+		return nil, err
+	}
+
+	_ = dbConn.Migrator().DropTable("shared_machines")
+
+	err = dbConn.AutoMigrate(&types.APIKey{})
+	if err != nil {
+		return nil, err
+	}
+
+	// TODO(kradalby): is this needed?
+	err = db.setValue("db_version", dbVersion)
+
+	return &db, err
+}
+
+func openDB(dbType, connectionAddr string, debug bool) (*gorm.DB, error) {
+	log.Debug().Str("type", dbType).Str("connection", connectionAddr).Msg("opening database")
+
+	var dbLogger logger.Interface
+	if debug {
+		dbLogger = logger.Default
+	} else {
+		dbLogger = logger.Default.LogMode(logger.Silent)
+	}
+
+	switch dbType {
+	case Sqlite:
+		db, err := gorm.Open(
+			sqlite.Open(connectionAddr+"?_synchronous=1&_journal_mode=WAL"),
+			&gorm.Config{
+				DisableForeignKeyConstraintWhenMigrating: true,
+				Logger:                                   dbLogger,
+			},
+		)
+
+		db.Exec("PRAGMA foreign_keys=ON")
+
+		// The pure Go SQLite library does not handle locking in
+		// the same way as the C based one and we cant use the gorm
+		// connection pool as of 2022/02/23.
+		sqlDB, _ := db.DB()
+		sqlDB.SetMaxIdleConns(1)
+		sqlDB.SetMaxOpenConns(1)
+		sqlDB.SetConnMaxIdleTime(time.Hour)
+
+		return db, err
+
+	case Postgres:
+		return gorm.Open(postgres.Open(connectionAddr), &gorm.Config{
+			DisableForeignKeyConstraintWhenMigrating: true,
+			Logger:                                   dbLogger,
+		})
+	}
+
+	return nil, fmt.Errorf(
+		"database of type %s is not supported: %w",
+		dbType,
+		errDatabaseNotSupported,
+	)
+}
+
+func (hsdb *HSDatabase) notifyStateChange() {
+	hsdb.notifyStateChan <- struct{}{}
+}
+
+// getValue returns the value for the given key in KV.
+func (hsdb *HSDatabase) getValue(key string) (string, error) {
+	var row KV
+	if result := hsdb.db.First(&row, "key = ?", key); errors.Is(
+		result.Error,
+		gorm.ErrRecordNotFound,
+	) {
+		return "", errValueNotFound
+	}
+
+	return row.Value, nil
+}
+
+// setValue sets value for the given key in KV.
+func (hsdb *HSDatabase) setValue(key string, value string) error {
+	keyValue := KV{
+		Key:   key,
+		Value: value,
+	}
+
+	if _, err := hsdb.getValue(key); err == nil {
+		hsdb.db.Model(&keyValue).Where("key = ?", key).Update("value", value)
+
+		return nil
+	}
+
+	if err := hsdb.db.Create(keyValue).Error; err != nil {
+		return fmt.Errorf("failed to create key value pair in the database: %w", err)
+	}
+
+	return nil
+}
+
+func (hsdb *HSDatabase) PingDB(ctx context.Context) error {
+	ctx, cancel := context.WithTimeout(ctx, time.Second)
+	defer cancel()
+	sqlDB, err := hsdb.db.DB()
+	if err != nil {
+		return err
+	}
+
+	return sqlDB.PingContext(ctx)
+}
+
+func (hsdb *HSDatabase) Close() error {
+	db, err := hsdb.db.DB()
+	if err != nil {
+		return err
+	}
+
+	return db.Close()
+}

hscontrol/db/machine.go

@@ -0,0 +1,776 @@
+package db
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"github.com/patrickmn/go-cache"
+	"github.com/rs/zerolog/log"
+	"gorm.io/gorm"
+	"tailscale.com/types/key"
+)
+
+const (
+	MachineGivenNameHashLength = 8
+	MachineGivenNameTrimSize   = 2
+)
+
+var (
+	ErrMachineNotFound                  = errors.New("machine not found")
+	ErrMachineRouteIsNotAvailable       = errors.New("route is not available on machine")
+	ErrMachineNotFoundRegistrationCache = errors.New(
+		"machine not found in registration cache",
+	)
+	ErrCouldNotConvertMachineInterface = errors.New("failed to convert machine interface")
+	ErrDifferentRegisteredUser         = errors.New(
+		"machine was previously registered with a different user",
+	)
+)
+
+// ListPeers returns all peers of machine, regardless of any Policy or if the node is expired.
+func (hsdb *HSDatabase) ListPeers(machine *types.Machine) (types.Machines, error) {
+	log.Trace().
+		Caller().
+		Str("machine", machine.Hostname).
+		Msg("Finding direct peers")
+
+	machines := types.Machines{}
+	if err := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		Where("node_key <> ?",
+			machine.NodeKey).Find(&machines).Error; err != nil {
+		return types.Machines{}, err
+	}
+
+	sort.Slice(machines, func(i, j int) bool { return machines[i].ID < machines[j].ID })
+
+	log.Trace().
+		Caller().
+		Str("machine", machine.Hostname).
+		Msgf("Found peers: %s", machines.String())
+
+	return machines, nil
+}
+
+func (hsdb *HSDatabase) ListMachines() ([]types.Machine, error) {
+	machines := []types.Machine{}
+	if err := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		Find(&machines).Error; err != nil {
+		return nil, err
+	}
+
+	return machines, nil
+}
+
+func (hsdb *HSDatabase) ListMachinesByGivenName(givenName string) (types.Machines, error) {
+	machines := types.Machines{}
+	if err := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		Where("given_name = ?", givenName).Find(&machines).Error; err != nil {
+		return nil, err
+	}
+
+	return machines, nil
+}
+
+// GetMachine finds a Machine by name and user and returns the Machine struct.
+func (hsdb *HSDatabase) GetMachine(user string, name string) (*types.Machine, error) {
+	machines, err := hsdb.ListMachinesByUser(user)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, m := range machines {
+		if m.Hostname == name {
+			return &m, nil
+		}
+	}
+
+	return nil, ErrMachineNotFound
+}
+
+// GetMachineByGivenName finds a Machine by given name and user and returns the Machine struct.
+func (hsdb *HSDatabase) GetMachineByGivenName(
+	user string,
+	givenName string,
+) (*types.Machine, error) {
+	machines, err := hsdb.ListMachinesByUser(user)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, m := range machines {
+		if m.GivenName == givenName {
+			return &m, nil
+		}
+	}
+
+	return nil, ErrMachineNotFound
+}
+
+// GetMachineByID finds a Machine by ID and returns the Machine struct.
+func (hsdb *HSDatabase) GetMachineByID(id uint64) (*types.Machine, error) {
+	mach := types.Machine{}
+	if result := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		Find(&types.Machine{ID: id}).First(&mach); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &mach, nil
+}
+
+// GetMachineByMachineKey finds a Machine by its MachineKey and returns the Machine struct.
+func (hsdb *HSDatabase) GetMachineByMachineKey(
+	machineKey key.MachinePublic,
+) (*types.Machine, error) {
+	mach := types.Machine{}
+	if result := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		First(&mach, "machine_key = ?", util.MachinePublicKeyStripPrefix(machineKey)); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &mach, nil
+}
+
+// GetMachineByNodeKey finds a Machine by its current NodeKey.
+func (hsdb *HSDatabase) GetMachineByNodeKey(
+	nodeKey key.NodePublic,
+) (*types.Machine, error) {
+	machine := types.Machine{}
+	if result := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		First(&machine, "node_key = ?",
+			util.NodePublicKeyStripPrefix(nodeKey)); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &machine, nil
+}
+
+// GetMachineByAnyNodeKey finds a Machine by its MachineKey, its current NodeKey or the old one, and returns the Machine struct.
+func (hsdb *HSDatabase) GetMachineByAnyKey(
+	machineKey key.MachinePublic, nodeKey key.NodePublic, oldNodeKey key.NodePublic,
+) (*types.Machine, error) {
+	machine := types.Machine{}
+	if result := hsdb.db.
+		Preload("AuthKey").
+		Preload("AuthKey.User").
+		Preload("User").
+		Preload("Routes").
+		First(&machine, "machine_key = ? OR node_key = ? OR node_key = ?",
+			util.MachinePublicKeyStripPrefix(machineKey),
+			util.NodePublicKeyStripPrefix(nodeKey),
+			util.NodePublicKeyStripPrefix(oldNodeKey)); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &machine, nil
+}
+
+// TODO(kradalby): rename this, it sounds like a mix of getting and setting to db
+// UpdateMachineFromDatabase takes a Machine struct pointer (typically already loaded from database
+// and updates it with the latest data from the database.
+func (hsdb *HSDatabase) UpdateMachineFromDatabase(machine *types.Machine) error {
+	if result := hsdb.db.Find(machine).First(&machine); result.Error != nil {
+		return result.Error
+	}
+
+	return nil
+}
+
+// SetTags takes a Machine struct pointer and update the forced tags.
+func (hsdb *HSDatabase) SetTags(
+	machine *types.Machine,
+	tags []string,
+) error {
+	newTags := []string{}
+	for _, tag := range tags {
+		if !util.StringOrPrefixListContains(newTags, tag) {
+			newTags = append(newTags, tag)
+		}
+	}
+	machine.ForcedTags = newTags
+
+	hsdb.notifyStateChange()
+
+	if err := hsdb.db.Save(machine).Error; err != nil {
+		return fmt.Errorf("failed to update tags for machine in the database: %w", err)
+	}
+
+	return nil
+}
+
+// ExpireMachine takes a Machine struct and sets the expire field to now.
+func (hsdb *HSDatabase) ExpireMachine(machine *types.Machine) error {
+	now := time.Now()
+	machine.Expiry = &now
+
+	hsdb.notifyStateChange()
+
+	if err := hsdb.db.Save(machine).Error; err != nil {
+		return fmt.Errorf("failed to expire machine in the database: %w", err)
+	}
+
+	return nil
+}
+
+// RenameMachine takes a Machine struct and a new GivenName for the machines
+// and renames it.
+func (hsdb *HSDatabase) RenameMachine(machine *types.Machine, newName string) error {
+	err := util.CheckForFQDNRules(
+		newName,
+	)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "RenameMachine").
+			Str("machine", machine.Hostname).
+			Str("newName", newName).
+			Err(err)
+
+		return err
+	}
+	machine.GivenName = newName
+
+	hsdb.notifyStateChange()
+
+	if err := hsdb.db.Save(machine).Error; err != nil {
+		return fmt.Errorf("failed to rename machine in the database: %w", err)
+	}
+
+	return nil
+}
+
+// RefreshMachine takes a Machine struct and  a new expiry time.
+func (hsdb *HSDatabase) RefreshMachine(machine *types.Machine, expiry time.Time) error {
+	now := time.Now()
+
+	machine.LastSuccessfulUpdate = &now
+	machine.Expiry = &expiry
+
+	hsdb.notifyStateChange()
+
+	if err := hsdb.db.Save(machine).Error; err != nil {
+		return fmt.Errorf(
+			"failed to refresh machine (update expiration) in the database: %w",
+			err,
+		)
+	}
+
+	return nil
+}
+
+// DeleteMachine softs deletes a Machine from the database.
+func (hsdb *HSDatabase) DeleteMachine(machine *types.Machine) error {
+	err := hsdb.DeleteMachineRoutes(machine)
+	if err != nil {
+		return err
+	}
+
+	if err := hsdb.db.Delete(&machine).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (hsdb *HSDatabase) TouchMachine(machine *types.Machine) error {
+	return hsdb.db.Updates(types.Machine{
+		ID:                   machine.ID,
+		LastSeen:             machine.LastSeen,
+		LastSuccessfulUpdate: machine.LastSuccessfulUpdate,
+	}).Error
+}
+
+// HardDeleteMachine hard deletes a Machine from the database.
+func (hsdb *HSDatabase) HardDeleteMachine(machine *types.Machine) error {
+	err := hsdb.DeleteMachineRoutes(machine)
+	if err != nil {
+		return err
+	}
+
+	if err := hsdb.db.Unscoped().Delete(&machine).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (hsdb *HSDatabase) IsOutdated(machine *types.Machine, lastChange time.Time) bool {
+	if err := hsdb.UpdateMachineFromDatabase(machine); err != nil {
+		// It does not seem meaningful to propagate this error as the end result
+		// will have to be that the machine has to be considered outdated.
+		return true
+	}
+
+	// Get the last update from all headscale users to compare with our nodes
+	// last update.
+	// TODO(kradalby): Only request updates from users where we can talk to nodes
+	// This would mostly be for a bit of performance, and can be calculated based on
+	// ACLs.
+	lastUpdate := machine.CreatedAt
+	if machine.LastSuccessfulUpdate != nil {
+		lastUpdate = *machine.LastSuccessfulUpdate
+	}
+	log.Trace().
+		Caller().
+		Str("machine", machine.Hostname).
+		Time("last_successful_update", lastChange).
+		Time("last_state_change", lastUpdate).
+		Msgf("Checking if %s is missing updates", machine.Hostname)
+
+	return lastUpdate.Before(lastChange)
+}
+
+func (hsdb *HSDatabase) RegisterMachineFromAuthCallback(
+	cache *cache.Cache,
+	nodeKeyStr string,
+	userName string,
+	machineExpiry *time.Time,
+	registrationMethod string,
+) (*types.Machine, error) {
+	nodeKey := key.NodePublic{}
+	err := nodeKey.UnmarshalText([]byte(nodeKeyStr))
+	if err != nil {
+		return nil, err
+	}
+
+	log.Debug().
+		Str("nodeKey", nodeKey.ShortString()).
+		Str("userName", userName).
+		Str("registrationMethod", registrationMethod).
+		Str("expiresAt", fmt.Sprintf("%v", machineExpiry)).
+		Msg("Registering machine from API/CLI or auth callback")
+
+	if machineInterface, ok := cache.Get(util.NodePublicKeyStripPrefix(nodeKey)); ok {
+		if registrationMachine, ok := machineInterface.(types.Machine); ok {
+			user, err := hsdb.GetUser(userName)
+			if err != nil {
+				return nil, fmt.Errorf(
+					"failed to find user in register machine from auth callback, %w",
+					err,
+				)
+			}
+
+			// Registration of expired machine with different user
+			if registrationMachine.ID != 0 &&
+				registrationMachine.UserID != user.ID {
+				return nil, ErrDifferentRegisteredUser
+			}
+
+			registrationMachine.UserID = user.ID
+			registrationMachine.RegisterMethod = registrationMethod
+
+			if machineExpiry != nil {
+				registrationMachine.Expiry = machineExpiry
+			}
+
+			machine, err := hsdb.RegisterMachine(
+				registrationMachine,
+			)
+
+			if err == nil {
+				cache.Delete(nodeKeyStr)
+			}
+
+			return machine, err
+		} else {
+			return nil, ErrCouldNotConvertMachineInterface
+		}
+	}
+
+	return nil, ErrMachineNotFoundRegistrationCache
+}
+
+// RegisterMachine is executed from the CLI to register a new Machine using its MachineKey.
+func (hsdb *HSDatabase) RegisterMachine(machine types.Machine,
+) (*types.Machine, error) {
+	log.Debug().
+		Str("machine", machine.Hostname).
+		Str("machine_key", machine.MachineKey).
+		Str("node_key", machine.NodeKey).
+		Str("user", machine.User.Name).
+		Msg("Registering machine")
+
+	// If the machine exists and we had already IPs for it, we just save it
+	// so we store the machine.Expire and machine.Nodekey that has been set when
+	// adding it to the registrationCache
+	if len(machine.IPAddresses) > 0 {
+		if err := hsdb.db.Save(&machine).Error; err != nil {
+			return nil, fmt.Errorf("failed register existing machine in the database: %w", err)
+		}
+
+		log.Trace().
+			Caller().
+			Str("machine", machine.Hostname).
+			Str("machine_key", machine.MachineKey).
+			Str("node_key", machine.NodeKey).
+			Str("user", machine.User.Name).
+			Msg("Machine authorized again")
+
+		return &machine, nil
+	}
+
+	hsdb.ipAllocationMutex.Lock()
+	defer hsdb.ipAllocationMutex.Unlock()
+
+	ips, err := hsdb.getAvailableIPs()
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Str("machine", machine.Hostname).
+			Msg("Could not find IP for the new machine")
+
+		return nil, err
+	}
+
+	machine.IPAddresses = ips
+
+	if err := hsdb.db.Save(&machine).Error; err != nil {
+		return nil, fmt.Errorf("failed register(save) machine in the database: %w", err)
+	}
+
+	log.Trace().
+		Caller().
+		Str("machine", machine.Hostname).
+		Str("ip", strings.Join(ips.StringSlice(), ",")).
+		Msg("Machine registered with the database")
+
+	return &machine, nil
+}
+
+// MachineSetNodeKey sets the node key of a machine and saves it to the database.
+func (hsdb *HSDatabase) MachineSetNodeKey(machine *types.Machine, nodeKey key.NodePublic) error {
+	machine.NodeKey = util.NodePublicKeyStripPrefix(nodeKey)
+
+	if err := hsdb.db.Save(machine).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MachineSetMachineKey sets the machine key of a machine and saves it to the database.
+func (hsdb *HSDatabase) MachineSetMachineKey(
+	machine *types.Machine,
+	nodeKey key.MachinePublic,
+) error {
+	machine.MachineKey = util.MachinePublicKeyStripPrefix(nodeKey)
+
+	if err := hsdb.db.Save(machine).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// MachineSave saves a machine object to the database, prefer to use a specific save method rather
+// than this. It is intended to be used when we are changing or.
+func (hsdb *HSDatabase) MachineSave(machine *types.Machine) error {
+	if err := hsdb.db.Save(machine).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// GetAdvertisedRoutes returns the routes that are be advertised by the given machine.
+func (hsdb *HSDatabase) GetAdvertisedRoutes(machine *types.Machine) ([]netip.Prefix, error) {
+	routes := types.Routes{}
+
+	err := hsdb.db.
+		Preload("Machine").
+		Where("machine_id = ? AND advertised = ?", machine.ID, true).Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Error().
+			Caller().
+			Err(err).
+			Str("machine", machine.Hostname).
+			Msg("Could not get advertised routes for machine")
+
+		return nil, err
+	}
+
+	prefixes := []netip.Prefix{}
+	for _, route := range routes {
+		prefixes = append(prefixes, netip.Prefix(route.Prefix))
+	}
+
+	return prefixes, nil
+}
+
+// GetEnabledRoutes returns the routes that are enabled for the machine.
+func (hsdb *HSDatabase) GetEnabledRoutes(machine *types.Machine) ([]netip.Prefix, error) {
+	routes := types.Routes{}
+
+	err := hsdb.db.
+		Preload("Machine").
+		Where("machine_id = ? AND advertised = ? AND enabled = ?", machine.ID, true, true).
+		Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Error().
+			Caller().
+			Err(err).
+			Str("machine", machine.Hostname).
+			Msg("Could not get enabled routes for machine")
+
+		return nil, err
+	}
+
+	prefixes := []netip.Prefix{}
+	for _, route := range routes {
+		prefixes = append(prefixes, netip.Prefix(route.Prefix))
+	}
+
+	return prefixes, nil
+}
+
+func (hsdb *HSDatabase) IsRoutesEnabled(machine *types.Machine, routeStr string) bool {
+	route, err := netip.ParsePrefix(routeStr)
+	if err != nil {
+		return false
+	}
+
+	enabledRoutes, err := hsdb.GetEnabledRoutes(machine)
+	if err != nil {
+		log.Error().Err(err).Msg("Could not get enabled routes")
+
+		return false
+	}
+
+	for _, enabledRoute := range enabledRoutes {
+		if route == enabledRoute {
+			return true
+		}
+	}
+
+	return false
+}
+
+// enableRoutes enables new routes based on a list of new routes.
+func (hsdb *HSDatabase) enableRoutes(machine *types.Machine, routeStrs ...string) error {
+	newRoutes := make([]netip.Prefix, len(routeStrs))
+	for index, routeStr := range routeStrs {
+		route, err := netip.ParsePrefix(routeStr)
+		if err != nil {
+			return err
+		}
+
+		newRoutes[index] = route
+	}
+
+	advertisedRoutes, err := hsdb.GetAdvertisedRoutes(machine)
+	if err != nil {
+		return err
+	}
+
+	for _, newRoute := range newRoutes {
+		if !util.StringOrPrefixListContains(advertisedRoutes, newRoute) {
+			return fmt.Errorf(
+				"route (%s) is not available on node %s: %w",
+				machine.Hostname,
+				newRoute, ErrMachineRouteIsNotAvailable,
+			)
+		}
+	}
+
+	// Separate loop so we don't leave things in a half-updated state
+	for _, prefix := range newRoutes {
+		route := types.Route{}
+		err := hsdb.db.Preload("Machine").
+			Where("machine_id = ? AND prefix = ?", machine.ID, types.IPPrefix(prefix)).
+			First(&route).Error
+		if err == nil {
+			route.Enabled = true
+
+			// Mark already as primary if there is only this node offering this subnet
+			// (and is not an exit route)
+			if !route.IsExitRoute() {
+				route.IsPrimary = hsdb.isUniquePrefix(route)
+			}
+
+			err = hsdb.db.Save(&route).Error
+			if err != nil {
+				return fmt.Errorf("failed to enable route: %w", err)
+			}
+		} else {
+			return fmt.Errorf("failed to find route: %w", err)
+		}
+	}
+
+	hsdb.notifyStateChange()
+
+	return nil
+}
+
+func (hsdb *HSDatabase) generateGivenName(suppliedName string, randomSuffix bool) (string, error) {
+	normalizedHostname, err := util.NormalizeToFQDNRulesConfigFromViper(
+		suppliedName,
+	)
+	if err != nil {
+		return "", err
+	}
+
+	if randomSuffix {
+		// Trim if a hostname will be longer than 63 chars after adding the hash.
+		trimmedHostnameLength := util.LabelHostnameLength - MachineGivenNameHashLength - MachineGivenNameTrimSize
+		if len(normalizedHostname) > trimmedHostnameLength {
+			normalizedHostname = normalizedHostname[:trimmedHostnameLength]
+		}
+
+		suffix, err := util.GenerateRandomStringDNSSafe(MachineGivenNameHashLength)
+		if err != nil {
+			return "", err
+		}
+
+		normalizedHostname += "-" + suffix
+	}
+
+	return normalizedHostname, nil
+}
+
+func (hsdb *HSDatabase) GenerateGivenName(machineKey string, suppliedName string) (string, error) {
+	givenName, err := hsdb.generateGivenName(suppliedName, false)
+	if err != nil {
+		return "", err
+	}
+
+	// Tailscale rules (may differ) https://tailscale.com/kb/1098/machine-names/
+	machines, err := hsdb.ListMachinesByGivenName(givenName)
+	if err != nil {
+		return "", err
+	}
+
+	for _, machine := range machines {
+		if machine.MachineKey != machineKey && machine.GivenName == givenName {
+			postfixedName, err := hsdb.generateGivenName(suppliedName, true)
+			if err != nil {
+				return "", err
+			}
+
+			givenName = postfixedName
+		}
+	}
+
+	return givenName, nil
+}
+
+func (hsdb *HSDatabase) ExpireEphemeralMachines(inactivityThreshhold time.Duration) {
+	users, err := hsdb.ListUsers()
+	if err != nil {
+		log.Error().Err(err).Msg("Error listing users")
+
+		return
+	}
+
+	for _, user := range users {
+		machines, err := hsdb.ListMachinesByUser(user.Name)
+		if err != nil {
+			log.Error().
+				Err(err).
+				Str("user", user.Name).
+				Msg("Error listing machines in user")
+
+			return
+		}
+
+		expiredFound := false
+		for idx, machine := range machines {
+			if machine.IsEphemeral() && machine.LastSeen != nil &&
+				time.Now().
+					After(machine.LastSeen.Add(inactivityThreshhold)) {
+				expiredFound = true
+				log.Info().
+					Str("machine", machine.Hostname).
+					Msg("Ephemeral client removed from database")
+
+				err = hsdb.HardDeleteMachine(&machines[idx])
+				if err != nil {
+					log.Error().
+						Err(err).
+						Str("machine", machine.Hostname).
+						Msg("🤮 Cannot delete ephemeral machine from the database")
+				}
+			}
+		}
+
+		if expiredFound {
+			hsdb.notifyStateChange()
+		}
+	}
+}
+
+func (hsdb *HSDatabase) ExpireExpiredMachines(lastChange time.Time) {
+	users, err := hsdb.ListUsers()
+	if err != nil {
+		log.Error().Err(err).Msg("Error listing users")
+
+		return
+	}
+
+	for _, user := range users {
+		machines, err := hsdb.ListMachinesByUser(user.Name)
+		if err != nil {
+			log.Error().
+				Err(err).
+				Str("user", user.Name).
+				Msg("Error listing machines in user")
+
+			return
+		}
+
+		expiredFound := false
+		for index, machine := range machines {
+			if machine.IsExpired() &&
+				machine.Expiry.After(lastChange) {
+				expiredFound = true
+
+				err := hsdb.ExpireMachine(&machines[index])
+				if err != nil {
+					log.Error().
+						Err(err).
+						Str("machine", machine.Hostname).
+						Str("name", machine.GivenName).
+						Msg("🤮 Cannot expire machine")
+				} else {
+					log.Info().
+						Str("machine", machine.Hostname).
+						Str("name", machine.GivenName).
+						Msg("Machine successfully expired")
+				}
+			}
+		}
+
+		if expiredFound {
+			hsdb.notifyStateChange()
+		}
+	}
+}

hscontrol/db/machine_test.go

@@ -0,0 +1,660 @@
+package db
+
+import (
+	"fmt"
+	"net/netip"
+	"regexp"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"gopkg.in/check.v1"
+	"tailscale.com/types/key"
+)
+
+func (s *Suite) TestGetMachine(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachine("test", "testmachine")
+	c.Assert(err, check.NotNil)
+
+	machine := &types.Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(machine)
+
+	_, err = db.GetMachine("test", "testmachine")
+	c.Assert(err, check.IsNil)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
+}
+
+func (s *Suite) TestGetMachineByID(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachineByID(0)
+	c.Assert(err, check.NotNil)
+
+	machine := types.Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(&machine)
+
+	_, err = db.GetMachineByID(0)
+	c.Assert(err, check.IsNil)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
+}
+
+func (s *Suite) TestGetMachineByNodeKey(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachineByID(0)
+	c.Assert(err, check.NotNil)
+
+	nodeKey := key.NewNode()
+	machineKey := key.NewMachine()
+
+	machine := types.Machine{
+		ID:             0,
+		MachineKey:     util.MachinePublicKeyStripPrefix(machineKey.Public()),
+		NodeKey:        util.NodePublicKeyStripPrefix(nodeKey.Public()),
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(&machine)
+
+	_, err = db.GetMachineByNodeKey(nodeKey.Public())
+	c.Assert(err, check.IsNil)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
+}
+
+func (s *Suite) TestGetMachineByAnyNodeKey(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachineByID(0)
+	c.Assert(err, check.NotNil)
+
+	nodeKey := key.NewNode()
+	oldNodeKey := key.NewNode()
+
+	machineKey := key.NewMachine()
+
+	machine := types.Machine{
+		ID:             0,
+		MachineKey:     util.MachinePublicKeyStripPrefix(machineKey.Public()),
+		NodeKey:        util.NodePublicKeyStripPrefix(nodeKey.Public()),
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(&machine)
+
+	_, err = db.GetMachineByAnyKey(machineKey.Public(), nodeKey.Public(), oldNodeKey.Public())
+	c.Assert(err, check.IsNil)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
+}
+
+func (s *Suite) TestDeleteMachine(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+	machine := types.Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(1),
+	}
+	db.db.Save(&machine)
+
+	err = db.DeleteMachine(&machine)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachine(user.Name, "testmachine")
+	c.Assert(err, check.NotNil)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
+}
+
+func (s *Suite) TestHardDeleteMachine(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+	machine := types.Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testmachine3",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(1),
+	}
+	db.db.Save(&machine)
+
+	err = db.HardDeleteMachine(&machine)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachine(user.Name, "testmachine3")
+	c.Assert(err, check.NotNil)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
+}
+
+func (s *Suite) TestListPeers(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachineByID(0)
+	c.Assert(err, check.NotNil)
+
+	for index := 0; index <= 10; index++ {
+		machine := types.Machine{
+			ID:             uint64(index),
+			MachineKey:     "foo" + strconv.Itoa(index),
+			NodeKey:        "bar" + strconv.Itoa(index),
+			DiscoKey:       "faa" + strconv.Itoa(index),
+			Hostname:       "testmachine" + strconv.Itoa(index),
+			UserID:         user.ID,
+			RegisterMethod: util.RegisterMethodAuthKey,
+			AuthKeyID:      uint(pak.ID),
+		}
+		db.db.Save(&machine)
+	}
+
+	machine0ByID, err := db.GetMachineByID(0)
+	c.Assert(err, check.IsNil)
+
+	peersOfMachine0, err := db.ListPeers(machine0ByID)
+	c.Assert(err, check.IsNil)
+
+	c.Assert(len(peersOfMachine0), check.Equals, 9)
+	c.Assert(peersOfMachine0[0].Hostname, check.Equals, "testmachine2")
+	c.Assert(peersOfMachine0[5].Hostname, check.Equals, "testmachine7")
+	c.Assert(peersOfMachine0[8].Hostname, check.Equals, "testmachine10")
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
+}
+
+func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
+	type base struct {
+		user *types.User
+		key  *types.PreAuthKey
+	}
+
+	stor := make([]base, 0)
+
+	for _, name := range []string{"test", "admin"} {
+		user, err := db.CreateUser(name)
+		c.Assert(err, check.IsNil)
+		pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+		c.Assert(err, check.IsNil)
+		stor = append(stor, base{user, pak})
+	}
+
+	_, err := db.GetMachineByID(0)
+	c.Assert(err, check.NotNil)
+
+	for index := 0; index <= 10; index++ {
+		machine := types.Machine{
+			ID:         uint64(index),
+			MachineKey: "foo" + strconv.Itoa(index),
+			NodeKey:    "bar" + strconv.Itoa(index),
+			DiscoKey:   "faa" + strconv.Itoa(index),
+			IPAddresses: types.MachineAddresses{
+				netip.MustParseAddr(fmt.Sprintf("100.64.0.%v", strconv.Itoa(index+1))),
+			},
+			Hostname:       "testmachine" + strconv.Itoa(index),
+			UserID:         stor[index%2].user.ID,
+			RegisterMethod: util.RegisterMethodAuthKey,
+			AuthKeyID:      uint(stor[index%2].key.ID),
+		}
+		db.db.Save(&machine)
+	}
+
+	aclPolicy := &policy.ACLPolicy{
+		Groups: map[string][]string{
+			"group:test": {"admin"},
+		},
+		Hosts:     map[string]netip.Prefix{},
+		TagOwners: map[string][]string{},
+		ACLs: []policy.ACL{
+			{
+				Action:       "accept",
+				Sources:      []string{"admin"},
+				Destinations: []string{"*:*"},
+			},
+			{
+				Action:       "accept",
+				Sources:      []string{"test"},
+				Destinations: []string{"test:*"},
+			},
+		},
+		Tests: []policy.ACLTest{},
+	}
+
+	adminMachine, err := db.GetMachineByID(1)
+	c.Logf("Machine(%v), user: %v", adminMachine.Hostname, adminMachine.User)
+	c.Assert(err, check.IsNil)
+
+	testMachine, err := db.GetMachineByID(2)
+	c.Logf("Machine(%v), user: %v", testMachine.Hostname, testMachine.User)
+	c.Assert(err, check.IsNil)
+
+	adminPeers, err := db.ListPeers(adminMachine)
+	c.Assert(err, check.IsNil)
+
+	testPeers, err := db.ListPeers(testMachine)
+	c.Assert(err, check.IsNil)
+
+	adminRules, _, err := policy.GenerateFilterAndSSHRules(aclPolicy, adminMachine, adminPeers)
+	c.Assert(err, check.IsNil)
+
+	testRules, _, err := policy.GenerateFilterAndSSHRules(aclPolicy, testMachine, testPeers)
+	c.Assert(err, check.IsNil)
+
+	peersOfAdminMachine := policy.FilterMachinesByACL(adminMachine, adminPeers, adminRules)
+	peersOfTestMachine := policy.FilterMachinesByACL(testMachine, testPeers, testRules)
+
+	c.Log(peersOfTestMachine)
+	c.Assert(len(peersOfTestMachine), check.Equals, 9)
+	c.Assert(peersOfTestMachine[0].Hostname, check.Equals, "testmachine1")
+	c.Assert(peersOfTestMachine[1].Hostname, check.Equals, "testmachine3")
+	c.Assert(peersOfTestMachine[3].Hostname, check.Equals, "testmachine5")
+
+	c.Log(peersOfAdminMachine)
+	c.Assert(len(peersOfAdminMachine), check.Equals, 9)
+	c.Assert(peersOfAdminMachine[0].Hostname, check.Equals, "testmachine2")
+	c.Assert(peersOfAdminMachine[2].Hostname, check.Equals, "testmachine4")
+	c.Assert(peersOfAdminMachine[5].Hostname, check.Equals, "testmachine7")
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
+}
+
+func (s *Suite) TestExpireMachine(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachine("test", "testmachine")
+	c.Assert(err, check.NotNil)
+
+	machine := &types.Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		Expiry:         &time.Time{},
+	}
+	db.db.Save(machine)
+
+	machineFromDB, err := db.GetMachine("test", "testmachine")
+	c.Assert(err, check.IsNil)
+	c.Assert(machineFromDB, check.NotNil)
+
+	c.Assert(machineFromDB.IsExpired(), check.Equals, false)
+
+	err = db.ExpireMachine(machineFromDB)
+	c.Assert(err, check.IsNil)
+
+	c.Assert(machineFromDB.IsExpired(), check.Equals, true)
+
+	c.Assert(channelUpdates, check.Equals, int32(1))
+}
+
+func (s *Suite) TestSerdeAddressStrignSlice(c *check.C) {
+	input := types.MachineAddresses([]netip.Addr{
+		netip.MustParseAddr("192.0.2.1"),
+		netip.MustParseAddr("2001:db8::1"),
+	})
+	serialized, err := input.Value()
+	c.Assert(err, check.IsNil)
+	if serial, ok := serialized.(string); ok {
+		c.Assert(serial, check.Equals, "192.0.2.1,2001:db8::1")
+	}
+
+	var deserialized types.MachineAddresses
+	err = deserialized.Scan(serialized)
+	c.Assert(err, check.IsNil)
+
+	c.Assert(len(deserialized), check.Equals, len(input))
+	for i := range deserialized {
+		c.Assert(deserialized[i], check.Equals, input[i])
+	}
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
+}
+
+func (s *Suite) TestGenerateGivenName(c *check.C) {
+	user1, err := db.CreateUser("user-1")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user1.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachine("user-1", "testmachine")
+	c.Assert(err, check.NotNil)
+
+	machine := &types.Machine{
+		ID:             0,
+		MachineKey:     "machine-key-1",
+		NodeKey:        "node-key-1",
+		DiscoKey:       "disco-key-1",
+		Hostname:       "hostname-1",
+		GivenName:      "hostname-1",
+		UserID:         user1.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(machine)
+
+	givenName, err := db.GenerateGivenName("machine-key-2", "hostname-2")
+	comment := check.Commentf("Same user, unique machines, unique hostnames, no conflict")
+	c.Assert(err, check.IsNil, comment)
+	c.Assert(givenName, check.Equals, "hostname-2", comment)
+
+	givenName, err = db.GenerateGivenName("machine-key-1", "hostname-1")
+	comment = check.Commentf("Same user, same machine, same hostname, no conflict")
+	c.Assert(err, check.IsNil, comment)
+	c.Assert(givenName, check.Equals, "hostname-1", comment)
+
+	givenName, err = db.GenerateGivenName("machine-key-2", "hostname-1")
+	comment = check.Commentf("Same user, unique machines, same hostname, conflict")
+	c.Assert(err, check.IsNil, comment)
+	c.Assert(givenName, check.Matches, fmt.Sprintf("^hostname-1-[a-z0-9]{%d}$", MachineGivenNameHashLength), comment)
+
+	givenName, err = db.GenerateGivenName("machine-key-2", "hostname-1")
+	comment = check.Commentf("Unique users, unique machines, same hostname, conflict")
+	c.Assert(err, check.IsNil, comment)
+	c.Assert(givenName, check.Matches, fmt.Sprintf("^hostname-1-[a-z0-9]{%d}$", MachineGivenNameHashLength), comment)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
+}
+
+func (s *Suite) TestSetTags(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachine("test", "testmachine")
+	c.Assert(err, check.NotNil)
+
+	machine := &types.Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(machine)
+
+	// assign simple tags
+	sTags := []string{"tag:test", "tag:foo"}
+	err = db.SetTags(machine, sTags)
+	c.Assert(err, check.IsNil)
+	machine, err = db.GetMachine("test", "testmachine")
+	c.Assert(err, check.IsNil)
+	c.Assert(machine.ForcedTags, check.DeepEquals, types.StringList(sTags))
+
+	// assign duplicat tags, expect no errors but no doubles in DB
+	eTags := []string{"tag:bar", "tag:test", "tag:unknown", "tag:test"}
+	err = db.SetTags(machine, eTags)
+	c.Assert(err, check.IsNil)
+	machine, err = db.GetMachine("test", "testmachine")
+	c.Assert(err, check.IsNil)
+	c.Assert(
+		machine.ForcedTags,
+		check.DeepEquals,
+		types.StringList([]string{"tag:bar", "tag:test", "tag:unknown"}),
+	)
+
+	c.Assert(channelUpdates, check.Equals, int32(2))
+}
+
+func TestHeadscale_generateGivenName(t *testing.T) {
+	type args struct {
+		suppliedName string
+		randomSuffix bool
+	}
+	tests := []struct {
+		name    string
+		db      *HSDatabase
+		args    args
+		want    *regexp.Regexp
+		wantErr bool
+	}{
+		{
+			name: "simple machine name generation",
+			db:   &HSDatabase{},
+			args: args{
+				suppliedName: "testmachine",
+				randomSuffix: false,
+			},
+			want:    regexp.MustCompile("^testmachine$"),
+			wantErr: false,
+		},
+		{
+			name: "machine name with 53 chars",
+			db:   &HSDatabase{},
+			args: args{
+				suppliedName: "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine",
+				randomSuffix: false,
+			},
+			want:    regexp.MustCompile("^testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine$"),
+			wantErr: false,
+		},
+		{
+			name: "machine name with 63 chars",
+			db:   &HSDatabase{},
+			args: args{
+				suppliedName: "machineeee12345678901234567890123456789012345678901234567890123",
+				randomSuffix: false,
+			},
+			want:    regexp.MustCompile("^machineeee12345678901234567890123456789012345678901234567890123$"),
+			wantErr: false,
+		},
+		{
+			name: "machine name with 64 chars",
+			db:   &HSDatabase{},
+			args: args{
+				suppliedName: "machineeee123456789012345678901234567890123456789012345678901234",
+				randomSuffix: false,
+			},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name: "machine name with 73 chars",
+			db:   &HSDatabase{},
+			args: args{
+				suppliedName: "machineeee123456789012345678901234567890123456789012345678901234567890123",
+				randomSuffix: false,
+			},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name: "machine name with random suffix",
+			db:   &HSDatabase{},
+			args: args{
+				suppliedName: "test",
+				randomSuffix: true,
+			},
+			want:    regexp.MustCompile(fmt.Sprintf("^test-[a-z0-9]{%d}$", MachineGivenNameHashLength)),
+			wantErr: false,
+		},
+		{
+			name: "machine name with 63 chars with random suffix",
+			db:   &HSDatabase{},
+			args: args{
+				suppliedName: "machineeee12345678901234567890123456789012345678901234567890123",
+				randomSuffix: true,
+			},
+			want:    regexp.MustCompile(fmt.Sprintf("^machineeee1234567890123456789012345678901234567890123-[a-z0-9]{%d}$", MachineGivenNameHashLength)),
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := tt.db.generateGivenName(tt.args.suppliedName, tt.args.randomSuffix)
+			if (err != nil) != tt.wantErr {
+				t.Errorf(
+					"Headscale.GenerateGivenName() error = %v, wantErr %v",
+					err,
+					tt.wantErr,
+				)
+
+				return
+			}
+
+			if tt.want != nil && !tt.want.MatchString(got) {
+				t.Errorf(
+					"Headscale.GenerateGivenName() = %v, does not match %v",
+					tt.want,
+					got,
+				)
+			}
+
+			if len(got) > util.LabelHostnameLength {
+				t.Errorf(
+					"Headscale.GenerateGivenName() = %v is larger than allowed DNS segment %d",
+					got,
+					util.LabelHostnameLength,
+				)
+			}
+		})
+	}
+}
+
+func (s *Suite) TestAutoApproveRoutes(c *check.C) {
+	acl := []byte(`
+{
+	"tagOwners": {
+		"tag:exit": ["test"],
+	},
+
+	"groups": {
+		"group:test": ["test"]
+	},
+
+	"acls": [
+		{"action": "accept", "users": ["*"], "ports": ["*:*"]},
+	],
+
+	"autoApprovers": {
+		"exitNode": ["tag:exit"],
+		"routes": {
+			"10.10.0.0/16": ["group:test"],
+			"10.11.0.0/16": ["test"],
+		}
+	}
+}
+	`)
+
+	pol, err := policy.LoadACLPolicyFromBytes(acl, "hujson")
+	c.Assert(err, check.IsNil)
+	c.Assert(pol, check.NotNil)
+
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	nodeKey := key.NewNode()
+
+	defaultRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
+	defaultRouteV6 := netip.MustParsePrefix("::/0")
+	route1 := netip.MustParsePrefix("10.10.0.0/16")
+	// Check if a subprefix of an autoapproved route is approved
+	route2 := netip.MustParsePrefix("10.11.0.0/24")
+
+	machine := types.Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        util.NodePublicKeyStripPrefix(nodeKey.Public()),
+		DiscoKey:       "faa",
+		Hostname:       "test",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo: types.HostInfo{
+			RequestTags: []string{"tag:exit"},
+			RoutableIPs: []netip.Prefix{defaultRouteV4, defaultRouteV6, route1, route2},
+		},
+		IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.1")},
+	}
+
+	db.db.Save(&machine)
+
+	err = db.ProcessMachineRoutes(&machine)
+	c.Assert(err, check.IsNil)
+
+	machine0ByID, err := db.GetMachineByID(0)
+	c.Assert(err, check.IsNil)
+
+	err = db.EnableAutoApprovedRoutes(pol, machine0ByID)
+	c.Assert(err, check.IsNil)
+
+	enabledRoutes, err := db.GetEnabledRoutes(machine0ByID)
+	c.Assert(err, check.IsNil)
+	c.Assert(enabledRoutes, check.HasLen, 4)
+
+	c.Assert(channelUpdates, check.Equals, int32(4))
+}

hscontrol/db/preauth_keys.go

@@ -0,0 +1,196 @@
+package db
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"gorm.io/gorm"
+)
+
+var (
+	ErrPreAuthKeyNotFound          = errors.New("AuthKey not found")
+	ErrPreAuthKeyExpired           = errors.New("AuthKey expired")
+	ErrSingleUseAuthKeyHasBeenUsed = errors.New("AuthKey has already been used")
+	ErrUserMismatch                = errors.New("user mismatch")
+	ErrPreAuthKeyACLTagInvalid     = errors.New("AuthKey tag is invalid")
+)
+
+// CreatePreAuthKey creates a new PreAuthKey in a user, and returns it.
+func (hsdb *HSDatabase) CreatePreAuthKey(
+	userName string,
+	reusable bool,
+	ephemeral bool,
+	expiration *time.Time,
+	aclTags []string,
+) (*types.PreAuthKey, error) {
+	user, err := hsdb.GetUser(userName)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, tag := range aclTags {
+		if !strings.HasPrefix(tag, "tag:") {
+			return nil, fmt.Errorf(
+				"%w: '%s' did not begin with 'tag:'",
+				ErrPreAuthKeyACLTagInvalid,
+				tag,
+			)
+		}
+	}
+
+	now := time.Now().UTC()
+	kstr, err := hsdb.generateKey()
+	if err != nil {
+		return nil, err
+	}
+
+	key := types.PreAuthKey{
+		Key:        kstr,
+		UserID:     user.ID,
+		User:       *user,
+		Reusable:   reusable,
+		Ephemeral:  ephemeral,
+		CreatedAt:  &now,
+		Expiration: expiration,
+	}
+
+	err = hsdb.db.Transaction(func(db *gorm.DB) error {
+		if err := db.Save(&key).Error; err != nil {
+			return fmt.Errorf("failed to create key in the database: %w", err)
+		}
+
+		if len(aclTags) > 0 {
+			seenTags := map[string]bool{}
+
+			for _, tag := range aclTags {
+				if !seenTags[tag] {
+					if err := db.Save(&types.PreAuthKeyACLTag{PreAuthKeyID: key.ID, Tag: tag}).Error; err != nil {
+						return fmt.Errorf(
+							"failed to ceate key tag in the database: %w",
+							err,
+						)
+					}
+					seenTags[tag] = true
+				}
+			}
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &key, nil
+}
+
+// ListPreAuthKeys returns the list of PreAuthKeys for a user.
+func (hsdb *HSDatabase) ListPreAuthKeys(userName string) ([]types.PreAuthKey, error) {
+	user, err := hsdb.GetUser(userName)
+	if err != nil {
+		return nil, err
+	}
+
+	keys := []types.PreAuthKey{}
+	if err := hsdb.db.Preload("User").Preload("ACLTags").Where(&types.PreAuthKey{UserID: user.ID}).Find(&keys).Error; err != nil {
+		return nil, err
+	}
+
+	return keys, nil
+}
+
+// GetPreAuthKey returns a PreAuthKey for a given key.
+func (hsdb *HSDatabase) GetPreAuthKey(user string, key string) (*types.PreAuthKey, error) {
+	pak, err := hsdb.ValidatePreAuthKey(key)
+	if err != nil {
+		return nil, err
+	}
+
+	if pak.User.Name != user {
+		return nil, ErrUserMismatch
+	}
+
+	return pak, nil
+}
+
+// DestroyPreAuthKey destroys a preauthkey. Returns error if the PreAuthKey
+// does not exist.
+func (hsdb *HSDatabase) DestroyPreAuthKey(pak types.PreAuthKey) error {
+	return hsdb.db.Transaction(func(db *gorm.DB) error {
+		if result := db.Unscoped().Where(types.PreAuthKeyACLTag{PreAuthKeyID: pak.ID}).Delete(&types.PreAuthKeyACLTag{}); result.Error != nil {
+			return result.Error
+		}
+
+		if result := db.Unscoped().Delete(pak); result.Error != nil {
+			return result.Error
+		}
+
+		return nil
+	})
+}
+
+// MarkExpirePreAuthKey marks a PreAuthKey as expired.
+func (hsdb *HSDatabase) ExpirePreAuthKey(k *types.PreAuthKey) error {
+	if err := hsdb.db.Model(&k).Update("Expiration", time.Now()).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// UsePreAuthKey marks a PreAuthKey as used.
+func (hsdb *HSDatabase) UsePreAuthKey(k *types.PreAuthKey) error {
+	k.Used = true
+	if err := hsdb.db.Save(k).Error; err != nil {
+		return fmt.Errorf("failed to update key used status in the database: %w", err)
+	}
+
+	return nil
+}
+
+// ValidatePreAuthKey does the heavy lifting for validation of the PreAuthKey coming from a node
+// If returns no error and a PreAuthKey, it can be used.
+func (hsdb *HSDatabase) ValidatePreAuthKey(k string) (*types.PreAuthKey, error) {
+	pak := types.PreAuthKey{}
+	if result := hsdb.db.Preload("User").Preload("ACLTags").First(&pak, "key = ?", k); errors.Is(
+		result.Error,
+		gorm.ErrRecordNotFound,
+	) {
+		return nil, ErrPreAuthKeyNotFound
+	}
+
+	if pak.Expiration != nil && pak.Expiration.Before(time.Now()) {
+		return nil, ErrPreAuthKeyExpired
+	}
+
+	if pak.Reusable || pak.Ephemeral { // we don't need to check if has been used before
+		return &pak, nil
+	}
+
+	machines := types.Machines{}
+	if err := hsdb.db.Preload("AuthKey").Where(&types.Machine{AuthKeyID: uint(pak.ID)}).Find(&machines).Error; err != nil {
+		return nil, err
+	}
+
+	if len(machines) != 0 || pak.Used {
+		return nil, ErrSingleUseAuthKeyHasBeenUsed
+	}
+
+	return &pak, nil
+}
+
+func (hsdb *HSDatabase) generateKey() (string, error) {
+	size := 24
+	bytes := make([]byte, size)
+	if _, err := rand.Read(bytes); err != nil {
+		return "", err
+	}
+
+	return hex.EncodeToString(bytes), nil
+}

hscontrol/db/preauth_keys_test.go

@@ -1,20 +1,22 @@
-package hscontrol
+package db
 
 import (
 	"time"
 
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"gopkg.in/check.v1"
 )
 
 func (*Suite) TestCreatePreAuthKey(c *check.C) {
-	_, err := app.CreatePreAuthKey("bogus", true, false, nil, nil)
+	_, err := db.CreatePreAuthKey("bogus", true, false, nil, nil)
 
 	c.Assert(err, check.NotNil)
 
-	user, err := app.CreateUser("test")
+	user, err := db.CreateUser("test")
 	c.Assert(err, check.IsNil)
 
-	key, err := app.CreatePreAuthKey(user.Name, true, false, nil, nil)
+	key, err := db.CreatePreAuthKey(user.Name, true, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
 	// Did we get a valid key?
@@ -24,10 +26,10 @@ func (*Suite) TestCreatePreAuthKey(c *check.C) {
 	// Make sure the User association is populated
 	c.Assert(key.User.Name, check.Equals, user.Name)
 
-	_, err = app.ListPreAuthKeys("bogus")
+	_, err = db.ListPreAuthKeys("bogus")
 	c.Assert(err, check.NotNil)
 
-	keys, err := app.ListPreAuthKeys(user.Name)
+	keys, err := db.ListPreAuthKeys(user.Name)
 	c.Assert(err, check.IsNil)
 	c.Assert(len(keys), check.Equals, 1)
 
@@ -36,174 +38,176 @@ func (*Suite) TestCreatePreAuthKey(c *check.C) {
 }
 
 func (*Suite) TestExpiredPreAuthKey(c *check.C) {
-	user, err := app.CreateUser("test2")
+	user, err := db.CreateUser("test2")
 	c.Assert(err, check.IsNil)
 
 	now := time.Now()
-	pak, err := app.CreatePreAuthKey(user.Name, true, false, &now, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, true, false, &now, nil)
 	c.Assert(err, check.IsNil)
 
-	key, err := app.checkKeyValidity(pak.Key)
+	key, err := db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.Equals, ErrPreAuthKeyExpired)
 	c.Assert(key, check.IsNil)
 }
 
 func (*Suite) TestPreAuthKeyDoesNotExist(c *check.C) {
-	key, err := app.checkKeyValidity("potatoKey")
+	key, err := db.ValidatePreAuthKey("potatoKey")
 	c.Assert(err, check.Equals, ErrPreAuthKeyNotFound)
 	c.Assert(key, check.IsNil)
 }
 
 func (*Suite) TestValidateKeyOk(c *check.C) {
-	user, err := app.CreateUser("test3")
+	user, err := db.CreateUser("test3")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(user.Name, true, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, true, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
-	key, err := app.checkKeyValidity(pak.Key)
+	key, err := db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.IsNil)
 	c.Assert(key.ID, check.Equals, pak.ID)
 }
 
 func (*Suite) TestAlreadyUsedKey(c *check.C) {
-	user, err := app.CreateUser("test4")
+	user, err := db.CreateUser("test4")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
-	machine := Machine{
+	machine := types.Machine{
 		ID:             0,
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Hostname:       "testest",
 		UserID:         user.ID,
-		RegisterMethod: RegisterMethodAuthKey,
+		RegisterMethod: util.RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
 	}
-	app.db.Save(&machine)
+	db.db.Save(&machine)
 
-	key, err := app.checkKeyValidity(pak.Key)
+	key, err := db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.Equals, ErrSingleUseAuthKeyHasBeenUsed)
 	c.Assert(key, check.IsNil)
 }
 
 func (*Suite) TestReusableBeingUsedKey(c *check.C) {
-	user, err := app.CreateUser("test5")
+	user, err := db.CreateUser("test5")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(user.Name, true, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, true, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
-	machine := Machine{
+	machine := types.Machine{
 		ID:             1,
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Hostname:       "testest",
 		UserID:         user.ID,
-		RegisterMethod: RegisterMethodAuthKey,
+		RegisterMethod: util.RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
 	}
-	app.db.Save(&machine)
+	db.db.Save(&machine)
 
-	key, err := app.checkKeyValidity(pak.Key)
+	key, err := db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.IsNil)
 	c.Assert(key.ID, check.Equals, pak.ID)
 }
 
 func (*Suite) TestNotReusableNotBeingUsedKey(c *check.C) {
-	user, err := app.CreateUser("test6")
+	user, err := db.CreateUser("test6")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
-	key, err := app.checkKeyValidity(pak.Key)
+	key, err := db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.IsNil)
 	c.Assert(key.ID, check.Equals, pak.ID)
 }
 
 func (*Suite) TestEphemeralKey(c *check.C) {
-	user, err := app.CreateUser("test7")
+	user, err := db.CreateUser("test7")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(user.Name, false, true, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, false, true, nil, nil)
 	c.Assert(err, check.IsNil)
 
-	now := time.Now()
-	machine := Machine{
+	now := time.Now().Add(-time.Second * 30)
+	machine := types.Machine{
 		ID:             0,
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Hostname:       "testest",
 		UserID:         user.ID,
-		RegisterMethod: RegisterMethodAuthKey,
+		RegisterMethod: util.RegisterMethodAuthKey,
 		LastSeen:       &now,
 		AuthKeyID:      uint(pak.ID),
 	}
-	app.db.Save(&machine)
+	db.db.Save(&machine)
 
-	_, err = app.checkKeyValidity(pak.Key)
+	_, err = db.ValidatePreAuthKey(pak.Key)
 	// Ephemeral keys are by definition reusable
 	c.Assert(err, check.IsNil)
 
-	_, err = app.GetMachine("test7", "testest")
+	_, err = db.GetMachine("test7", "testest")
 	c.Assert(err, check.IsNil)
 
-	app.expireEphemeralNodesWorker()
+	db.ExpireEphemeralMachines(time.Second * 20)
 
 	// The machine record should have been deleted
-	_, err = app.GetMachine("test7", "testest")
+	_, err = db.GetMachine("test7", "testest")
 	c.Assert(err, check.NotNil)
+
+	c.Assert(channelUpdates, check.Equals, int32(1))
 }
 
 func (*Suite) TestExpirePreauthKey(c *check.C) {
-	user, err := app.CreateUser("test3")
+	user, err := db.CreateUser("test3")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(user.Name, true, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, true, false, nil, nil)
 	c.Assert(err, check.IsNil)
 	c.Assert(pak.Expiration, check.IsNil)
 
-	err = app.ExpirePreAuthKey(pak)
+	err = db.ExpirePreAuthKey(pak)
 	c.Assert(err, check.IsNil)
 	c.Assert(pak.Expiration, check.NotNil)
 
-	key, err := app.checkKeyValidity(pak.Key)
+	key, err := db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.Equals, ErrPreAuthKeyExpired)
 	c.Assert(key, check.IsNil)
 }
 
 func (*Suite) TestNotReusableMarkedAsUsed(c *check.C) {
-	user, err := app.CreateUser("test6")
+	user, err := db.CreateUser("test6")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 	pak.Used = true
-	app.db.Save(&pak)
+	db.db.Save(&pak)
 
-	_, err = app.checkKeyValidity(pak.Key)
+	_, err = db.ValidatePreAuthKey(pak.Key)
 	c.Assert(err, check.Equals, ErrSingleUseAuthKeyHasBeenUsed)
 }
 
 func (*Suite) TestPreAuthKeyACLTags(c *check.C) {
-	user, err := app.CreateUser("test8")
+	user, err := db.CreateUser("test8")
 	c.Assert(err, check.IsNil)
 
-	_, err = app.CreatePreAuthKey(user.Name, false, false, nil, []string{"badtag"})
+	_, err = db.CreatePreAuthKey(user.Name, false, false, nil, []string{"badtag"})
 	c.Assert(err, check.NotNil) // Confirm that malformed tags are rejected
 
 	tags := []string{"tag:test1", "tag:test2"}
 	tagsWithDuplicate := []string{"tag:test1", "tag:test2", "tag:test2"}
-	_, err = app.CreatePreAuthKey(user.Name, false, false, nil, tagsWithDuplicate)
+	_, err = db.CreatePreAuthKey(user.Name, false, false, nil, tagsWithDuplicate)
 	c.Assert(err, check.IsNil)
 
-	listedPaks, err := app.ListPreAuthKeys("test8")
+	listedPaks, err := db.ListPreAuthKeys("test8")
 	c.Assert(err, check.IsNil)
-	c.Assert(listedPaks[0].toProto().AclTags, check.DeepEquals, tags)
+	c.Assert(listedPaks[0].Proto().AclTags, check.DeepEquals, tags)
 }

hscontrol/db/routes.go

@@ -0,0 +1,457 @@
+package db
+
+import (
+	"errors"
+	"net/netip"
+
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/rs/zerolog/log"
+	"gorm.io/gorm"
+)
+
+var ErrRouteIsNotAvailable = errors.New("route is not available")
+
+func (hsdb *HSDatabase) GetRoutes() (types.Routes, error) {
+	var routes types.Routes
+	err := hsdb.db.Preload("Machine").Find(&routes).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return routes, nil
+}
+
+func (hsdb *HSDatabase) GetMachineAdvertisedRoutes(machine *types.Machine) (types.Routes, error) {
+	var routes types.Routes
+	err := hsdb.db.
+		Preload("Machine").
+		Where("machine_id = ? AND advertised = true", machine.ID).
+		Find(&routes).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return routes, nil
+}
+
+func (hsdb *HSDatabase) GetMachineRoutes(m *types.Machine) (types.Routes, error) {
+	var routes types.Routes
+	err := hsdb.db.
+		Preload("Machine").
+		Where("machine_id = ?", m.ID).
+		Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, err
+	}
+
+	return routes, nil
+}
+
+func (hsdb *HSDatabase) GetRoute(id uint64) (*types.Route, error) {
+	var route types.Route
+	err := hsdb.db.Preload("Machine").First(&route, id).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return &route, nil
+}
+
+func (hsdb *HSDatabase) EnableRoute(id uint64) error {
+	route, err := hsdb.GetRoute(id)
+	if err != nil {
+		return err
+	}
+
+	// Tailscale requires both IPv4 and IPv6 exit routes to
+	// be enabled at the same time, as per
+	// https://github.com/juanfont/headscale/issues/804#issuecomment-1399314002
+	if route.IsExitRoute() {
+		return hsdb.enableRoutes(
+			&route.Machine,
+			types.ExitRouteV4.String(),
+			types.ExitRouteV6.String(),
+		)
+	}
+
+	return hsdb.enableRoutes(&route.Machine, netip.Prefix(route.Prefix).String())
+}
+
+func (hsdb *HSDatabase) DisableRoute(id uint64) error {
+	route, err := hsdb.GetRoute(id)
+	if err != nil {
+		return err
+	}
+
+	// Tailscale requires both IPv4 and IPv6 exit routes to
+	// be enabled at the same time, as per
+	// https://github.com/juanfont/headscale/issues/804#issuecomment-1399314002
+	if !route.IsExitRoute() {
+		route.Enabled = false
+		route.IsPrimary = false
+		err = hsdb.db.Save(route).Error
+		if err != nil {
+			return err
+		}
+
+		return hsdb.HandlePrimarySubnetFailover()
+	}
+
+	routes, err := hsdb.GetMachineRoutes(&route.Machine)
+	if err != nil {
+		return err
+	}
+
+	for i := range routes {
+		if routes[i].IsExitRoute() {
+			routes[i].Enabled = false
+			routes[i].IsPrimary = false
+			err = hsdb.db.Save(&routes[i]).Error
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return hsdb.HandlePrimarySubnetFailover()
+}
+
+func (hsdb *HSDatabase) DeleteRoute(id uint64) error {
+	route, err := hsdb.GetRoute(id)
+	if err != nil {
+		return err
+	}
+
+	// Tailscale requires both IPv4 and IPv6 exit routes to
+	// be enabled at the same time, as per
+	// https://github.com/juanfont/headscale/issues/804#issuecomment-1399314002
+	if !route.IsExitRoute() {
+		if err := hsdb.db.Unscoped().Delete(&route).Error; err != nil {
+			return err
+		}
+
+		return hsdb.HandlePrimarySubnetFailover()
+	}
+
+	routes, err := hsdb.GetMachineRoutes(&route.Machine)
+	if err != nil {
+		return err
+	}
+
+	routesToDelete := types.Routes{}
+	for _, r := range routes {
+		if r.IsExitRoute() {
+			routesToDelete = append(routesToDelete, r)
+		}
+	}
+
+	if err := hsdb.db.Unscoped().Delete(&routesToDelete).Error; err != nil {
+		return err
+	}
+
+	return hsdb.HandlePrimarySubnetFailover()
+}
+
+func (hsdb *HSDatabase) DeleteMachineRoutes(m *types.Machine) error {
+	routes, err := hsdb.GetMachineRoutes(m)
+	if err != nil {
+		return err
+	}
+
+	for i := range routes {
+		if err := hsdb.db.Unscoped().Delete(&routes[i]).Error; err != nil {
+			return err
+		}
+	}
+
+	return hsdb.HandlePrimarySubnetFailover()
+}
+
+// isUniquePrefix returns if there is another machine providing the same route already.
+func (hsdb *HSDatabase) isUniquePrefix(route types.Route) bool {
+	var count int64
+	hsdb.db.
+		Model(&types.Route{}).
+		Where("prefix = ? AND machine_id != ? AND advertised = ? AND enabled = ?",
+			route.Prefix,
+			route.MachineID,
+			true, true).Count(&count)
+
+	return count == 0
+}
+
+func (hsdb *HSDatabase) getPrimaryRoute(prefix netip.Prefix) (*types.Route, error) {
+	var route types.Route
+	err := hsdb.db.
+		Preload("Machine").
+		Where("prefix = ? AND advertised = ? AND enabled = ? AND is_primary = ?", types.IPPrefix(prefix), true, true, true).
+		First(&route).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, err
+	}
+
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, gorm.ErrRecordNotFound
+	}
+
+	return &route, nil
+}
+
+// getMachinePrimaryRoutes returns the routes that are enabled and marked as primary (for subnet failover)
+// Exit nodes are not considered for this, as they are never marked as Primary.
+func (hsdb *HSDatabase) GetMachinePrimaryRoutes(m *types.Machine) (types.Routes, error) {
+	var routes types.Routes
+	err := hsdb.db.
+		Preload("Machine").
+		Where("machine_id = ? AND advertised = ? AND enabled = ? AND is_primary = ?", m.ID, true, true, true).
+		Find(&routes).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return routes, nil
+}
+
+func (hsdb *HSDatabase) ProcessMachineRoutes(machine *types.Machine) error {
+	currentRoutes := types.Routes{}
+	err := hsdb.db.Where("machine_id = ?", machine.ID).Find(&currentRoutes).Error
+	if err != nil {
+		return err
+	}
+
+	advertisedRoutes := map[netip.Prefix]bool{}
+	for _, prefix := range machine.HostInfo.RoutableIPs {
+		advertisedRoutes[prefix] = false
+	}
+
+	for pos, route := range currentRoutes {
+		if _, ok := advertisedRoutes[netip.Prefix(route.Prefix)]; ok {
+			if !route.Advertised {
+				currentRoutes[pos].Advertised = true
+				err := hsdb.db.Save(&currentRoutes[pos]).Error
+				if err != nil {
+					return err
+				}
+			}
+			advertisedRoutes[netip.Prefix(route.Prefix)] = true
+		} else if route.Advertised {
+			currentRoutes[pos].Advertised = false
+			currentRoutes[pos].Enabled = false
+			err := hsdb.db.Save(&currentRoutes[pos]).Error
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	for prefix, exists := range advertisedRoutes {
+		if !exists {
+			route := types.Route{
+				MachineID:  machine.ID,
+				Prefix:     types.IPPrefix(prefix),
+				Advertised: true,
+				Enabled:    false,
+			}
+			err := hsdb.db.Create(&route).Error
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func (hsdb *HSDatabase) HandlePrimarySubnetFailover() error {
+	// first, get all the enabled routes
+	var routes types.Routes
+	err := hsdb.db.
+		Preload("Machine").
+		Where("advertised = ? AND enabled = ?", true, true).
+		Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Error().Err(err).Msg("error getting routes")
+	}
+
+	routesChanged := false
+	for pos, route := range routes {
+		if route.IsExitRoute() {
+			continue
+		}
+
+		if !route.IsPrimary {
+			_, err := hsdb.getPrimaryRoute(netip.Prefix(route.Prefix))
+			if hsdb.isUniquePrefix(route) || errors.Is(err, gorm.ErrRecordNotFound) {
+				log.Info().
+					Str("prefix", netip.Prefix(route.Prefix).String()).
+					Str("machine", route.Machine.GivenName).
+					Msg("Setting primary route")
+				routes[pos].IsPrimary = true
+				err := hsdb.db.Save(&routes[pos]).Error
+				if err != nil {
+					log.Error().Err(err).Msg("error marking route as primary")
+
+					return err
+				}
+
+				routesChanged = true
+
+				continue
+			}
+		}
+
+		if route.IsPrimary {
+			if route.Machine.IsOnline() {
+				continue
+			}
+
+			// machine offline, find a new primary
+			log.Info().
+				Str("machine", route.Machine.Hostname).
+				Str("prefix", netip.Prefix(route.Prefix).String()).
+				Msgf("machine offline, finding a new primary subnet")
+
+			// find a new primary route
+			var newPrimaryRoutes types.Routes
+			err := hsdb.db.
+				Preload("Machine").
+				Where("prefix = ? AND machine_id != ? AND advertised = ? AND enabled = ?",
+					route.Prefix,
+					route.MachineID,
+					true, true).
+				Find(&newPrimaryRoutes).Error
+			if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+				log.Error().Err(err).Msg("error finding new primary route")
+
+				return err
+			}
+
+			var newPrimaryRoute *types.Route
+			for pos, r := range newPrimaryRoutes {
+				if r.Machine.IsOnline() {
+					newPrimaryRoute = &newPrimaryRoutes[pos]
+
+					break
+				}
+			}
+
+			if newPrimaryRoute == nil {
+				log.Warn().
+					Str("machine", route.Machine.Hostname).
+					Str("prefix", netip.Prefix(route.Prefix).String()).
+					Msgf("no alternative primary route found")
+
+				continue
+			}
+
+			log.Info().
+				Str("old_machine", route.Machine.Hostname).
+				Str("prefix", netip.Prefix(route.Prefix).String()).
+				Str("new_machine", newPrimaryRoute.Machine.Hostname).
+				Msgf("found new primary route")
+
+			// disable the old primary route
+			routes[pos].IsPrimary = false
+			err = hsdb.db.Save(&routes[pos]).Error
+			if err != nil {
+				log.Error().Err(err).Msg("error disabling old primary route")
+
+				return err
+			}
+
+			// enable the new primary route
+			newPrimaryRoute.IsPrimary = true
+			err = hsdb.db.Save(&newPrimaryRoute).Error
+			if err != nil {
+				log.Error().Err(err).Msg("error enabling new primary route")
+
+				return err
+			}
+
+			routesChanged = true
+		}
+	}
+
+	if routesChanged {
+		hsdb.notifyStateChange()
+	}
+
+	return nil
+}
+
+// EnableAutoApprovedRoutes enables any routes advertised by a machine that match the ACL autoApprovers policy.
+func (hsdb *HSDatabase) EnableAutoApprovedRoutes(
+	aclPolicy *policy.ACLPolicy,
+	machine *types.Machine,
+) error {
+	if len(machine.IPAddresses) == 0 {
+		return nil // This machine has no IPAddresses, so can't possibly match any autoApprovers ACLs
+	}
+
+	routes, err := hsdb.GetMachineAdvertisedRoutes(machine)
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Error().
+			Caller().
+			Err(err).
+			Str("machine", machine.Hostname).
+			Msg("Could not get advertised routes for machine")
+
+		return err
+	}
+
+	approvedRoutes := types.Routes{}
+
+	for _, advertisedRoute := range routes {
+		if advertisedRoute.Enabled {
+			continue
+		}
+
+		routeApprovers, err := aclPolicy.AutoApprovers.GetRouteApprovers(
+			netip.Prefix(advertisedRoute.Prefix),
+		)
+		if err != nil {
+			log.Err(err).
+				Str("advertisedRoute", advertisedRoute.String()).
+				Uint64("machineId", machine.ID).
+				Msg("Failed to resolve autoApprovers for advertised route")
+
+			return err
+		}
+
+		for _, approvedAlias := range routeApprovers {
+			if approvedAlias == machine.User.Name {
+				approvedRoutes = append(approvedRoutes, advertisedRoute)
+			} else {
+				// TODO(kradalby): figure out how to get this to depend on less stuff
+				approvedIps, err := aclPolicy.ExpandAlias(*machine, types.Machines{}, approvedAlias)
+				if err != nil {
+					log.Err(err).
+						Str("alias", approvedAlias).
+						Msg("Failed to expand alias when processing autoApprovers policy")
+
+					return err
+				}
+
+				// approvedIPs should contain all of machine's IPs if it matches the rule, so check for first
+				if approvedIps.Contains(machine.IPAddresses[0]) {
+					approvedRoutes = append(approvedRoutes, advertisedRoute)
+				}
+			}
+		}
+	}
+
+	for _, approvedRoute := range approvedRoutes {
+		err := hsdb.EnableRoute(uint64(approvedRoute.ID))
+		if err != nil {
+			log.Err(err).
+				Str("approvedRoute", approvedRoute.String()).
+				Uint64("machineId", machine.ID).
+				Msg("Failed to enable approved route")
+
+			return err
+		}
+	}
+
+	return nil
+}

hscontrol/db/routes_test.go

@@ -0,0 +1,425 @@
+package db
+
+import (
+	"net/netip"
+	"time"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"gopkg.in/check.v1"
+	"tailscale.com/tailcfg"
+)
+
+func (s *Suite) TestGetRoutes(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachine("test", "test_get_route_machine")
+	c.Assert(err, check.NotNil)
+
+	route, err := netip.ParsePrefix("10.0.0.0/24")
+	c.Assert(err, check.IsNil)
+
+	hostInfo := tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{route},
+	}
+
+	machine := types.Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "test_get_route_machine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       types.HostInfo(hostInfo),
+	}
+	db.db.Save(&machine)
+
+	err = db.ProcessMachineRoutes(&machine)
+	c.Assert(err, check.IsNil)
+
+	advertisedRoutes, err := db.GetAdvertisedRoutes(&machine)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(advertisedRoutes), check.Equals, 1)
+
+	err = db.enableRoutes(&machine, "192.168.0.0/24")
+	c.Assert(err, check.NotNil)
+
+	err = db.enableRoutes(&machine, "10.0.0.0/24")
+	c.Assert(err, check.IsNil)
+
+	c.Assert(channelUpdates, check.Equals, int32(0))
+}
+
+func (s *Suite) TestGetEnableRoutes(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachine("test", "test_enable_route_machine")
+	c.Assert(err, check.NotNil)
+
+	route, err := netip.ParsePrefix(
+		"10.0.0.0/24",
+	)
+	c.Assert(err, check.IsNil)
+
+	route2, err := netip.ParsePrefix(
+		"150.0.10.0/25",
+	)
+	c.Assert(err, check.IsNil)
+
+	hostInfo := tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{route, route2},
+	}
+
+	machine := types.Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "test_enable_route_machine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       types.HostInfo(hostInfo),
+	}
+	db.db.Save(&machine)
+
+	err = db.ProcessMachineRoutes(&machine)
+	c.Assert(err, check.IsNil)
+
+	availableRoutes, err := db.GetAdvertisedRoutes(&machine)
+	c.Assert(err, check.IsNil)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(availableRoutes), check.Equals, 2)
+
+	noEnabledRoutes, err := db.GetEnabledRoutes(&machine)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(noEnabledRoutes), check.Equals, 0)
+
+	err = db.enableRoutes(&machine, "192.168.0.0/24")
+	c.Assert(err, check.NotNil)
+
+	err = db.enableRoutes(&machine, "10.0.0.0/24")
+	c.Assert(err, check.IsNil)
+
+	enabledRoutes, err := db.GetEnabledRoutes(&machine)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes), check.Equals, 1)
+
+	// Adding it twice will just let it pass through
+	err = db.enableRoutes(&machine, "10.0.0.0/24")
+	c.Assert(err, check.IsNil)
+
+	enableRoutesAfterDoubleApply, err := db.GetEnabledRoutes(&machine)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enableRoutesAfterDoubleApply), check.Equals, 1)
+
+	err = db.enableRoutes(&machine, "150.0.10.0/25")
+	c.Assert(err, check.IsNil)
+
+	enabledRoutesWithAdditionalRoute, err := db.GetEnabledRoutes(&machine)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutesWithAdditionalRoute), check.Equals, 2)
+
+	c.Assert(channelUpdates, check.Equals, int32(3))
+}
+
+func (s *Suite) TestIsUniquePrefix(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachine("test", "test_enable_route_machine")
+	c.Assert(err, check.NotNil)
+
+	route, err := netip.ParsePrefix(
+		"10.0.0.0/24",
+	)
+	c.Assert(err, check.IsNil)
+
+	route2, err := netip.ParsePrefix(
+		"150.0.10.0/25",
+	)
+	c.Assert(err, check.IsNil)
+
+	hostInfo1 := tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{route, route2},
+	}
+	machine1 := types.Machine{
+		ID:             1,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "test_enable_route_machine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       types.HostInfo(hostInfo1),
+	}
+	db.db.Save(&machine1)
+
+	err = db.ProcessMachineRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+
+	err = db.enableRoutes(&machine1, route.String())
+	c.Assert(err, check.IsNil)
+
+	err = db.enableRoutes(&machine1, route2.String())
+	c.Assert(err, check.IsNil)
+
+	hostInfo2 := tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{route2},
+	}
+	machine2 := types.Machine{
+		ID:             2,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "test_enable_route_machine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       types.HostInfo(hostInfo2),
+	}
+	db.db.Save(&machine2)
+
+	err = db.ProcessMachineRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+
+	err = db.enableRoutes(&machine2, route2.String())
+	c.Assert(err, check.IsNil)
+
+	enabledRoutes1, err := db.GetEnabledRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes1), check.Equals, 2)
+
+	enabledRoutes2, err := db.GetEnabledRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes2), check.Equals, 1)
+
+	routes, err := db.GetMachinePrimaryRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 2)
+
+	routes, err = db.GetMachinePrimaryRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 0)
+
+	c.Assert(channelUpdates, check.Equals, int32(3))
+}
+
+func (s *Suite) TestSubnetFailover(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachine("test", "test_enable_route_machine")
+	c.Assert(err, check.NotNil)
+
+	prefix, err := netip.ParsePrefix(
+		"10.0.0.0/24",
+	)
+	c.Assert(err, check.IsNil)
+
+	prefix2, err := netip.ParsePrefix(
+		"150.0.10.0/25",
+	)
+	c.Assert(err, check.IsNil)
+
+	hostInfo1 := tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{prefix, prefix2},
+	}
+
+	now := time.Now()
+	machine1 := types.Machine{
+		ID:             1,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "test_enable_route_machine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       types.HostInfo(hostInfo1),
+		LastSeen:       &now,
+	}
+	db.db.Save(&machine1)
+
+	err = db.ProcessMachineRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+
+	err = db.enableRoutes(&machine1, prefix.String())
+	c.Assert(err, check.IsNil)
+
+	err = db.enableRoutes(&machine1, prefix2.String())
+	c.Assert(err, check.IsNil)
+
+	err = db.HandlePrimarySubnetFailover()
+	c.Assert(err, check.IsNil)
+
+	enabledRoutes1, err := db.GetEnabledRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes1), check.Equals, 2)
+
+	route, err := db.getPrimaryRoute(prefix)
+	c.Assert(err, check.IsNil)
+	c.Assert(route.MachineID, check.Equals, machine1.ID)
+
+	hostInfo2 := tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{prefix2},
+	}
+	machine2 := types.Machine{
+		ID:             2,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "test_enable_route_machine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       types.HostInfo(hostInfo2),
+		LastSeen:       &now,
+	}
+	db.db.Save(&machine2)
+
+	err = db.ProcessMachineRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+
+	err = db.enableRoutes(&machine2, prefix2.String())
+	c.Assert(err, check.IsNil)
+
+	err = db.HandlePrimarySubnetFailover()
+	c.Assert(err, check.IsNil)
+
+	enabledRoutes1, err = db.GetEnabledRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes1), check.Equals, 2)
+
+	enabledRoutes2, err := db.GetEnabledRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes2), check.Equals, 1)
+
+	routes, err := db.GetMachinePrimaryRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 2)
+
+	routes, err = db.GetMachinePrimaryRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 0)
+
+	// lets make machine1 lastseen 10 mins ago
+	before := now.Add(-10 * time.Minute)
+	machine1.LastSeen = &before
+	err = db.db.Save(&machine1).Error
+	c.Assert(err, check.IsNil)
+
+	err = db.HandlePrimarySubnetFailover()
+	c.Assert(err, check.IsNil)
+
+	routes, err = db.GetMachinePrimaryRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 1)
+
+	routes, err = db.GetMachinePrimaryRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 1)
+
+	machine2.HostInfo = types.HostInfo(tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{prefix, prefix2},
+	})
+	err = db.db.Save(&machine2).Error
+	c.Assert(err, check.IsNil)
+
+	err = db.ProcessMachineRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+
+	err = db.enableRoutes(&machine2, prefix.String())
+	c.Assert(err, check.IsNil)
+
+	err = db.HandlePrimarySubnetFailover()
+	c.Assert(err, check.IsNil)
+
+	routes, err = db.GetMachinePrimaryRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 0)
+
+	routes, err = db.GetMachinePrimaryRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 2)
+
+	c.Assert(channelUpdates, check.Equals, int32(6))
+}
+
+func (s *Suite) TestDeleteRoutes(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetMachine("test", "test_enable_route_machine")
+	c.Assert(err, check.NotNil)
+
+	prefix, err := netip.ParsePrefix(
+		"10.0.0.0/24",
+	)
+	c.Assert(err, check.IsNil)
+
+	prefix2, err := netip.ParsePrefix(
+		"150.0.10.0/25",
+	)
+	c.Assert(err, check.IsNil)
+
+	hostInfo1 := tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{prefix, prefix2},
+	}
+
+	now := time.Now()
+	machine1 := types.Machine{
+		ID:             1,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "test_enable_route_machine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       types.HostInfo(hostInfo1),
+		LastSeen:       &now,
+	}
+	db.db.Save(&machine1)
+
+	err = db.ProcessMachineRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+
+	err = db.enableRoutes(&machine1, prefix.String())
+	c.Assert(err, check.IsNil)
+
+	err = db.enableRoutes(&machine1, prefix2.String())
+	c.Assert(err, check.IsNil)
+
+	routes, err := db.GetMachineRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+
+	err = db.DeleteRoute(uint64(routes[0].ID))
+	c.Assert(err, check.IsNil)
+
+	enabledRoutes1, err := db.GetEnabledRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes1), check.Equals, 1)
+
+	c.Assert(channelUpdates, check.Equals, int32(2))
+}

hscontrol/db/suite_test.go

@@ -0,0 +1,72 @@
+package db
+
+import (
+	"net/netip"
+	"os"
+	"sync/atomic"
+	"testing"
+
+	"gopkg.in/check.v1"
+)
+
+func Test(t *testing.T) {
+	check.TestingT(t)
+}
+
+var _ = check.Suite(&Suite{})
+
+type Suite struct{}
+
+var (
+	tmpDir string
+	db     *HSDatabase
+
+	// channelUpdates counts the number of times
+	// either of the channels was notified.
+	channelUpdates int32
+)
+
+func (s *Suite) SetUpTest(c *check.C) {
+	atomic.StoreInt32(&channelUpdates, 0)
+	s.ResetDB(c)
+}
+
+func (s *Suite) TearDownTest(c *check.C) {
+	os.RemoveAll(tmpDir)
+}
+
+func notificationSink(c <-chan struct{}) {
+	for {
+		<-c
+		atomic.AddInt32(&channelUpdates, 1)
+	}
+}
+
+func (s *Suite) ResetDB(c *check.C) {
+	if len(tmpDir) != 0 {
+		os.RemoveAll(tmpDir)
+	}
+	var err error
+	tmpDir, err = os.MkdirTemp("", "autoygg-client-test")
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	sink := make(chan struct{})
+
+	go notificationSink(sink)
+
+	db, err = NewHeadscaleDatabase(
+		"sqlite3",
+		tmpDir+"/headscale_test.db",
+		false,
+		sink,
+		[]netip.Prefix{
+			netip.MustParsePrefix("10.27.0.0/23"),
+		},
+		"",
+	)
+	if err != nil {
+		c.Fatal(err)
+	}
+}

hscontrol/db/users.go

@@ -0,0 +1,163 @@
+package db
+
+import (
+	"errors"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"github.com/rs/zerolog/log"
+	"gorm.io/gorm"
+)
+
+var (
+	ErrUserExists        = errors.New("user already exists")
+	ErrUserNotFound      = errors.New("user not found")
+	ErrUserStillHasNodes = errors.New("user not empty: node(s) found")
+)
+
+// CreateUser creates a new User. Returns error if could not be created
+// or another user already exists.
+func (hsdb *HSDatabase) CreateUser(name string) (*types.User, error) {
+	err := util.CheckForFQDNRules(name)
+	if err != nil {
+		return nil, err
+	}
+	user := types.User{}
+	if err := hsdb.db.Where("name = ?", name).First(&user).Error; err == nil {
+		return nil, ErrUserExists
+	}
+	user.Name = name
+	if err := hsdb.db.Create(&user).Error; err != nil {
+		log.Error().
+			Str("func", "CreateUser").
+			Err(err).
+			Msg("Could not create row")
+
+		return nil, err
+	}
+
+	return &user, nil
+}
+
+// DestroyUser destroys a User. Returns error if the User does
+// not exist or if there are machines associated with it.
+func (hsdb *HSDatabase) DestroyUser(name string) error {
+	user, err := hsdb.GetUser(name)
+	if err != nil {
+		return ErrUserNotFound
+	}
+
+	machines, err := hsdb.ListMachinesByUser(name)
+	if err != nil {
+		return err
+	}
+	if len(machines) > 0 {
+		return ErrUserStillHasNodes
+	}
+
+	keys, err := hsdb.ListPreAuthKeys(name)
+	if err != nil {
+		return err
+	}
+	for _, key := range keys {
+		err = hsdb.DestroyPreAuthKey(key)
+		if err != nil {
+			return err
+		}
+	}
+
+	if result := hsdb.db.Unscoped().Delete(&user); result.Error != nil {
+		return result.Error
+	}
+
+	return nil
+}
+
+// RenameUser renames a User. Returns error if the User does
+// not exist or if another User exists with the new name.
+func (hsdb *HSDatabase) RenameUser(oldName, newName string) error {
+	var err error
+	oldUser, err := hsdb.GetUser(oldName)
+	if err != nil {
+		return err
+	}
+	err = util.CheckForFQDNRules(newName)
+	if err != nil {
+		return err
+	}
+	_, err = hsdb.GetUser(newName)
+	if err == nil {
+		return ErrUserExists
+	}
+	if !errors.Is(err, ErrUserNotFound) {
+		return err
+	}
+
+	oldUser.Name = newName
+
+	if result := hsdb.db.Save(&oldUser); result.Error != nil {
+		return result.Error
+	}
+
+	return nil
+}
+
+// GetUser fetches a user by name.
+func (hsdb *HSDatabase) GetUser(name string) (*types.User, error) {
+	user := types.User{}
+	if result := hsdb.db.First(&user, "name = ?", name); errors.Is(
+		result.Error,
+		gorm.ErrRecordNotFound,
+	) {
+		return nil, ErrUserNotFound
+	}
+
+	return &user, nil
+}
+
+// ListUsers gets all the existing users.
+func (hsdb *HSDatabase) ListUsers() ([]types.User, error) {
+	users := []types.User{}
+	if err := hsdb.db.Find(&users).Error; err != nil {
+		return nil, err
+	}
+
+	return users, nil
+}
+
+// ListMachinesByUser gets all the nodes in a given user.
+func (hsdb *HSDatabase) ListMachinesByUser(name string) (types.Machines, error) {
+	err := util.CheckForFQDNRules(name)
+	if err != nil {
+		return nil, err
+	}
+	user, err := hsdb.GetUser(name)
+	if err != nil {
+		return nil, err
+	}
+
+	machines := types.Machines{}
+	if err := hsdb.db.Preload("AuthKey").Preload("AuthKey.User").Preload("User").Where(&types.Machine{UserID: user.ID}).Find(&machines).Error; err != nil {
+		return nil, err
+	}
+
+	return machines, nil
+}
+
+// SetMachineUser assigns a Machine to a user.
+func (hsdb *HSDatabase) SetMachineUser(machine *types.Machine, username string) error {
+	err := util.CheckForFQDNRules(username)
+	if err != nil {
+		return err
+	}
+	user, err := hsdb.GetUser(username)
+	if err != nil {
+		return err
+	}
+	machine.User = *user
+	if result := hsdb.db.Save(&machine); result.Error != nil {
+		return result.Error
+	}
+
+	return nil
+}

hscontrol/db/users_test.go

@@ -0,0 +1,129 @@
+package db
+
+import (
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"gopkg.in/check.v1"
+	"gorm.io/gorm"
+)
+
+func (s *Suite) TestCreateAndDestroyUser(c *check.C) {
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+	c.Assert(user.Name, check.Equals, "test")
+
+	users, err := db.ListUsers()
+	c.Assert(err, check.IsNil)
+	c.Assert(len(users), check.Equals, 1)
+
+	err = db.DestroyUser("test")
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetUser("test")
+	c.Assert(err, check.NotNil)
+}
+
+func (s *Suite) TestDestroyUserErrors(c *check.C) {
+	err := db.DestroyUser("test")
+	c.Assert(err, check.Equals, ErrUserNotFound)
+
+	user, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	err = db.DestroyUser("test")
+	c.Assert(err, check.IsNil)
+
+	result := db.db.Preload("User").First(&pak, "key = ?", pak.Key)
+	// destroying a user also deletes all associated preauthkeys
+	c.Assert(result.Error, check.Equals, gorm.ErrRecordNotFound)
+
+	user, err = db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err = db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	machine := types.Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(&machine)
+
+	err = db.DestroyUser("test")
+	c.Assert(err, check.Equals, ErrUserStillHasNodes)
+}
+
+func (s *Suite) TestRenameUser(c *check.C) {
+	userTest, err := db.CreateUser("test")
+	c.Assert(err, check.IsNil)
+	c.Assert(userTest.Name, check.Equals, "test")
+
+	users, err := db.ListUsers()
+	c.Assert(err, check.IsNil)
+	c.Assert(len(users), check.Equals, 1)
+
+	err = db.RenameUser("test", "test-renamed")
+	c.Assert(err, check.IsNil)
+
+	_, err = db.GetUser("test")
+	c.Assert(err, check.Equals, ErrUserNotFound)
+
+	_, err = db.GetUser("test-renamed")
+	c.Assert(err, check.IsNil)
+
+	err = db.RenameUser("test-does-not-exit", "test")
+	c.Assert(err, check.Equals, ErrUserNotFound)
+
+	userTest2, err := db.CreateUser("test2")
+	c.Assert(err, check.IsNil)
+	c.Assert(userTest2.Name, check.Equals, "test2")
+
+	err = db.RenameUser("test2", "test-renamed")
+	c.Assert(err, check.Equals, ErrUserExists)
+}
+
+func (s *Suite) TestSetMachineUser(c *check.C) {
+	oldUser, err := db.CreateUser("old")
+	c.Assert(err, check.IsNil)
+
+	newUser, err := db.CreateUser("new")
+	c.Assert(err, check.IsNil)
+
+	pak, err := db.CreatePreAuthKey(oldUser.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	machine := types.Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		UserID:         oldUser.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	db.db.Save(&machine)
+	c.Assert(machine.UserID, check.Equals, oldUser.ID)
+
+	err = db.SetMachineUser(&machine, newUser.Name)
+	c.Assert(err, check.IsNil)
+	c.Assert(machine.UserID, check.Equals, newUser.ID)
+	c.Assert(machine.User.Name, check.Equals, newUser.Name)
+
+	err = db.SetMachineUser(&machine, "non-existing-user")
+	c.Assert(err, check.Equals, ErrUserNotFound)
+
+	err = db.SetMachineUser(&machine, newUser.Name)
+	c.Assert(err, check.IsNil)
+	c.Assert(machine.UserID, check.Equals, newUser.ID)
+	c.Assert(machine.User.Name, check.Equals, newUser.Name)
+}

hscontrol/derp/derp.go

@@ -1,4 +1,4 @@
-package hscontrol
+package derp
 
 import (
 	"context"
@@ -7,8 +7,8 @@ import (
 	"net/http"
 	"net/url"
 	"os"
-	"time"
 
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog/log"
 	"gopkg.in/yaml.v3"
 	"tailscale.com/tailcfg"
@@ -31,7 +31,7 @@ func loadDERPMapFromPath(path string) (*tailcfg.DERPMap, error) {
 }
 
 func loadDERPMapFromURL(addr url.URL) (*tailcfg.DERPMap, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), HTTPReadTimeout)
+	ctx, cancel := context.WithTimeout(context.Background(), types.HTTPReadTimeout)
 	defer cancel()
 
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, addr.String(), nil)
@@ -40,7 +40,7 @@ func loadDERPMapFromURL(addr url.URL) (*tailcfg.DERPMap, error) {
 	}
 
 	client := http.Client{
-		Timeout: HTTPReadTimeout,
+		Timeout: types.HTTPReadTimeout,
 	}
 
 	resp, err := client.Do(req)
@@ -80,7 +80,7 @@ func mergeDERPMaps(derpMaps []*tailcfg.DERPMap) *tailcfg.DERPMap {
 	return &result
 }
 
-func GetDERPMap(cfg DERPConfig) *tailcfg.DERPMap {
+func GetDERPMap(cfg types.DERPConfig) *tailcfg.DERPMap {
 	derpMaps := make([]*tailcfg.DERPMap, 0)
 
 	for _, path := range cfg.Paths {
@@ -132,26 +132,3 @@ func GetDERPMap(cfg DERPConfig) *tailcfg.DERPMap {
 
 	return derpMap
 }
-
-func (h *Headscale) scheduledDERPMapUpdateWorker(cancelChan <-chan struct{}) {
-	log.Info().
-		Dur("frequency", h.cfg.DERP.UpdateFrequency).
-		Msg("Setting up a DERPMap update worker")
-	ticker := time.NewTicker(h.cfg.DERP.UpdateFrequency)
-
-	for {
-		select {
-		case <-cancelChan:
-			return
-
-		case <-ticker.C:
-			log.Info().Msg("Fetching DERPMap updates")
-			h.DERPMap = GetDERPMap(h.cfg.DERP)
-			if h.cfg.DERP.ServerEnabled {
-				h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region
-			}
-
-			h.setLastStateChangeToNow()
-		}
-	}
-}

hscontrol/derp/server/derp_server.go

@@ -1,4 +1,4 @@
-package hscontrol
+package server
 
 import (
 	"context"
@@ -12,6 +12,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog/log"
 	"tailscale.com/derp"
 	"tailscale.com/net/stun"
@@ -26,23 +27,30 @@ import (
 const fastStartHeader = "Derp-Fast-Start"
 
 type DERPServer struct {
+	serverURL     string
+	key           key.NodePrivate
+	cfg           *types.DERPConfig
 	tailscaleDERP *derp.Server
-	region        tailcfg.DERPRegion
 }
 
-func (h *Headscale) NewDERPServer() (*DERPServer, error) {
+func NewDERPServer(
+	serverURL string,
+	derpKey key.NodePrivate,
+	cfg *types.DERPConfig,
+) (*DERPServer, error) {
 	log.Trace().Caller().Msg("Creating new embedded DERP server")
-	server := derp.NewServer(key.NodePrivate(*h.privateKey), log.Info().Msgf)
-	region, err := h.generateRegionLocalDERP()
-	if err != nil {
-		return nil, err
-	}
+	server := derp.NewServer(derpKey, log.Debug().Msgf)
 
-	return &DERPServer{server, region}, nil
+	return &DERPServer{
+		serverURL:     serverURL,
+		key:           derpKey,
+		cfg:           cfg,
+		tailscaleDERP: server,
+	}, nil
 }
 
-func (h *Headscale) generateRegionLocalDERP() (tailcfg.DERPRegion, error) {
-	serverURL, err := url.Parse(h.cfg.ServerURL)
+func (d *DERPServer) GenerateRegion() (tailcfg.DERPRegion, error) {
+	serverURL, err := url.Parse(d.serverURL)
 	if err != nil {
 		return tailcfg.DERPRegion{}, err
 	}
@@ -65,21 +73,21 @@ func (h *Headscale) generateRegionLocalDERP() (tailcfg.DERPRegion, error) {
 	}
 
 	localDERPregion := tailcfg.DERPRegion{
-		RegionID:   h.cfg.DERP.ServerRegionID,
-		RegionCode: h.cfg.DERP.ServerRegionCode,
-		RegionName: h.cfg.DERP.ServerRegionName,
+		RegionID:   d.cfg.ServerRegionID,
+		RegionCode: d.cfg.ServerRegionCode,
+		RegionName: d.cfg.ServerRegionName,
 		Avoid:      false,
 		Nodes: []*tailcfg.DERPNode{
 			{
-				Name:     fmt.Sprintf("%d", h.cfg.DERP.ServerRegionID),
-				RegionID: h.cfg.DERP.ServerRegionID,
+				Name:     fmt.Sprintf("%d", d.cfg.ServerRegionID),
+				RegionID: d.cfg.ServerRegionID,
 				HostName: host,
 				DERPPort: port,
 			},
 		},
 	}
 
-	_, portSTUNStr, err := net.SplitHostPort(h.cfg.DERP.STUNAddr)
+	_, portSTUNStr, err := net.SplitHostPort(d.cfg.STUNAddr)
 	if err != nil {
 		return tailcfg.DERPRegion{}, err
 	}
@@ -94,7 +102,7 @@ func (h *Headscale) generateRegionLocalDERP() (tailcfg.DERPRegion, error) {
 	return localDERPregion, nil
 }
 
-func (h *Headscale) DERPHandler(
+func (d *DERPServer) DERPHandler(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
@@ -156,7 +164,7 @@ func (h *Headscale) DERPHandler(
 	log.Trace().Caller().Msgf("Hijacked connection from %v", req.RemoteAddr)
 
 	if !fastStart {
-		pubKey := h.privateKey.Public()
+		pubKey := d.key.Public()
 		pubKeyStr, _ := pubKey.MarshalText() //nolint
 		fmt.Fprintf(conn, "HTTP/1.1 101 Switching Protocols\r\n"+
 			"Upgrade: DERP\r\n"+
@@ -167,12 +175,12 @@ func (h *Headscale) DERPHandler(
 			string(pubKeyStr))
 	}
 
-	h.DERPServer.tailscaleDERP.Accept(req.Context(), netConn, conn, netConn.RemoteAddr().String())
+	d.tailscaleDERP.Accept(req.Context(), netConn, conn, netConn.RemoteAddr().String())
 }
 
 // DERPProbeHandler is the endpoint that js/wasm clients hit to measure
 // DERP latency, since they can't do UDP STUN queries.
-func (h *Headscale) DERPProbeHandler(
+func DERPProbeHandler(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
@@ -199,43 +207,47 @@ func (h *Headscale) DERPProbeHandler(
 // The initial implementation is here https://github.com/tailscale/tailscale/pull/1406
 // They have a cache, but not clear if that is really necessary at Headscale, uh, scale.
 // An example implementation is found here https://derp.tailscale.com/bootstrap-dns
-func (h *Headscale) DERPBootstrapDNSHandler(
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
-	dnsEntries := make(map[string][]net.IP)
+func DERPBootstrapDNSHandler(
+	derpMap *tailcfg.DERPMap,
+) func(http.ResponseWriter, *http.Request) {
+	return func(
+		writer http.ResponseWriter,
+		req *http.Request,
+	) {
+		dnsEntries := make(map[string][]net.IP)
 
-	resolvCtx, cancel := context.WithTimeout(req.Context(), time.Minute)
-	defer cancel()
-	var resolver net.Resolver
-	for _, region := range h.DERPMap.Regions {
-		for _, node := range region.Nodes { // we don't care if we override some nodes
-			addrs, err := resolver.LookupIP(resolvCtx, "ip", node.HostName)
-			if err != nil {
-				log.Trace().
-					Caller().
-					Err(err).
-					Msgf("bootstrap DNS lookup failed %q", node.HostName)
+		resolvCtx, cancel := context.WithTimeout(req.Context(), time.Minute)
+		defer cancel()
+		var resolver net.Resolver
+		for _, region := range derpMap.Regions {
+			for _, node := range region.Nodes { // we don't care if we override some nodes
+				addrs, err := resolver.LookupIP(resolvCtx, "ip", node.HostName)
+				if err != nil {
+					log.Trace().
+						Caller().
+						Err(err).
+						Msgf("bootstrap DNS lookup failed %q", node.HostName)
 
-				continue
+					continue
+				}
+				dnsEntries[node.HostName] = addrs
 			}
-			dnsEntries[node.HostName] = addrs
 		}
-	}
-	writer.Header().Set("Content-Type", "application/json")
-	writer.WriteHeader(http.StatusOK)
-	err := json.NewEncoder(writer).Encode(dnsEntries)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
+		writer.Header().Set("Content-Type", "application/json")
+		writer.WriteHeader(http.StatusOK)
+		err := json.NewEncoder(writer).Encode(dnsEntries)
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
 	}
 }
 
 // ServeSTUN starts a STUN server on the configured addr.
-func (h *Headscale) ServeSTUN() {
-	packetConn, err := net.ListenPacket("udp", h.cfg.DERP.STUNAddr)
+func (d *DERPServer) ServeSTUN() {
+	packetConn, err := net.ListenPacket("udp", d.cfg.STUNAddr)
 	if err != nil {
 		log.Fatal().Msgf("failed to open STUN listener: %v", err)
 	}

hscontrol/dns_test.go

@@ -1,394 +0,0 @@
-package hscontrol
-
-import (
-	"fmt"
-	"net/netip"
-
-	"gopkg.in/check.v1"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/dnstype"
-)
-
-func (s *Suite) TestMagicDNSRootDomains100(c *check.C) {
-	prefixes := []netip.Prefix{
-		netip.MustParsePrefix("100.64.0.0/10"),
-	}
-	domains := generateMagicDNSRootDomains(prefixes)
-
-	found := false
-	for _, domain := range domains {
-		if domain == "64.100.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-
-	found = false
-	for _, domain := range domains {
-		if domain == "100.100.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-
-	found = false
-	for _, domain := range domains {
-		if domain == "127.100.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-}
-
-func (s *Suite) TestMagicDNSRootDomains172(c *check.C) {
-	prefixes := []netip.Prefix{
-		netip.MustParsePrefix("172.16.0.0/16"),
-	}
-	domains := generateMagicDNSRootDomains(prefixes)
-
-	found := false
-	for _, domain := range domains {
-		if domain == "0.16.172.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-
-	found = false
-	for _, domain := range domains {
-		if domain == "255.16.172.in-addr.arpa." {
-			found = true
-
-			break
-		}
-	}
-	c.Assert(found, check.Equals, true)
-}
-
-// Happens when netmask is a multiple of 4 bits (sounds likely).
-func (s *Suite) TestMagicDNSRootDomainsIPv6Single(c *check.C) {
-	prefixes := []netip.Prefix{
-		netip.MustParsePrefix("fd7a:115c:a1e0::/48"),
-	}
-	domains := generateMagicDNSRootDomains(prefixes)
-
-	c.Assert(len(domains), check.Equals, 1)
-	c.Assert(
-		domains[0].WithTrailingDot(),
-		check.Equals,
-		"0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.",
-	)
-}
-
-func (s *Suite) TestMagicDNSRootDomainsIPv6SingleMultiple(c *check.C) {
-	prefixes := []netip.Prefix{
-		netip.MustParsePrefix("fd7a:115c:a1e0::/50"),
-	}
-	domains := generateMagicDNSRootDomains(prefixes)
-
-	yieldsRoot := func(dom string) bool {
-		for _, candidate := range domains {
-			if candidate.WithTrailingDot() == dom {
-				return true
-			}
-		}
-
-		return false
-	}
-
-	c.Assert(len(domains), check.Equals, 4)
-	c.Assert(yieldsRoot("0.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), check.Equals, true)
-	c.Assert(yieldsRoot("1.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), check.Equals, true)
-	c.Assert(yieldsRoot("2.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), check.Equals, true)
-	c.Assert(yieldsRoot("3.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), check.Equals, true)
-}
-
-func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
-	userShared1, err := app.CreateUser("shared1")
-	c.Assert(err, check.IsNil)
-
-	userShared2, err := app.CreateUser("shared2")
-	c.Assert(err, check.IsNil)
-
-	userShared3, err := app.CreateUser("shared3")
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared1, err := app.CreatePreAuthKey(
-		userShared1.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared2, err := app.CreatePreAuthKey(
-		userShared2.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared3, err := app.CreatePreAuthKey(
-		userShared3.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	PreAuthKey2InShared1, err := app.CreatePreAuthKey(
-		userShared1.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	_, err = app.GetMachine(userShared1.Name, "test_get_shared_nodes_1")
-	c.Assert(err, check.NotNil)
-
-	machineInShared1 := &Machine{
-		ID:             1,
-		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		Hostname:       "test_get_shared_nodes_1",
-		UserID:         userShared1.ID,
-		User:           *userShared1,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.1")},
-		AuthKeyID:      uint(preAuthKeyInShared1.ID),
-	}
-	app.db.Save(machineInShared1)
-
-	_, err = app.GetMachine(userShared1.Name, machineInShared1.Hostname)
-	c.Assert(err, check.IsNil)
-
-	machineInShared2 := &Machine{
-		ID:             2,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:       "test_get_shared_nodes_2",
-		UserID:         userShared2.ID,
-		User:           *userShared2,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.2")},
-		AuthKeyID:      uint(preAuthKeyInShared2.ID),
-	}
-	app.db.Save(machineInShared2)
-
-	_, err = app.GetMachine(userShared2.Name, machineInShared2.Hostname)
-	c.Assert(err, check.IsNil)
-
-	machineInShared3 := &Machine{
-		ID:             3,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:       "test_get_shared_nodes_3",
-		UserID:         userShared3.ID,
-		User:           *userShared3,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.3")},
-		AuthKeyID:      uint(preAuthKeyInShared3.ID),
-	}
-	app.db.Save(machineInShared3)
-
-	_, err = app.GetMachine(userShared3.Name, machineInShared3.Hostname)
-	c.Assert(err, check.IsNil)
-
-	machine2InShared1 := &Machine{
-		ID:             4,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:       "test_get_shared_nodes_4",
-		UserID:         userShared1.ID,
-		User:           *userShared1,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.4")},
-		AuthKeyID:      uint(PreAuthKey2InShared1.ID),
-	}
-	app.db.Save(machine2InShared1)
-
-	baseDomain := "foobar.headscale.net"
-	dnsConfigOrig := tailcfg.DNSConfig{
-		Routes:  make(map[string][]*dnstype.Resolver),
-		Domains: []string{baseDomain},
-		Proxied: true,
-	}
-
-	peersOfMachineInShared1, err := app.getPeers(machineInShared1)
-	c.Assert(err, check.IsNil)
-
-	dnsConfig := getMapResponseDNSConfig(
-		&dnsConfigOrig,
-		baseDomain,
-		*machineInShared1,
-		peersOfMachineInShared1,
-	)
-	c.Assert(dnsConfig, check.NotNil)
-
-	c.Assert(len(dnsConfig.Routes), check.Equals, 3)
-
-	domainRouteShared1 := fmt.Sprintf("%s.%s", userShared1.Name, baseDomain)
-	_, ok := dnsConfig.Routes[domainRouteShared1]
-	c.Assert(ok, check.Equals, true)
-
-	domainRouteShared2 := fmt.Sprintf("%s.%s", userShared2.Name, baseDomain)
-	_, ok = dnsConfig.Routes[domainRouteShared2]
-	c.Assert(ok, check.Equals, true)
-
-	domainRouteShared3 := fmt.Sprintf("%s.%s", userShared3.Name, baseDomain)
-	_, ok = dnsConfig.Routes[domainRouteShared3]
-	c.Assert(ok, check.Equals, true)
-}
-
-func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
-	userShared1, err := app.CreateUser("shared1")
-	c.Assert(err, check.IsNil)
-
-	userShared2, err := app.CreateUser("shared2")
-	c.Assert(err, check.IsNil)
-
-	userShared3, err := app.CreateUser("shared3")
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared1, err := app.CreatePreAuthKey(
-		userShared1.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared2, err := app.CreatePreAuthKey(
-		userShared2.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKeyInShared3, err := app.CreatePreAuthKey(
-		userShared3.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	preAuthKey2InShared1, err := app.CreatePreAuthKey(
-		userShared1.Name,
-		false,
-		false,
-		nil,
-		nil,
-	)
-	c.Assert(err, check.IsNil)
-
-	_, err = app.GetMachine(userShared1.Name, "test_get_shared_nodes_1")
-	c.Assert(err, check.NotNil)
-
-	machineInShared1 := &Machine{
-		ID:             1,
-		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		Hostname:       "test_get_shared_nodes_1",
-		UserID:         userShared1.ID,
-		User:           *userShared1,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.1")},
-		AuthKeyID:      uint(preAuthKeyInShared1.ID),
-	}
-	app.db.Save(machineInShared1)
-
-	_, err = app.GetMachine(userShared1.Name, machineInShared1.Hostname)
-	c.Assert(err, check.IsNil)
-
-	machineInShared2 := &Machine{
-		ID:             2,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:       "test_get_shared_nodes_2",
-		UserID:         userShared2.ID,
-		User:           *userShared2,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.2")},
-		AuthKeyID:      uint(preAuthKeyInShared2.ID),
-	}
-	app.db.Save(machineInShared2)
-
-	_, err = app.GetMachine(userShared2.Name, machineInShared2.Hostname)
-	c.Assert(err, check.IsNil)
-
-	machineInShared3 := &Machine{
-		ID:             3,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:       "test_get_shared_nodes_3",
-		UserID:         userShared3.ID,
-		User:           *userShared3,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.3")},
-		AuthKeyID:      uint(preAuthKeyInShared3.ID),
-	}
-	app.db.Save(machineInShared3)
-
-	_, err = app.GetMachine(userShared3.Name, machineInShared3.Hostname)
-	c.Assert(err, check.IsNil)
-
-	machine2InShared1 := &Machine{
-		ID:             4,
-		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:       "test_get_shared_nodes_4",
-		UserID:         userShared1.ID,
-		User:           *userShared1,
-		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.4")},
-		AuthKeyID:      uint(preAuthKey2InShared1.ID),
-	}
-	app.db.Save(machine2InShared1)
-
-	baseDomain := "foobar.headscale.net"
-	dnsConfigOrig := tailcfg.DNSConfig{
-		Routes:  make(map[string][]*dnstype.Resolver),
-		Domains: []string{baseDomain},
-		Proxied: false,
-	}
-
-	peersOfMachine1Shared1, err := app.getPeers(machineInShared1)
-	c.Assert(err, check.IsNil)
-
-	dnsConfig := getMapResponseDNSConfig(
-		&dnsConfigOrig,
-		baseDomain,
-		*machineInShared1,
-		peersOfMachine1Shared1,
-	)
-	c.Assert(dnsConfig, check.NotNil)
-	c.Assert(len(dnsConfig.Routes), check.Equals, 0)
-	c.Assert(len(dnsConfig.Domains), check.Equals, 1)
-}

hscontrol/grpcv1.go

@@ -8,6 +8,8 @@ import (
 	"time"
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -30,48 +32,48 @@ func (api headscaleV1APIServer) GetUser(
 	ctx context.Context,
 	request *v1.GetUserRequest,
 ) (*v1.GetUserResponse, error) {
-	user, err := api.h.GetUser(request.GetName())
+	user, err := api.h.db.GetUser(request.GetName())
 	if err != nil {
 		return nil, err
 	}
 
-	return &v1.GetUserResponse{User: user.toProto()}, nil
+	return &v1.GetUserResponse{User: user.Proto()}, nil
 }
 
 func (api headscaleV1APIServer) CreateUser(
 	ctx context.Context,
 	request *v1.CreateUserRequest,
 ) (*v1.CreateUserResponse, error) {
-	user, err := api.h.CreateUser(request.GetName())
+	user, err := api.h.db.CreateUser(request.GetName())
 	if err != nil {
 		return nil, err
 	}
 
-	return &v1.CreateUserResponse{User: user.toProto()}, nil
+	return &v1.CreateUserResponse{User: user.Proto()}, nil
 }
 
 func (api headscaleV1APIServer) RenameUser(
 	ctx context.Context,
 	request *v1.RenameUserRequest,
 ) (*v1.RenameUserResponse, error) {
-	err := api.h.RenameUser(request.GetOldName(), request.GetNewName())
+	err := api.h.db.RenameUser(request.GetOldName(), request.GetNewName())
 	if err != nil {
 		return nil, err
 	}
 
-	user, err := api.h.GetUser(request.GetNewName())
+	user, err := api.h.db.GetUser(request.GetNewName())
 	if err != nil {
 		return nil, err
 	}
 
-	return &v1.RenameUserResponse{User: user.toProto()}, nil
+	return &v1.RenameUserResponse{User: user.Proto()}, nil
 }
 
 func (api headscaleV1APIServer) DeleteUser(
 	ctx context.Context,
 	request *v1.DeleteUserRequest,
 ) (*v1.DeleteUserResponse, error) {
-	err := api.h.DestroyUser(request.GetName())
+	err := api.h.db.DestroyUser(request.GetName())
 	if err != nil {
 		return nil, err
 	}
@@ -83,14 +85,14 @@ func (api headscaleV1APIServer) ListUsers(
 	ctx context.Context,
 	request *v1.ListUsersRequest,
 ) (*v1.ListUsersResponse, error) {
-	users, err := api.h.ListUsers()
+	users, err := api.h.db.ListUsers()
 	if err != nil {
 		return nil, err
 	}
 
 	response := make([]*v1.User, len(users))
 	for index, user := range users {
-		response[index] = user.toProto()
+		response[index] = user.Proto()
 	}
 
 	log.Trace().Caller().Interface("users", response).Msg("")
@@ -116,7 +118,7 @@ func (api headscaleV1APIServer) CreatePreAuthKey(
 		}
 	}
 
-	preAuthKey, err := api.h.CreatePreAuthKey(
+	preAuthKey, err := api.h.db.CreatePreAuthKey(
 		request.GetUser(),
 		request.GetReusable(),
 		request.GetEphemeral(),
@@ -127,19 +129,19 @@ func (api headscaleV1APIServer) CreatePreAuthKey(
 		return nil, err
 	}
 
-	return &v1.CreatePreAuthKeyResponse{PreAuthKey: preAuthKey.toProto()}, nil
+	return &v1.CreatePreAuthKeyResponse{PreAuthKey: preAuthKey.Proto()}, nil
 }
 
 func (api headscaleV1APIServer) ExpirePreAuthKey(
 	ctx context.Context,
 	request *v1.ExpirePreAuthKeyRequest,
 ) (*v1.ExpirePreAuthKeyResponse, error) {
-	preAuthKey, err := api.h.GetPreAuthKey(request.GetUser(), request.Key)
+	preAuthKey, err := api.h.db.GetPreAuthKey(request.GetUser(), request.Key)
 	if err != nil {
 		return nil, err
 	}
 
-	err = api.h.ExpirePreAuthKey(preAuthKey)
+	err = api.h.db.ExpirePreAuthKey(preAuthKey)
 	if err != nil {
 		return nil, err
 	}
@@ -151,14 +153,14 @@ func (api headscaleV1APIServer) ListPreAuthKeys(
 	ctx context.Context,
 	request *v1.ListPreAuthKeysRequest,
 ) (*v1.ListPreAuthKeysResponse, error) {
-	preAuthKeys, err := api.h.ListPreAuthKeys(request.GetUser())
+	preAuthKeys, err := api.h.db.ListPreAuthKeys(request.GetUser())
 	if err != nil {
 		return nil, err
 	}
 
 	response := make([]*v1.PreAuthKey, len(preAuthKeys))
 	for index, key := range preAuthKeys {
-		response[index] = key.toProto()
+		response[index] = key.Proto()
 	}
 
 	return &v1.ListPreAuthKeysResponse{PreAuthKeys: response}, nil
@@ -173,36 +175,37 @@ func (api headscaleV1APIServer) RegisterMachine(
 		Str("node_key", request.GetKey()).
 		Msg("Registering machine")
 
-	machine, err := api.h.RegisterMachineFromAuthCallback(
+	machine, err := api.h.db.RegisterMachineFromAuthCallback(
+		api.h.registrationCache,
 		request.GetKey(),
 		request.GetUser(),
 		nil,
-		RegisterMethodCLI,
+		util.RegisterMethodCLI,
 	)
 	if err != nil {
 		return nil, err
 	}
 
-	return &v1.RegisterMachineResponse{Machine: machine.toProto()}, nil
+	return &v1.RegisterMachineResponse{Machine: machine.Proto()}, nil
 }
 
 func (api headscaleV1APIServer) GetMachine(
 	ctx context.Context,
 	request *v1.GetMachineRequest,
 ) (*v1.GetMachineResponse, error) {
-	machine, err := api.h.GetMachineByID(request.GetMachineId())
+	machine, err := api.h.db.GetMachineByID(request.GetMachineId())
 	if err != nil {
 		return nil, err
 	}
 
-	return &v1.GetMachineResponse{Machine: machine.toProto()}, nil
+	return &v1.GetMachineResponse{Machine: machine.Proto()}, nil
 }
 
 func (api headscaleV1APIServer) SetTags(
 	ctx context.Context,
 	request *v1.SetTagsRequest,
 ) (*v1.SetTagsResponse, error) {
-	machine, err := api.h.GetMachineByID(request.GetMachineId())
+	machine, err := api.h.db.GetMachineByID(request.GetMachineId())
 	if err != nil {
 		return nil, err
 	}
@@ -216,7 +219,7 @@ func (api headscaleV1APIServer) SetTags(
 		}
 	}
 
-	err = api.h.SetTags(machine, request.GetTags())
+	err = api.h.db.SetTags(machine, request.GetTags())
 	if err != nil {
 		return &v1.SetTagsResponse{
 			Machine: nil,
@@ -228,7 +231,7 @@ func (api headscaleV1APIServer) SetTags(
 		Strs("tags", request.GetTags()).
 		Msg("Changing tags of machine")
 
-	return &v1.SetTagsResponse{Machine: machine.toProto()}, nil
+	return &v1.SetTagsResponse{Machine: machine.Proto()}, nil
 }
 
 func validateTag(tag string) error {
@@ -248,12 +251,12 @@ func (api headscaleV1APIServer) DeleteMachine(
 	ctx context.Context,
 	request *v1.DeleteMachineRequest,
 ) (*v1.DeleteMachineResponse, error) {
-	machine, err := api.h.GetMachineByID(request.GetMachineId())
+	machine, err := api.h.db.GetMachineByID(request.GetMachineId())
 	if err != nil {
 		return nil, err
 	}
 
-	err = api.h.DeleteMachine(
+	err = api.h.db.DeleteMachine(
 		machine,
 	)
 	if err != nil {
@@ -267,12 +270,12 @@ func (api headscaleV1APIServer) ExpireMachine(
 	ctx context.Context,
 	request *v1.ExpireMachineRequest,
 ) (*v1.ExpireMachineResponse, error) {
-	machine, err := api.h.GetMachineByID(request.GetMachineId())
+	machine, err := api.h.db.GetMachineByID(request.GetMachineId())
 	if err != nil {
 		return nil, err
 	}
 
-	api.h.ExpireMachine(
+	api.h.db.ExpireMachine(
 		machine,
 	)
 
@@ -281,19 +284,19 @@ func (api headscaleV1APIServer) ExpireMachine(
 		Time("expiry", *machine.Expiry).
 		Msg("machine expired")
 
-	return &v1.ExpireMachineResponse{Machine: machine.toProto()}, nil
+	return &v1.ExpireMachineResponse{Machine: machine.Proto()}, nil
 }
 
 func (api headscaleV1APIServer) RenameMachine(
 	ctx context.Context,
 	request *v1.RenameMachineRequest,
 ) (*v1.RenameMachineResponse, error) {
-	machine, err := api.h.GetMachineByID(request.GetMachineId())
+	machine, err := api.h.db.GetMachineByID(request.GetMachineId())
 	if err != nil {
 		return nil, err
 	}
 
-	err = api.h.RenameMachine(
+	err = api.h.db.RenameMachine(
 		machine,
 		request.GetNewName(),
 	)
@@ -306,7 +309,7 @@ func (api headscaleV1APIServer) RenameMachine(
 		Str("new_name", request.GetNewName()).
 		Msg("machine renamed")
 
-	return &v1.RenameMachineResponse{Machine: machine.toProto()}, nil
+	return &v1.RenameMachineResponse{Machine: machine.Proto()}, nil
 }
 
 func (api headscaleV1APIServer) ListMachines(
@@ -314,31 +317,29 @@ func (api headscaleV1APIServer) ListMachines(
 	request *v1.ListMachinesRequest,
 ) (*v1.ListMachinesResponse, error) {
 	if request.GetUser() != "" {
-		machines, err := api.h.ListMachinesByUser(request.GetUser())
+		machines, err := api.h.db.ListMachinesByUser(request.GetUser())
 		if err != nil {
 			return nil, err
 		}
 
 		response := make([]*v1.Machine, len(machines))
 		for index, machine := range machines {
-			response[index] = machine.toProto()
+			response[index] = machine.Proto()
 		}
 
 		return &v1.ListMachinesResponse{Machines: response}, nil
 	}
 
-	machines, err := api.h.ListMachines()
+	machines, err := api.h.db.ListMachines()
 	if err != nil {
 		return nil, err
 	}
 
 	response := make([]*v1.Machine, len(machines))
 	for index, machine := range machines {
-		m := machine.toProto()
-		validTags, invalidTags := getTags(
-			api.h.aclPolicy,
+		m := machine.Proto()
+		validTags, invalidTags := api.h.ACLPolicy.TagsOfMachine(
 			machine,
-			api.h.cfg.OIDC.StripEmaildomain,
 		)
 		m.InvalidTags = invalidTags
 		m.ValidTags = validTags
@@ -352,30 +353,30 @@ func (api headscaleV1APIServer) MoveMachine(
 	ctx context.Context,
 	request *v1.MoveMachineRequest,
 ) (*v1.MoveMachineResponse, error) {
-	machine, err := api.h.GetMachineByID(request.GetMachineId())
+	machine, err := api.h.db.GetMachineByID(request.GetMachineId())
 	if err != nil {
 		return nil, err
 	}
 
-	err = api.h.SetMachineUser(machine, request.GetUser())
+	err = api.h.db.SetMachineUser(machine, request.GetUser())
 	if err != nil {
 		return nil, err
 	}
 
-	return &v1.MoveMachineResponse{Machine: machine.toProto()}, nil
+	return &v1.MoveMachineResponse{Machine: machine.Proto()}, nil
 }
 
 func (api headscaleV1APIServer) GetRoutes(
 	ctx context.Context,
 	request *v1.GetRoutesRequest,
 ) (*v1.GetRoutesResponse, error) {
-	routes, err := api.h.GetRoutes()
+	routes, err := api.h.db.GetRoutes()
 	if err != nil {
 		return nil, err
 	}
 
 	return &v1.GetRoutesResponse{
-		Routes: Routes(routes).toProto(),
+		Routes: types.Routes(routes).Proto(),
 	}, nil
 }
 
@@ -383,7 +384,7 @@ func (api headscaleV1APIServer) EnableRoute(
 	ctx context.Context,
 	request *v1.EnableRouteRequest,
 ) (*v1.EnableRouteResponse, error) {
-	err := api.h.EnableRoute(request.GetRouteId())
+	err := api.h.db.EnableRoute(request.GetRouteId())
 	if err != nil {
 		return nil, err
 	}
@@ -395,7 +396,7 @@ func (api headscaleV1APIServer) DisableRoute(
 	ctx context.Context,
 	request *v1.DisableRouteRequest,
 ) (*v1.DisableRouteResponse, error) {
-	err := api.h.DisableRoute(request.GetRouteId())
+	err := api.h.db.DisableRoute(request.GetRouteId())
 	if err != nil {
 		return nil, err
 	}
@@ -407,18 +408,18 @@ func (api headscaleV1APIServer) GetMachineRoutes(
 	ctx context.Context,
 	request *v1.GetMachineRoutesRequest,
 ) (*v1.GetMachineRoutesResponse, error) {
-	machine, err := api.h.GetMachineByID(request.GetMachineId())
+	machine, err := api.h.db.GetMachineByID(request.GetMachineId())
 	if err != nil {
 		return nil, err
 	}
 
-	routes, err := api.h.GetMachineRoutes(machine)
+	routes, err := api.h.db.GetMachineRoutes(machine)
 	if err != nil {
 		return nil, err
 	}
 
 	return &v1.GetMachineRoutesResponse{
-		Routes: Routes(routes).toProto(),
+		Routes: types.Routes(routes).Proto(),
 	}, nil
 }
 
@@ -426,7 +427,7 @@ func (api headscaleV1APIServer) DeleteRoute(
 	ctx context.Context,
 	request *v1.DeleteRouteRequest,
 ) (*v1.DeleteRouteResponse, error) {
-	err := api.h.DeleteRoute(request.GetRouteId())
+	err := api.h.db.DeleteRoute(request.GetRouteId())
 	if err != nil {
 		return nil, err
 	}
@@ -443,7 +444,7 @@ func (api headscaleV1APIServer) CreateApiKey(
 		expiration = request.GetExpiration().AsTime()
 	}
 
-	apiKey, _, err := api.h.CreateAPIKey(
+	apiKey, _, err := api.h.db.CreateAPIKey(
 		&expiration,
 	)
 	if err != nil {
@@ -457,15 +458,15 @@ func (api headscaleV1APIServer) ExpireApiKey(
 	ctx context.Context,
 	request *v1.ExpireApiKeyRequest,
 ) (*v1.ExpireApiKeyResponse, error) {
-	var apiKey *APIKey
+	var apiKey *types.APIKey
 	var err error
 
-	apiKey, err = api.h.GetAPIKey(request.Prefix)
+	apiKey, err = api.h.db.GetAPIKey(request.Prefix)
 	if err != nil {
 		return nil, err
 	}
 
-	err = api.h.ExpireAPIKey(apiKey)
+	err = api.h.db.ExpireAPIKey(apiKey)
 	if err != nil {
 		return nil, err
 	}
@@ -477,14 +478,14 @@ func (api headscaleV1APIServer) ListApiKeys(
 	ctx context.Context,
 	request *v1.ListApiKeysRequest,
 ) (*v1.ListApiKeysResponse, error) {
-	apiKeys, err := api.h.ListAPIKeys()
+	apiKeys, err := api.h.db.ListAPIKeys()
 	if err != nil {
 		return nil, err
 	}
 
 	response := make([]*v1.ApiKey, len(apiKeys))
 	for index, key := range apiKeys {
-		response[index] = key.toProto()
+		response[index] = key.Proto()
 	}
 
 	return &v1.ListApiKeysResponse{ApiKeys: response}, nil
@@ -495,12 +496,12 @@ func (api headscaleV1APIServer) DebugCreateMachine(
 	ctx context.Context,
 	request *v1.DebugCreateMachineRequest,
 ) (*v1.DebugCreateMachineResponse, error) {
-	user, err := api.h.GetUser(request.GetUser())
+	user, err := api.h.db.GetUser(request.GetUser())
 	if err != nil {
 		return nil, err
 	}
 
-	routes, err := stringToIPPrefix(request.GetRoutes())
+	routes, err := util.StringToIPPrefix(request.GetRoutes())
 	if err != nil {
 		return nil, err
 	}
@@ -517,12 +518,12 @@ func (api headscaleV1APIServer) DebugCreateMachine(
 		Hostname:    "DebugTestMachine",
 	}
 
-	givenName, err := api.h.GenerateGivenName(request.GetKey(), request.GetName())
+	givenName, err := api.h.db.GenerateGivenName(request.GetKey(), request.GetName())
 	if err != nil {
 		return nil, err
 	}
 
-	newMachine := Machine{
+	newMachine := types.Machine{
 		MachineKey: request.GetKey(),
 		Hostname:   request.GetName(),
 		GivenName:  givenName,
@@ -532,7 +533,7 @@ func (api headscaleV1APIServer) DebugCreateMachine(
 		LastSeen:             &time.Time{},
 		LastSuccessfulUpdate: &time.Time{},
 
-		HostInfo: HostInfo(hostinfo),
+		HostInfo: types.HostInfo(hostinfo),
 	}
 
 	nodeKey := key.NodePublic{}
@@ -542,12 +543,12 @@ func (api headscaleV1APIServer) DebugCreateMachine(
 	}
 
 	api.h.registrationCache.Set(
-		NodePublicKeyStripPrefix(nodeKey),
+		util.NodePublicKeyStripPrefix(nodeKey),
 		newMachine,
 		registerCacheExpiration,
 	)
 
-	return &v1.DebugCreateMachineResponse{Machine: newMachine.toProto()}, nil
+	return &v1.DebugCreateMachineResponse{Machine: newMachine.Proto()}, nil
 }
 
 func (api headscaleV1APIServer) mustEmbedUnimplementedHeadscaleServiceServer() {}

hscontrol/handlers.go

@@ -3,27 +3,103 @@ package hscontrol
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"html/template"
 	"net/http"
+	"strconv"
 	"time"
 
 	"github.com/gorilla/mux"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
+	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 )
 
 const (
+	// The CapabilityVersion is used by Tailscale clients to indicate
+	// their codebase version. Tailscale clients can communicate over TS2021
+	// from CapabilityVersion 28, but we only have good support for it
+	// since https://github.com/tailscale/tailscale/pull/4323 (Noise in any HTTPS port).
+	//
+	// Related to this change, there is https://github.com/tailscale/tailscale/pull/5379,
+	// where CapabilityVersion 39 is introduced to indicate #4323 was merged.
+	//
+	// See also https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go
+	NoiseCapabilityVersion = 39
+
 	// TODO(juan): remove this once https://github.com/juanfont/headscale/issues/727 is fixed.
-	registrationHoldoff                      = time.Second * 5
-	reservedResponseHeaderSize               = 4
-	RegisterMethodAuthKey                    = "authkey"
-	RegisterMethodOIDC                       = "oidc"
-	RegisterMethodCLI                        = "cli"
-	ErrRegisterMethodCLIDoesNotSupportExpire = Error(
-		"machines registered with CLI does not support expire",
-	)
+	registrationHoldoff        = time.Second * 5
+	reservedResponseHeaderSize = 4
 )
 
+var ErrRegisterMethodCLIDoesNotSupportExpire = errors.New(
+	"machines registered with CLI does not support expire",
+)
+
+// KeyHandler provides the Headscale pub key
+// Listens in /key.
+func (h *Headscale) KeyHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	// New Tailscale clients send a 'v' parameter to indicate the CurrentCapabilityVersion
+	clientCapabilityStr := req.URL.Query().Get("v")
+	if clientCapabilityStr != "" {
+		log.Debug().
+			Str("handler", "/key").
+			Str("v", clientCapabilityStr).
+			Msg("New noise client")
+		clientCapabilityVersion, err := strconv.Atoi(clientCapabilityStr)
+		if err != nil {
+			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			writer.WriteHeader(http.StatusBadRequest)
+			_, err := writer.Write([]byte("Wrong params"))
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}
+
+			return
+		}
+
+		// TS2021 (Tailscale v2 protocol) requires to have a different key
+		if clientCapabilityVersion >= NoiseCapabilityVersion {
+			resp := tailcfg.OverTLSPublicKeyResponse{
+				LegacyPublicKey: h.privateKey2019.Public(),
+				PublicKey:       h.noisePrivateKey.Public(),
+			}
+			writer.Header().Set("Content-Type", "application/json")
+			writer.WriteHeader(http.StatusOK)
+			err = json.NewEncoder(writer).Encode(resp)
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}
+
+			return
+		}
+	}
+	log.Debug().
+		Str("handler", "/key").
+		Msg("New legacy client")
+
+	// Old clients don't send a 'v' parameter, so we send the legacy public key
+	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err := writer.Write([]byte(util.MachinePublicKeyStripPrefix(h.privateKey2019.Public())))
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
+}
+
 func (h *Headscale) HealthHandler(
 	writer http.ResponseWriter,
 	req *http.Request,
@@ -53,7 +129,7 @@ func (h *Headscale) HealthHandler(
 		}
 	}
 
-	if err := h.pingDB(req.Context()); err != nil {
+	if err := h.db.PingDB(req.Context()); err != nil {
 		respond(err)
 
 		return
@@ -95,7 +171,7 @@ func (h *Headscale) RegisterWebAPI(
 	vars := mux.Vars(req)
 	nodeKeyStr, ok := vars["nkey"]
 
-	if !NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
+	if !util.NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
 		log.Warn().Str("node_key", nodeKeyStr).Msg("Invalid node key passed to registration url")
 
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
@@ -116,7 +192,7 @@ func (h *Headscale) RegisterWebAPI(
 	// the template and log an error.
 	var nodeKey key.NodePublic
 	err := nodeKey.UnmarshalText(
-		[]byte(NodePublicKeyEnsurePrefix(nodeKeyStr)),
+		[]byte(util.NodePublicKeyEnsurePrefix(nodeKeyStr)),
 	)
 
 	if !ok || nodeKeyStr == "" || err != nil {

hscontrol/mapper/mapper.go

@@ -0,0 +1,435 @@
+package mapper
+
+import (
+	"encoding/binary"
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+
+	mapset "github.com/deckarep/golang-set/v2"
+	"github.com/juanfont/headscale/hscontrol/db"
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"github.com/klauspost/compress/zstd"
+	"github.com/rs/zerolog/log"
+	"github.com/samber/lo"
+	"tailscale.com/smallzstd"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
+	"tailscale.com/types/key"
+)
+
+const (
+	nextDNSDoHPrefix           = "https://dns.nextdns.io"
+	reservedResponseHeaderSize = 4
+)
+
+type Mapper struct {
+	db *db.HSDatabase
+
+	privateKey2019 *key.MachinePrivate
+	isNoise        bool
+
+	// Configuration
+	// TODO(kradalby): figure out if this is the format we want this in
+	derpMap          *tailcfg.DERPMap
+	baseDomain       string
+	dnsCfg           *tailcfg.DNSConfig
+	logtail          bool
+	randomClientPort bool
+}
+
+func NewMapper(
+	db *db.HSDatabase,
+	privateKey *key.MachinePrivate,
+	isNoise bool,
+	derpMap *tailcfg.DERPMap,
+	baseDomain string,
+	dnsCfg *tailcfg.DNSConfig,
+	logtail bool,
+	randomClientPort bool,
+) *Mapper {
+	return &Mapper{
+		db: db,
+
+		privateKey2019: privateKey,
+		isNoise:        isNoise,
+
+		derpMap:          derpMap,
+		baseDomain:       baseDomain,
+		dnsCfg:           dnsCfg,
+		logtail:          logtail,
+		randomClientPort: randomClientPort,
+	}
+}
+
+// TODO: Optimise
+// As this work continues, the idea is that there will be one Mapper instance
+// per node, attached to the open stream between the control and client.
+// This means that this can hold a state per machine and we can use that to
+// improve the mapresponses sent.
+// We could:
+// - Keep information about the previous mapresponse so we can send a diff
+// - Store hashes
+// - Create a "minifier" that removes info not needed for the node
+
+// fullMapResponse is the internal function for generating a MapResponse
+// for a machine.
+func fullMapResponse(
+	pol *policy.ACLPolicy,
+	machine *types.Machine,
+	peers types.Machines,
+
+	baseDomain string,
+	dnsCfg *tailcfg.DNSConfig,
+	derpMap *tailcfg.DERPMap,
+	logtail bool,
+	randomClientPort bool,
+) (*tailcfg.MapResponse, error) {
+	tailnode, err := tailNode(*machine, pol, dnsCfg, baseDomain)
+	if err != nil {
+		return nil, err
+	}
+
+	rules, sshPolicy, err := policy.GenerateFilterAndSSHRules(
+		pol,
+		machine,
+		peers,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	// Filter out peers that have expired.
+	peers = lo.Filter(peers, func(item types.Machine, index int) bool {
+		return !item.IsExpired()
+	})
+
+	// If there are filter rules present, see if there are any machines that cannot
+	// access eachother at all and remove them from the peers.
+	if len(rules) > 0 {
+		peers = policy.FilterMachinesByACL(machine, peers, rules)
+	}
+
+	profiles := generateUserProfiles(machine, peers, baseDomain)
+
+	dnsConfig := generateDNSConfig(
+		dnsCfg,
+		baseDomain,
+		*machine,
+		peers,
+	)
+
+	tailPeers, err := tailNodes(peers, pol, dnsCfg, baseDomain)
+	if err != nil {
+		return nil, err
+	}
+
+	now := time.Now()
+
+	resp := tailcfg.MapResponse{
+		KeepAlive: false,
+		Node:      tailnode,
+
+		// TODO: Only send if updated
+		DERPMap: derpMap,
+
+		// TODO: Only send if updated
+		Peers: tailPeers,
+
+		// TODO(kradalby): Implement:
+		// https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L1351-L1374
+		// PeersChanged
+		// PeersRemoved
+		// PeersChangedPatch
+		// PeerSeenChange
+		// OnlineChange
+
+		// TODO: Only send if updated
+		DNSConfig: dnsConfig,
+
+		// TODO: Only send if updated
+		Domain: baseDomain,
+
+		// Do not instruct clients to collect services, we do not
+		// support or do anything with them
+		CollectServices: "false",
+
+		// TODO: Only send if updated
+		PacketFilter: policy.ReduceFilterRules(machine, rules),
+
+		UserProfiles: profiles,
+
+		// TODO: Only send if updated
+		SSHPolicy: sshPolicy,
+
+		ControlTime: &now,
+
+		Debug: &tailcfg.Debug{
+			DisableLogTail:      !logtail,
+			RandomizeClientPort: randomClientPort,
+		},
+	}
+
+	return &resp, nil
+}
+
+func generateUserProfiles(
+	machine *types.Machine,
+	peers types.Machines,
+	baseDomain string,
+) []tailcfg.UserProfile {
+	userMap := make(map[string]types.User)
+	userMap[machine.User.Name] = machine.User
+	for _, peer := range peers {
+		userMap[peer.User.Name] = peer.User // not worth checking if already is there
+	}
+
+	profiles := []tailcfg.UserProfile{}
+	for _, user := range userMap {
+		displayName := user.Name
+
+		if baseDomain != "" {
+			displayName = fmt.Sprintf("%s@%s", user.Name, baseDomain)
+		}
+
+		profiles = append(profiles,
+			tailcfg.UserProfile{
+				ID:          tailcfg.UserID(user.ID),
+				LoginName:   user.Name,
+				DisplayName: displayName,
+			})
+	}
+
+	return profiles
+}
+
+func generateDNSConfig(
+	base *tailcfg.DNSConfig,
+	baseDomain string,
+	machine types.Machine,
+	peers types.Machines,
+) *tailcfg.DNSConfig {
+	dnsConfig := base.Clone()
+
+	// if MagicDNS is enabled
+	if base != nil && base.Proxied {
+		// Only inject the Search Domain of the current user
+		// shared nodes should use their full FQDN
+		dnsConfig.Domains = append(
+			dnsConfig.Domains,
+			fmt.Sprintf(
+				"%s.%s",
+				machine.User.Name,
+				baseDomain,
+			),
+		)
+
+		userSet := mapset.NewSet[types.User]()
+		userSet.Add(machine.User)
+		for _, p := range peers {
+			userSet.Add(p.User)
+		}
+		for _, user := range userSet.ToSlice() {
+			dnsRoute := fmt.Sprintf("%v.%v", user.Name, baseDomain)
+			dnsConfig.Routes[dnsRoute] = nil
+		}
+	} else {
+		dnsConfig = base
+	}
+
+	addNextDNSMetadata(dnsConfig.Resolvers, machine)
+
+	return dnsConfig
+}
+
+// If any nextdns DoH resolvers are present in the list of resolvers it will
+// take metadata from the machine metadata and instruct tailscale to add it
+// to the requests. This makes it possible to identify from which device the
+// requests come in the NextDNS dashboard.
+//
+// This will produce a resolver like:
+// `https://dns.nextdns.io/<nextdns-id>?device_name=node-name&device_model=linux&device_ip=100.64.0.1`
+func addNextDNSMetadata(resolvers []*dnstype.Resolver, machine types.Machine) {
+	for _, resolver := range resolvers {
+		if strings.HasPrefix(resolver.Addr, nextDNSDoHPrefix) {
+			attrs := url.Values{
+				"device_name":  []string{machine.Hostname},
+				"device_model": []string{machine.HostInfo.OS},
+			}
+
+			if len(machine.IPAddresses) > 0 {
+				attrs.Add("device_ip", machine.IPAddresses[0].String())
+			}
+
+			resolver.Addr = fmt.Sprintf("%s?%s", resolver.Addr, attrs.Encode())
+		}
+	}
+}
+
+// CreateMapResponse returns a MapResponse for the given machine.
+func (m Mapper) CreateMapResponse(
+	mapRequest tailcfg.MapRequest,
+	machine *types.Machine,
+	pol *policy.ACLPolicy,
+) ([]byte, error) {
+	peers, err := m.db.ListPeers(machine)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Cannot fetch peers")
+
+		return nil, err
+	}
+
+	mapResponse, err := fullMapResponse(
+		pol,
+		machine,
+		peers,
+		m.baseDomain,
+		m.dnsCfg,
+		m.derpMap,
+		m.logtail,
+		m.randomClientPort,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	if m.isNoise {
+		return m.marshalMapResponse(mapResponse, key.MachinePublic{}, mapRequest.Compress)
+	}
+
+	var machineKey key.MachinePublic
+	err = machineKey.UnmarshalText([]byte(util.MachinePublicKeyEnsurePrefix(machine.MachineKey)))
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Cannot parse client key")
+
+		return nil, err
+	}
+
+	return m.marshalMapResponse(mapResponse, machineKey, mapRequest.Compress)
+}
+
+func (m Mapper) CreateKeepAliveResponse(
+	mapRequest tailcfg.MapRequest,
+	machine *types.Machine,
+) ([]byte, error) {
+	keepAliveResponse := tailcfg.MapResponse{
+		KeepAlive: true,
+	}
+
+	if m.isNoise {
+		return m.marshalMapResponse(
+			keepAliveResponse,
+			key.MachinePublic{},
+			mapRequest.Compress,
+		)
+	}
+
+	var machineKey key.MachinePublic
+	err := machineKey.UnmarshalText([]byte(util.MachinePublicKeyEnsurePrefix(machine.MachineKey)))
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Cannot parse client key")
+
+		return nil, err
+	}
+
+	return m.marshalMapResponse(keepAliveResponse, machineKey, mapRequest.Compress)
+}
+
+// MarshalResponse takes an Tailscale Response, marhsal it to JSON.
+// If isNoise is set, then the JSON body will be returned
+// If !isNoise and privateKey2019 is set, the JSON body will be sealed in a Nacl box.
+func MarshalResponse(
+	resp interface{},
+	isNoise bool,
+	privateKey2019 *key.MachinePrivate,
+	machineKey key.MachinePublic,
+) ([]byte, error) {
+	jsonBody, err := json.Marshal(resp)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Cannot marshal response")
+
+		return nil, err
+	}
+
+	if !isNoise && privateKey2019 != nil {
+		return privateKey2019.SealTo(machineKey, jsonBody), nil
+	}
+
+	return jsonBody, nil
+}
+
+func (m Mapper) marshalMapResponse(
+	resp interface{},
+	machineKey key.MachinePublic,
+	compression string,
+) ([]byte, error) {
+	jsonBody, err := json.Marshal(resp)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Cannot marshal map response")
+	}
+
+	var respBody []byte
+	if compression == util.ZstdCompression {
+		respBody = zstdEncode(jsonBody)
+		if !m.isNoise { // if legacy protocol
+			respBody = m.privateKey2019.SealTo(machineKey, respBody)
+		}
+	} else {
+		if !m.isNoise { // if legacy protocol
+			respBody = m.privateKey2019.SealTo(machineKey, jsonBody)
+		} else {
+			respBody = jsonBody
+		}
+	}
+
+	data := make([]byte, reservedResponseHeaderSize)
+	binary.LittleEndian.PutUint32(data, uint32(len(respBody)))
+	data = append(data, respBody...)
+
+	return data, nil
+}
+
+func zstdEncode(in []byte) []byte {
+	encoder, ok := zstdEncoderPool.Get().(*zstd.Encoder)
+	if !ok {
+		panic("invalid type in sync pool")
+	}
+	out := encoder.EncodeAll(in, nil)
+	_ = encoder.Close()
+	zstdEncoderPool.Put(encoder)
+
+	return out
+}
+
+var zstdEncoderPool = &sync.Pool{
+	New: func() any {
+		encoder, err := smallzstd.NewEncoder(
+			nil,
+			zstd.WithEncoderLevel(zstd.SpeedFastest))
+		if err != nil {
+			panic(err)
+		}
+
+		return encoder
+	},
+}

hscontrol/mapper/mapper_test.go

@@ -0,0 +1,482 @@
+package mapper
+
+import (
+	"fmt"
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/davecgh/go-spew/spew"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"gopkg.in/check.v1"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
+	"tailscale.com/types/key"
+)
+
+func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
+	mach := func(hostname, username string, userid uint) types.Machine {
+		return types.Machine{
+			Hostname: hostname,
+			UserID:   userid,
+			User: types.User{
+				Name: username,
+			},
+		}
+	}
+
+	machineInShared1 := mach("test_get_shared_nodes_1", "user1", 1)
+	machineInShared2 := mach("test_get_shared_nodes_2", "user2", 2)
+	machineInShared3 := mach("test_get_shared_nodes_3", "user3", 3)
+	machine2InShared1 := mach("test_get_shared_nodes_4", "user1", 1)
+
+	userProfiles := generateUserProfiles(
+		&machineInShared1,
+		types.Machines{
+			machineInShared2, machineInShared3, machine2InShared1,
+		},
+		"",
+	)
+
+	c.Assert(len(userProfiles), check.Equals, 3)
+
+	users := []string{
+		"user1", "user2", "user3",
+	}
+
+	for _, user := range users {
+		found := false
+		for _, userProfile := range userProfiles {
+			if userProfile.DisplayName == user {
+				found = true
+
+				break
+			}
+		}
+		c.Assert(found, check.Equals, true)
+	}
+}
+
+func TestDNSConfigMapResponse(t *testing.T) {
+	tests := []struct {
+		magicDNS bool
+		want     *tailcfg.DNSConfig
+	}{
+		{
+			magicDNS: true,
+			want: &tailcfg.DNSConfig{
+				Routes: map[string][]*dnstype.Resolver{
+					"shared1.foobar.headscale.net": {},
+					"shared2.foobar.headscale.net": {},
+					"shared3.foobar.headscale.net": {},
+				},
+				Domains: []string{
+					"foobar.headscale.net",
+					"shared1.foobar.headscale.net",
+				},
+				Proxied: true,
+			},
+		},
+		{
+			magicDNS: false,
+			want: &tailcfg.DNSConfig{
+				Domains: []string{"foobar.headscale.net"},
+				Proxied: false,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(fmt.Sprintf("with-magicdns-%v", tt.magicDNS), func(t *testing.T) {
+			mach := func(hostname, username string, userid uint) types.Machine {
+				return types.Machine{
+					Hostname: hostname,
+					UserID:   userid,
+					User: types.User{
+						Name: username,
+					},
+				}
+			}
+
+			baseDomain := "foobar.headscale.net"
+
+			dnsConfigOrig := tailcfg.DNSConfig{
+				Routes:  make(map[string][]*dnstype.Resolver),
+				Domains: []string{baseDomain},
+				Proxied: tt.magicDNS,
+			}
+
+			machineInShared1 := mach("test_get_shared_nodes_1", "shared1", 1)
+			machineInShared2 := mach("test_get_shared_nodes_2", "shared2", 2)
+			machineInShared3 := mach("test_get_shared_nodes_3", "shared3", 3)
+			machine2InShared1 := mach("test_get_shared_nodes_4", "shared1", 1)
+
+			peersOfMachineInShared1 := types.Machines{
+				machineInShared1,
+				machineInShared2,
+				machineInShared3,
+				machine2InShared1,
+			}
+
+			got := generateDNSConfig(
+				&dnsConfigOrig,
+				baseDomain,
+				machineInShared1,
+				peersOfMachineInShared1,
+			)
+
+			if diff := cmp.Diff(tt.want, got, cmpopts.EquateEmpty()); diff != "" {
+				t.Errorf("expandAlias() unexpected result (-want +got):\n%s", diff)
+			}
+		})
+	}
+}
+
+func Test_fullMapResponse(t *testing.T) {
+	mustNK := func(str string) key.NodePublic {
+		var k key.NodePublic
+		_ = k.UnmarshalText([]byte(str))
+
+		return k
+	}
+
+	mustDK := func(str string) key.DiscoPublic {
+		var k key.DiscoPublic
+		_ = k.UnmarshalText([]byte(str))
+
+		return k
+	}
+
+	mustMK := func(str string) key.MachinePublic {
+		var k key.MachinePublic
+		_ = k.UnmarshalText([]byte(str))
+
+		return k
+	}
+
+	hiview := func(hoin tailcfg.Hostinfo) tailcfg.HostinfoView {
+		return hoin.View()
+	}
+
+	created := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
+	lastSeen := time.Date(2009, time.November, 10, 23, 9, 0, 0, time.UTC)
+	expire := time.Date(2500, time.November, 11, 23, 0, 0, 0, time.UTC)
+
+	mini := &types.Machine{
+		ID:          0,
+		MachineKey:  "mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		NodeKey:     "nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		DiscoKey:    "discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.1")},
+		Hostname:    "mini",
+		GivenName:   "mini",
+		UserID:      0,
+		User:        types.User{Name: "mini"},
+		ForcedTags:  []string{},
+		AuthKeyID:   0,
+		AuthKey:     &types.PreAuthKey{},
+		LastSeen:    &lastSeen,
+		Expiry:      &expire,
+		HostInfo:    types.HostInfo{},
+		Endpoints:   []string{},
+		Routes: []types.Route{
+			{
+				Prefix:     types.IPPrefix(netip.MustParsePrefix("0.0.0.0/0")),
+				Advertised: true,
+				Enabled:    true,
+				IsPrimary:  false,
+			},
+			{
+				Prefix:     types.IPPrefix(netip.MustParsePrefix("192.168.0.0/24")),
+				Advertised: true,
+				Enabled:    true,
+				IsPrimary:  true,
+			},
+			{
+				Prefix:     types.IPPrefix(netip.MustParsePrefix("172.0.0.0/10")),
+				Advertised: true,
+				Enabled:    false,
+				IsPrimary:  true,
+			},
+		},
+		CreatedAt: created,
+	}
+
+	tailMini := &tailcfg.Node{
+		ID:       0,
+		StableID: "0",
+		Name:     "mini",
+		User:     0,
+		Key: mustNK(
+			"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		),
+		KeyExpiry: expire,
+		Machine: mustMK(
+			"mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		),
+		DiscoKey: mustDK(
+			"discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		),
+		Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
+		AllowedIPs: []netip.Prefix{
+			netip.MustParsePrefix("100.64.0.1/32"),
+			netip.MustParsePrefix("0.0.0.0/0"),
+			netip.MustParsePrefix("192.168.0.0/24"),
+		},
+		Endpoints:         []string{},
+		DERP:              "127.3.3.40:0",
+		Hostinfo:          hiview(tailcfg.Hostinfo{}),
+		Created:           created,
+		Tags:              []string{},
+		PrimaryRoutes:     []netip.Prefix{netip.MustParsePrefix("192.168.0.0/24")},
+		LastSeen:          &lastSeen,
+		Online:            new(bool),
+		KeepAlive:         true,
+		MachineAuthorized: true,
+		Capabilities: []string{
+			tailcfg.CapabilityFileSharing,
+			tailcfg.CapabilityAdmin,
+			tailcfg.CapabilitySSH,
+		},
+	}
+
+	peer1 := types.Machine{
+		ID:          1,
+		MachineKey:  "mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		NodeKey:     "nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		DiscoKey:    "discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.2")},
+		Hostname:    "peer1",
+		GivenName:   "peer1",
+		UserID:      0,
+		User:        types.User{Name: "mini"},
+		ForcedTags:  []string{},
+		LastSeen:    &lastSeen,
+		Expiry:      &expire,
+		HostInfo:    types.HostInfo{},
+		Endpoints:   []string{},
+		Routes:      []types.Route{},
+		CreatedAt:   created,
+	}
+
+	tailPeer1 := &tailcfg.Node{
+		ID:       1,
+		StableID: "1",
+		Name:     "peer1",
+		Key: mustNK(
+			"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		),
+		KeyExpiry: expire,
+		Machine: mustMK(
+			"mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		),
+		DiscoKey: mustDK(
+			"discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		),
+		Addresses:         []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
+		AllowedIPs:        []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
+		Endpoints:         []string{},
+		DERP:              "127.3.3.40:0",
+		Hostinfo:          hiview(tailcfg.Hostinfo{}),
+		Created:           created,
+		Tags:              []string{},
+		PrimaryRoutes:     []netip.Prefix{},
+		LastSeen:          &lastSeen,
+		Online:            new(bool),
+		KeepAlive:         true,
+		MachineAuthorized: true,
+		Capabilities: []string{
+			tailcfg.CapabilityFileSharing,
+			tailcfg.CapabilityAdmin,
+			tailcfg.CapabilitySSH,
+		},
+	}
+
+	peer2 := types.Machine{
+		ID:          2,
+		MachineKey:  "mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		NodeKey:     "nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		DiscoKey:    "discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		IPAddresses: []netip.Addr{netip.MustParseAddr("100.64.0.3")},
+		Hostname:    "peer2",
+		GivenName:   "peer2",
+		UserID:      1,
+		User:        types.User{Name: "peer2"},
+		ForcedTags:  []string{},
+		LastSeen:    &lastSeen,
+		Expiry:      &expire,
+		HostInfo:    types.HostInfo{},
+		Endpoints:   []string{},
+		Routes:      []types.Route{},
+		CreatedAt:   created,
+	}
+
+	tests := []struct {
+		name    string
+		pol     *policy.ACLPolicy
+		machine *types.Machine
+		peers   types.Machines
+
+		baseDomain       string
+		dnsConfig        *tailcfg.DNSConfig
+		derpMap          *tailcfg.DERPMap
+		logtail          bool
+		randomClientPort bool
+		want             *tailcfg.MapResponse
+		wantErr          bool
+	}{
+		// {
+		// 	name:             "empty-machine",
+		// 	machine:          types.Machine{},
+		// 	pol:              &policy.ACLPolicy{},
+		// 	dnsConfig:        &tailcfg.DNSConfig{},
+		// 	baseDomain:       "",
+		// 	want:             nil,
+		// 	wantErr:          true,
+		// },
+		{
+			name:             "no-pol-no-peers-map-response",
+			pol:              &policy.ACLPolicy{},
+			machine:          mini,
+			peers:            []types.Machine{},
+			baseDomain:       "",
+			dnsConfig:        &tailcfg.DNSConfig{},
+			derpMap:          &tailcfg.DERPMap{},
+			logtail:          false,
+			randomClientPort: false,
+			want: &tailcfg.MapResponse{
+				Node:            tailMini,
+				KeepAlive:       false,
+				DERPMap:         &tailcfg.DERPMap{},
+				Peers:           []*tailcfg.Node{},
+				DNSConfig:       &tailcfg.DNSConfig{},
+				Domain:          "",
+				CollectServices: "false",
+				PacketFilter:    []tailcfg.FilterRule{},
+				UserProfiles:    []tailcfg.UserProfile{{LoginName: "mini", DisplayName: "mini"}},
+				SSHPolicy:       &tailcfg.SSHPolicy{Rules: []*tailcfg.SSHRule{}},
+				ControlTime:     &time.Time{},
+				Debug: &tailcfg.Debug{
+					DisableLogTail: true,
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name:    "no-pol-with-peer-map-response",
+			pol:     &policy.ACLPolicy{},
+			machine: mini,
+			peers: []types.Machine{
+				peer1,
+			},
+			baseDomain:       "",
+			dnsConfig:        &tailcfg.DNSConfig{},
+			derpMap:          &tailcfg.DERPMap{},
+			logtail:          false,
+			randomClientPort: false,
+			want: &tailcfg.MapResponse{
+				KeepAlive: false,
+				Node:      tailMini,
+				DERPMap:   &tailcfg.DERPMap{},
+				Peers: []*tailcfg.Node{
+					tailPeer1,
+				},
+				DNSConfig:       &tailcfg.DNSConfig{},
+				Domain:          "",
+				CollectServices: "false",
+				PacketFilter:    []tailcfg.FilterRule{},
+				UserProfiles:    []tailcfg.UserProfile{{LoginName: "mini", DisplayName: "mini"}},
+				SSHPolicy:       &tailcfg.SSHPolicy{Rules: []*tailcfg.SSHRule{}},
+				ControlTime:     &time.Time{},
+				Debug: &tailcfg.Debug{
+					DisableLogTail: true,
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "with-pol-map-response",
+			pol: &policy.ACLPolicy{
+				ACLs: []policy.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"100.64.0.2"},
+						Destinations: []string{"mini:*"},
+					},
+				},
+			},
+			machine: mini,
+			peers: []types.Machine{
+				peer1,
+				peer2,
+			},
+			baseDomain:       "",
+			dnsConfig:        &tailcfg.DNSConfig{},
+			derpMap:          &tailcfg.DERPMap{},
+			logtail:          false,
+			randomClientPort: false,
+			want: &tailcfg.MapResponse{
+				KeepAlive: false,
+				Node:      tailMini,
+				DERPMap:   &tailcfg.DERPMap{},
+				Peers: []*tailcfg.Node{
+					tailPeer1,
+				},
+				DNSConfig:       &tailcfg.DNSConfig{},
+				Domain:          "",
+				CollectServices: "false",
+				PacketFilter: []tailcfg.FilterRule{
+					{
+						SrcIPs: []string{"100.64.0.2/32"},
+						DstPorts: []tailcfg.NetPortRange{
+							{IP: "100.64.0.1/32", Ports: tailcfg.PortRangeAny},
+						},
+					},
+				},
+				UserProfiles: []tailcfg.UserProfile{{LoginName: "mini", DisplayName: "mini"}},
+				SSHPolicy:    &tailcfg.SSHPolicy{Rules: []*tailcfg.SSHRule{}},
+				ControlTime:  &time.Time{},
+				Debug: &tailcfg.Debug{
+					DisableLogTail: true,
+				},
+			},
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := fullMapResponse(
+				tt.pol,
+				tt.machine,
+				tt.peers,
+				tt.baseDomain,
+				tt.dnsConfig,
+				tt.derpMap,
+				tt.logtail,
+				tt.randomClientPort,
+			)
+
+			if (err != nil) != tt.wantErr {
+				t.Errorf("fullMapResponse() error = %v, wantErr %v", err, tt.wantErr)
+
+				return
+			}
+
+			spew.Dump(got)
+
+			if diff := cmp.Diff(
+				tt.want,
+				got,
+				cmpopts.EquateEmpty(),
+				// Ignore ControlTime, it is set to now and we dont really need to mock it.
+				cmpopts.IgnoreFields(tailcfg.MapResponse{}, "ControlTime"),
+			); diff != "" {
+				t.Errorf("fullMapResponse() unexpected result (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

hscontrol/mapper/suite_test.go

@@ -0,0 +1,15 @@
+package mapper
+
+import (
+	"testing"
+
+	"gopkg.in/check.v1"
+)
+
+func Test(t *testing.T) {
+	check.TestingT(t)
+}
+
+var _ = check.Suite(&Suite{})
+
+type Suite struct{}

hscontrol/mapper/tail.go

@@ -0,0 +1,148 @@
+package mapper
+
+import (
+	"fmt"
+	"net/netip"
+	"strconv"
+	"time"
+
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
+	"github.com/samber/lo"
+	"tailscale.com/tailcfg"
+)
+
+func tailNodes(
+	machines types.Machines,
+	pol *policy.ACLPolicy,
+	dnsConfig *tailcfg.DNSConfig,
+	baseDomain string,
+) ([]*tailcfg.Node, error) {
+	nodes := make([]*tailcfg.Node, len(machines))
+
+	for index, machine := range machines {
+		node, err := tailNode(
+			machine,
+			pol,
+			dnsConfig,
+			baseDomain,
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		nodes[index] = node
+	}
+
+	return nodes, nil
+}
+
+// tailNode converts a Machine into a Tailscale Node. includeRoutes is false for shared nodes
+// as per the expected behaviour in the official SaaS.
+func tailNode(
+	machine types.Machine,
+	pol *policy.ACLPolicy,
+	dnsConfig *tailcfg.DNSConfig,
+	baseDomain string,
+) (*tailcfg.Node, error) {
+	nodeKey, err := machine.NodePublicKey()
+	if err != nil {
+		return nil, err
+	}
+
+	// MachineKey is only used in the legacy protocol
+	machineKey, err := machine.MachinePublicKey()
+	if err != nil {
+		return nil, err
+	}
+
+	discoKey, err := machine.DiscoPublicKey()
+	if err != nil {
+		return nil, err
+	}
+
+	addrs := machine.IPAddresses.Prefixes()
+
+	allowedIPs := append(
+		[]netip.Prefix{},
+		addrs...) // we append the node own IP, as it is required by the clients
+
+	primaryPrefixes := []netip.Prefix{}
+
+	for _, route := range machine.Routes {
+		if route.Enabled {
+			if route.IsPrimary {
+				allowedIPs = append(allowedIPs, netip.Prefix(route.Prefix))
+				primaryPrefixes = append(primaryPrefixes, netip.Prefix(route.Prefix))
+			} else if route.IsExitRoute() {
+				allowedIPs = append(allowedIPs, netip.Prefix(route.Prefix))
+			}
+		}
+	}
+
+	var derp string
+	if machine.HostInfo.NetInfo != nil {
+		derp = fmt.Sprintf("127.3.3.40:%d", machine.HostInfo.NetInfo.PreferredDERP)
+	} else {
+		derp = "127.3.3.40:0" // Zero means disconnected or unknown.
+	}
+
+	var keyExpiry time.Time
+	if machine.Expiry != nil {
+		keyExpiry = *machine.Expiry
+	} else {
+		keyExpiry = time.Time{}
+	}
+
+	hostname, err := machine.GetFQDN(dnsConfig, baseDomain)
+	if err != nil {
+		return nil, err
+	}
+
+	hostInfo := machine.GetHostInfo()
+
+	online := machine.IsOnline()
+
+	tags, _ := pol.TagsOfMachine(machine)
+	tags = lo.Uniq(append(tags, machine.ForcedTags...))
+
+	node := tailcfg.Node{
+		ID: tailcfg.NodeID(machine.ID), // this is the actual ID
+		StableID: tailcfg.StableNodeID(
+			strconv.FormatUint(machine.ID, util.Base10),
+		), // in headscale, unlike tailcontrol server, IDs are permanent
+		Name: hostname,
+
+		User: tailcfg.UserID(machine.UserID),
+
+		Key:       nodeKey,
+		KeyExpiry: keyExpiry,
+
+		Machine:    machineKey,
+		DiscoKey:   discoKey,
+		Addresses:  addrs,
+		AllowedIPs: allowedIPs,
+		Endpoints:  machine.Endpoints,
+		DERP:       derp,
+		Hostinfo:   hostInfo.View(),
+		Created:    machine.CreatedAt,
+
+		Tags: tags,
+
+		PrimaryRoutes: primaryPrefixes,
+
+		LastSeen:          machine.LastSeen,
+		Online:            &online,
+		KeepAlive:         true,
+		MachineAuthorized: !machine.IsExpired(),
+
+		Capabilities: []string{
+			tailcfg.CapabilityFileSharing,
+			tailcfg.CapabilityAdmin,
+			tailcfg.CapabilitySSH,
+		},
+	}
+
+	return &node, nil
+}

hscontrol/mapper/tail_test.go

@@ -0,0 +1,185 @@
+package mapper
+
+import (
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+)
+
+func TestTailNode(t *testing.T) {
+	mustNK := func(str string) key.NodePublic {
+		var k key.NodePublic
+		_ = k.UnmarshalText([]byte(str))
+
+		return k
+	}
+
+	mustDK := func(str string) key.DiscoPublic {
+		var k key.DiscoPublic
+		_ = k.UnmarshalText([]byte(str))
+
+		return k
+	}
+
+	mustMK := func(str string) key.MachinePublic {
+		var k key.MachinePublic
+		_ = k.UnmarshalText([]byte(str))
+
+		return k
+	}
+
+	hiview := func(hoin tailcfg.Hostinfo) tailcfg.HostinfoView {
+		return hoin.View()
+	}
+
+	created := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
+	lastSeen := time.Date(2009, time.November, 10, 23, 9, 0, 0, time.UTC)
+	expire := time.Date(2500, time.November, 11, 23, 0, 0, 0, time.UTC)
+
+	tests := []struct {
+		name       string
+		machine    types.Machine
+		pol        *policy.ACLPolicy
+		dnsConfig  *tailcfg.DNSConfig
+		baseDomain string
+		want       *tailcfg.Node
+		wantErr    bool
+	}{
+		{
+			name:       "empty-machine",
+			machine:    types.Machine{},
+			pol:        &policy.ACLPolicy{},
+			dnsConfig:  &tailcfg.DNSConfig{},
+			baseDomain: "",
+			want:       nil,
+			wantErr:    true,
+		},
+		{
+			name: "minimal-machine",
+			machine: types.Machine{
+				ID:         0,
+				MachineKey: "mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+				NodeKey:    "nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+				DiscoKey:   "discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+				IPAddresses: []netip.Addr{
+					netip.MustParseAddr("100.64.0.1"),
+				},
+				Hostname:  "mini",
+				GivenName: "mini",
+				UserID:    0,
+				User: types.User{
+					Name: "mini",
+				},
+				ForcedTags: []string{},
+				AuthKeyID:  0,
+				AuthKey:    &types.PreAuthKey{},
+				LastSeen:   &lastSeen,
+				Expiry:     &expire,
+				HostInfo:   types.HostInfo{},
+				Endpoints:  []string{},
+				Routes: []types.Route{
+					{
+						Prefix:     types.IPPrefix(netip.MustParsePrefix("0.0.0.0/0")),
+						Advertised: true,
+						Enabled:    true,
+						IsPrimary:  false,
+					},
+					{
+						Prefix:     types.IPPrefix(netip.MustParsePrefix("192.168.0.0/24")),
+						Advertised: true,
+						Enabled:    true,
+						IsPrimary:  true,
+					},
+					{
+						Prefix:     types.IPPrefix(netip.MustParsePrefix("172.0.0.0/10")),
+						Advertised: true,
+						Enabled:    false,
+						IsPrimary:  true,
+					},
+				},
+				CreatedAt: created,
+			},
+			pol:        &policy.ACLPolicy{},
+			dnsConfig:  &tailcfg.DNSConfig{},
+			baseDomain: "",
+			want: &tailcfg.Node{
+				ID:       0,
+				StableID: "0",
+				Name:     "mini",
+
+				User: 0,
+
+				Key: mustNK(
+					"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+				),
+				KeyExpiry: expire,
+
+				Machine: mustMK(
+					"mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+				),
+				DiscoKey: mustDK(
+					"discokey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+				),
+				Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
+				AllowedIPs: []netip.Prefix{
+					netip.MustParsePrefix("100.64.0.1/32"),
+					netip.MustParsePrefix("0.0.0.0/0"),
+					netip.MustParsePrefix("192.168.0.0/24"),
+				},
+				Endpoints: []string{},
+				DERP:      "127.3.3.40:0",
+				Hostinfo:  hiview(tailcfg.Hostinfo{}),
+				Created:   created,
+
+				Tags: []string{},
+
+				PrimaryRoutes: []netip.Prefix{
+					netip.MustParsePrefix("192.168.0.0/24"),
+				},
+
+				LastSeen:          &lastSeen,
+				Online:            new(bool),
+				KeepAlive:         true,
+				MachineAuthorized: true,
+
+				Capabilities: []string{
+					tailcfg.CapabilityFileSharing,
+					tailcfg.CapabilityAdmin,
+					tailcfg.CapabilitySSH,
+				},
+			},
+			wantErr: false,
+		},
+		// TODO: Add tests to check other aspects of the node conversion:
+		// - With tags and policy
+		// - dnsconfig and basedomain
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := tailNode(
+				tt.machine,
+				tt.pol,
+				tt.dnsConfig,
+				tt.baseDomain,
+			)
+
+			if (err != nil) != tt.wantErr {
+				t.Errorf("tailNode() error = %v, wantErr %v", err, tt.wantErr)
+
+				return
+			}
+
+			if diff := cmp.Diff(tt.want, got, cmpopts.EquateEmpty()); diff != "" {
+				t.Errorf("tailNode() unexpected result (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

hscontrol/noise.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 
 	"github.com/gorilla/mux"
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
@@ -100,12 +101,12 @@ func (h *Headscale) NoiseUpgradeHandler(
 	router.HandleFunc("/machine/map", noiseServer.NoisePollNetMapHandler)
 
 	server := http.Server{
-		ReadTimeout: HTTPReadTimeout,
+		ReadTimeout: types.HTTPReadTimeout,
 	}
 
 	noiseServer.httpBaseConfig = &http.Server{
 		Handler:           router,
-		ReadHeaderTimeout: HTTPReadTimeout,
+		ReadHeaderTimeout: types.HTTPReadTimeout,
 	}
 	noiseServer.http2Server = &http2.Server{}
 

hscontrol/oidc.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/rand"
+	_ "embed"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -14,6 +15,9 @@ import (
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/mux"
+	"github.com/juanfont/headscale/hscontrol/db"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/oauth2"
 	"tailscale.com/types/key"
@@ -21,16 +25,22 @@ import (
 
 const (
 	randomByteSize = 16
+)
 
-	errEmptyOIDCCallbackParams = Error("empty OIDC callback params")
-	errNoOIDCIDToken           = Error("could not extract ID Token for OIDC callback")
-	errOIDCAllowedDomains      = Error("authenticated principal does not match any allowed domain")
-	errOIDCAllowedGroups       = Error("authenticated principal is not in any allowed group")
-	errOIDCAllowedUsers        = Error("authenticated principal does not match any allowed user")
-	errOIDCInvalidMachineState = Error(
+var (
+	errEmptyOIDCCallbackParams = errors.New("empty OIDC callback params")
+	errNoOIDCIDToken           = errors.New("could not extract ID Token for OIDC callback")
+	errOIDCAllowedDomains      = errors.New(
+		"authenticated principal does not match any allowed domain",
+	)
+	errOIDCAllowedGroups = errors.New("authenticated principal is not in any allowed group")
+	errOIDCAllowedUsers  = errors.New(
+		"authenticated principal does not match any allowed user",
+	)
+	errOIDCInvalidMachineState = errors.New(
 		"requested machine state key expired before authorisation completed",
 	)
-	errOIDCNodeKeyMissing = Error("could not get node key from cache")
+	errOIDCNodeKeyMissing = errors.New("could not get node key from cache")
 )
 
 type IDTokenClaims struct {
@@ -94,17 +104,14 @@ func (h *Headscale) RegisterOIDC(
 		Bool("ok", ok).
 		Msg("Received oidc register call")
 
-	if !NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
+	if !util.NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
 		log.Warn().Str("node_key", nodeKeyStr).Msg("Invalid node key passed to registration url")
 
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusUnauthorized)
 		_, err := writer.Write([]byte("Unauthorized"))
 		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return
@@ -115,7 +122,7 @@ func (h *Headscale) RegisterOIDC(
 	// the template and log an error.
 	var nodeKey key.NodePublic
 	err := nodeKey.UnmarshalText(
-		[]byte(NodePublicKeyEnsurePrefix(nodeKeyStr)),
+		[]byte(util.NodePublicKeyEnsurePrefix(nodeKeyStr)),
 	)
 
 	if !ok || nodeKeyStr == "" || err != nil {
@@ -127,10 +134,7 @@ func (h *Headscale) RegisterOIDC(
 		writer.WriteHeader(http.StatusBadRequest)
 		_, err := writer.Write([]byte("Wrong params"))
 		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return
@@ -138,9 +142,8 @@ func (h *Headscale) RegisterOIDC(
 
 	randomBlob := make([]byte, randomByteSize)
 	if _, err := rand.Read(randomBlob); err != nil {
-		log.Error().
-			Caller().
-			Msg("could not read 16 bytes from rand")
+		util.LogErr(err, "could not read 16 bytes from rand")
+
 		http.Error(writer, "Internal server error", http.StatusInternalServerError)
 
 		return
@@ -149,7 +152,11 @@ func (h *Headscale) RegisterOIDC(
 	stateStr := hex.EncodeToString(randomBlob)[:32]
 
 	// place the node key into the state cache, so it can be retrieved later
-	h.registrationCache.Set(stateStr, NodePublicKeyStripPrefix(nodeKey), registerCacheExpiration)
+	h.registrationCache.Set(
+		stateStr,
+		util.NodePublicKeyStripPrefix(nodeKey),
+		registerCacheExpiration,
+	)
 
 	// Add any extra parameter provided in the configuration to the Authorize Endpoint request
 	extras := make([]oauth2.AuthCodeOption, 0, len(h.cfg.OIDC.ExtraParams))
@@ -169,15 +176,11 @@ type oidcCallbackTemplateConfig struct {
 	Verb string
 }
 
+//go:embed assets/oidc_callback_template.html
+var oidcCallbackTemplateContent string
+
 var oidcCallbackTemplate = template.Must(
-	template.New("oidccallback").Parse(`<html>
-	<body>
-	<h1>headscale</h1>
-	<p>
-			{{.Verb}} as {{.User}}, you can now close this window.
-	</p>
-	</body>
-	</html>`),
+	template.New("oidccallback").Parse(oidcCallbackTemplateContent),
 )
 
 // OIDCCallback handles the callback from the OIDC endpoint
@@ -264,10 +267,7 @@ func (h *Headscale) OIDCCallback(
 	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
 	writer.WriteHeader(http.StatusOK)
 	if _, err := writer.Write(content.Bytes()); err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
+		util.LogErr(err, "Failed to write response")
 	}
 }
 
@@ -283,10 +283,7 @@ func validateOIDCCallbackParams(
 		writer.WriteHeader(http.StatusBadRequest)
 		_, err := writer.Write([]byte("Wrong params"))
 		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return "", "", errEmptyOIDCCallbackParams
@@ -302,18 +299,12 @@ func (h *Headscale) getIDTokenForOIDCCallback(
 ) (string, error) {
 	oauth2Token, err := h.oauth2Config.Exchange(ctx, code)
 	if err != nil {
-		log.Error().
-			Err(err).
-			Caller().
-			Msg("Could not exchange code for token")
+		util.LogErr(err, "Could not exchange code for token")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusBadRequest)
 		_, werr := writer.Write([]byte("Could not exchange code for token"))
 		if werr != nil {
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return "", err
@@ -331,10 +322,7 @@ func (h *Headscale) getIDTokenForOIDCCallback(
 		writer.WriteHeader(http.StatusBadRequest)
 		_, err := writer.Write([]byte("Could not extract ID Token"))
 		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return "", errNoOIDCIDToken
@@ -351,18 +339,12 @@ func (h *Headscale) verifyIDTokenForOIDCCallback(
 	verifier := h.oidcProvider.Verifier(&oidc.Config{ClientID: h.cfg.OIDC.ClientID})
 	idToken, err := verifier.Verify(ctx, rawIDToken)
 	if err != nil {
-		log.Error().
-			Err(err).
-			Caller().
-			Msg("failed to verify id token")
+		util.LogErr(err, "failed to verify id token")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusBadRequest)
 		_, werr := writer.Write([]byte("Failed to verify id token"))
 		if werr != nil {
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return nil, err
@@ -377,18 +359,13 @@ func extractIDTokenClaims(
 ) (*IDTokenClaims, error) {
 	var claims IDTokenClaims
 	if err := idToken.Claims(&claims); err != nil {
-		log.Error().
-			Err(err).
-			Caller().
-			Msg("Failed to decode id token claims")
+		util.LogErr(err, "Failed to decode id token claims")
+
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusBadRequest)
 		_, werr := writer.Write([]byte("Failed to decode id token claims"))
 		if werr != nil {
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return nil, err
@@ -406,16 +383,14 @@ func validateOIDCAllowedDomains(
 ) error {
 	if len(allowedDomains) > 0 {
 		if at := strings.LastIndex(claims.Email, "@"); at < 0 ||
-			!IsStringInSlice(allowedDomains, claims.Email[at+1:]) {
-			log.Error().Msg("authenticated principal does not match any allowed domain")
+			!util.IsStringInSlice(allowedDomains, claims.Email[at+1:]) {
+			log.Trace().Msg("authenticated principal does not match any allowed domain")
+
 			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 			writer.WriteHeader(http.StatusBadRequest)
 			_, err := writer.Write([]byte("unauthorized principal (domain mismatch)"))
 			if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
+				util.LogErr(err, "Failed to write response")
 			}
 
 			return errOIDCAllowedDomains
@@ -436,20 +411,17 @@ func validateOIDCAllowedGroups(
 ) error {
 	if len(allowedGroups) > 0 {
 		for _, group := range allowedGroups {
-			if IsStringInSlice(claims.Groups, group) {
+			if util.IsStringInSlice(claims.Groups, group) {
 				return nil
 			}
 		}
 
-		log.Error().Msg("authenticated principal not in any allowed groups")
+		log.Trace().Msg("authenticated principal not in any allowed groups")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusBadRequest)
 		_, err := writer.Write([]byte("unauthorized principal (allowed groups)"))
 		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return errOIDCAllowedGroups
@@ -466,16 +438,13 @@ func validateOIDCAllowedUsers(
 	claims *IDTokenClaims,
 ) error {
 	if len(allowedUsers) > 0 &&
-		!IsStringInSlice(allowedUsers, claims.Email) {
-		log.Error().Msg("authenticated principal does not match any allowed user")
+		!util.IsStringInSlice(allowedUsers, claims.Email) {
+		log.Trace().Msg("authenticated principal does not match any allowed user")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusBadRequest)
 		_, err := writer.Write([]byte("unauthorized principal (user mismatch)"))
 		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return errOIDCAllowedUsers
@@ -497,16 +466,13 @@ func (h *Headscale) validateMachineForOIDCCallback(
 	// retrieve machinekey from state cache
 	nodeKeyIf, nodeKeyFound := h.registrationCache.Get(state)
 	if !nodeKeyFound {
-		log.Error().
+		log.Trace().
 			Msg("requested machine state key expired before authorisation completed")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusBadRequest)
 		_, err := writer.Write([]byte("state has expired"))
 		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return nil, false, errOIDCNodeKeyMissing
@@ -515,23 +481,20 @@ func (h *Headscale) validateMachineForOIDCCallback(
 	var nodeKey key.NodePublic
 	nodeKeyFromCache, nodeKeyOK := nodeKeyIf.(string)
 	if !nodeKeyOK {
-		log.Error().
+		log.Trace().
 			Msg("requested machine state key is not a string")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusBadRequest)
 		_, err := writer.Write([]byte("state is invalid"))
 		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return nil, false, errOIDCInvalidMachineState
 	}
 
 	err := nodeKey.UnmarshalText(
-		[]byte(NodePublicKeyEnsurePrefix(nodeKeyFromCache)),
+		[]byte(util.NodePublicKeyEnsurePrefix(nodeKeyFromCache)),
 	)
 	if err != nil {
 		log.Error().
@@ -542,10 +505,7 @@ func (h *Headscale) validateMachineForOIDCCallback(
 		writer.WriteHeader(http.StatusBadRequest)
 		_, werr := writer.Write([]byte("could not parse node public key"))
 		if werr != nil {
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return nil, false, err
@@ -555,7 +515,7 @@ func (h *Headscale) validateMachineForOIDCCallback(
 	// The error is not important, because if it does not
 	// exist, then this is a new machine and we will move
 	// on to registration.
-	machine, _ := h.GetMachineByNodeKey(nodeKey)
+	machine, _ := h.db.GetMachineByNodeKey(nodeKey)
 
 	if machine != nil {
 		log.Trace().
@@ -563,12 +523,9 @@ func (h *Headscale) validateMachineForOIDCCallback(
 			Str("machine", machine.Hostname).
 			Msg("machine already registered, reauthenticating")
 
-		err := h.RefreshMachine(machine, expiry)
+		err := h.db.RefreshMachine(machine, expiry)
 		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to refresh machine")
+			util.LogErr(err, "Failed to refresh machine")
 			http.Error(
 				writer,
 				"Failed to refresh machine",
@@ -597,10 +554,7 @@ func (h *Headscale) validateMachineForOIDCCallback(
 			writer.WriteHeader(http.StatusInternalServerError)
 			_, werr := writer.Write([]byte("Could not render OIDC callback template"))
 			if werr != nil {
-				log.Error().
-					Caller().
-					Err(werr).
-					Msg("Failed to write response")
+				util.LogErr(err, "Failed to write response")
 			}
 
 			return nil, true, err
@@ -610,10 +564,7 @@ func (h *Headscale) validateMachineForOIDCCallback(
 		writer.WriteHeader(http.StatusOK)
 		_, err = writer.Write(content.Bytes())
 		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return nil, true, nil
@@ -627,20 +578,18 @@ func getUserName(
 	claims *IDTokenClaims,
 	stripEmaildomain bool,
 ) (string, error) {
-	userName, err := NormalizeToFQDNRules(
+	userName, err := util.NormalizeToFQDNRules(
 		claims.Email,
 		stripEmaildomain,
 	)
 	if err != nil {
-		log.Error().Err(err).Caller().Msgf("couldn't normalize email")
+		util.LogErr(err, "couldn't normalize email")
+
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusInternalServerError)
 		_, werr := writer.Write([]byte("couldn't normalize email"))
 		if werr != nil {
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return "", err
@@ -652,11 +601,10 @@ func getUserName(
 func (h *Headscale) findOrCreateNewUserForOIDCCallback(
 	writer http.ResponseWriter,
 	userName string,
-) (*User, error) {
-	user, err := h.GetUser(userName)
-	if errors.Is(err, ErrUserNotFound) {
-		user, err = h.CreateUser(userName)
-
+) (*types.User, error) {
+	user, err := h.db.GetUser(userName)
+	if errors.Is(err, db.ErrUserNotFound) {
+		user, err = h.db.CreateUser(userName)
 		if err != nil {
 			log.Error().
 				Err(err).
@@ -666,10 +614,7 @@ func (h *Headscale) findOrCreateNewUserForOIDCCallback(
 			writer.WriteHeader(http.StatusInternalServerError)
 			_, werr := writer.Write([]byte("could not create user"))
 			if werr != nil {
-				log.Error().
-					Caller().
-					Err(werr).
-					Msg("Failed to write response")
+				util.LogErr(err, "Failed to write response")
 			}
 
 			return nil, err
@@ -684,10 +629,7 @@ func (h *Headscale) findOrCreateNewUserForOIDCCallback(
 		writer.WriteHeader(http.StatusInternalServerError)
 		_, werr := writer.Write([]byte("could not find or create user"))
 		if werr != nil {
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return nil, err
@@ -698,28 +640,24 @@ func (h *Headscale) findOrCreateNewUserForOIDCCallback(
 
 func (h *Headscale) registerMachineForOIDCCallback(
 	writer http.ResponseWriter,
-	user *User,
+	user *types.User,
 	nodeKey *key.NodePublic,
 	expiry time.Time,
 ) error {
-	if _, err := h.RegisterMachineFromAuthCallback(
+	if _, err := h.db.RegisterMachineFromAuthCallback(
+		// TODO(kradalby): find a better way to use the cache across modules
+		h.registrationCache,
 		nodeKey.String(),
 		user.Name,
 		&expiry,
-		RegisterMethodOIDC,
+		util.RegisterMethodOIDC,
 	); err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("could not register machine")
+		util.LogErr(err, "could not register machine")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusInternalServerError)
 		_, werr := writer.Write([]byte("could not register machine"))
 		if werr != nil {
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return err
@@ -747,10 +685,7 @@ func renderOIDCCallbackTemplate(
 		writer.WriteHeader(http.StatusInternalServerError)
 		_, werr := writer.Write([]byte("Could not render OIDC callback template"))
 		if werr != nil {
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
+			util.LogErr(err, "Failed to write response")
 		}
 
 		return nil, err

hscontrol/policy/acls.go

@@ -1,4 +1,4 @@
-package hscontrol
+package policy
 
 import (
 	"encoding/json"
@@ -12,29 +12,25 @@ import (
 	"strings"
 	"time"
 
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"github.com/tailscale/hujson"
 	"go4.org/netipx"
 	"gopkg.in/yaml.v3"
-	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 )
 
-const (
-	errEmptyPolicy       = Error("empty policy")
-	errInvalidAction     = Error("invalid action")
-	errInvalidGroup      = Error("invalid group")
-	errInvalidTag        = Error("invalid tag")
-	errInvalidPortFormat = Error("invalid port format")
-	errWildcardIsNeeded  = Error("wildcard as port is required for the protocol")
+var (
+	ErrEmptyPolicy       = errors.New("empty policy")
+	ErrInvalidAction     = errors.New("invalid action")
+	ErrInvalidGroup      = errors.New("invalid group")
+	ErrInvalidTag        = errors.New("invalid tag")
+	ErrInvalidPortFormat = errors.New("invalid port format")
+	ErrWildcardIsNeeded  = errors.New("wildcard as port is required for the protocol")
 )
 
 const (
-	Base8              = 8
-	Base10             = 10
-	BitSize16          = 16
-	BitSize32          = 32
-	BitSize64          = 64
 	portRangeBegin     = 0
 	portRangeEnd       = 65535
 	expectedTokenItems = 2
@@ -57,10 +53,8 @@ const (
 	ProtocolFC       = 133 // Fibre Channel
 )
 
-var featureEnableSSH = envknob.RegisterBool("HEADSCALE_EXPERIMENTAL_FEATURE_SSH")
-
 // LoadACLPolicyFromPath loads the ACL policy from the specify path, and generates the ACL rules.
-func (h *Headscale) LoadACLPolicyFromPath(path string) error {
+func LoadACLPolicyFromPath(path string) (*ACLPolicy, error) {
 	log.Debug().
 		Str("func", "LoadACLPolicy").
 		Str("path", path).
@@ -68,13 +62,13 @@ func (h *Headscale) LoadACLPolicyFromPath(path string) error {
 
 	policyFile, err := os.Open(path)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	defer policyFile.Close()
 
 	policyBytes, err := io.ReadAll(policyFile)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	log.Debug().
@@ -84,95 +78,94 @@ func (h *Headscale) LoadACLPolicyFromPath(path string) error {
 
 	switch filepath.Ext(path) {
 	case ".yml", ".yaml":
-		return h.LoadACLPolicyFromBytes(policyBytes, "yaml")
+		return LoadACLPolicyFromBytes(policyBytes, "yaml")
 	}
 
-	return h.LoadACLPolicyFromBytes(policyBytes, "hujson")
+	return LoadACLPolicyFromBytes(policyBytes, "hujson")
 }
 
-func (h *Headscale) LoadACLPolicyFromBytes(acl []byte, format string) error {
+func LoadACLPolicyFromBytes(acl []byte, format string) (*ACLPolicy, error) {
 	var policy ACLPolicy
 	switch format {
 	case "yaml":
 		err := yaml.Unmarshal(acl, &policy)
 		if err != nil {
-			return err
+			return nil, err
 		}
 
 	default:
 		ast, err := hujson.Parse(acl)
 		if err != nil {
-			return err
+			return nil, err
 		}
 
 		ast.Standardize()
 		acl = ast.Pack()
 		err = json.Unmarshal(acl, &policy)
 		if err != nil {
-			return err
+			return nil, err
 		}
 	}
 
 	if policy.IsZero() {
-		return errEmptyPolicy
+		return nil, ErrEmptyPolicy
 	}
 
-	h.aclPolicy = &policy
-
-	return h.UpdateACLRules()
+	return &policy, nil
 }
 
-func (h *Headscale) UpdateACLRules() error {
-	machines, err := h.ListMachines()
+func GenerateFilterAndSSHRules(
+	policy *ACLPolicy,
+	machine *types.Machine,
+	peers types.Machines,
+) ([]tailcfg.FilterRule, *tailcfg.SSHPolicy, error) {
+	// If there is no policy defined, we default to allow all
+	if policy == nil {
+		return tailcfg.FilterAllowAll, &tailcfg.SSHPolicy{}, nil
+	}
+
+	rules, err := policy.generateFilterRules(machine, peers)
 	if err != nil {
-		return err
+		return []tailcfg.FilterRule{}, &tailcfg.SSHPolicy{}, err
 	}
 
-	if h.aclPolicy == nil {
-		return errEmptyPolicy
-	}
+	log.Trace().Interface("ACL", rules).Str("machine", machine.GivenName).Msg("ACL rules")
 
-	rules, err := h.aclPolicy.generateFilterRules(machines, h.cfg.OIDC.StripEmaildomain)
+	var sshPolicy *tailcfg.SSHPolicy
+	sshRules, err := policy.generateSSHRules(machine, peers)
 	if err != nil {
-		return err
+		return []tailcfg.FilterRule{}, &tailcfg.SSHPolicy{}, err
 	}
 
-	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
-	h.aclRules = rules
+	log.Trace().
+		Interface("SSH", sshRules).
+		Str("machine", machine.GivenName).
+		Msg("SSH rules")
 
-	if featureEnableSSH() {
-		sshRules, err := h.generateSSHRules()
-		if err != nil {
-			return err
-		}
-		log.Trace().Interface("SSH", sshRules).Msg("SSH rules generated")
-		if h.sshPolicy == nil {
-			h.sshPolicy = &tailcfg.SSHPolicy{}
-		}
-		h.sshPolicy.Rules = sshRules
-	} else if h.aclPolicy != nil && len(h.aclPolicy.SSHs) > 0 {
-		log.Info().Msg("SSH ACLs has been defined, but HEADSCALE_EXPERIMENTAL_FEATURE_SSH is not enabled, this is a unstable feature, check docs before activating")
+	if sshPolicy == nil {
+		sshPolicy = &tailcfg.SSHPolicy{}
 	}
+	sshPolicy.Rules = sshRules
 
-	return nil
+	return rules, sshPolicy, nil
 }
 
 // generateFilterRules takes a set of machines and an ACLPolicy and generates a
 // set of Tailscale compatible FilterRules used to allow traffic on clients.
 func (pol *ACLPolicy) generateFilterRules(
-	machines []Machine,
-	stripEmailDomain bool,
+	machine *types.Machine,
+	peers types.Machines,
 ) ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}
 
 	for index, acl := range pol.ACLs {
 		if acl.Action != "accept" {
-			return nil, errInvalidAction
+			return nil, ErrInvalidAction
 		}
 
 		srcIPs := []string{}
 		for srcIndex, src := range acl.Sources {
-			srcs, err := pol.getIPsFromSource(src, machines, stripEmailDomain)
+			srcs, err := pol.expandSource(src, *machine, peers)
 			if err != nil {
 				log.Error().
 					Interface("src", src).
@@ -185,7 +178,7 @@ func (pol *ACLPolicy) generateFilterRules(
 			srcIPs = append(srcIPs, srcs...)
 		}
 
-		protocols, needsWildcard, err := parseProtocol(acl.Protocol)
+		protocols, isWildcard, err := parseProtocol(acl.Protocol)
 		if err != nil {
 			log.Error().
 				Msgf("Error parsing ACL %d. protocol unknown %s", index, acl.Protocol)
@@ -194,22 +187,36 @@ func (pol *ACLPolicy) generateFilterRules(
 		}
 
 		destPorts := []tailcfg.NetPortRange{}
-		for destIndex, dest := range acl.Destinations {
-			dests, err := pol.getNetPortRangeFromDestination(
-				dest,
-				machines,
-				needsWildcard,
-				stripEmailDomain,
+		for _, dest := range acl.Destinations {
+			alias, port, err := parseDestination(dest)
+			if err != nil {
+				return nil, err
+			}
+
+			expanded, err := pol.ExpandAlias(
+				*machine,
+				peers,
+				alias,
 			)
 			if err != nil {
-				log.Error().
-					Interface("dest", dest).
-					Int("ACL index", index).
-					Int("dest index", destIndex).
-					Msgf("Error parsing ACL")
-
 				return nil, err
 			}
+
+			ports, err := expandPorts(port, isWildcard)
+			if err != nil {
+				return nil, err
+			}
+
+			dests := []tailcfg.NetPortRange{}
+			for _, dest := range expanded.Prefixes() {
+				for _, port := range *ports {
+					pr := tailcfg.NetPortRange{
+						IP:    dest.String(),
+						Ports: port,
+					}
+					dests = append(dests, pr)
+				}
+			}
 			destPorts = append(destPorts, dests...)
 		}
 
@@ -223,18 +230,46 @@ func (pol *ACLPolicy) generateFilterRules(
 	return rules, nil
 }
 
-func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
+// ReduceFilterRules takes a machine and a set of rules and removes all rules and destinations
+// that are not relevant to that particular node.
+func ReduceFilterRules(machine *types.Machine, rules []tailcfg.FilterRule) []tailcfg.FilterRule {
+	ret := []tailcfg.FilterRule{}
+
+	for _, rule := range rules {
+		// record if the rule is actually relevant for the given machine.
+		dests := []tailcfg.NetPortRange{}
+
+		for _, dest := range rule.DstPorts {
+			expanded, err := util.ParseIPSet(dest.IP, nil)
+			// Fail closed, if we cant parse it, then we should not allow
+			// access.
+			if err != nil {
+				continue
+			}
+
+			if machine.IPAddresses.InIPSet(expanded) {
+				dests = append(dests, dest)
+			}
+		}
+
+		if len(dests) > 0 {
+			ret = append(ret, tailcfg.FilterRule{
+				SrcIPs:   rule.SrcIPs,
+				DstPorts: dests,
+				IPProto:  rule.IPProto,
+			})
+		}
+	}
+
+	return ret
+}
+
+func (pol *ACLPolicy) generateSSHRules(
+	machine *types.Machine,
+	peers types.Machines,
+) ([]*tailcfg.SSHRule, error) {
 	rules := []*tailcfg.SSHRule{}
 
-	if h.aclPolicy == nil {
-		return nil, errEmptyPolicy
-	}
-
-	machines, err := h.ListMachines()
-	if err != nil {
-		return nil, err
-	}
-
 	acceptAction := tailcfg.SSHAction{
 		Message:                  "",
 		Reject:                   false,
@@ -255,7 +290,25 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
 		AllowLocalPortForwarding: false,
 	}
 
-	for index, sshACL := range h.aclPolicy.SSHs {
+	for index, sshACL := range pol.SSHs {
+		var dest netipx.IPSetBuilder
+		for _, src := range sshACL.Destinations {
+			expanded, err := pol.ExpandAlias(*machine, peers, src)
+			if err != nil {
+				return nil, err
+			}
+			dest.AddSet(expanded)
+		}
+
+		destSet, err := dest.IPSet()
+		if err != nil {
+			return nil, err
+		}
+
+		if !machine.IPAddresses.InIPSet(destSet) {
+			continue
+		}
+
 		action := rejectAction
 		switch sshACL.Action {
 		case "accept":
@@ -270,9 +323,9 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
 			}
 		default:
 			log.Error().
-				Msgf("Error parsing SSH %d, unknown action '%s'", index, sshACL.Action)
+				Msgf("Error parsing SSH %d, unknown action '%s', skipping", index, sshACL.Action)
 
-			return nil, err
+			continue
 		}
 
 		principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources))
@@ -282,7 +335,7 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
 					Any: true,
 				})
 			} else if isGroup(rawSrc) {
-				users, err := h.aclPolicy.getUsersInGroup(rawSrc, h.cfg.OIDC.StripEmaildomain)
+				users, err := pol.expandUsersFromGroup(rawSrc)
 				if err != nil {
 					log.Error().
 						Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
@@ -296,10 +349,10 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
 					})
 				}
 			} else {
-				expandedSrcs, err := h.aclPolicy.expandAlias(
-					machines,
+				expandedSrcs, err := pol.ExpandAlias(
+					*machine,
+					peers,
 					rawSrc,
-					h.cfg.OIDC.StripEmaildomain,
 				)
 				if err != nil {
 					log.Error().
@@ -346,39 +399,9 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
 	}, nil
 }
 
-// getIPsFromSource returns a set of Source IPs that would be associated
-// with the given src alias.
-func (pol *ACLPolicy) getIPsFromSource(
-	src string,
-	machines []Machine,
-	stripEmaildomain bool,
-) ([]string, error) {
-	ipSet, err := pol.expandAlias(machines, src, stripEmaildomain)
-	if err != nil {
-		return []string{}, err
-	}
-
-	prefixes := []string{}
-
-	for _, prefix := range ipSet.Prefixes() {
-		prefixes = append(prefixes, prefix.String())
-	}
-
-	return prefixes, nil
-}
-
-// getNetPortRangeFromDestination returns a set of tailcfg.NetPortRange
-// which are associated with the dest alias.
-func (pol *ACLPolicy) getNetPortRangeFromDestination(
-	dest string,
-	machines []Machine,
-	needsWildcard bool,
-	stripEmaildomain bool,
-) ([]tailcfg.NetPortRange, error) {
+func parseDestination(dest string) (string, string, error) {
 	var tokens []string
 
-	log.Trace().Str("destination", dest).Msg("generating policy destination")
-
 	// Check if there is a IPv4/6:Port combination, IPv6 has more than
 	// three ":".
 	tokens = strings.Split(dest, ":")
@@ -388,21 +411,25 @@ func (pol *ACLPolicy) getNetPortRangeFromDestination(
 		maybeIPv6Str := strings.TrimSuffix(dest, ":"+port)
 		log.Trace().Str("maybeIPv6Str", maybeIPv6Str).Msg("")
 
-		if maybeIPv6, err := netip.ParseAddr(maybeIPv6Str); err != nil && !maybeIPv6.Is6() {
+		filteredMaybeIPv6Str := maybeIPv6Str
+		if strings.Contains(maybeIPv6Str, "/") {
+			networkParts := strings.Split(maybeIPv6Str, "/")
+			filteredMaybeIPv6Str = networkParts[0]
+		}
+
+		if maybeIPv6, err := netip.ParseAddr(filteredMaybeIPv6Str); err != nil && !maybeIPv6.Is6() {
 			log.Trace().Err(err).Msg("trying to parse as IPv6")
 
-			return nil, fmt.Errorf(
+			return "", "", fmt.Errorf(
 				"failed to parse destination, tokens %v: %w",
 				tokens,
-				errInvalidPortFormat,
+				ErrInvalidPortFormat,
 			)
 		} else {
 			tokens = []string{maybeIPv6Str, port}
 		}
 	}
 
-	log.Trace().Strs("tokens", tokens).Msg("generating policy destination")
-
 	var alias string
 	// We can have here stuff like:
 	// git-server:*
@@ -418,31 +445,7 @@ func (pol *ACLPolicy) getNetPortRangeFromDestination(
 		alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
 	}
 
-	expanded, err := pol.expandAlias(
-		machines,
-		alias,
-		stripEmaildomain,
-	)
-	if err != nil {
-		return nil, err
-	}
-	ports, err := expandPorts(tokens[len(tokens)-1], needsWildcard)
-	if err != nil {
-		return nil, err
-	}
-
-	dests := []tailcfg.NetPortRange{}
-	for _, dest := range expanded.Prefixes() {
-		for _, port := range *ports {
-			pr := tailcfg.NetPortRange{
-				IP:    dest.String(),
-				Ports: port,
-			}
-			dests = append(dests, pr)
-		}
-	}
-
-	return dests, nil
+	return alias, tokens[len(tokens)-1], nil
 }
 
 // parseProtocol reads the proto field of the ACL and generates a list of
@@ -495,6 +498,27 @@ func parseProtocol(protocol string) ([]int, bool, error) {
 	}
 }
 
+// expandSource returns a set of Source IPs that would be associated
+// with the given src alias.
+func (pol *ACLPolicy) expandSource(
+	src string,
+	machine types.Machine,
+	peers types.Machines,
+) ([]string, error) {
+	ipSet, err := pol.ExpandAlias(machine, peers, src)
+	if err != nil {
+		return []string{}, err
+	}
+
+	prefixes := []string{}
+
+	for _, prefix := range ipSet.Prefixes() {
+		prefixes = append(prefixes, prefix.String())
+	}
+
+	return prefixes, nil
+}
+
 // expandalias has an input of either
 // - a user
 // - a group
@@ -503,52 +527,54 @@ func parseProtocol(protocol string) ([]int, bool, error) {
 // - an ip
 // - a cidr
 // and transform these in IPAddresses.
-func (pol *ACLPolicy) expandAlias(
-	machines Machines,
+func (pol *ACLPolicy) ExpandAlias(
+	machine types.Machine,
+	peers types.Machines,
 	alias string,
-	stripEmailDomain bool,
 ) (*netipx.IPSet, error) {
 	if isWildcard(alias) {
-		return parseIPSet("*", nil)
+		return util.ParseIPSet("*", nil)
 	}
 
 	build := netipx.IPSetBuilder{}
 
+	allMachines := append(peers, machine)
+
 	log.Debug().
 		Str("alias", alias).
 		Msg("Expanding")
 
 	// if alias is a group
 	if isGroup(alias) {
-		return pol.getIPsFromGroup(alias, machines, stripEmailDomain)
+		return pol.expandIPsFromGroup(alias, allMachines)
 	}
 
 	// if alias is a tag
 	if isTag(alias) {
-		return pol.getIPsFromTag(alias, machines, stripEmailDomain)
+		return pol.expandIPsFromTag(alias, allMachines)
 	}
 
 	// if alias is a user
-	if ips, err := pol.getIPsForUser(alias, machines, stripEmailDomain); ips != nil {
+	if ips, err := pol.expandIPsFromUser(alias, allMachines); ips != nil {
 		return ips, err
 	}
 
 	// if alias is an host
 	// Note, this is recursive.
 	if h, ok := pol.Hosts[alias]; ok {
-		log.Trace().Str("host", h.String()).Msg("expandAlias got hosts entry")
+		log.Trace().Str("host", h.String()).Msg("ExpandAlias got hosts entry")
 
-		return pol.expandAlias(machines, h.String(), stripEmailDomain)
+		return pol.ExpandAlias(machine, peers, h.String())
 	}
 
 	// if alias is an IP
 	if ip, err := netip.ParseAddr(alias); err == nil {
-		return pol.getIPsFromSingleIP(ip, machines)
+		return pol.expandIPsFromSingleIP(ip, allMachines)
 	}
 
 	// if alias is an IP Prefix (CIDR)
 	if prefix, err := netip.ParsePrefix(alias); err == nil {
-		return pol.getIPsFromIPPrefix(prefix, machines)
+		return pol.expandIPsFromIPPrefix(prefix, allMachines)
 	}
 
 	log.Warn().Msgf("No IPs found with the alias %v", alias)
@@ -561,16 +587,15 @@ func (pol *ACLPolicy) expandAlias(
 // we assume in this function that we only have nodes from 1 user.
 func excludeCorrectlyTaggedNodes(
 	aclPolicy *ACLPolicy,
-	nodes []Machine,
+	nodes types.Machines,
 	user string,
-	stripEmailDomain bool,
-) []Machine {
-	out := []Machine{}
+) types.Machines {
+	out := types.Machines{}
 	tags := []string{}
 	for tag := range aclPolicy.TagOwners {
-		owners, _ := getTagOwners(aclPolicy, user, stripEmailDomain)
+		owners, _ := expandOwnersFromTag(aclPolicy, user)
 		ns := append(owners, user)
-		if contains(ns, user) {
+		if util.StringOrPrefixListContains(ns, user) {
 			tags = append(tags, tag)
 		}
 	}
@@ -580,7 +605,7 @@ func excludeCorrectlyTaggedNodes(
 
 		found := false
 		for _, t := range hi.RequestTags {
-			if contains(tags, t) {
+			if util.StringOrPrefixListContains(tags, t) {
 				found = true
 
 				break
@@ -597,15 +622,15 @@ func excludeCorrectlyTaggedNodes(
 	return out
 }
 
-func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, error) {
+func expandPorts(portsStr string, isWild bool) (*[]tailcfg.PortRange, error) {
 	if isWildcard(portsStr) {
 		return &[]tailcfg.PortRange{
 			{First: portRangeBegin, Last: portRangeEnd},
 		}, nil
 	}
 
-	if needsWildcard {
-		return nil, errWildcardIsNeeded
+	if isWild {
+		return nil, ErrWildcardIsNeeded
 	}
 
 	ports := []tailcfg.PortRange{}
@@ -614,7 +639,7 @@ func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, err
 		rang := strings.Split(portStr, "-")
 		switch len(rang) {
 		case 1:
-			port, err := strconv.ParseUint(rang[0], Base10, BitSize16)
+			port, err := strconv.ParseUint(rang[0], util.Base10, util.BitSize16)
 			if err != nil {
 				return nil, err
 			}
@@ -624,11 +649,11 @@ func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, err
 			})
 
 		case expectedTokenItems:
-			start, err := strconv.ParseUint(rang[0], Base10, BitSize16)
+			start, err := strconv.ParseUint(rang[0], util.Base10, util.BitSize16)
 			if err != nil {
 				return nil, err
 			}
-			last, err := strconv.ParseUint(rang[1], Base10, BitSize16)
+			last, err := strconv.ParseUint(rang[1], util.Base10, util.BitSize16)
 			if err != nil {
 				return nil, err
 			}
@@ -638,43 +663,31 @@ func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, err
 			})
 
 		default:
-			return nil, errInvalidPortFormat
+			return nil, ErrInvalidPortFormat
 		}
 	}
 
 	return &ports, nil
 }
 
-func filterMachinesByUser(machines []Machine, user string) []Machine {
-	out := []Machine{}
-	for _, machine := range machines {
-		if machine.User.Name == user {
-			out = append(out, machine)
-		}
-	}
-
-	return out
-}
-
-// getTagOwners will return a list of user. An owner can be either a user or a group
+// expandOwnersFromTag will return a list of user. An owner can be either a user or a group
 // a group cannot be composed of groups.
-func getTagOwners(
+func expandOwnersFromTag(
 	pol *ACLPolicy,
 	tag string,
-	stripEmailDomain bool,
 ) ([]string, error) {
 	var owners []string
 	ows, ok := pol.TagOwners[tag]
 	if !ok {
 		return []string{}, fmt.Errorf(
 			"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners",
-			errInvalidTag,
+			ErrInvalidTag,
 			tag,
 		)
 	}
 	for _, owner := range ows {
 		if isGroup(owner) {
-			gs, err := pol.getUsersInGroup(owner, stripEmailDomain)
+			gs, err := pol.expandUsersFromGroup(owner)
 			if err != nil {
 				return []string{}, err
 			}
@@ -687,11 +700,10 @@ func getTagOwners(
 	return owners, nil
 }
 
-// getUsersInGroup will return the list of user inside the group
+// expandUsersFromGroup will return the list of user inside the group
 // after some validation.
-func (pol *ACLPolicy) getUsersInGroup(
+func (pol *ACLPolicy) expandUsersFromGroup(
 	group string,
-	stripEmailDomain bool,
 ) ([]string, error) {
 	users := []string{}
 	log.Trace().Caller().Interface("pol", pol).Msg("test")
@@ -700,22 +712,22 @@ func (pol *ACLPolicy) getUsersInGroup(
 		return []string{}, fmt.Errorf(
 			"group %v isn't registered. %w",
 			group,
-			errInvalidGroup,
+			ErrInvalidGroup,
 		)
 	}
 	for _, group := range aclGroups {
 		if isGroup(group) {
 			return []string{}, fmt.Errorf(
 				"%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups",
-				errInvalidGroup,
+				ErrInvalidGroup,
 			)
 		}
-		grp, err := NormalizeToFQDNRules(group, stripEmailDomain)
+		grp, err := util.NormalizeToFQDNRulesConfigFromViper(group)
 		if err != nil {
 			return []string{}, fmt.Errorf(
 				"failed to normalize group %q, err: %w",
 				group,
-				errInvalidGroup,
+				ErrInvalidGroup,
 			)
 		}
 		users = append(users, grp)
@@ -724,14 +736,13 @@ func (pol *ACLPolicy) getUsersInGroup(
 	return users, nil
 }
 
-func (pol *ACLPolicy) getIPsFromGroup(
+func (pol *ACLPolicy) expandIPsFromGroup(
 	group string,
-	machines Machines,
-	stripEmailDomain bool,
+	machines types.Machines,
 ) (*netipx.IPSet, error) {
 	build := netipx.IPSetBuilder{}
 
-	users, err := pol.getUsersInGroup(group, stripEmailDomain)
+	users, err := pol.expandUsersFromGroup(group)
 	if err != nil {
 		return &netipx.IPSet{}, err
 	}
@@ -745,29 +756,28 @@ func (pol *ACLPolicy) getIPsFromGroup(
 	return build.IPSet()
 }
 
-func (pol *ACLPolicy) getIPsFromTag(
+func (pol *ACLPolicy) expandIPsFromTag(
 	alias string,
-	machines Machines,
-	stripEmailDomain bool,
+	machines types.Machines,
 ) (*netipx.IPSet, error) {
 	build := netipx.IPSetBuilder{}
 
 	// check for forced tags
 	for _, machine := range machines {
-		if contains(machine.ForcedTags, alias) {
+		if util.StringOrPrefixListContains(machine.ForcedTags, alias) {
 			machine.IPAddresses.AppendToIPSet(&build)
 		}
 	}
 
 	// find tag owners
-	owners, err := getTagOwners(pol, alias, stripEmailDomain)
+	owners, err := expandOwnersFromTag(pol, alias)
 	if err != nil {
-		if errors.Is(err, errInvalidTag) {
+		if errors.Is(err, ErrInvalidTag) {
 			ipSet, _ := build.IPSet()
 			if len(ipSet.Prefixes()) == 0 {
 				return ipSet, fmt.Errorf(
 					"%w. %v isn't owned by a TagOwner and no forced tags are defined",
-					errInvalidTag,
+					ErrInvalidTag,
 					alias,
 				)
 			}
@@ -783,7 +793,7 @@ func (pol *ACLPolicy) getIPsFromTag(
 		machines := filterMachinesByUser(machines, user)
 		for _, machine := range machines {
 			hi := machine.GetHostInfo()
-			if contains(hi.RequestTags, alias) {
+			if util.StringOrPrefixListContains(hi.RequestTags, alias) {
 				machine.IPAddresses.AppendToIPSet(&build)
 			}
 		}
@@ -792,15 +802,14 @@ func (pol *ACLPolicy) getIPsFromTag(
 	return build.IPSet()
 }
 
-func (pol *ACLPolicy) getIPsForUser(
+func (pol *ACLPolicy) expandIPsFromUser(
 	user string,
-	machines Machines,
-	stripEmailDomain bool,
+	machines types.Machines,
 ) (*netipx.IPSet, error) {
 	build := netipx.IPSetBuilder{}
 
 	filteredMachines := filterMachinesByUser(machines, user)
-	filteredMachines = excludeCorrectlyTaggedNodes(pol, filteredMachines, user, stripEmailDomain)
+	filteredMachines = excludeCorrectlyTaggedNodes(pol, filteredMachines, user)
 
 	// shortcurcuit if we have no machines to get ips from.
 	if len(filteredMachines) == 0 {
@@ -814,11 +823,11 @@ func (pol *ACLPolicy) getIPsForUser(
 	return build.IPSet()
 }
 
-func (pol *ACLPolicy) getIPsFromSingleIP(
+func (pol *ACLPolicy) expandIPsFromSingleIP(
 	ip netip.Addr,
-	machines Machines,
+	machines types.Machines,
 ) (*netipx.IPSet, error) {
-	log.Trace().Str("ip", ip.String()).Msg("expandAlias got ip")
+	log.Trace().Str("ip", ip.String()).Msg("ExpandAlias got ip")
 
 	matches := machines.FilterByIP(ip)
 
@@ -832,9 +841,9 @@ func (pol *ACLPolicy) getIPsFromSingleIP(
 	return build.IPSet()
 }
 
-func (pol *ACLPolicy) getIPsFromIPPrefix(
+func (pol *ACLPolicy) expandIPsFromIPPrefix(
 	prefix netip.Prefix,
-	machines Machines,
+	machines types.Machines,
 ) (*netipx.IPSet, error) {
 	log.Trace().Str("prefix", prefix.String()).Msg("expandAlias got prefix")
 	build := netipx.IPSetBuilder{}
@@ -866,3 +875,79 @@ func isGroup(str string) bool {
 func isTag(str string) bool {
 	return strings.HasPrefix(str, "tag:")
 }
+
+func isAutogroup(str string) bool {
+	return strings.HasPrefix(str, "autogroup:")
+}
+
+// TagsOfMachine will return the tags of the current machine.
+// Invalid tags are tags added by a user on a node, and that user doesn't have authority to add this tag.
+// Valid tags are tags added by a user that is allowed in the ACL policy to add this tag.
+func (pol *ACLPolicy) TagsOfMachine(
+	machine types.Machine,
+) ([]string, []string) {
+	validTags := make([]string, 0)
+	invalidTags := make([]string, 0)
+
+	validTagMap := make(map[string]bool)
+	invalidTagMap := make(map[string]bool)
+	for _, tag := range machine.HostInfo.RequestTags {
+		owners, err := expandOwnersFromTag(pol, tag)
+		if errors.Is(err, ErrInvalidTag) {
+			invalidTagMap[tag] = true
+
+			continue
+		}
+		var found bool
+		for _, owner := range owners {
+			if machine.User.Name == owner {
+				found = true
+			}
+		}
+		if found {
+			validTagMap[tag] = true
+		} else {
+			invalidTagMap[tag] = true
+		}
+	}
+	for tag := range invalidTagMap {
+		invalidTags = append(invalidTags, tag)
+	}
+	for tag := range validTagMap {
+		validTags = append(validTags, tag)
+	}
+
+	return validTags, invalidTags
+}
+
+func filterMachinesByUser(machines types.Machines, user string) types.Machines {
+	out := types.Machines{}
+	for _, machine := range machines {
+		if machine.User.Name == user {
+			out = append(out, machine)
+		}
+	}
+
+	return out
+}
+
+// FilterMachinesByACL returns the list of peers authorized to be accessed from a given machine.
+func FilterMachinesByACL(
+	machine *types.Machine,
+	machines types.Machines,
+	filter []tailcfg.FilterRule,
+) types.Machines {
+	result := types.Machines{}
+
+	for index, peer := range machines {
+		if peer.ID == machine.ID {
+			continue
+		}
+
+		if machine.CanAccess(filter, &machines[index]) || peer.CanAccess(filter, machine) {
+			result = append(result, peer)
+		}
+	}
+
+	return result
+}

hscontrol/policy/acls_types.go

@@ -1,4 +1,4 @@
-package hscontrol
+package policy
 
 import (
 	"encoding/json"

hscontrol/policy/matcher/matcher.go

@@ -0,0 +1,70 @@
+package matcher
+
+import (
+	"net/netip"
+
+	"github.com/juanfont/headscale/hscontrol/util"
+	"go4.org/netipx"
+	"tailscale.com/tailcfg"
+)
+
+type Match struct {
+	Srcs  *netipx.IPSet
+	Dests *netipx.IPSet
+}
+
+func MatchFromFilterRule(rule tailcfg.FilterRule) Match {
+	dests := []string{}
+	for _, dest := range rule.DstPorts {
+		dests = append(dests, dest.IP)
+	}
+
+	return MatchFromStrings(rule.SrcIPs, dests)
+}
+
+func MatchFromStrings(sources, destinations []string) Match {
+	srcs := new(netipx.IPSetBuilder)
+	dests := new(netipx.IPSetBuilder)
+
+	for _, srcIP := range sources {
+		set, _ := util.ParseIPSet(srcIP, nil)
+
+		srcs.AddSet(set)
+	}
+
+	for _, dest := range destinations {
+		set, _ := util.ParseIPSet(dest, nil)
+
+		dests.AddSet(set)
+	}
+
+	srcsSet, _ := srcs.IPSet()
+	destsSet, _ := dests.IPSet()
+
+	match := Match{
+		Srcs:  srcsSet,
+		Dests: destsSet,
+	}
+
+	return match
+}
+
+func (m *Match) SrcsContainsIPs(ips []netip.Addr) bool {
+	for _, ip := range ips {
+		if m.Srcs.Contains(ip) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (m *Match) DestsContainsIP(ips []netip.Addr) bool {
+	for _, ip := range ips {
+		if m.Dests.Contains(ip) {
+			return true
+		}
+	}
+
+	return false
+}

hscontrol/policy/matcher/matcher_test.go

@@ -0,0 +1 @@
+package matcher