Set doc version to 0.24.0

set changelog date (#2347 )
use headscale server url as domain instead of base_domain (#2338 )
2026-01-11 20:00:28 +01:00 · 2025-01-17 17:31:29 +01:00 · 2025-01-17 12:01:06 +01:00 · 2025-01-16 18:05:20 +01:00 · 2025-01-16 18:05:05 +01:00 · 2025-01-16 18:04:54 +01:00
176 changed files with 10859 additions and 8333 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,10 +1,10 @@
 * @juanfont @kradalby

-*.md @ohdearaugustin
-*.yml @ohdearaugustin
-*.yaml @ohdearaugustin
-Dockerfile* @ohdearaugustin
-.goreleaser.yaml @ohdearaugustin
-/docs/ @ohdearaugustin
-/.github/workflows/ @ohdearaugustin
-/.github/renovate.json @ohdearaugustin
+*.md @ohdearaugustin @nblock
+*.yml @ohdearaugustin @nblock
+*.yaml @ohdearaugustin @nblock
+Dockerfile* @ohdearaugustin @nblock
+.goreleaser.yaml @ohdearaugustin @nblock
+/docs/ @ohdearaugustin @nblock
+/.github/workflows/ @ohdearaugustin @nblock
+/.github/renovate.json @ohdearaugustin @nblock
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,7 +13,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  build:
+  build-nix:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
@@ -36,7 +36,7 @@ jobs:
      - uses: DeterminateSystems/magic-nix-cache-action@main
        if: steps.changed-files.outputs.files == 'true'

-      - name: Run build
+      - name: Run nix build
        id: build
        if: steps.changed-files.outputs.files == 'true'
        run: |
@@ -69,3 +69,27 @@ jobs:
        with:
          name: headscale-linux
          path: result/bin/headscale
+  build-cross:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        env:
+          - "GOARCH=arm   GOOS=linux GOARM=5"
+          - "GOARCH=arm   GOOS=linux GOARM=6"
+          - "GOARCH=arm   GOOS=linux GOARM=7"
+          - "GOARCH=arm64 GOOS=linux"
+          - "GOARCH=386   GOOS=linux"
+          - "GOARCH=amd64 GOOS=linux"
+          - "GOARCH=arm64 GOOS=darwin"
+          - "GOARCH=amd64 GOOS=darwin"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Run go cross compile
+        run: env ${{ matrix.env }} nix develop --command -- go build -o "headscale" ./cmd/headscale
+      - uses: actions/upload-artifact@v4
+        with:
+          name: "headscale-${{ matrix.env }}"
+          path: "headscale"
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -0,0 +1,51 @@
+name: Deploy docs
+
+on:
+  push:
+    branches:
+      # Main branch for development docs
+      - main
+
+      # Doc maintenance branches
+      - doc/[0-9]+.[0-9]+.[0-9]+
+    tags:
+      # Stable release tags
+      - v[0-9]+.[0-9]+.[0-9]+
+    paths:
+      - "docs/**"
+      - "mkdocs.yml"
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+      - name: Setup cache
+        uses: actions/cache@v4
+        with:
+          key: ${{ github.ref }}
+          path: .cache
+      - name: Setup dependencies
+        run: pip install -r docs/requirements.txt
+      - name: Configure git
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+      - name: Deploy development docs
+        if: github.ref == 'refs/heads/main'
+        run: mike deploy --push development unstable
+      - name: Deploy stable docs from doc branches
+        if: startsWith(github.ref, 'refs/heads/doc/')
+        run: mike deploy --push ${GITHUB_REF_NAME##*/}
+      - name: Deploy stable docs from tag
+        if: startsWith(github.ref, 'refs/tags/v')
+        # This assumes that only newer tags are pushed
+        run: mike deploy --push --update-aliases ${GITHUB_REF_NAME#v} stable latest
--- a/.github/workflows/docs-test.yml
+++ b/.github/workflows/docs-test.yml
@@ -13,11 +13,11 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
        with:
          python-version: 3.x
      - name: Setup cache
-        uses: actions/cache@v2
+        uses: actions/cache@v4
        with:
          key: ${{ github.ref }}
          path: .cache
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,52 +0,0 @@
-name: Build documentation
-
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Install python
-        uses: actions/setup-python@v4
-        with:
-          python-version: 3.x
-      - name: Setup cache
-        uses: actions/cache@v2
-        with:
-          key: ${{ github.ref }}
-          path: .cache
-      - name: Setup dependencies
-        run: pip install -r docs/requirements.txt
-      - name: Build docs
-        run: mkdocs build --strict
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
-        with:
-          path: ./site
-
-  deploy:
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    permissions:
-      pages: write
-      id-token: write
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      - name: Configure Pages
-        uses: actions/configure-pages@v4
-      - name: Deploy to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v4
--- a/.github/workflows/gh-actions-updater.yaml
+++ b/.github/workflows/gh-actions-updater.yaml
@@ -7,6 +7,7 @@ on:

 jobs:
  build:
+    if: github.repository == 'juanfont/headscale'
    runs-on: ubuntu-latest

    steps:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,7 @@ on:

 jobs:
  goreleaser:
+    if: github.repository == 'juanfont/headscale'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -6,6 +6,7 @@ on:

 jobs:
  close-issues:
+    if: github.repository == 'juanfont/headscale'
    runs-on: ubuntu-latest
    permissions:
      issues: write
--- a/.github/workflows/test-integration.yaml
+++ b/.github/workflows/test-integration.yaml
@@ -1,4 +1,7 @@
 name: Integration Tests
+# To debug locally on a branch, and when needing secrets
+# change this to include `push` so the build is ran on
+# the main repository.
 on: [pull_request]
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -21,6 +24,8 @@ jobs:
          - TestPolicyUpdateWhileRunningWithCLIInDatabase
          - TestOIDCAuthenticationPingAll
          - TestOIDCExpireNodesBasedOnTokenExpiry
+          - TestOIDC024UserCreation
+          - TestOIDCAuthenticationWithPKCE
          - TestAuthWebFlowAuthenticationPingAll
          - TestAuthWebFlowLogoutAndRelogin
          - TestUserCommand
@@ -30,17 +35,19 @@ jobs:
          - TestPreAuthKeyCorrectUserLoggedInCommand
          - TestApiKeyCommand
          - TestNodeTagCommand
-          - TestNodeAdvertiseTagNoACLCommand
-          - TestNodeAdvertiseTagWithACLCommand
+          - TestNodeAdvertiseTagCommand
          - TestNodeCommand
          - TestNodeExpireCommand
          - TestNodeRenameCommand
          - TestNodeMoveCommand
          - TestPolicyCommand
          - TestPolicyBrokenConfigCommand
+          - TestDERPVerifyEndpoint
          - TestResolveMagicDNS
+          - TestResolveMagicDNSExtraRecordsPath
          - TestValidateResolvConf
          - TestDERPServerScenario
+          - TestDERPServerWebsocketScenario
          - TestPingAllByIP
          - TestPingAllByIPPublicDERP
          - TestAuthKeyLogoutAndRelogin
@@ -49,6 +56,7 @@ jobs:
          - TestEphemeral2006DeletedTooQuickly
          - TestPingAllByHostname
          - TestTaildrop
+          - TestUpdateHostnameFromClient
          - TestExpireNode
          - TestNodeOnlineStatus
          - TestPingAllByIPManyUpDown
@@ -67,6 +75,16 @@ jobs:
          - TestSSHIsBlockedInACL
          - TestSSHUserOnlyIsolation
        database: [postgres, sqlite]
+    env:
+      # Github does not allow us to access secrets in pull requests,
+      # so this env var is used to check if we have the secret or not.
+      # If we have the secrets, meaning we are running on push in a fork,
+      # there might be secrets available for more debugging.
+      # If TS_OAUTH_CLIENT_ID and TS_OAUTH_SECRET is set, then the job
+      # will join a debug tailscale network, set up SSH and a tmux session.
+      # The SSH will be configured to use the SSH key of the Github user
+      # that triggered the build.
+      HAS_TAILSCALE_SECRET: ${{ secrets.TS_OAUTH_CLIENT_ID }}
    steps:
      - uses: actions/checkout@v4
        with:
@@ -82,6 +100,16 @@ jobs:
              - '**/*.go'
              - 'integration_test/'
              - 'config-example.yaml'
+      - name: Tailscale
+        if: ${{ env.HAS_TAILSCALE_SECRET }}
+        uses: tailscale/github-action@v2
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:gh
+      - name: Setup SSH server for Actor
+        if: ${{ env.HAS_TAILSCALE_SECRET }}
+        uses: alexellis/setup-sshd-actor@master
      - uses: DeterminateSystems/nix-installer-action@main
        if: steps.changed-files.outputs.files == 'true'
      - uses: DeterminateSystems/magic-nix-cache-action@main
@@ -121,3 +149,6 @@ jobs:
        with:
          name: ${{ matrix.test }}-${{matrix.database}}-pprof
          path: "control_logs/*.pprof.tar"
+      - name: Setup a blocking tmux session
+        if: ${{ env.HAS_TAILSCALE_SECRET }}
+        uses: alexellis/block-with-tmux-action@master
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -34,4 +34,10 @@ jobs:

      - name: Run tests
        if: steps.changed-files.outputs.files == 'true'
+        env:
+          # As of 2025-01-06, these env vars was not automatically
+          # set anymore which breaks the initdb for postgres on
+          # some of the database migration tests.
+          LC_ALL: "en_US.UTF-8"
+          LC_CTYPE: "en_US.UTF-8"
        run: nix develop --command -- gotestsum
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -6,6 +6,7 @@ on:

 jobs:
  lockfile:
+    if: github.repository == 'juanfont/headscale'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -27,6 +27,7 @@ linters:
    - nolintlint
    - musttag # causes issues with imported libs
    - depguard
+    - exportloopref

    # We should strive to enable these:
    - wrapcheck
@@ -56,9 +57,14 @@ linters-settings:
      - ok
      - c
      - tt
+      - tx
+      - rx

  gocritic:
    disabled-checks:
      - appendAssign
      # TODO(kradalby): Remove this
      - ifElseChain
+
+  nlreturn:
+    block-size: 4
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -154,7 +154,7 @@ kos:
      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}-debug{{ end }}"
      - "{{ if not .Prerelease }}v{{ .Major }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}stable{{ else }}unstable-debug{{ end }}"
+      - "{{ if not .Prerelease }}stable-debug{{ else }}unstable-debug{{ end }}"
      - "{{ .Tag }}-debug"
      - '{{ trimprefix .Tag "v" }}-debug'
      - "sha-{{ .ShortCommit }}-debug"
@@ -177,7 +177,7 @@ kos:
      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}-debug{{ end }}"
      - "{{ if not .Prerelease }}v{{ .Major }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}stable{{ else }}unstable-debug{{ end }}"
+      - "{{ if not .Prerelease }}stable-debug{{ else }}unstable-debug{{ end }}"
      - "{{ .Tag }}-debug"
      - '{{ trimprefix .Tag "v" }}-debug'
      - "sha-{{ .ShortCommit }}-debug"
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,6 +1,4 @@
 .github/workflows/test-integration-v2*
-docs/dns-records.md
-docs/running-headscale-container.md
-docs/running-headscale-linux-manual.md
-docs/running-headscale-linux.md
-docs/running-headscale-openbsd.md
+docs/about/features.md
+docs/ref/configuration.md
+docs/ref/remote-cli.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -62,7 +62,7 @@ event.

 Instances of abusive, harassing, or otherwise unacceptable behavior
 may be reported to the community leaders responsible for enforcement
-at our Discord channel. All complaints
+on our [Discord server](https://discord.gg/c84AZQhmpx). All complaints
 will be reviewed and investigated promptly and fairly.

 All community leaders are obligated to respect the privacy and
--- a/Dockerfile.derper
+++ b/Dockerfile.derper
@@ -0,0 +1,19 @@
+# For testing purposes only
+
+FROM golang:alpine AS build-env
+
+WORKDIR /go/src
+
+RUN apk add --no-cache git
+ARG VERSION_BRANCH=main
+RUN git clone https://github.com/tailscale/tailscale.git --branch=$VERSION_BRANCH --depth=1
+WORKDIR /go/src/tailscale
+
+ARG TARGETARCH
+RUN GOARCH=$TARGETARCH go install -v ./cmd/derper
+
+FROM alpine:3.18
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables curl
+
+COPY --from=build-env /go/bin/* /usr/local/bin/
+ENTRYPOINT [ "/usr/local/bin/derper" ]
--- a/Dockerfile.integration
+++ b/Dockerfile.integration
@@ -8,7 +8,7 @@ ENV GOPATH /go
 WORKDIR /go/src/headscale

 RUN apt-get update \
-  && apt-get install --no-install-recommends --yes less jq \
+  && apt-get install --no-install-recommends --yes less jq sqlite3 dnsutils \
  && rm -rf /var/lib/apt/lists/* \
  && apt-get clean
 RUN mkdir -p /var/run/headscale
--- a/Dockerfile.tailscale-HEAD
+++ b/Dockerfile.tailscale-HEAD
@@ -28,7 +28,9 @@ ARG VERSION_GIT_HASH=""
 ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
 ARG TARGETARCH

-RUN GOARCH=$TARGETARCH go install -ldflags="\
+ARG BUILD_TAGS=""
+
+RUN GOARCH=$TARGETARCH go install -tags="${BUILD_TAGS}" -ldflags="\
      -X tailscale.com/version.longStamp=$VERSION_LONG \
      -X tailscale.com/version.shortStamp=$VERSION_SHORT \
      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
--- a/20
+++ b/20
@@ -22,7 +22,7 @@ build:
 dev: lint test build

 test:
-	gotestsum -- -short -coverprofile=coverage.out ./...
+	gotestsum -- -short -race -coverprofile=coverage.out ./...

 test_integration:
 	docker run \
@@ -33,15 +33,25 @@ test_integration:
 		-v /var/run/docker.sock:/var/run/docker.sock \
 		-v $$PWD/control_logs:/tmp/control \
 		golang:1 \
-		go run gotest.tools/gotestsum@latest -- -failfast ./... -timeout 120m -parallel 8
+		go run gotest.tools/gotestsum@latest -- -race -failfast ./... -timeout 120m -parallel 8

 lint:
 	golangci-lint run --fix --timeout 10m

-fmt:
+fmt: fmt-go fmt-prettier fmt-proto
+
+fmt-prettier:
 	prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
-	golines --max-len=88 --base-formatter=gofumpt -w $(GO_SOURCES)
-	clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i $(PROTO_SOURCES)
+	prettier --write --print-width 80 --prose-wrap always CHANGELOG.md
+
+fmt-go:
+	# TODO(kradalby): Reeval if we want to use 88 in the future.
+	# golines --max-len=88 --base-formatter=gofumpt -w $(GO_SOURCES)
+	gofumpt -l -w .
+	golangci-lint run --fix
+
+fmt-proto:
+	clang-format -i $(PROTO_SOURCES)

 proto-lint:
 	cd proto/ && go run github.com/bufbuild/buf/cmd/buf lint
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@

 An open source, self-hosted implementation of the Tailscale control server.

-Join our [Discord](https://discord.gg/c84AZQhmpx) server for a chat.
+Join our [Discord server](https://discord.gg/c84AZQhmpx) for a chat.

 **Note:** Always select the same GitHub tag as the released version you use
 to ensure you have the correct example configuration and documentation.
@@ -46,38 +46,18 @@ buttons available in the repo.

 ## Features

- Full "base" support of Tailscale's features
- Configurable DNS
-  - [Split DNS](https://tailscale.com/kb/1054/dns/#using-dns-settings-in-the-admin-console)
- Node registration
-  - Single-Sign-On (via Open ID Connect)
-  - Pre authenticated key
- Taildrop (File Sharing)
- [Access control lists](https://tailscale.com/kb/1018/acls/)
- [MagicDNS](https://tailscale.com/kb/1081/magicdns)
- Dual stack (IPv4 and IPv6)
- Routing advertising (including exit nodes)
- Ephemeral nodes
- Embedded [DERP server](https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp)
+Please see ["Features" in the documentation](https://headscale.net/stable/about/features/).

 ## Client OS support

-| OS      | Supports headscale                                                                                 |
-| ------- | -------------------------------------------------------------------------------------------------- |
-| Linux   | Yes                                                                                                |
-| OpenBSD | Yes                                                                                                |
-| FreeBSD | Yes                                                                                                |
-| Windows | Yes (see [docs](./docs/windows-client.md) and `/windows` on your headscale for more information)   |
-| Android | Yes (see [docs](./docs/android-client.md))                                                         |
-| macOS   | Yes (see [docs](./docs/apple-client.md#macos) and `/apple` on your headscale for more information) |
-| iOS     | Yes (see [docs](./docs/apple-client.md#ios) and `/apple` on your headscale for more information)   |
+Please see ["Client and operating system support" in the documentation](https://headscale.net/stable/about/clients/).

 ## Running headscale

 **Please note that we do not support nor encourage the use of reverse proxies
 and container to run Headscale.**

-Please have a look at the [`documentation`](https://headscale.net/).
+Please have a look at the [`documentation`](https://headscale.net/stable/).

 ## Talks

@@ -99,7 +79,7 @@ Please read the [CONTRIBUTING.md](./CONTRIBUTING.md) file.
 ### Requirements

 To contribute to headscale you would need the latest version of [Go](https://golang.org)
-and [Buf](https://buf.build)(Protobuf generator).
+and [Buf](https://buf.build) (Protobuf generator).

 We recommend using [Nix](https://nixos.org/) to setup a development environment. This can
 be done with `nix develop`, which will install the tools and give you a shell.
--- a/cmd/headscale/cli/mockoidc.go
+++ b/cmd/headscale/cli/mockoidc.go
@@ -1,8 +1,10 @@
 package cli

 import (
+	"encoding/json"
 	"fmt"
 	"net"
+	"net/http"
 	"os"
 	"strconv"
 	"time"
@@ -64,6 +66,19 @@ func mockOIDC() error {
 		accessTTL = newTTL
 	}

+	userStr := os.Getenv("MOCKOIDC_USERS")
+	if userStr == "" {
+		return fmt.Errorf("MOCKOIDC_USERS not defined")
+	}
+
+	var users []mockoidc.MockUser
+	err := json.Unmarshal([]byte(userStr), &users)
+	if err != nil {
+		return fmt.Errorf("unmarshalling users: %w", err)
+	}
+
+	log.Info().Interface("users", users).Msg("loading users from JSON")
+
 	log.Info().Msgf("Access token TTL: %s", accessTTL)

 	port, err := strconv.Atoi(portStr)
@@ -71,7 +86,7 @@ func mockOIDC() error {
 		return err
 	}

-	mock, err := getMockOIDC(clientID, clientSecret)
+	mock, err := getMockOIDC(clientID, clientSecret, users)
 	if err != nil {
 		return err
 	}
@@ -93,12 +108,18 @@ func mockOIDC() error {
 	return nil
 }

-func getMockOIDC(clientID string, clientSecret string) (*mockoidc.MockOIDC, error) {
+func getMockOIDC(clientID string, clientSecret string, users []mockoidc.MockUser) (*mockoidc.MockOIDC, error) {
 	keypair, err := mockoidc.NewKeypair(nil)
 	if err != nil {
 		return nil, err
 	}

+	userQueue := mockoidc.UserQueue{}
+
+	for _, user := range users {
+		userQueue.Push(&user)
+	}
+
 	mock := mockoidc.MockOIDC{
 		ClientID:                      clientID,
 		ClientSecret:                  clientSecret,
@@ -107,9 +128,19 @@ func getMockOIDC(clientID string, clientSecret string) (*mockoidc.MockOIDC, erro
 		CodeChallengeMethodsSupported: []string{"plain", "S256"},
 		Keypair:                       keypair,
 		SessionStore:                  mockoidc.NewSessionStore(),
-		UserQueue:                     &mockoidc.UserQueue{},
+		UserQueue:                     &userQueue,
 		ErrorQueue:                    &mockoidc.ErrorQueue{},
 	}

+	mock.AddMiddleware(func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			log.Info().Msgf("Request: %+v", r)
+			h.ServeHTTP(w, r)
+			if r.Response != nil {
+				log.Info().Msgf("Response: %+v", r.Response)
+			}
+		})
+	})
+
 	return &mock, nil
 }
--- a/cmd/headscale/cli/nodes.go
+++ b/cmd/headscale/cli/nodes.go
@@ -39,33 +39,33 @@ func init() {

 	err := registerNodeCmd.MarkFlagRequired("user")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	registerNodeCmd.Flags().StringP("key", "k", "", "Key")
 	err = registerNodeCmd.MarkFlagRequired("key")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(registerNodeCmd)

 	expireNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
 	err = expireNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(expireNodeCmd)

 	renameNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
 	err = renameNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(renameNodeCmd)

 	deleteNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
 	err = deleteNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(deleteNodeCmd)

@@ -73,7 +73,7 @@ func init() {

 	err = moveNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}

 	moveNodeCmd.Flags().StringP("user", "u", "", "New user")
@@ -85,7 +85,7 @@ func init() {

 	err = moveNodeCmd.MarkFlagRequired("user")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(moveNodeCmd)

@@ -93,7 +93,7 @@ func init() {

 	err = tagCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	tagCmd.Flags().
 		StringSliceP("tags", "t", []string{}, "List of tags to add to the node")
--- a/cmd/headscale/cli/routes.go
+++ b/cmd/headscale/cli/routes.go
@@ -7,10 +7,10 @@ import (
 	"strconv"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
+	"tailscale.com/net/tsaddr"
 )

 const (
@@ -25,21 +25,21 @@ func init() {
 	enableRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
 	err := enableRouteCmd.MarkFlagRequired("route")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	routesCmd.AddCommand(enableRouteCmd)

 	disableRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
 	err = disableRouteCmd.MarkFlagRequired("route")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	routesCmd.AddCommand(disableRouteCmd)

 	deleteRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
 	err = deleteRouteCmd.MarkFlagRequired("route")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	routesCmd.AddCommand(deleteRouteCmd)
 }
@@ -245,7 +245,7 @@ func routesToPtables(routes []*v1.Route) pterm.TableData {

 			continue
 		}
-		if prefix == types.ExitRouteV4 || prefix == types.ExitRouteV6 {
+		if tsaddr.IsExitRoute(prefix) {
 			isPrimaryStr = "-"
 		} else {
 			isPrimaryStr = strconv.FormatBool(route.GetIsPrimary())
--- a/cmd/headscale/cli/users.go
+++ b/cmd/headscale/cli/users.go
@@ -3,6 +3,7 @@ package cli
 import (
 	"errors"
 	"fmt"
+	"net/url"

 	survey "github.com/AlecAivazis/survey/v2"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
@@ -12,12 +13,46 @@ import (
 	"google.golang.org/grpc/status"
 )

+func usernameAndIDFlag(cmd *cobra.Command) {
+	cmd.Flags().Int64P("identifier", "i", -1, "User identifier (ID)")
+	cmd.Flags().StringP("name", "n", "", "Username")
+}
+
+// usernameAndIDFromFlag returns the username and ID from the flags of the command.
+// If both are empty, it will exit the program with an error.
+func usernameAndIDFromFlag(cmd *cobra.Command) (uint64, string) {
+	username, _ := cmd.Flags().GetString("name")
+	identifier, _ := cmd.Flags().GetInt64("identifier")
+	if username == "" && identifier < 0 {
+		err := errors.New("--name or --identifier flag is required")
+		ErrorOutput(
+			err,
+			fmt.Sprintf(
+				"Cannot rename user: %s",
+				status.Convert(err).Message(),
+			),
+			"",
+		)
+	}
+
+	return uint64(identifier), username
+}
+
 func init() {
 	rootCmd.AddCommand(userCmd)
 	userCmd.AddCommand(createUserCmd)
+	createUserCmd.Flags().StringP("display-name", "d", "", "Display name")
+	createUserCmd.Flags().StringP("email", "e", "", "Email")
+	createUserCmd.Flags().StringP("picture-url", "p", "", "Profile picture URL")
 	userCmd.AddCommand(listUsersCmd)
+	usernameAndIDFlag(listUsersCmd)
+	listUsersCmd.Flags().StringP("email", "e", "", "Email")
 	userCmd.AddCommand(destroyUserCmd)
+	usernameAndIDFlag(destroyUserCmd)
 	userCmd.AddCommand(renameUserCmd)
+	usernameAndIDFlag(renameUserCmd)
+	renameUserCmd.Flags().StringP("new-name", "r", "", "New username")
+	renameNodeCmd.MarkFlagRequired("new-name")
 }

 var errMissingParameter = errors.New("missing parameters")
@@ -52,6 +87,28 @@ var createUserCmd = &cobra.Command{

 		request := &v1.CreateUserRequest{Name: userName}

+		if displayName, _ := cmd.Flags().GetString("display-name"); displayName != "" {
+			request.DisplayName = displayName
+		}
+
+		if email, _ := cmd.Flags().GetString("email"); email != "" {
+			request.Email = email
+		}
+
+		if pictureURL, _ := cmd.Flags().GetString("picture-url"); pictureURL != "" {
+			if _, err := url.Parse(pictureURL); err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf(
+						"Invalid Picture URL: %s",
+						err,
+					),
+					output,
+				)
+			}
+			request.PictureUrl = pictureURL
+		}
+
 		log.Trace().Interface("request", request).Msg("Sending CreateUser request")
 		response, err := client.CreateUser(ctx, request)
 		if err != nil {
@@ -70,30 +127,23 @@ var createUserCmd = &cobra.Command{
 }

 var destroyUserCmd = &cobra.Command{
-	Use:     "destroy NAME",
+	Use:     "destroy --identifier ID or --name NAME",
 	Short:   "Destroys a user",
 	Aliases: []string{"delete"},
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return errMissingParameter
-		}
-
-		return nil
-	},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		userName := args[0]
-
-		request := &v1.GetUserRequest{
-			Name: userName,
+		id, username := usernameAndIDFromFlag(cmd)
+		request := &v1.ListUsersRequest{
+			Name: username,
+			Id:   id,
 		}

 		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

-		_, err := client.GetUser(ctx, request)
+		users, err := client.ListUsers(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -102,13 +152,24 @@ var destroyUserCmd = &cobra.Command{
 			)
 		}

+		if len(users.GetUsers()) != 1 {
+			err := fmt.Errorf("Unable to determine user to delete, query returned multiple users, use ID")
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
+				output,
+			)
+		}
+
+		user := users.GetUsers()[0]
+
 		confirm := false
 		force, _ := cmd.Flags().GetBool("force")
 		if !force {
 			prompt := &survey.Confirm{
 				Message: fmt.Sprintf(
-					"Do you want to remove the user '%s' and any associated preauthkeys?",
-					userName,
+					"Do you want to remove the user %q (%d) and any associated preauthkeys?",
+					user.GetName(), user.GetId(),
 				),
 			}
 			err := survey.AskOne(prompt, &confirm)
@@ -118,7 +179,7 @@ var destroyUserCmd = &cobra.Command{
 		}

 		if confirm || force {
-			request := &v1.DeleteUserRequest{Name: userName}
+			request := &v1.DeleteUserRequest{Id: user.GetId()}

 			response, err := client.DeleteUser(ctx, request)
 			if err != nil {
@@ -151,6 +212,23 @@ var listUsersCmd = &cobra.Command{

 		request := &v1.ListUsersRequest{}

+		id, _ := cmd.Flags().GetInt64("identifier")
+		username, _ := cmd.Flags().GetString("name")
+		email, _ := cmd.Flags().GetString("email")
+
+		// filter by one param at most
+		switch {
+		case id > 0:
+			request.Id = uint64(id)
+			break
+		case username != "":
+			request.Name = username
+			break
+		case email != "":
+			request.Email = email
+			break
+		}
+
 		response, err := client.ListUsers(ctx, request)
 		if err != nil {
 			ErrorOutput(
@@ -164,13 +242,15 @@ var listUsersCmd = &cobra.Command{
 			SuccessOutput(response.GetUsers(), "", output)
 		}

-		tableData := pterm.TableData{{"ID", "Name", "Created"}}
+		tableData := pterm.TableData{{"ID", "Name", "Username", "Email", "Created"}}
 		for _, user := range response.GetUsers() {
 			tableData = append(
 				tableData,
 				[]string{
-					user.GetId(),
+					fmt.Sprintf("%d", user.GetId()),
+					user.GetDisplayName(),
 					user.GetName(),
+					user.GetEmail(),
 					user.GetCreatedAt().AsTime().Format("2006-01-02 15:04:05"),
 				},
 			)
@@ -187,17 +267,9 @@ var listUsersCmd = &cobra.Command{
 }

 var renameUserCmd = &cobra.Command{
-	Use:     "rename OLD_NAME NEW_NAME",
+	Use:     "rename",
 	Short:   "Renames a user",
 	Aliases: []string{"mv"},
-	Args: func(cmd *cobra.Command, args []string) error {
-		expectedArguments := 2
-		if len(args) < expectedArguments {
-			return errMissingParameter
-		}
-
-		return nil
-	},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

@@ -205,12 +277,38 @@ var renameUserCmd = &cobra.Command{
 		defer cancel()
 		defer conn.Close()

-		request := &v1.RenameUserRequest{
-			OldName: args[0],
-			NewName: args[1],
+		id, username := usernameAndIDFromFlag(cmd)
+		listReq := &v1.ListUsersRequest{
+			Name: username,
+			Id:   id,
 		}

-		response, err := client.RenameUser(ctx, request)
+		users, err := client.ListUsers(ctx, listReq)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
+				output,
+			)
+		}
+
+		if len(users.GetUsers()) != 1 {
+			err := fmt.Errorf("Unable to determine user to delete, query returned multiple users, use ID")
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
+				output,
+			)
+		}
+
+		newName, _ := cmd.Flags().GetString("new-name")
+
+		renameReq := &v1.RenameUserRequest{
+			OldId:   id,
+			NewName: newName,
+		}
+
+		response, err := client.RenameUser(ctx, renameReq)
 		if err != nil {
 			ErrorOutput(
 				err,
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -58,8 +58,8 @@ noise:
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
 # Any other range is NOT supported, and it will cause unexpected issues.
 prefixes:
-  v6: fd7a:115c:a1e0::/48
  v4: 100.64.0.0/10
+  v6: fd7a:115c:a1e0::/48

  # Strategy used for allocation of IPs to nodes, available options:
  # - sequential (default): assigns the next free IP from the previous given IP.
@@ -168,6 +168,11 @@ database:
    # https://www.sqlite.org/wal.html
    write_ahead_log: true

+    # Maximum number of WAL file frames before the WAL file is automatically checkpointed.
+    # https://www.sqlite.org/c3ref/wal_autocheckpoint.html
+    # Set to 0 to disable automatic checkpointing.
+    wal_autocheckpoint: 1000
+
  # # Postgres config
  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
  # See database.type for more information.
@@ -209,7 +214,7 @@ tls_letsencrypt_cache_dir: /var/lib/headscale/cache

 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
-# See [docs/tls.md](docs/tls.md) for more information
+# See: docs/ref/tls.md for more information
 tls_letsencrypt_challenge_type: HTTP-01
 # When HTTP-01 challenge is chosen, letsencrypt must set up a
 # verification endpoint, and it will be listening on:
@@ -260,7 +265,6 @@ policy:
 # all the fields under `dns` should be set to empty values.
 dns:
  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
-  # Only works if there is at least a nameserver defined.
  magic_dns: true

  # Defines the base domain to create the hostnames for MagicDNS.
@@ -297,8 +301,8 @@ dns:
  search_domains: []

  # Extra DNS records
-  # so far only A-records are supported (on the tailscale side)
-  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
+  # so far only A and AAAA records are supported (on the tailscale side)
+  # See: docs/ref/dns.md
  extra_records: []
  #   - name: "grafana.myvpn.example.com"
  #     type: "A"
@@ -306,15 +310,10 @@ dns:
  #
  #   # you can also put it in one line
  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
-
-  # DEPRECATED
-  # Use the username as part of the DNS name for nodes, with this option enabled:
-  # node1.username.example.com
-  # while when this is disabled:
-  # node1.example.com
-  # This is a legacy option as Headscale has have this wrongly implemented
-  # while in upstream Tailscale, the username is not included.
-  use_username_in_magic_dns: false
+  #
+  # Alternatively, extra DNS records can be loaded from a JSON file.
+  # Headscale processes this file on each change.
+  # extra_records_path: /var/lib/headscale/extra-records.json

 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
@@ -365,12 +364,30 @@ unix_socket_permission: "0770"
 #   allowed_users:
 #     - alice@example.com
 #
-#   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-#   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
-#   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
-#   user: `first-name.last-name.example.com`
+#   # Optional: PKCE (Proof Key for Code Exchange) configuration
+#   # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
+#   # by preventing authorization code interception attacks
+#   # See https://datatracker.ietf.org/doc/html/rfc7636
+#   pkce:
+#     # Enable or disable PKCE support (default: false)
+#     enabled: false
+#     # PKCE method to use:
+#     # - plain: Use plain code verifier
+#     # - S256: Use SHA256 hashed code verifier (default, recommended)
+#     method: S256
 #
-#   strip_email_domain: true
+#   # Map legacy users from pre-0.24.0 versions of headscale to the new OIDC users
+#   # by taking the username from the legacy user and matching it with the username
+#   # provided by the OIDC. This is useful when migrating from legacy users to OIDC
+#   # to force them using the unique identifier from the OIDC and to give them a
+#   # proper display name and picture if available.
+#   # Note that this will only work if the username from the legacy user is the same
+#   # and there is a possibility for account takeover should a username have changed
+#   # with the provider.
+#   # Disabling this feature will cause all new logins to be created as new users.
+#   # Note this option will be removed in the future and should be set to false
+#   # on all new installations, or when all users have logged in with OIDC once.
+#   map_legacy_users: true

 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
--- a/docs/about/clients.md
+++ b/docs/about/clients.md
@@ -0,0 +1,16 @@
+# Client and operating system support
+
+We aim to support the [**last 10 releases** of the Tailscale client](https://tailscale.com/changelog#client) on all
+provided operating systems and platforms. Some platforms might require additional configuration to connect with
+headscale.
+
+| OS      | Supports headscale                                                                                    |
+| ------- | ----------------------------------------------------------------------------------------------------- |
+| Linux   | Yes                                                                                                   |
+| OpenBSD | Yes                                                                                                   |
+| FreeBSD | Yes                                                                                                   |
+| Windows | Yes (see [docs](../usage/connect/windows.md) and `/windows` on your headscale for more information)   |
+| Android | Yes (see [docs](../usage/connect/android.md))                                                         |
+| macOS   | Yes (see [docs](../usage/connect/apple.md#macos) and `/apple` on your headscale for more information) |
+| iOS     | Yes (see [docs](../usage/connect/apple.md#ios) and `/apple` on your headscale for more information)   |
+| tvOS    | Yes (see [docs](../usage/connect/apple.md#tvos) and `/apple` on your headscale for more information)  |
--- a/docs/about/contributing.md
+++ b/docs/about/contributing.md
@@ -0,0 +1,3 @@
+{%
+    include-markdown "../../CONTRIBUTING.md"
+%}
--- a/docs/about/faq.md
+++ b/docs/about/faq.md
@@ -0,0 +1,68 @@
+# Frequently Asked Questions
+
+## What is the design goal of headscale?
+
+Headscale aims to implement a self-hosted, open source alternative to the [Tailscale](https://tailscale.com/)
+control server.
+Headscale's goal is to provide self-hosters and hobbyists with an open-source
+server they can use for their projects and labs.
+It implements a narrow scope, a _single_ Tailnet, suitable for a personal use, or a small
+open-source organisation.
+
+## How can I contribute?
+
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+Please see [Contributing](contributing.md) for more information.
+
+## Why is 'acknowledged contribution' the chosen model?
+
+Both maintainers have full-time jobs and families, and we want to avoid burnout. We also want to avoid frustration from contributors when their PRs are not accepted.
+
+We are more than happy to exchange emails, or to have dedicated calls before a PR is submitted.
+
+## When/Why is Feature X going to be implemented?
+
+We don't know. We might be working on it. If you're interested in contributing, please post a feature request about it.
+
+Please be aware that there are a number of reasons why we might not accept specific contributions:
+
+- It is not possible to implement the feature in a way that makes sense in a self-hosted environment.
+- Given that we are reverse-engineering Tailscale to satisfy our own curiosity, we might be interested in implementing the feature ourselves.
+- You are not sending unit and integration tests with it.
+
+## Do you support Y method of deploying headscale?
+
+We currently support deploying headscale using our binaries and the DEB packages. Visit our [installation guide using
+official releases](../setup/install/official.md) for more information.
+
+In addition to that, you may use packages provided by the community or from distributions. Learn more in the
+[installation guide using community packages](../setup/install/community.md).
+
+For convenience, we also [build Docker images with headscale](../setup/install/container.md). But **please be aware that
+we don't officially support deploying headscale using Docker**. On our [Discord server](https://discord.gg/c84AZQhmpx)
+we have a "docker-issues" channel where you can ask for Docker-specific help to the community.
+
+## Which database should I use?
+
+We recommend the use of SQLite as database for headscale:
+
+- SQLite is simple to setup and easy to use
+- It scales well for all of headscale's usecases
+- Development and testing happens primarily on SQLite
+- PostgreSQL is still supported, but is considered to be in "maintenance mode"
+
+The headscale project itself does not provide a tool to migrate from PostgreSQL to SQLite. Please have a look at [the
+related tools documentation](../ref/integration/tools.md) for migration tooling provided by the community.
+
+## Why is my reverse proxy not working with headscale?
+
+We don't know. We don't use reverse proxies with headscale ourselves, so we don't have any experience with them. We have
+[community documentation](../ref/integration/reverse-proxy.md) on how to configure various reverse proxies, and a
+dedicated "reverse-proxy-issues" channel on our [Discord server](https://discord.gg/c84AZQhmpx) where you can ask for
+help to the community.
+
+## Can I use headscale and tailscale on the same machine?
+
+Running headscale on a machine that is also in the tailnet can cause problems with subnet routers, traffic relay nodes, and MagicDNS. It might work, but it is not supported.
--- a/docs/about/features.md
+++ b/docs/about/features.md
@@ -0,0 +1,32 @@
+# Features
+
+Headscale aims to implement a self-hosted, open source alternative to the Tailscale control server. Headscale's goal is
+to provide self-hosters and hobbyists with an open-source server they can use for their projects and labs. This page
+provides on overview of headscale's feature and compatibility with the Tailscale control server:
+
+- [x] Full "base" support of Tailscale's features
+- [x] Node registration
+    - [x] Interactive
+    - [x] Pre authenticated key
+- [x] [DNS](https://tailscale.com/kb/1054/dns)
+    - [x] [MagicDNS](https://tailscale.com/kb/1081/magicdns)
+    - [x] [Global and restricted nameservers (split DNS)](https://tailscale.com/kb/1054/dns#nameservers)
+    - [x] [search domains](https://tailscale.com/kb/1054/dns#search-domains)
+    - [x] [Extra DNS records (headscale only)](../ref/dns.md#setting-extra-dns-records)
+- [x] [Taildrop (File Sharing)](https://tailscale.com/kb/1106/taildrop)
+- [x] Routing advertising (including exit nodes)
+- [x] Dual stack (IPv4 and IPv6)
+- [x] Ephemeral nodes
+- [x] Embedded [DERP server](https://tailscale.com/kb/1232/derp-servers)
+- [x] Access control lists ([GitHub label "policy"](https://github.com/juanfont/headscale/labels/policy%20%F0%9F%93%9D))
+    - [x] ACL management via API
+    - [x] `autogroup:internet`
+    - [ ] `autogroup:self`
+    - [ ] `autogroup:member`
+* [ ] Node registration using Single-Sign-On (OpenID Connect) ([GitHub label "OIDC"](https://github.com/juanfont/headscale/labels/OIDC))
+    - [x] Basic registration
+    - [ ] Update user profile from identity provider
+    - [ ] Dynamic ACL support
+    - [ ] OIDC groups cannot be used in ACLs
+- [ ] [Funnel](https://tailscale.com/kb/1223/funnel) ([#1040](https://github.com/juanfont/headscale/issues/1040))
+- [ ] [Serve](https://tailscale.com/kb/1312/serve) ([#1234](https://github.com/juanfont/headscale/issues/1921))
--- a/docs/about/help.md
+++ b/docs/about/help.md
@@ -0,0 +1,5 @@
+# Getting help
+
+Join our [Discord server](https://discord.gg/c84AZQhmpx) for announcements and community support.
+
+Please report bugs via [GitHub issues](https://github.com/juanfont/headscale/issues)
--- a/docs/about/releases.md
+++ b/docs/about/releases.md
@@ -0,0 +1,9 @@
+# Releases
+
+All headscale releases are available on the [GitHub release page](https://github.com/juanfont/headscale/releases). Those
+releases are available as binaries for various platforms and architectures, packages for Debian based systems and source
+code archives. Container images are available on [Docker Hub](https://hub.docker.com/r/headscale/headscale).
+
+An Atom/RSS feed of headscale releases is available [here](https://github.com/juanfont/headscale/releases.atom).
+
+See the "announcements" channel on our [Discord server](https://discord.gg/c84AZQhmpx) for news about headscale.
--- a/docs/about/sponsor.md
+++ b/docs/about/sponsor.md
@@ -0,0 +1,4 @@
+# Sponsor
+
+If you like to support the development of headscale, please consider a donation via
+[ko-fi.com/headscale](https://ko-fi.com/headscale). Thank you!
--- a/docs/dns-records.md
+++ b/docs/dns-records.md
@@ -1,92 +0,0 @@
-# Setting custom DNS records
-
-!!! warning "Community documentation"
-
-    This page is not actively maintained by the headscale authors and is
-    written by community members. It is _not_ verified by `headscale` developers.
-
-    **It might be outdated and it might miss necessary steps**.
-
-## Goal
-
-This documentation has the goal of showing how a user can set custom DNS records with `headscale`s magic dns.
-An example use case is to serve apps on the same host via a reverse proxy like NGINX, in this case a Prometheus monitoring stack. This allows to nicely access the service with "http://grafana.myvpn.example.com" instead of the hostname and portnum combination "http://hostname-in-magic-dns.myvpn.example.com:3000".
-
-## Setup
-
-### 1. Change the configuration
-
-1. Change the `config.yaml` to contain the desired records like so:
-
-    ```yaml
-    dns:
-      ...
-      extra_records:
-        - name: "prometheus.myvpn.example.com"
-          type: "A"
-          value: "100.64.0.3"
-
-        - name: "grafana.myvpn.example.com"
-          type: "A"
-          value: "100.64.0.3"
-      ...
-    ```
-
-1. Restart your headscale instance.
-
-    !!! warning
-
-        Beware of the limitations listed later on!
-
-### 2. Verify that the records are set
-
-You can use a DNS querying tool of your choice on one of your hosts to verify that your newly set records are actually available in MagicDNS, here we used [`dig`](https://man.archlinux.org/man/dig.1.en):
-
-```
-$ dig grafana.myvpn.example.com
-
-; <<>> DiG 9.18.10 <<>> grafana.myvpn.example.com
-;; global options: +cmd
-;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44054
-;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
-
-;; OPT PSEUDOSECTION:
-; EDNS: version: 0, flags:; udp: 65494
-;; QUESTION SECTION:
-;grafana.myvpn.example.com.         IN      A
-
-;; ANSWER SECTION:
-grafana.myvpn.example.com.  593     IN      A       100.64.0.3
-
-;; Query time: 0 msec
-;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
-;; WHEN: Sat Dec 31 11:46:55 CET 2022
-;; MSG SIZE  rcvd: 66
-```
-
-### 3. Optional: Setup the reverse proxy
-
-The motivating example here was to be able to access internal monitoring services on the same host without specifying a port:
-
-```
-server {
-    listen 80;
-    listen [::]:80;
-
-    server_name grafana.myvpn.example.com;
-
-    location / {
-        proxy_pass http://localhost:3000;
-        proxy_set_header Host $http_host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-
-}
-```
-
-## Limitations
-
-[Not all types of records are supported](https://github.com/tailscale/tailscale/blob/6edf357b96b28ee1be659a70232c0135b2ffedfd/ipn/ipnlocal/local.go#L2989-L3007), especially no CNAME records.
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -1,57 +0,0 @@
---
-hide:
-  - navigation
---
-
-# Frequently Asked Questions
-
-## What is the design goal of headscale?
-
-`headscale` aims to implement a self-hosted, open source alternative to the [Tailscale](https://tailscale.com/)
-control server.
-`headscale`'s goal is to provide self-hosters and hobbyists with an open-source
-server they can use for their projects and labs.
-It implements a narrow scope, a _single_ Tailnet, suitable for a personal use, or a small
-open-source organisation.
-
-## How can I contribute?
-
-Headscale is "Open Source, acknowledged contribution", this means that any
-contribution will have to be discussed with the Maintainers before being submitted.
-
-Headscale is open to code contributions for bug fixes without discussion.
-
-If you find mistakes in the documentation, please also submit a fix to the documentation.
-
-## Why is 'acknowledged contribution' the chosen model?
-
-Both maintainers have full-time jobs and families, and we want to avoid burnout. We also want to avoid frustration from contributors when their PRs are not accepted.
-
-We are more than happy to exchange emails, or to have dedicated calls before a PR is submitted.
-
-## When/Why is Feature X going to be implemented?
-
-We don't know. We might be working on it. If you're interested in contributing, please post a feature request about it.
-
-Please be aware that there are a number of reasons why we might not accept specific contributions:
-
- It is not possible to implement the feature in a way that makes sense in a self-hosted environment.
- Given that we are reverse-engineering Tailscale to satisfy our own curiosity, we might be interested in implementing the feature ourselves.
- You are not sending unit and integration tests with it.
-
-## Do you support Y method of deploying Headscale?
-
-We currently support deploying `headscale` using our binaries and the DEB packages. Both can be found in the
-[GitHub releases page](https://github.com/juanfont/headscale/releases).
-
-In addition to that, there are semi-official RPM packages by the Fedora infra team https://copr.fedorainfracloud.org/coprs/jonathanspw/headscale/
-
-For convenience, we also build Docker images with `headscale`. But **please be aware that we don't officially support deploying `headscale` using Docker**. We have a [Discord channel](https://discord.com/channels/896711691637780480/1070619770942148618) where you can ask for Docker-specific help to the community.
-
-## Why is my reverse proxy not working with Headscale?
-
-We don't know. We don't use reverse proxies with `headscale` ourselves, so we don't have any experience with them. We have [community documentation](https://headscale.net/reverse-proxy/) on how to configure various reverse proxies, and a dedicated [Discord channel](https://discord.com/channels/896711691637780480/1070619818346164324) where you can ask for help to the community.
-
-## Can I use headscale and tailscale on the same machine?
-
-Running headscale on a machine that is also in the tailnet can cause problems with subnet routers, traffic relay nodes, and MagicDNS. It might work, but it is not supported.
--- a/docs/images/headscale-sealos-grpc-url.png
+++ b/docs/images/headscale-sealos-grpc-url.png
--- a/docs/images/headscale-sealos-url.png
+++ b/docs/images/headscale-sealos-url.png
--- a/docs/index.md
+++ b/docs/index.md
@@ -4,13 +4,13 @@ hide:
  - toc
 ---

-# headscale
+# Welcome to headscale

-`headscale` is an open source, self-hosted implementation of the Tailscale control server.
+Headscale is an open source, self-hosted implementation of the Tailscale control server.

-This page contains the documentation for the latest version of headscale. Please also check our [FAQ](faq.md).
+This page contains the documentation for the latest version of headscale. Please also check our [FAQ](./about/faq.md).

-Join our [Discord](https://discord.gg/c84AZQhmpx) server for a chat and community support.
+Join our [Discord server](https://discord.gg/c84AZQhmpx) for a chat and community support.

 ## Design goal

@@ -23,16 +23,15 @@ open-source organisation.

 ## Supporting headscale

-If you like `headscale` and find it useful, there is a sponsorship and donation
-buttons available in the repo.
+Please see [Sponsor](about/sponsor.md) for more information.

 ## Contributing

 Headscale is "Open Source, acknowledged contribution", this means that any
 contribution will have to be discussed with the Maintainers before being submitted.

-Please see [CONTRIBUTING.md](https://github.com/juanfont/headscale/blob/main/CONTRIBUTING.md) for more information.
+Please see [Contributing](about/contributing.md) for more information.

 ## About

-`headscale` is maintained by [Kristoffer Dalby](https://kradalby.no/) and [Juan Font](https://font.eu).
+Headscale is maintained by [Kristoffer Dalby](https://kradalby.no/) and [Juan Font](https://font.eu).
--- a/docs/packaging/postinstall.sh
+++ b/docs/packaging/postinstall.sh
@@ -6,8 +6,10 @@
 HEADSCALE_EXE="/usr/bin/headscale"
 BSD_HIER=""
 HEADSCALE_RUN_DIR="/var/run/headscale"
+HEADSCALE_HOME_DIR="/var/lib/headscale"
 HEADSCALE_USER="headscale"
 HEADSCALE_GROUP="headscale"
+HEADSCALE_SHELL="/usr/sbin/nologin"

 ensure_sudo() {
 	if [ "$(id -u)" = "0" ]; then
@@ -29,7 +31,7 @@ ensure_headscale_path() {

 create_headscale_user() {
 	printf "PostInstall: Adding headscale user %s\n" "$HEADSCALE_USER"
-	useradd -s /bin/sh -c "headscale default user" headscale
+	useradd -s "$HEADSCALE_SHELL" -d "$HEADSCALE_HOME_DIR" -c "headscale default user" "$HEADSCALE_USER"
 }

 create_headscale_group() {
--- a/docs/ref/acls.md
+++ b/docs/ref/acls.md
@@ -36,27 +36,30 @@ servers.
 - billing.internal
 - router.internal

-![ACL implementation example](images/headscale-acl-network.png)
+![ACL implementation example](../images/headscale-acl-network.png)

 ## ACL setup

-Note: Users will be created automatically when users authenticate with the
-Headscale server.
-
 ACLs have to be written in [huJSON](https://github.com/tailscale/hujson).

-When registering the servers we will need to add the flag
-`--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user that is
-registering the server should be allowed to do it. Since anyone can add tags to
-a server they can register, the check of the tags is done on headscale server
-and only valid tags are applied. A tag is valid if the user that is
+When [registering the servers](../usage/getting-started.md#register-a-node) we
+will need to add the flag `--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user
+that is registering the server should be allowed to do it. Since anyone can add
+tags to a server they can register, the check of the tags is done on headscale
+server and only valid tags are applied. A tag is valid if the user that is
 registering it is allowed to do it.

-To use ACLs in headscale, you must edit your `config.yaml` file. In there you will find a `policy.path` parameter. This will need to point to your ACL file. More info on how these policies are written can be found [here](https://tailscale.com/kb/1018/acls/).
+To use ACLs in headscale, you must edit your `config.yaml` file. In there you will find a `policy.path` parameter. This
+will need to point to your ACL file. More info on how these policies are written can be found
+[here](https://tailscale.com/kb/1018/acls/).
+
+Please reload or restart Headscale after updating the ACL file. Headscale may be reloaded either via its systemd service
+(`sudo systemctl reload headscale`) or by sending a SIGHUP signal (`sudo kill -HUP $(pidof headscale)`) to the main
+process. Headscale logs the result of ACL policy processing after each reload.

 Here are the ACL's to implement the same permissions as above:

-```json
+```json title="acl.json"
 {
  // groups are collections of users having a common scope. A user can be in multiple groups
  // groups cannot be composed of groups
@@ -87,7 +90,7 @@ Here are the ACL's to implement the same permissions as above:
  // to define a single host, use a /32 mask. You cannot use DNS entries here,
  // as they're prone to be hijacked by replacing their IP addresses.
  // see https://github.com/tailscale/tailscale/issues/3800 for more information.
-  "Hosts": {
+  "hosts": {
    "postgresql.internal": "10.20.0.2/32",
    "webservers.internal": "10.20.10.1/29"
  },
--- a/docs/ref/configuration.md
+++ b/docs/ref/configuration.md
@@ -0,0 +1,39 @@
+# Configuration
+
+- Headscale loads its configuration from a YAML file
+- It searches for `config.yaml` in the following paths:
+    - `/etc/headscale`
+    - `$HOME/.headscale`
+    - the current working directory
+- Use the command line flag `-c`, `--config` to load the configuration from a different path
+- Validate the configuration file with: `headscale configtest`
+
+!!! example "Get the [example configuration from the GitHub repository](https://github.com/juanfont/headscale/blob/main/config-example.yaml)"
+
+    Always select the [same GitHub tag](https://github.com/juanfont/headscale/tags) as the released version you use to
+    ensure you have the correct example configuration. The `main` branch might contain unreleased changes.
+
+    === "View on GitHub"
+
+        * Development version: <https://github.com/juanfont/headscale/blob/main/config-example.yaml>
+        * Version {{ headscale.version }}: <https://github.com/juanfont/headscale/blob/v{{ headscale.version }}/config-example.yaml>
+
+    === "Download with `wget`"
+
+        ```shell
+        # Development version
+        wget -O config.yaml https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml
+
+        # Version {{ headscale.version }}
+        wget -O config.yaml https://raw.githubusercontent.com/juanfont/headscale/v{{ headscale.version }}/config-example.yaml
+        ```
+
+    === "Download with `curl`"
+
+        ```shell
+        # Development version
+        curl -o config.yaml https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml
+
+        # Version {{ headscale.version }}
+        curl -o config.yaml https://raw.githubusercontent.com/juanfont/headscale/v{{ headscale.version }}/config-example.yaml
+        ```
--- a/docs/ref/dns.md
+++ b/docs/ref/dns.md
@@ -0,0 +1,112 @@
+# DNS
+
+Headscale supports [most DNS features](../about/features.md) from Tailscale. DNS related settings can be configured
+within `dns` section of the [configuration file](./configuration.md).
+
+## Setting extra DNS records
+
+Headscale allows to set extra DNS records which are made available via
+[MagicDNS](https://tailscale.com/kb/1081/magicdns). Extra DNS records can be configured either via static entries in the
+[configuration file](./configuration.md) or from a JSON file that Headscale continuously watches for changes:
+
+* Use the `dns.extra_records` option in the [configuration file](./configuration.md) for entries that are static and
+  don't change while Headscale is running. Those entries are processed when Headscale is starting up and changes to the
+  configuration require a restart of Headscale.
+* For dynamic DNS records that may be added, updated or removed while Headscale is running or DNS records that are
+  generated by scripts the option `dns.extra_records_path` in the [configuration file](./configuration.md) is useful.
+  Set it to the absolute path of the JSON file containing DNS records and Headscale processes this file as it detects
+  changes.
+
+An example use case is to serve multiple apps on the same host via a reverse proxy like NGINX, in this case a Prometheus
+monitoring stack. This allows to nicely access the service with "http://grafana.myvpn.example.com" instead of the
+hostname and port combination "http://hostname-in-magic-dns.myvpn.example.com:3000".
+
+!!! warning "Limitations"
+
+    Currently, [only A and AAAA records are processed by Tailscale](https://github.com/tailscale/tailscale/blob/v1.78.3/ipn/ipnlocal/local.go#L4461-L4479).
+
+
+1.  Configure extra DNS records using one of the available configuration options:
+
+    === "Static entries, via `dns.extra_records`"
+
+        ```yaml title="config.yaml"
+        dns:
+          ...
+          extra_records:
+            - name: "grafana.myvpn.example.com"
+              type: "A"
+              value: "100.64.0.3"
+
+            - name: "prometheus.myvpn.example.com"
+              type: "A"
+              value: "100.64.0.3"
+          ...
+        ```
+
+        Restart your headscale instance.
+
+    === "Dynamic entries, via `dns.extra_records_path`"
+
+        ```json title="extra-records.json"
+        [
+          {
+            "name": "grafana.myvpn.example.com",
+            "type": "A",
+            "value": "100.64.0.3"
+          },
+          {
+            "name": "prometheus.myvpn.example.com",
+            "type": "A",
+            "value": "100.64.0.3"
+          }
+        ]
+        ```
+
+        Headscale picks up changes to the above JSON file automatically.
+
+        !!! tip "Good to know"
+
+            * The `dns.extra_records_path` option in the [configuration file](./configuration.md) needs to reference the
+              JSON file containing extra DNS records.
+            * Be sure to "sort keys" and produce a stable output in case you generate the JSON file with a script.
+              Headscale uses a checksum to detect changes to the file and a stable output avoids unnecessary processing.
+
+1.  Verify that DNS records are properly set using the DNS querying tool of your choice:
+
+    === "Query with dig"
+
+        ```shell
+        dig +short grafana.myvpn.example.com
+        100.64.0.3
+        ```
+
+    === "Query with drill"
+
+        ```shell
+        drill -Q grafana.myvpn.example.com
+        100.64.0.3
+        ```
+
+1.  Optional: Setup the reverse proxy
+
+    The motivating example here was to be able to access internal monitoring services on the same host without
+    specifying a port, depicted as NGINX configuration snippet:
+
+    ```nginx title="nginx.conf"
+    server {
+        listen 80;
+        listen [::]:80;
+
+        server_name grafana.myvpn.example.com;
+
+        location / {
+            proxy_pass http://localhost:3000;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+    }
+    ```
--- a/docs/ref/exit-node.md
+++ b/docs/ref/exit-node.md
--- a/docs/ref/integration/reverse-proxy.md
+++ b/docs/ref/integration/reverse-proxy.md
@@ -3,7 +3,7 @@
 !!! warning "Community documentation"

    This page is not actively maintained by the headscale authors and is
-    written by community members. It is _not_ verified by `headscale` developers.
+    written by community members. It is _not_ verified by headscale developers.

    **It might be outdated and it might miss necessary steps**.

@@ -23,7 +23,7 @@ Running headscale behind a cloudflare proxy or cloudflare tunnel is not supporte

 Headscale can be configured not to use TLS, leaving it to the reverse proxy to handle. Add the following configuration values to your headscale config file.

-```yaml
+```yaml title="config.yaml"
 server_url: https://<YOUR_SERVER_NAME> # This should be the FQDN at which headscale will be served
 listen_addr: 0.0.0.0:8080
 metrics_listen_addr: 0.0.0.0:9090
@@ -35,7 +35,7 @@ tls_key_path: ""

 The following example configuration can be used in your nginx setup, substituting values as necessary. `<IP:PORT>` should be the IP address and port where headscale is running. In most cases, this will be `http://localhost:8080`.

-```Nginx
+```nginx title="nginx.conf"
 map $http_upgrade $connection_upgrade {
    default      upgrade;
    ''           close;
@@ -113,7 +113,7 @@ spec:

 The following Caddyfile is all that is necessary to use Caddy as a reverse proxy for headscale, in combination with the `config.yaml` specifications above to disable headscale's built in TLS. Replace values as necessary - `<YOUR_SERVER_NAME>` should be the FQDN at which headscale will be served, and `<IP:PORT>` should be the IP address and port where headscale is running. In most cases, this will be `localhost:8080`.

-```
+```none title="Caddyfile"
 <YOUR_SERVER_NAME> {
    reverse_proxy <IP:PORT>
 }
@@ -121,13 +121,13 @@ The following Caddyfile is all that is necessary to use Caddy as a reverse proxy

 Caddy v2 will [automatically](https://caddyserver.com/docs/automatic-https) provision a certificate for your domain/subdomain, force HTTPS, and proxy websockets - no further configuration is necessary.

-For a slightly more complex configuration which utilizes Docker containers to manage Caddy, Headscale, and Headscale-UI, [Guru Computing's guide](https://blog.gurucomputing.com.au/smart-vpns-with-headscale/) is an excellent reference.
+For a slightly more complex configuration which utilizes Docker containers to manage Caddy, headscale, and Headscale-UI, [Guru Computing's guide](https://blog.gurucomputing.com.au/smart-vpns-with-headscale/) is an excellent reference.

 ## Apache

-The following minimal Apache config will proxy traffic to the Headscale instance on `<IP:PORT>`. Note that `upgrade=any` is required as a parameter for `ProxyPass` so that WebSockets traffic whose `Upgrade` header value is not equal to `WebSocket` (i. e. Tailscale Control Protocol) is forwarded correctly. See the [Apache docs](https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html) for more information on this.
+The following minimal Apache config will proxy traffic to the headscale instance on `<IP:PORT>`. Note that `upgrade=any` is required as a parameter for `ProxyPass` so that WebSockets traffic whose `Upgrade` header value is not equal to `WebSocket` (i. e. Tailscale Control Protocol) is forwarded correctly. See the [Apache docs](https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html) for more information on this.

-```
+```apache title="apache.conf"
 <VirtualHost *:443>
 	ServerName <YOUR_SERVER_NAME>

--- a/docs/ref/integration/tools.md
+++ b/docs/ref/integration/tools.md
@@ -0,0 +1,13 @@
+# Tools related to headscale
+
+!!! warning "Community contributions"
+
+    This page contains community contributions. The projects listed here are not
+    maintained by the headscale authors and are written by community members.
+
+This page collects third-party tools and scripts related to headscale.
+
+| Name                  | Repository Link                                                 | Description                                       |
+| --------------------- | --------------------------------------------------------------- | ------------------------------------------------- |
+| tailscale-manager     | [Github](https://github.com/singlestore-labs/tailscale-manager) | Dynamically manage Tailscale route advertisements |
+| headscalebacktosqlite | [Github](https://github.com/bigbozza/headscalebacktosqlite)     | Migrate headscale from PostgreSQL back to SQLite  |
--- a/docs/ref/integration/web-ui.md
+++ b/docs/ref/integration/web-ui.md
@@ -0,0 +1,19 @@
+# Web interfaces for headscale
+
+!!! warning "Community contributions"
+
+    This page contains community contributions. The projects listed here are not
+    maintained by the headscale authors and are written by community members.
+
+Headscale doesn't provide a built-in web interface but users may pick one from the available options.
+
+| Name            | Repository Link                                         | Description                                                                         |
+| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------- |
+| headscale-webui | [Github](https://github.com/ifargle/headscale-webui)    | A simple headscale web UI for small-scale deployments.                              |
+| headscale-ui    | [Github](https://github.com/gurucomputing/headscale-ui) | A web frontend for the headscale Tailscale-compatible coordination server           |
+| HeadscaleUi     | [GitHub](https://github.com/simcu/headscale-ui)         | A static headscale admin ui, no backend environment required                         |
+| Headplane       | [GitHub](https://github.com/tale/headplane)             | An advanced Tailscale inspired frontend for headscale                               |
+| headscale-admin | [Github](https://github.com/GoodiesHQ/headscale-admin)  | Headscale-Admin is meant to be a simple, modern web interface for headscale         |
+| ouroboros       | [Github](https://github.com/yellowsink/ouroboros)       | Ouroboros is designed for users to manage their own devices, rather than for admins |
+
+You can ask for support on our [Discord server](https://discord.gg/c84AZQhmpx) in the "web-interfaces" channel.
--- a/docs/ref/oidc.md
+++ b/docs/ref/oidc.md
@@ -1,4 +1,4 @@
-# Configuring Headscale to use OIDC authentication
+# Configuring headscale to use OIDC authentication

 In order to authenticate users through a centralized solution one must enable the OIDC integration.

@@ -11,7 +11,7 @@ Known limitations:

 In your `config.yaml`, customize this to your liking:

-```yaml
+```yaml title="config.yaml"
 oidc:
  # Block further startup until the OIDC provider is healthy and available
  only_start_if_oidc_is_available: true
@@ -45,6 +45,18 @@ oidc:
  allowed_users:
    - alice@example.com

+  # Optional: PKCE (Proof Key for Code Exchange) configuration
+  # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
+  # by preventing authorization code interception attacks
+  # See https://datatracker.ietf.org/doc/html/rfc7636
+  pkce:
+    # Enable or disable PKCE support (default: false)
+    enabled: false
+    # PKCE method to use:
+    # - plain: Use plain code verifier
+    # - S256: Use SHA256 hashed code verifier (default, recommended)
+    method: S256
+
  # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
  # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
  # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
@@ -54,9 +66,9 @@ oidc:

 ## Azure AD example

-In order to integrate Headscale with Azure Active Directory, we'll need to provision an App Registration with the correct scopes and redirect URI. Here with Terraform:
+In order to integrate headscale with Azure Active Directory, we'll need to provision an App Registration with the correct scopes and redirect URI. Here with Terraform:

-```hcl
+```hcl title="terraform.hcl"
 resource "azuread_application" "headscale" {
  display_name = "Headscale"

@@ -84,7 +96,7 @@ resource "azuread_application" "headscale" {
    }
  }
  web {
-    # Points at your running Headscale instance
+    # Points at your running headscale instance
    redirect_uris = ["https://headscale.example.com/oidc/callback"]

    implicit_grant {
@@ -125,9 +137,9 @@ output "headscale_client_secret" {
 }
 ```

-And in your Headscale `config.yaml`:
+And in your headscale `config.yaml`:

-```yaml
+```yaml title="config.yaml"
 oidc:
  issuer: "https://login.microsoftonline.com/<tenant-UUID>/v2.0"
  client_id: "<client-id-from-terraform>"
@@ -144,7 +156,7 @@ oidc:

 ## Google OAuth Example

-In order to integrate Headscale with Google, you'll need to have a [Google Cloud Console](https://console.cloud.google.com) account.
+In order to integrate headscale with Google, you'll need to have a [Google Cloud Console](https://console.cloud.google.com) account.

 Google OAuth has a [verification process](https://support.google.com/cloud/answer/9110914?hl=en) if you need to have users authenticate who are outside of your domain. If you only need to authenticate users from your domain name (ie `@example.com`), you don't need to go through the verification process.

@@ -158,17 +170,16 @@ However if you don't have a domain, or need to add users outside of your domain,
 4. Click `Create Credentials` -> `OAuth client ID`
 5. Under `Application Type`, choose `Web Application`
 6. For `Name`, enter whatever you like
-7. Under `Authorised redirect URIs`, use `https://example.com/oidc/callback`, replacing example.com with your Headscale URL.
+7. Under `Authorised redirect URIs`, use `https://example.com/oidc/callback`, replacing example.com with your headscale URL.
 8. Click `Save` at the bottom of the form
 9. Take note of the `Client ID` and `Client secret`, you can also download it for reference if you need it.
 10. Edit your headscale config, under `oidc`, filling in your `client_id` and `client_secret`:
-
-```yaml
-oidc:
-  issuer: "https://accounts.google.com"
-  client_id: ""
-  client_secret: ""
-  scope: ["openid", "profile", "email"]
-```
+    ```yaml title="config.yaml"
+    oidc:
+      issuer: "https://accounts.google.com"
+      client_id: ""
+      client_secret: ""
+      scope: ["openid", "profile", "email"]
+    ```

 You can also use `allowed_domains` and `allowed_users` to restrict the users who can authenticate.
--- a/docs/ref/remote-cli.md
+++ b/docs/ref/remote-cli.md
@@ -0,0 +1,105 @@
+# Controlling headscale with remote CLI
+
+This documentation has the goal of showing a user how-to control a headscale instance
+from a remote machine with the `headscale` command line binary.
+
+## Prerequisite
+
+- A workstation to run `headscale` (any supported platform, e.g. Linux).
+- A headscale server with gRPC enabled.
+- Connections to the gRPC port (default: `50443`) are allowed.
+- Remote access requires an encrypted connection via TLS.
+- An API key to authenticate with the headscale server.
+
+## Create an API key
+
+We need to create an API key to authenticate with the remote headscale server when using it from our workstation.
+
+To create an API key, log into your headscale server and generate a key:
+
+```shell
+headscale apikeys create --expiration 90d
+```
+
+Copy the output of the command and save it for later. Please note that you can not retrieve a key again,
+if the key is lost, expire the old one, and create a new key.
+
+To list the keys currently associated with the server:
+
+```shell
+headscale apikeys list
+```
+
+and to expire a key:
+
+```shell
+headscale apikeys expire --prefix "<PREFIX>"
+```
+
+## Download and configure headscale
+
+1.  Download the [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases). Make
+    sure to use the same version as on the server.
+
+1.  Put the binary somewhere in your `PATH`, e.g. `/usr/local/bin/headscale`
+
+1.  Make `headscale` executable:
+
+    ```shell
+    chmod +x /usr/local/bin/headscale
+    ```
+
+1.  Provide the connection parameters for the remote headscale server either via a minimal YAML configuration file or via
+    environment variables:
+
+    === "Minimal YAML configuration file"
+
+        ```yaml title="config.yaml"
+        cli:
+            address: <HEADSCALE_ADDRESS>:<PORT>
+            api_key: <API_KEY_FROM_PREVIOUS_STEP>
+        ```
+
+    === "Environment variables"
+
+        ```shell
+        export HEADSCALE_CLI_ADDRESS="<HEADSCALE_ADDRESS>:<PORT>"
+        export HEADSCALE_CLI_API_KEY="<API_KEY_FROM_PREVIOUS_STEP>"
+        ```
+
+        !!! bug
+
+            Headscale currently requires at least an empty configuration file when environment variables are used to
+            specify connection details. See [issue 2193](https://github.com/juanfont/headscale/issues/2193) for more
+            information.
+
+    This instructs the `headscale` binary to connect to a remote instance at `<HEADSCALE_ADDRESS>:<PORT>`, instead of
+    connecting to the local instance.
+
+1.  Test the connection
+
+    Let us run the headscale command to verify that we can connect by listing our nodes:
+
+    ```shell
+    headscale nodes list
+    ```
+
+    You should now be able to see a list of your nodes from your workstation, and you can
+    now control the headscale server from your workstation.
+
+## Behind a proxy
+
+It is possible to run the gRPC remote endpoint behind a reverse proxy, like Nginx, and have it run on the _same_ port as headscale.
+
+While this is _not a supported_ feature, an example on how this can be set up on
+[NixOS is shown here](https://github.com/kradalby/dotfiles/blob/4489cdbb19cddfbfae82cd70448a38fde5a76711/machines/headscale.oracldn/headscale.nix#L61-L91).
+
+## Troubleshooting
+
+- Make sure you have the _same_ headscale version on your server and workstation.
+- Ensure that connections to the gRPC port are allowed.
+- Verify that your TLS certificate is valid and trusted.
+- If you don't have access to a trusted certificate (e.g. from Let's Encrypt), either:
+    - Add your self-signed certificate to the trust store of your OS _or_
+    - Disable certificate verification by either setting `cli.insecure: true` in the configuration file or by setting
+      `HEADSCALE_CLI_INSECURE=1` via an environment variable. We do **not** recommend to disable certificate validation.
--- a/docs/ref/tls.md
+++ b/docs/ref/tls.md
@@ -4,16 +4,18 @@

 Headscale can be configured to expose its web service via TLS. To configure the certificate and key file manually, set the `tls_cert_path` and `tls_cert_path` configuration parameters. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.

-```yaml
+```yaml title="config.yaml"
 tls_cert_path: ""
 tls_key_path: ""
 ```

+The certificate should contain the full chain, else some clients, like the Tailscale Android client, will reject it.
+
 ## Let's Encrypt / ACME

 To get a certificate automatically via [Let's Encrypt](https://letsencrypt.org/), set `tls_letsencrypt_hostname` to the desired certificate hostname. This name must resolve to the IP address(es) headscale is reachable on (i.e., it must correspond to the `server_url` configuration parameter). The certificate and Let's Encrypt account credentials will be stored in the directory configured in `tls_letsencrypt_cache_dir`. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.

-```yaml
+```yaml title="config.yaml"
 tls_letsencrypt_hostname: ""
 tls_letsencrypt_listen: ":http"
 tls_letsencrypt_cache_dir: ".cache"
@@ -47,7 +49,7 @@ Headscale uses [autocert](https://pkg.go.dev/golang.org/x/crypto/acme/autocert),

 If you want to validate that certificate renewal completed successfully, this can be done either manually, or through external monitoring software. Two examples of doing this manually:

-1. Open the URL for your Headscale server in your browser of choice, and manually inspecting the expiry date of the certificate you receive.
+1. Open the URL for your headscale server in your browser of choice, and manually inspecting the expiry date of the certificate you receive.
 2. Or, check remotely from CLI using `openssl`:

 ```bash
--- a/docs/remote-cli.md
+++ b/docs/remote-cli.md
@@ -1,100 +0,0 @@
-# Controlling `headscale` with remote CLI
-
-## Prerequisite
-
- A workstation to run `headscale` (could be Linux, macOS, other supported platforms)
- A `headscale` server (version `0.13.0` or newer)
- Access to create API keys (local access to the `headscale` server)
- `headscale` _must_ be served over TLS/HTTPS
-  - Remote access does _not_ support unencrypted traffic.
- Port `50443` must be open in the firewall (or port overridden by `grpc_listen_addr` option)
-
-## Goal
-
-This documentation has the goal of showing a user how-to set control a `headscale` instance
-from a remote machine with the `headscale` command line binary.
-
-## Create an API key
-
-We need to create an API key to authenticate our remote `headscale` when using it from our workstation.
-
-To create a API key, log into your `headscale` server and generate a key:
-
-```shell
-headscale apikeys create --expiration 90d
-```
-
-Copy the output of the command and save it for later. Please note that you can not retrieve a key again,
-if the key is lost, expire the old one, and create a new key.
-
-To list the keys currently assosicated with the server:
-
-```shell
-headscale apikeys list
-```
-
-and to expire a key:
-
-```shell
-headscale apikeys expire --prefix "<PREFIX>"
-```
-
-## Download and configure `headscale`
-
-1. Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
-
-2. Put the binary somewhere in your `PATH`, e.g. `/usr/local/bin/headscale`
-
-3. Make `headscale` executable:
-
-   ```shell
-   chmod +x /usr/local/bin/headscale
-   ```
-
-4. Configure the CLI through environment variables
-
-   ```shell
-   export HEADSCALE_CLI_ADDRESS="<HEADSCALE ADDRESS>:<PORT>"
-   export HEADSCALE_CLI_API_KEY="<API KEY FROM PREVIOUS STAGE>"
-   ```
-
-   for example:
-
-   ```shell
-   export HEADSCALE_CLI_ADDRESS="headscale.example.com:50443"
-   export HEADSCALE_CLI_API_KEY="abcde12345"
-   ```
-
-   This will tell the `headscale` binary to connect to a remote instance, instead of looking
-   for a local instance (which is what it does on the server).
-
-   The API key is needed to make sure that you are allowed to access the server. The key is _not_
-   needed when running directly on the server, as the connection is local.
-
-5. Test the connection
-
-   Let us run the headscale command to verify that we can connect by listing our nodes:
-
-   ```shell
-   headscale nodes list
-   ```
-
-   You should now be able to see a list of your nodes from your workstation, and you can
-   now control the `headscale` server from your workstation.
-
-## Behind a proxy
-
-It is possible to run the gRPC remote endpoint behind a reverse proxy, like Nginx, and have it run on the _same_ port as `headscale`.
-
-While this is _not a supported_ feature, an example on how this can be set up on
-[NixOS is shown here](https://github.com/kradalby/dotfiles/blob/4489cdbb19cddfbfae82cd70448a38fde5a76711/machines/headscale.oracldn/headscale.nix#L61-L91).
-
-## Troubleshooting
-
-Checklist:
-
- Make sure you have the _same_ `headscale` version on your server and workstation
- Make sure you use version `0.13.0` or newer.
- Verify that your TLS certificate is valid and trusted
-  - If you do not have access to a trusted certificate (e.g. from Let's Encrypt), add your self signed certificate to the trust store of your OS or
-  - Set `HEADSCALE_CLI_INSECURE` to 0 in your environment
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,4 +1,6 @@
-cairosvg~=2.7.1
-mkdocs-material~=9.5.18
-mkdocs-minify-plugin~=0.7.1
-pillow~=10.1.0
+mike~=2.1
+mkdocs-include-markdown-plugin~=7.1
+mkdocs-macros-plugin~=1.3
+mkdocs-material[imaging]~=9.5
+mkdocs-minify-plugin~=0.7
+mkdocs-redirects~=1.2
--- a/docs/running-headscale-linux-manual.md
+++ b/docs/running-headscale-linux-manual.md
@@ -1,163 +0,0 @@
-# Running headscale on Linux
-
-!!! warning "Outdated and advanced"
-
-    This documentation is considered the "legacy"/advanced/manual version of the documentation, you most likely do not
-    want to use this documentation and rather look at the [distro specific documentation](./running-headscale-linux.md).
-
-## Goal
-
-This documentation has the goal of showing a user how-to set up and run `headscale` on Linux.
-In additional to the "get up and running section", there is an optional [systemd section](#running-headscale-in-the-background-with-systemd)
-describing how to make `headscale` run properly in a server environment.
-
-## Configure and run `headscale`
-
-1. Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
-
-    ```shell
-    wget --output-document=/usr/local/bin/headscale \
-    https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>
-    ```
-
-1. Make `headscale` executable:
-
-    ```shell
-    chmod +x /usr/local/bin/headscale
-    ```
-
-1. Prepare a directory to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
-
-    ```shell
-    # Directory for configuration
-
-    mkdir -p /etc/headscale
-
-    # Directory for Database, and other variable data (like certificates)
-    mkdir -p /var/lib/headscale
-    # or if you create a headscale user:
-    useradd \
-      --create-home \
-      --home-dir /var/lib/headscale/ \
-      --system \
-      --user-group \
-      --shell /usr/sbin/nologin \
-      headscale
-    ```
-
-1. Create a `headscale` configuration:
-
-    ```shell
-    touch /etc/headscale/config.yaml
-    ```
-
-    **(Strongly Recommended)** Download a copy of the [example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
-
-1. Start the headscale server:
-
-    ```shell
-    headscale serve
-    ```
-
-    This command will start `headscale` in the current terminal session.
-
-    ---
-
-    To continue the tutorial, open a new terminal and let it run in the background.
-    Alternatively use terminal emulators like [tmux](https://github.com/tmux/tmux) or [screen](https://www.gnu.org/software/screen/).
-
-    To run `headscale` in the background, please follow the steps in the [systemd section](#running-headscale-in-the-background-with-systemd) before continuing.
-
-1. Verify `headscale` is running:
-  Verify `headscale` is available:
-
-    ```shell
-    curl http://127.0.0.1:9090/metrics
-    ```
-
-1. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
-
-    ```shell
-    headscale users create myfirstuser
-    ```
-
-### Register a machine (normal login)
-
-On a client machine, execute the `tailscale` login command:
-
-```shell
-tailscale up --login-server YOUR_HEADSCALE_URL
-```
-
-Register the machine:
-
-```shell
-headscale nodes register --user myfirstuser --key <YOUR_MACHINE_KEY>
-```
-
-### Register machine using a pre authenticated key
-
-Generate a key using the command line:
-
-```shell
-headscale preauthkeys create --user myfirstuser --reusable --expiration 24h
-```
-
-This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
-
-```shell
-tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
-```
-
-## Running `headscale` in the background with systemd
-
-This section demonstrates how to run `headscale` as a service in the background with [systemd](https://systemd.io/).
-This should work on most modern Linux distributions.
-
-1. Copy [headscale's systemd service file](./packaging/headscale.systemd.service) to
-   `/etc/systemd/system/headscale.service` and adjust it to suit your local setup. The following parameters likely need
-   to be modified: `ExecStart`, `WorkingDirectory`, `ReadWritePaths`.
-
-    Note that when running as the headscale user ensure that, either you add your current user to the headscale group:
-
-    ```shell
-    usermod -a -G headscale current_user
-    ```
-
-    or run all headscale commands as the headscale user:
-
-    ```shell
-    su - headscale
-    ```
-
-1. In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with path that is writable by the `headscale` user or group:
-
-    ```yaml
-    unix_socket: /var/run/headscale/headscale.sock
-    ```
-
-1. Reload systemd to load the new configuration file:
-
-    ```shell
-    systemctl daemon-reload
-    ```
-
-1. Enable and start the new `headscale` service:
-
-    ```shell
-    systemctl enable --now headscale
-    ```
-
-1. Verify the headscale service:
-
-    ```shell
-    systemctl status headscale
-    ```
-
-    Verify `headscale` is available:
-
-    ```shell
-    curl http://127.0.0.1:9090/metrics
-    ```
-
-`headscale` will now run in the background and start at boot.
--- a/docs/running-headscale-linux.md
+++ b/docs/running-headscale-linux.md
@@ -1,97 +0,0 @@
-# Running headscale on Linux
-
-## Requirements
-
- Ubuntu 20.04 or newer, Debian 11 or newer.
-
-## Goal
-
-Get Headscale up and running.
-
-This includes running Headscale with systemd.
-
-## Migrating from manual install
-
-If you are migrating from the old manual install, the best thing would be to remove
-the files installed by following [the guide in reverse](./running-headscale-linux-manual.md).
-
-You should _not_ delete the database (`/var/lib/headscale/db.sqlite`) and the
-configuration (`/etc/headscale/config.yaml`).
-
-## Installation
-
-1. Download the [latest Headscale package](https://github.com/juanfont/headscale/releases/latest) for your platform (`.deb` for Ubuntu and Debian).
-
-    ```shell
-    HEADSCALE_VERSION="" # See above URL for latest version, e.g. "X.Y.Z" (NOTE: do not add the "v" prefix!)
-    HEADSCALE_ARCH="" # Your system architecture, e.g. "amd64"
-    wget --output-document=headscale.deb \
-      "https://github.com/juanfont/headscale/releases/download/v${HEADSCALE_VERSION}/headscale_${HEADSCALE_VERSION}_linux_${HEADSCALE_ARCH}.deb"
-    ```
-
-1. Install Headscale:
-
-    ```shell
-    sudo apt install ./headscale.deb
-    ```
-
-1. Enable Headscale service, this will start Headscale at boot:
-
-    ```shell
-    sudo systemctl enable headscale
-    ```
-
-1. Configure Headscale by editing the configuration file:
-
-    ```shell
-    nano /etc/headscale/config.yaml
-    ```
-
-1. Start Headscale:
-
-    ```shell
-    sudo systemctl start headscale
-    ```
-
-1. Check that Headscale is running as intended:
-
-    ```shell
-    systemctl status headscale
-    ```
-
-## Using Headscale
-
-### Create a user
-
-```shell
-headscale users create myfirstuser
-```
-
-### Register a machine (normal login)
-
-On a client machine, run the `tailscale` login command:
-
-```shell
-tailscale up --login-server <YOUR_HEADSCALE_URL>
-```
-
-Register the machine:
-
-```shell
-headscale nodes register --user myfirstuser --key <YOUR_MACHINE_KEY>
-```
-
-### Register machine using a pre authenticated key
-
-Generate a key using the command line:
-
-```shell
-headscale preauthkeys create --user myfirstuser --reusable --expiration 24h
-```
-
-This will return a pre-authenticated key that is used to
-connect a node to `headscale` during the `tailscale` command:
-
-```shell
-tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
-```
--- a/docs/running-headscale-openbsd.md
+++ b/docs/running-headscale-openbsd.md
@@ -1,202 +0,0 @@
-# Running headscale on OpenBSD
-
-!!! warning "Community documentation"
-
-    This page is not actively maintained by the headscale authors and is
-    written by community members. It is _not_ verified by `headscale` developers.
-
-    **It might be outdated and it might miss necessary steps**.
-
-## Goal
-
-This documentation has the goal of showing a user how-to install and run `headscale` on OpenBSD.
-In addition to the "get up and running section", there is an optional [rc.d section](#running-headscale-in-the-background-with-rcd)
-describing how to make `headscale` run properly in a server environment.
-
-## Install `headscale`
-
-1. Install from ports
-
-    You can install headscale from ports by running `pkg_add headscale`.
-
-1. Install from source
-
-    ```shell
-    # Install prerequistes
-    pkg_add go
-
-    git clone https://github.com/juanfont/headscale.git
-
-    cd headscale
-
-    # optionally checkout a release
-    # option a. you can find official release at https://github.com/juanfont/headscale/releases/latest
-    # option b. get latest tag, this may be a beta release
-    latestTag=$(git describe --tags `git rev-list --tags --max-count=1`)
-
-    git checkout $latestTag
-
-    go build -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$latestTag" github.com/juanfont/headscale
-
-    # make it executable
-    chmod a+x headscale
-
-    # copy it to /usr/local/sbin
-    cp headscale /usr/local/sbin
-    ```
-
-1. Install from source via cross compile
-
-    ```shell
-    # Install prerequistes
-    # 1. go v1.20+: headscale newer than 0.21 needs go 1.20+ to compile
-    # 2. gmake: Makefile in the headscale repo is written in GNU make syntax
-
-    git clone https://github.com/juanfont/headscale.git
-
-    cd headscale
-
-    # optionally checkout a release
-    # option a. you can find official release at https://github.com/juanfont/headscale/releases/latest
-    # option b. get latest tag, this may be a beta release
-    latestTag=$(git describe --tags `git rev-list --tags --max-count=1`)
-
-    git checkout $latestTag
-
-    make build GOOS=openbsd
-
-    # copy headscale to openbsd machine and put it in /usr/local/sbin
-    ```
-
-## Configure and run `headscale`
-
-1. Prepare a directory to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
-
-    ```shell
-    # Directory for configuration
-
-    mkdir -p /etc/headscale
-
-    # Directory for database, and other variable data (like certificates)
-    mkdir -p /var/lib/headscale
-    ```
-
-1. Create a `headscale` configuration:
-
-    ```shell
-    touch /etc/headscale/config.yaml
-    ```
-
-**(Strongly Recommended)** Download a copy of the [example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
-
-1. Start the headscale server:
-
-    ```shell
-    headscale serve
-    ```
-
-    This command will start `headscale` in the current terminal session.
-
-    ***
-
-    To continue the tutorial, open a new terminal and let it run in the background.
-    Alternatively use terminal emulators like [tmux](https://github.com/tmux/tmux).
-
-    To run `headscale` in the background, please follow the steps in the [rc.d section](#running-headscale-in-the-background-with-rcd) before continuing.
-
-1. Verify `headscale` is running:
-
-    Verify `headscale` is available:
-
-    ```shell
-    curl http://127.0.0.1:9090/metrics
-    ```
-
-1. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
-
-    ```shell
-    headscale users create myfirstuser
-    ```
-
-### Register a machine (normal login)
-
-On a client machine, execute the `tailscale` login command:
-
-```shell
-tailscale up --login-server YOUR_HEADSCALE_URL
-```
-
-Register the machine:
-
-```shell
-headscale nodes register --user myfirstuser --key <YOUR_MACHINE_KEY>
-```
-
-### Register machine using a pre authenticated key
-
-Generate a key using the command line:
-
-```shell
-headscale preauthkeys create --user myfirstuser --reusable --expiration 24h
-```
-
-This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
-
-```shell
-tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
-```
-
-## Running `headscale` in the background with rc.d
-
-This section demonstrates how to run `headscale` as a service in the background with [rc.d](https://man.openbsd.org/rc.d).
-
-1. Create a rc.d service at `/etc/rc.d/headscale` containing:
-
-    ```shell
-    #!/bin/ksh
-
-    daemon="/usr/local/sbin/headscale"
-    daemon_logger="daemon.info"
-    daemon_user="root"
-    daemon_flags="serve"
-    daemon_timeout=60
-
-    . /etc/rc.d/rc.subr
-
-    rc_bg=YES
-    rc_reload=NO
-
-    rc_cmd $1
-    ```
-
-1. `/etc/rc.d/headscale` needs execute permission:
-
-    ```shell
-    chmod a+x /etc/rc.d/headscale
-    ```
-
-1. Start `headscale` service:
-
-    ```shell
-    rcctl start headscale
-    ```
-
-1. Make `headscale` service start at boot:
-
-    ```shell
-    rcctl enable headscale
-    ```
-
-1. Verify the headscale service:
-
-    ```shell
-    rcctl check headscale
-    ```
-
-    Verify `headscale` is available:
-
-    ```shell
-    curl http://127.0.0.1:9090/metrics
-    ```
-
-    `headscale` will now run in the background and start at boot.
--- a/docs/running-headscale-sealos.md
+++ b/docs/running-headscale-sealos.md
@@ -1,136 +0,0 @@
-# Running headscale on Sealos
-
-!!! warning "Community documentation"
-
-    This page is not actively maintained by the headscale authors and is
-    written by community members. It is _not_ verified by `headscale` developers.
-
-    **It might be outdated and it might miss necessary steps**.
-
-## Goal
-
-This documentation has the goal of showing a user how-to run `headscale` on Sealos.
-
-## Running headscale server
-
-1. Click the following prebuilt template:
-
-   [![](https://cdn.jsdelivr.net/gh/labring-actions/templates@main/Deploy-on-Sealos.svg)](https://cloud.sealos.io/?openapp=system-template%3FtemplateName%3Dheadscale)
-
-2. Click "Deploy Application" on the template page to start deployment. Upon completion, two applications appear: Headscale, and its [visual interface](https://github.com/GoodiesHQ/headscale-admin).
-3. Once deployment concludes, click 'Details' on the Headscale application page to navigate to the application's details.
-4. Wait for the application's status to switch to running. For accessing the headscale server, the Public Address associated with port 8080 is the address of the headscale server. To access the Headscale console, simply append `/admin/` to the Headscale public URL.
-
-   ![](./images/headscale-sealos-url.png)
-
-5. Click on 'Terminal' button on the right side of the details to access the Terminal of the headscale application. then create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
-
-   ```bash
-   headscale users create myfirstuser
-   ```
-
-### Register a machine (normal login)
-
-On a client machine, execute the `tailscale` login command:
-
-```bash
-# replace <YOUR_HEADSCALE_URL> with the public domain provided by Sealos
-tailscale up --login-server YOUR_HEADSCALE_URL
-```
-
-To register a machine when running headscale in [Sealos](https://sealos.io), click on 'Terminal' button on the right side of the headscale application's detail page to access the Terminal of the headscale application, then take the headscale command:
-
-```bash
-headscale nodes register --user myfirstuser --key <YOUR_MACHINE_KEY>
-```
-
-### Register machine using a pre authenticated key
-
-click on 'Terminal' button on the right side of the headscale application's detail page to access the Terminal of the headscale application, then generate a key using the command line:
-
-```bash
-headscale preauthkeys create --user myfirstuser --reusable --expiration 24h
-```
-
-This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
-
-```bash
-tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
-```
-
-## Controlling headscale with remote CLI
-
-This documentation has the goal of showing a user how-to set control a headscale instance from a remote machine with the headscale command line binary.
-
-### Create an API key
-
-We need to create an API key to authenticate our remote headscale when using it from our workstation.
-
-To create a API key, click on 'Terminal' button on the right side of the headscale application's detail page to access the Terminal of the headscale application, then generate a key:
-
-```bash
-headscale apikeys create --expiration 90d
-```
-
-Copy the output of the command and save it for later. Please note that you can not retrieve a key again, if the key is lost, expire the old one, and create a new key.
-
-To list the keys currently assosicated with the server:
-
-```bash
-headscale apikeys list
-```
-
-and to expire a key:
-
-```bash
-headscale apikeys expire --prefix "<PREFIX>"
-```
-
-### Download and configure `headscale` client
-
-1. Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
-
-2. Put the binary somewhere in your `PATH`, e.g. `/usr/local/bin/headscale`
-
-3. Make `headscale` executable:
-
-```shell
-chmod +x /usr/local/bin/headscale
-```
-
-4. Configure the CLI through Environment Variables
-
-```shell
-export HEADSCALE_CLI_ADDRESS="<HEADSCALE ADDRESS>:443"
-export HEADSCALE_CLI_API_KEY="<API KEY FROM PREVIOUS STAGE>"
-```
-
-In the headscale application's detail page, The Public Address corresponding to port 50443 corresponds to the value of <HEADSCALE ADDRESS>.
-
-![](./images/headscale-sealos-grpc-url.png)
-
-for example:
-
-```shell
-export HEADSCALE_CLI_ADDRESS="pwnjnnly.cloud.sealos.io:443"
-export HEADSCALE_CLI_API_KEY="abcde12345"
-```
-
-This will tell the `headscale` binary to connect to a remote instance, instead of looking
-for a local instance.
-
-The API key is needed to make sure that your are allowed to access the server. The key is _not_
-needed when running directly on the server, as the connection is local.
-
-1. Test the connection
-
-Let us run the headscale command to verify that we can connect by listing our nodes:
-
-```shell
-headscale nodes list
-```
-
-You should now be able to see a list of your nodes from your workstation, and you can
-now control the `headscale` server from your workstation.
-
-> Reference: [Headscale Deployment and Usage Guide: Mastering Tailscale's Self-Hosting Basics](https://icloudnative.io/en/posts/how-to-set-up-or-migrate-headscale/)
--- a/docs/setup/install/community.md
+++ b/docs/setup/install/community.md
@@ -0,0 +1,55 @@
+# Community packages
+
+Several Linux distributions and community members provide packages for headscale. Those packages may be used instead of
+the [official releases](./official.md) provided by the headscale maintainers. Such packages offer improved integration
+for their targeted operating system and usually:
+
+- setup a dedicated user account to run headscale
+- provide a default configuration
+- install headscale as system service
+
+!!! warning "Community packages might be outdated"
+
+    The packages mentioned on this page might be outdated or unmaintained. Use the [official releases](./official.md) to
+    get the current stable version or to test pre-releases.
+
+    [![Packaging status](https://repology.org/badge/vertical-allrepos/headscale.svg)](https://repology.org/project/headscale/versions)
+
+## Arch Linux
+
+Arch Linux offers a package for headscale, install via:
+
+```shell
+pacman -S headscale
+```
+
+The [AUR package `headscale-git`](https://aur.archlinux.org/packages/headscale-git) can be used to build the current
+development version.
+
+## Fedora, RHEL, CentOS
+
+A third-party repository for various RPM based distributions is available at:
+<https://copr.fedorainfracloud.org/coprs/jonathanspw/headscale/>. The site provides detailed setup and installation
+instructions.
+
+## Nix, NixOS
+
+A Nix package is available as: `headscale`. See the [NixOS package site for installation
+details](https://search.nixos.org/packages?show=headscale).
+
+## Gentoo
+
+```shell
+emerge --ask net-vpn/headscale
+```
+
+Gentoo specific documentation is available [here](https://wiki.gentoo.org/wiki/User:Maffblaster/Drafts/Headscale).
+
+## OpenBSD
+
+Headscale is available in ports. The port installs headscale as system service with `rc.d` and provides usage
+instructions upon installation.
+
+```shell
+pkg_add headscale
+```
--- a/docs/running-headscale-container.md
+++ b/docs/running-headscale-container.md
@@ -3,46 +3,36 @@
 !!! warning "Community documentation"

    This page is not actively maintained by the headscale authors and is
-    written by community members. It is _not_ verified by `headscale` developers.
+    written by community members. It is _not_ verified by headscale developers.

    **It might be outdated and it might miss necessary steps**.

-## Goal
-
-This documentation has the goal of showing a user how-to set up and run `headscale` in a container.
+This documentation has the goal of showing a user how-to set up and run headscale in a container.
 [Docker](https://www.docker.com) is used as the reference container implementation, but there is no reason that it should
 not work with alternatives like [Podman](https://podman.io). The Docker image can be found on Docker Hub [here](https://hub.docker.com/r/headscale/headscale).

-## Configure and run `headscale`
+## Configure and run headscale

-1. Prepare a directory on the host Docker node in your directory of choice, used to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
+1.  Prepare a directory on the host Docker node in your directory of choice, used to hold headscale configuration and the [SQLite](https://www.sqlite.org/) database:

    ```shell
    mkdir -p ./headscale/config
    cd ./headscale
    ```

-1. **(Strongly Recommended)** Download a copy of the [example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
+1.  Download the example configuration for your chosen version and save it as: `/etc/headscale/config.yaml`. Adjust the
+    configuration to suit your local environment. See [Configuration](../../ref/configuration.md) for details.

-    - Using `wget`:
-
-        ```shell
-        wget -O ./config/config.yaml https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml
-        ```
-
-    - Using `curl`:
-
-        ```shell
-        curl https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml -o ./config/config.yaml
-        ```
-
-    Modify the config file to your preferences before launching Docker container.
+    ```shell
+    sudo mkdir -p /etc/headscale
+    sudo nano /etc/headscale/config.yaml
+    ```

    Alternatively, you can mount `/var/lib` and `/var/run` from your host system by adding
    `--volume $(pwd)/lib:/var/lib/headscale` and `--volume $(pwd)/run:/var/run/headscale`
    in the next step.

-1. Start the headscale server while working in the host headscale directory:
+1.  Start the headscale server while working in the host headscale directory:

    ```shell
    docker run \
@@ -58,29 +48,30 @@ not work with alternatives like [Podman](https://podman.io). The Docker image ca
    Note: use `0.0.0.0:8080:8080` instead of `127.0.0.1:8080:8080` if you want to expose the container externally.

    This command will mount `config/` under `/etc/headscale`, forward port 8080 out of the container so the
-    `headscale` instance becomes available and then detach so headscale runs in the background.
+    headscale instance becomes available and then detach so headscale runs in the background.

    Example `docker-compose.yaml`

-      ```yaml
-      version: "3.7"
+    ```yaml
+    version: "3.7"

-      services:
-        headscale:
-          image: headscale/headscale:<VERSION>
-          restart: unless-stopped
-          container_name: headscale
-          ports:
-            - "127.0.0.1:8080:8080"
-            - "127.0.0.1:9090:9090"
-          volumes:
-            # Please change <CONFIG_PATH> to the fullpath of the config folder just created
-            - <CONFIG_PATH>:/etc/headscale
-          command: serve
-      ```
+    services:
+      headscale:
+        image: headscale/headscale:<VERSION>
+        restart: unless-stopped
+        container_name: headscale
+        ports:
+          - "127.0.0.1:8080:8080"
+          - "127.0.0.1:9090:9090"
+        volumes:
+          # Please change <CONFIG_PATH> to the fullpath of the config folder just created
+          - <CONFIG_PATH>:/etc/headscale
+        command: serve
+    ```

-1. Verify `headscale` is running:
-   Follow the container logs:
+1.  Verify headscale is running:
+
+    Follow the container logs:

    ```shell
    docker logs --follow headscale
@@ -92,16 +83,16 @@ not work with alternatives like [Podman](https://podman.io). The Docker image ca
    docker ps
    ```

-    Verify `headscale` is available:
+    Verify headscale is available:

    ```shell
    curl http://127.0.0.1:9090/metrics
    ```

-1. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
+1.  Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):

    ```shell
-    docker exec headscale \
+    docker exec -it headscale \
      headscale users create myfirstuser
    ```

@@ -113,10 +104,10 @@ On a client machine, execute the `tailscale` login command:
 tailscale up --login-server YOUR_HEADSCALE_URL
 ```

-To register a machine when running `headscale` in a container, take the headscale command and pass it to the container:
+To register a machine when running headscale in a container, take the headscale command and pass it to the container:

 ```shell
-docker exec headscale \
+docker exec -it headscale \
  headscale nodes register --user myfirstuser --key <YOUR_MACHINE_KEY>
 ```

@@ -125,11 +116,11 @@ docker exec headscale \
 Generate a key using the command line:

 ```shell
-docker exec headscale \
+docker exec -it headscale \
  headscale preauthkeys create --user myfirstuser --reusable --expiration 24h
 ```

-This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
+This will return a pre-authenticated key that can be used to connect a node to headscale during the `tailscale` command:

 ```shell
 tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
@@ -161,4 +152,4 @@ You can also execute commands directly, such as `ls /ko-app` in this example:
 docker run headscale/headscale:x.x.x-debug ls /ko-app
 ```

-Using `docker exec` allows you to run commands in an existing container.
+Using `docker exec -it` allows you to run commands in an existing container.
--- a/docs/setup/install/official.md
+++ b/docs/setup/install/official.md
@@ -0,0 +1,117 @@
+# Official releases
+
+Official releases for headscale are available as binaries for various platforms and DEB packages for Debian and Ubuntu.
+Both are available on the [GitHub releases page](https://github.com/juanfont/headscale/releases).
+
+## Using packages for Debian/Ubuntu (recommended)
+
+It is recommended to use our DEB packages to install headscale on a Debian based system as those packages configure a
+user to run headscale, provide a default configuration and ship with a systemd service file. Supported distributions are
+Ubuntu 20.04 or newer, Debian 11 or newer.
+
+1.  Download the [latest headscale package](https://github.com/juanfont/headscale/releases/latest) for your platform (`.deb` for Ubuntu and Debian).
+
+    ```shell
+    HEADSCALE_VERSION="" # See above URL for latest version, e.g. "X.Y.Z" (NOTE: do not add the "v" prefix!)
+    HEADSCALE_ARCH="" # Your system architecture, e.g. "amd64"
+    wget --output-document=headscale.deb \
+     "https://github.com/juanfont/headscale/releases/download/v${HEADSCALE_VERSION}/headscale_${HEADSCALE_VERSION}_linux_${HEADSCALE_ARCH}.deb"
+    ```
+
+1.  Install headscale:
+
+    ```shell
+    sudo apt install ./headscale.deb
+    ```
+
+1.  [Configure headscale by editing the configuration file](../../ref/configuration.md):
+
+    ```shell
+    sudo nano /etc/headscale/config.yaml
+    ```
+
+1.  Enable and start the headscale service:
+
+    ```shell
+    sudo systemctl enable --now headscale
+    ```
+
+1.  Verify that headscale is running as intended:
+
+    ```shell
+    sudo systemctl status headscale
+    ```
+
+## Using standalone binaries (advanced)
+
+!!! warning "Advanced"
+
+    This installation method is considered advanced as one needs to take care of the headscale user and the systemd
+    service themselves. If possible, use the [DEB packages](#using-packages-for-debianubuntu-recommended) or a
+    [community package](./community.md) instead.
+
+This section describes the installation of headscale according to the [Requirements and
+assumptions](../requirements.md#assumptions). Headscale is run by a dedicated user and the service itself is managed by
+systemd.
+
+1.  Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
+
+    ```shell
+    sudo wget --output-document=/usr/local/bin/headscale \
+    https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>
+    ```
+
+1.  Make `headscale` executable:
+
+    ```shell
+    sudo chmod +x /usr/local/bin/headscale
+    ```
+
+1.  Add a dedicated user to run headscale:
+
+    ```shell
+    sudo useradd \
+     --create-home \
+     --home-dir /var/lib/headscale/ \
+     --system \
+     --user-group \
+     --shell /usr/sbin/nologin \
+     headscale
+    ```
+
+1.  Download the example configuration for your chosen version and save it as: `/etc/headscale/config.yaml`. Adjust the
+    configuration to suit your local environment. See [Configuration](../../ref/configuration.md) for details.
+
+    ```shell
+    sudo mkdir -p /etc/headscale
+    sudo nano /etc/headscale/config.yaml
+    ```
+
+1.  Copy [headscale's systemd service file](../../packaging/headscale.systemd.service) to
+    `/etc/systemd/system/headscale.service` and adjust it to suit your local setup. The following parameters likely need
+    to be modified: `ExecStart`, `WorkingDirectory`, `ReadWritePaths`.
+
+1.  In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with a path that is writable by the
+    `headscale` user or group:
+
+    ```yaml title="config.yaml"
+    unix_socket: /var/run/headscale/headscale.sock
+    ```
+
+1.  Reload systemd to load the new configuration file:
+
+    ```shell
+    systemctl daemon-reload
+    ```
+
+1.  Enable and start the new headscale service:
+
+    ```shell
+    systemctl enable --now headscale
+    ```
+
+1.  Verify that headscale is running as intended:
+
+    ```shell
+    systemctl status headscale
+    ```
--- a/docs/setup/install/source.md
+++ b/docs/setup/install/source.md
@@ -0,0 +1,63 @@
+# Build from source
+
+!!! warning "Community documentation"
+
+    This page is not actively maintained by the headscale authors and is
+    written by community members. It is _not_ verified by headscale developers.
+
+    **It might be outdated and it might miss necessary steps**.
+
+Headscale can be built from source using the latest version of [Go](https://golang.org) and [Buf](https://buf.build)
+(Protobuf generator). See the [Contributing section in the GitHub
+README](https://github.com/juanfont/headscale#contributing) for more information.
+
+## OpenBSD
+
+### Install from source
+
+```shell
+# Install prerequisites
+pkg_add go
+
+git clone https://github.com/juanfont/headscale.git
+
+cd headscale
+
+# optionally checkout a release
+# option a. you can find official release at https://github.com/juanfont/headscale/releases/latest
+# option b. get latest tag, this may be a beta release
+latestTag=$(git describe --tags `git rev-list --tags --max-count=1`)
+
+git checkout $latestTag
+
+go build -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$latestTag" github.com/juanfont/headscale
+
+# make it executable
+chmod a+x headscale
+
+# copy it to /usr/local/sbin
+cp headscale /usr/local/sbin
+```
+
+### Install from source via cross compile
+
+```shell
+# Install prerequisites
+# 1. go v1.20+: headscale newer than 0.21 needs go 1.20+ to compile
+# 2. gmake: Makefile in the headscale repo is written in GNU make syntax
+
+git clone https://github.com/juanfont/headscale.git
+
+cd headscale
+
+# optionally checkout a release
+# option a. you can find official release at https://github.com/juanfont/headscale/releases/latest
+# option b. get latest tag, this may be a beta release
+latestTag=$(git describe --tags `git rev-list --tags --max-count=1`)
+
+git checkout $latestTag
+
+make build GOOS=openbsd
+
+# copy headscale to openbsd machine and put it in /usr/local/sbin
+```
--- a/docs/setup/requirements.md
+++ b/docs/setup/requirements.md
@@ -0,0 +1,28 @@
+# Requirements
+
+Headscale should just work as long as the following requirements are met:
+
+- A server with a public IP address for headscale. A dual-stack setup with a public IPv4 and a public IPv6 address is
+  recommended.
+- Headscale is served via HTTPS on port 443[^1].
+- A reasonably modern Linux or BSD based operating system.
+- A dedicated user account to run headscale.
+- A little bit of command line knowledge to configure and operate headscale.
+
+## Assumptions
+
+The headscale documentation and the provided examples are written with a few assumptions in mind:
+
+- Headscale is running as system service via a dedicated user `headscale`.
+- The [configuration](../ref/configuration.md) is loaded from `/etc/headscale/config.yaml`.
+- SQLite is used as database.
+- The data directory for headscale (used for private keys, ACLs, SQLite database, …) is located in `/var/lib/headscale`.
+- URLs and values that need to be replaced by the user are either denoted as `<VALUE_TO_CHANGE>` or use placeholder
+  values such as `headscale.example.com`.
+
+Please adjust to your local environment accordingly.
+
+[^1]:
+    The Tailscale client assumes HTTPS on port 443 in certain situations. Serving headscale either via HTTP or via HTTPS
+    on a port other than 443 is possible but sticking with HTTPS on port 443 is strongly recommended for production
+    setups. See [issue 2164](https://github.com/juanfont/headscale/issues/2164) for more information.
--- a/docs/setup/upgrade.md
+++ b/docs/setup/upgrade.md
@@ -0,0 +1,10 @@
+# Upgrade an existing installation
+
+Update an existing headscale installation to a new version:
+
+- Read the announcement on the [GitHub releases](https://github.com/juanfont/headscale/releases) page for the new
+  version. It lists the changes of the release along with possible breaking changes.
+- **Create a backup of your database.**
+- Update headscale to the new version, preferably by following the same installation method.
+- Compare and update the [configuration](../ref/configuration.md) file.
+- Restart headscale.
--- a/docs/usage/connect/android.md
+++ b/docs/usage/connect/android.md
@@ -1,8 +1,6 @@
 # Connecting an Android client

-## Goal
-
-This documentation has the goal of showing how a user can use the official Android [Tailscale](https://tailscale.com) client with `headscale`.
+This documentation has the goal of showing how a user can use the official Android [Tailscale](https://tailscale.com) client with headscale.

 ## Installation

--- a/docs/usage/connect/apple.md
+++ b/docs/usage/connect/apple.md
@@ -1,8 +1,6 @@
 # Connecting an Apple client

-## Goal
-
-This documentation has the goal of showing how a user can use the official iOS and macOS [Tailscale](https://tailscale.com) clients with `headscale`.
+This documentation has the goal of showing how a user can use the official iOS and macOS [Tailscale](https://tailscale.com) clients with headscale.

 !!! info "Instructions on your headscale instance"

@@ -17,14 +15,10 @@ Install the official Tailscale iOS client from the [App Store](https://apps.appl

 ### Configuring the headscale URL

- Open Tailscale and make sure you are _not_ logged in to any account
- Open Settings on the iOS device
- Scroll down to the `third party apps` section, under `Game Center` or `TV Provider`
- Find Tailscale and select it
-  - If the iOS device was previously logged into Tailscale, switch the `Reset Keychain` toggle to `on`
- Enter the URL of your headscale instance (e.g `https://headscale.example.com`) under `Alternate Coordination Server URL`
- Restart the app by closing it from the iOS app switcher, open the app and select the regular sign in option
-  _(non-SSO)_. It should open up to the headscale authentication page.
+- Open the Tailscale app
+- Click the account icon in the top-right corner and select `Log in…`.
+- Tap the top-right options menu button and select `Use custom coordination server`.
+- Enter your instance url (e.g `https://headscale.example.com`)
 - Enter your credentials and log in. Headscale should now be working on your iOS device.

 ## macOS
@@ -45,7 +39,27 @@ tailscale login --login-server <YOUR_HEADSCALE_URL>

 #### GUI

- ALT + Click the Tailscale icon in the menu and hover over the Debug menu
+- Option + Click the Tailscale icon in the menu and hover over the Debug menu
 - Under `Custom Login Server`, select `Add Account...`
 - Enter the URL of your headscale instance (e.g `https://headscale.example.com`) and press `Add Account`
 - Follow the login procedure in the browser
+
+## tvOS
+
+### Installation
+
+Install the official Tailscale tvOS client from the [App Store](https://apps.apple.com/app/tailscale/id1470499037).
+
+!!! danger
+
+    **Don't** open the Tailscale App after installation!
+
+### Configuring the headscale URL
+
+- Open Settings (the Apple tvOS settings) > Apps > Tailscale
+- Under `ALTERNATE COORDINATION SERVER URL`, select `URL`
+- Enter the URL of your headscale instance (e.g `https://headscale.example.com`) and press `OK`
+- Return to the tvOS Home screen
+- Open Tailscale
+- Click the button `Install VPN configuration` and confirm the appearing popup by clicking the `Allow` button
+- Scan the QR code and follow the login procedure
--- a/docs/usage/connect/windows.md
+++ b/docs/usage/connect/windows.md
@@ -1,8 +1,6 @@
 # Connecting a Windows client

-## Goal
-
-This documentation has the goal of showing how a user can use the official Windows [Tailscale](https://tailscale.com) client with `headscale`.
+This documentation has the goal of showing how a user can use the official Windows [Tailscale](https://tailscale.com) client with headscale.

 !!! info "Instructions on your headscale instance"

@@ -45,7 +43,7 @@ If you are seeing repeated messages like:
 [GIN] 2022/02/10 - 16:39:34 | 200 |    1.105306ms |       127.0.0.1 | POST     "/machine/redacted"
 ```

-in your `headscale` output, turn on `DEBUG` logging and look for:
+in your headscale output, turn on `DEBUG` logging and look for:

 ```
 2022-02-11T00:59:29Z DBG Machine registration has expired. Sending a authurl to register machine=redacted
--- a/docs/usage/getting-started.md
+++ b/docs/usage/getting-started.md
@@ -0,0 +1,134 @@
+# Getting started
+
+This page helps you get started with headscale and provides a few usage examples for the headscale command line tool
+`headscale`.
+
+!!! note "Prerequisites"
+
+    * Headscale is installed and running as system service. Read the [setup section](../setup/requirements.md) for
+      installation instructions.
+    * The configuration file exists and is adjusted to suit your environment, see
+      [Configuration](../ref/configuration.md) for details.
+    * Headscale is reachable from the Internet. Verify this by opening client specific setup instructions in your
+      browser, e.g. https://headscale.example.com/windows
+    * The Tailscale client is installed, see [Client and operating system support](../about/clients.md) for more
+      information.
+
+## Getting help
+
+The `headscale` command line tool provides built-in help. To show available commands along with their arguments and
+options, run:
+
+=== "Native"
+
+    ```shell
+    # Show help
+    headscale help
+
+    # Show help for a specific command
+    headscale <COMMAND> --help
+    ```
+
+=== "Container"
+
+    ```shell
+    # Show help
+    docker exec -it headscale \
+      headscale help
+
+    # Show help for a specific command
+    docker exec -it headscale \
+      headscale <COMMAND> --help
+    ```
+
+## Manage users
+
+In headscale, a node (also known as machine or device) is always assigned to a specific user, a
+[tailnet](https://tailscale.com/kb/1136/tailnet/). Such users can be managed with the `headscale users` command. Invoke
+the built-in help for more information: `headscale users --help`.
+
+### Create a user
+
+=== "Native"
+
+    ```shell
+    headscale users create <USER>
+    ```
+
+=== "Container"
+
+    ```shell
+    docker exec -it headscale \
+      headscale users create <USER>
+    ```
+
+### List existing users
+
+=== "Native"
+
+    ```shell
+    headscale users list
+    ```
+
+=== "Container"
+
+    ```shell
+    docker exec -it headscale \
+      headscale users list
+    ```
+
+## Register a node
+
+One has to register a node first to use headscale as coordination with Tailscale. The following examples work for the
+Tailscale client on Linux/BSD operating systems. Alternatively, follow the instructions to connect
+[Android](connect/android.md), [Apple](connect/apple.md) or [Windows](connect/windows.md) devices.
+
+### Normal, interactive login
+
+On a client machine, run the `tailscale up` command and provide the FQDN of your headscale instance as argument:
+
+```shell
+tailscale up --login-server <YOUR_HEADSCALE_URL>
+```
+
+Usually, a browser window with further instructions is opened and contains the value for `<YOUR_MACHINE_KEY>`. Approve
+and register the node on your headscale server:
+
+=== "Native"
+
+    ```shell
+    headscale nodes register --user <USER> --key <YOUR_MACHINE_KEY>
+    ```
+
+=== "Container"
+
+    ```shell
+    docker exec -it headscale \
+      headscale nodes register --user <USER> --key <YOUR_MACHINE_KEY>
+    ```
+
+### Using a preauthkey
+
+It is also possible to generate a preauthkey and register a node non-interactively. First, generate a preauthkey on the
+headscale instance. By default, the key is valid for one hour and can only be used once (see `headscale preauthkeys
+--help` for other options):
+
+=== "Native"
+
+    ```shell
+    headscale preauthkeys create --user <USER>
+    ```
+
+=== "Container"
+
+    ```shell
+    docker exec -it headscale \
+      headscale preauthkeys create --user <USER>
+    ```
+
+The command returns the preauthkey on success which is used to connect a node to the headscale instance via the
+`tailscale up` command:
+
+```shell
+tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
+```
--- a/docs/web-ui.md
+++ b/docs/web-ui.md
@@ -1,15 +0,0 @@
-# Headscale web interface
-
-!!! warning "Community contributions"
-
-    This page contains community contributions. The projects listed here are not
-    maintained by the Headscale authors and are written by community members.
-
-| Name            | Repository Link                                         | Description                                                                 | Status |
-| --------------- | ------------------------------------------------------- | --------------------------------------------------------------------------- | ------ |
-| headscale-webui | [Github](https://github.com/ifargle/headscale-webui)    | A simple Headscale web UI for small-scale deployments.                      | Alpha  |
-| headscale-ui    | [Github](https://github.com/gurucomputing/headscale-ui) | A web frontend for the headscale Tailscale-compatible coordination server   | Alpha  |
-| HeadscaleUi     | [GitHub](https://github.com/simcu/headscale-ui)         | A static headscale admin ui, no backend enviroment required                 | Alpha  |
-| headscale-admin | [Github](https://github.com/GoodiesHQ/headscale-admin)  | Headscale-Admin is meant to be a simple, modern web interface for Headscale | Beta   |
-
-You can ask for support on our dedicated [Discord channel](https://discord.com/channels/896711691637780480/1105842846386356294).
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@@ -20,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1726238386,
-        "narHash": "sha256-3//V84fYaGVncFImitM6lSAliRdrGayZLdxWlpcuGk0=",
+        "lastModified": 1736420959,
+        "narHash": "sha256-dMGNa5UwdtowEqQac+Dr0d2tFO/60ckVgdhZU9q2E2o=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "01f064c99c792715054dc7a70e4c1626dbbec0c3",
+        "rev": "32af3611f6f05655ca166a0b1f47b57c762b5192",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -21,7 +21,7 @@
      overlay = _: prev: let
        pkgs = nixpkgs.legacyPackages.${prev.system};
        buildGo = pkgs.buildGo123Module;
-      in rec {
+      in {
        headscale = buildGo rec {
          pname = "headscale";
          version = headscaleVersion;
@@ -31,8 +31,8 @@
          checkFlags = ["-short"];

          # When updating go.mod or go.sum, a new sha will need to be calculated,
-          # update this if you have a mismatch after doing a change to thos files.
-          vendorHash = "sha256-+8dOxPG/Q+wuHgRwwWqdphHOuop0W9dVyClyQuh7aRc=";
+          # update this if you have a mismatch after doing a change to those files.
+          vendorHash = "sha256-SBfeixT8DQOrK2SWmHHSOBtzRdSZs+pwomHpw6Jd+qc=";

          subPackages = ["cmd/headscale"];

@@ -41,22 +41,38 @@

        protoc-gen-grpc-gateway = buildGo rec {
          pname = "grpc-gateway";
-          version = "2.22.0";
+          version = "2.24.0";

          src = pkgs.fetchFromGitHub {
            owner = "grpc-ecosystem";
            repo = "grpc-gateway";
            rev = "v${version}";
-            sha256 = "sha256-I1w3gfV06J8xG1xJ+XuMIGkV2/Ofszo7SCC+z4Xb6l4=";
+            sha256 = "sha256-lUEoqXJF1k4/il9bdDTinkUV5L869njZNYqObG/mHyA=";
          };

-          vendorHash = "sha256-S4hcD5/BSGxM2qdJHMxOkxsJ5+Ks6m4lKHSS9+yZ17c=";
+          vendorHash = "sha256-Ttt7bPKU+TMKRg5550BS6fsPwYp0QJqcZ7NLrhttSdw=";

          nativeBuildInputs = [pkgs.installShellFiles];

          subPackages = ["protoc-gen-grpc-gateway" "protoc-gen-openapiv2"];
        };

+        protobuf-language-server = buildGo rec {
+          pname = "protobuf-language-server";
+          version = "2546944";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "lasorda";
+            repo = "protobuf-language-server";
+            rev = "${version}";
+            sha256 = "sha256-Cbr3ktT86RnwUntOiDKRpNTClhdyrKLTQG2ZEd6fKDc=";
+          };
+
+          vendorHash = "sha256-PfT90dhfzJZabzLTb1D69JCO+kOh2khrlpF5mCDeypk=";
+
+          subPackages = ["."];
+        };
+
        # Upstream does not override buildGoModule properly,
        # importing a specific module, so comment out for now.
        # golangci-lint = prev.golangci-lint.override {
@@ -102,6 +118,7 @@
          ko
          yq-go
          ripgrep
+          postgresql

          # 'dot' is needed for pprof graphs
          # go tool pprof -http=: <source>
@@ -114,6 +131,7 @@
          protoc-gen-grpc-gateway
          buf
          clang-tools # clang-format
+          protobuf-language-server
        ];

      # Add entry to build a docker image with headscale
@@ -190,7 +208,7 @@
            ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
            ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
            ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
-            ${pkgs.clang-tools}/bin/clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i ${./.}
+            ${pkgs.clang-tools}/bin/clang-format -i ${./.}
          '';
      };
    });
--- a/gen/go/headscale/v1/apikey.pb.go
+++ b/gen/go/headscale/v1/apikey.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.2
 // 	protoc        (unknown)
 // source: headscale/v1/apikey.proto

@@ -35,11 +35,9 @@ type ApiKey struct {

 func (x *ApiKey) Reset() {
 	*x = ApiKey{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_apikey_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_apikey_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ApiKey) String() string {
@@ -50,7 +48,7 @@ func (*ApiKey) ProtoMessage() {}

 func (x *ApiKey) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_apikey_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -110,11 +108,9 @@ type CreateApiKeyRequest struct {

 func (x *CreateApiKeyRequest) Reset() {
 	*x = CreateApiKeyRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_apikey_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_apikey_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *CreateApiKeyRequest) String() string {
@@ -125,7 +121,7 @@ func (*CreateApiKeyRequest) ProtoMessage() {}

 func (x *CreateApiKeyRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_apikey_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -157,11 +153,9 @@ type CreateApiKeyResponse struct {

 func (x *CreateApiKeyResponse) Reset() {
 	*x = CreateApiKeyResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_apikey_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_apikey_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *CreateApiKeyResponse) String() string {
@@ -172,7 +166,7 @@ func (*CreateApiKeyResponse) ProtoMessage() {}

 func (x *CreateApiKeyResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_apikey_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -204,11 +198,9 @@ type ExpireApiKeyRequest struct {

 func (x *ExpireApiKeyRequest) Reset() {
 	*x = ExpireApiKeyRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_apikey_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_apikey_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ExpireApiKeyRequest) String() string {
@@ -219,7 +211,7 @@ func (*ExpireApiKeyRequest) ProtoMessage() {}

 func (x *ExpireApiKeyRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_apikey_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -249,11 +241,9 @@ type ExpireApiKeyResponse struct {

 func (x *ExpireApiKeyResponse) Reset() {
 	*x = ExpireApiKeyResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_apikey_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_apikey_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ExpireApiKeyResponse) String() string {
@@ -264,7 +254,7 @@ func (*ExpireApiKeyResponse) ProtoMessage() {}

 func (x *ExpireApiKeyResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_apikey_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -287,11 +277,9 @@ type ListApiKeysRequest struct {

 func (x *ListApiKeysRequest) Reset() {
 	*x = ListApiKeysRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_apikey_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_apikey_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ListApiKeysRequest) String() string {
@@ -302,7 +290,7 @@ func (*ListApiKeysRequest) ProtoMessage() {}

 func (x *ListApiKeysRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_apikey_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -327,11 +315,9 @@ type ListApiKeysResponse struct {

 func (x *ListApiKeysResponse) Reset() {
 	*x = ListApiKeysResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_apikey_proto_msgTypes[6]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_apikey_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ListApiKeysResponse) String() string {
@@ -342,7 +328,7 @@ func (*ListApiKeysResponse) ProtoMessage() {}

 func (x *ListApiKeysResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_apikey_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -374,11 +360,9 @@ type DeleteApiKeyRequest struct {

 func (x *DeleteApiKeyRequest) Reset() {
 	*x = DeleteApiKeyRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_apikey_proto_msgTypes[7]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_apikey_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DeleteApiKeyRequest) String() string {
@@ -389,7 +373,7 @@ func (*DeleteApiKeyRequest) ProtoMessage() {}

 func (x *DeleteApiKeyRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_apikey_proto_msgTypes[7]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -419,11 +403,9 @@ type DeleteApiKeyResponse struct {

 func (x *DeleteApiKeyResponse) Reset() {
 	*x = DeleteApiKeyResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_apikey_proto_msgTypes[8]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_apikey_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DeleteApiKeyResponse) String() string {
@@ -434,7 +416,7 @@ func (*DeleteApiKeyResponse) ProtoMessage() {}

 func (x *DeleteApiKeyResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_apikey_proto_msgTypes[8]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -542,116 +524,6 @@ func file_headscale_v1_apikey_proto_init() {
 	if File_headscale_v1_apikey_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_headscale_v1_apikey_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*ApiKey); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_apikey_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*CreateApiKeyRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_apikey_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*CreateApiKeyResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_apikey_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*ExpireApiKeyRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_apikey_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*ExpireApiKeyResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_apikey_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*ListApiKeysRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_apikey_proto_msgTypes[6].Exporter = func(v any, i int) any {
-			switch v := v.(*ListApiKeysResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_apikey_proto_msgTypes[7].Exporter = func(v any, i int) any {
-			switch v := v.(*DeleteApiKeyRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_apikey_proto_msgTypes[8].Exporter = func(v any, i int) any {
-			switch v := v.(*DeleteApiKeyResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
--- a/gen/go/headscale/v1/device.pb.go
+++ b/gen/go/headscale/v1/device.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.2
 // 	protoc        (unknown)
 // source: headscale/v1/device.proto

@@ -32,11 +32,9 @@ type Latency struct {

 func (x *Latency) Reset() {
 	*x = Latency{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_device_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_device_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *Latency) String() string {
@@ -47,7 +45,7 @@ func (*Latency) ProtoMessage() {}

 func (x *Latency) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_device_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -91,11 +89,9 @@ type ClientSupports struct {

 func (x *ClientSupports) Reset() {
 	*x = ClientSupports{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_device_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_device_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ClientSupports) String() string {
@@ -106,7 +102,7 @@ func (*ClientSupports) ProtoMessage() {}

 func (x *ClientSupports) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_device_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -177,11 +173,9 @@ type ClientConnectivity struct {

 func (x *ClientConnectivity) Reset() {
 	*x = ClientConnectivity{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_device_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_device_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ClientConnectivity) String() string {
@@ -192,7 +186,7 @@ func (*ClientConnectivity) ProtoMessage() {}

 func (x *ClientConnectivity) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_device_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -252,11 +246,9 @@ type GetDeviceRequest struct {

 func (x *GetDeviceRequest) Reset() {
 	*x = GetDeviceRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_device_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_device_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GetDeviceRequest) String() string {
@@ -267,7 +259,7 @@ func (*GetDeviceRequest) ProtoMessage() {}

 func (x *GetDeviceRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_device_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -318,11 +310,9 @@ type GetDeviceResponse struct {

 func (x *GetDeviceResponse) Reset() {
 	*x = GetDeviceResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_device_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_device_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GetDeviceResponse) String() string {
@@ -333,7 +323,7 @@ func (*GetDeviceResponse) ProtoMessage() {}

 func (x *GetDeviceResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_device_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -498,11 +488,9 @@ type DeleteDeviceRequest struct {

 func (x *DeleteDeviceRequest) Reset() {
 	*x = DeleteDeviceRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_device_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_device_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DeleteDeviceRequest) String() string {
@@ -513,7 +501,7 @@ func (*DeleteDeviceRequest) ProtoMessage() {}

 func (x *DeleteDeviceRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_device_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -543,11 +531,9 @@ type DeleteDeviceResponse struct {

 func (x *DeleteDeviceResponse) Reset() {
 	*x = DeleteDeviceResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_device_proto_msgTypes[6]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_device_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DeleteDeviceResponse) String() string {
@@ -558,7 +544,7 @@ func (*DeleteDeviceResponse) ProtoMessage() {}

 func (x *DeleteDeviceResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_device_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -583,11 +569,9 @@ type GetDeviceRoutesRequest struct {

 func (x *GetDeviceRoutesRequest) Reset() {
 	*x = GetDeviceRoutesRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_device_proto_msgTypes[7]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_device_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GetDeviceRoutesRequest) String() string {
@@ -598,7 +582,7 @@ func (*GetDeviceRoutesRequest) ProtoMessage() {}

 func (x *GetDeviceRoutesRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_device_proto_msgTypes[7]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -631,11 +615,9 @@ type GetDeviceRoutesResponse struct {

 func (x *GetDeviceRoutesResponse) Reset() {
 	*x = GetDeviceRoutesResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_device_proto_msgTypes[8]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_device_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GetDeviceRoutesResponse) String() string {
@@ -646,7 +628,7 @@ func (*GetDeviceRoutesResponse) ProtoMessage() {}

 func (x *GetDeviceRoutesResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_device_proto_msgTypes[8]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -686,11 +668,9 @@ type EnableDeviceRoutesRequest struct {

 func (x *EnableDeviceRoutesRequest) Reset() {
 	*x = EnableDeviceRoutesRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_device_proto_msgTypes[9]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_device_proto_msgTypes[9]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *EnableDeviceRoutesRequest) String() string {
@@ -701,7 +681,7 @@ func (*EnableDeviceRoutesRequest) ProtoMessage() {}

 func (x *EnableDeviceRoutesRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_device_proto_msgTypes[9]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -741,11 +721,9 @@ type EnableDeviceRoutesResponse struct {

 func (x *EnableDeviceRoutesResponse) Reset() {
 	*x = EnableDeviceRoutesResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_device_proto_msgTypes[10]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_device_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *EnableDeviceRoutesResponse) String() string {
@@ -756,7 +734,7 @@ func (*EnableDeviceRoutesResponse) ProtoMessage() {}

 func (x *EnableDeviceRoutesResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_device_proto_msgTypes[10]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -960,140 +938,6 @@ func file_headscale_v1_device_proto_init() {
 	if File_headscale_v1_device_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_headscale_v1_device_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*Latency); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_device_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*ClientSupports); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_device_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*ClientConnectivity); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_device_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*GetDeviceRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_device_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*GetDeviceResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_device_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*DeleteDeviceRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_device_proto_msgTypes[6].Exporter = func(v any, i int) any {
-			switch v := v.(*DeleteDeviceResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_device_proto_msgTypes[7].Exporter = func(v any, i int) any {
-			switch v := v.(*GetDeviceRoutesRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_device_proto_msgTypes[8].Exporter = func(v any, i int) any {
-			switch v := v.(*GetDeviceRoutesResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_device_proto_msgTypes[9].Exporter = func(v any, i int) any {
-			switch v := v.(*EnableDeviceRoutesRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_device_proto_msgTypes[10].Exporter = func(v any, i int) any {
-			switch v := v.(*EnableDeviceRoutesResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
--- a/gen/go/headscale/v1/headscale.pb.go
+++ b/gen/go/headscale/v1/headscale.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.2
 // 	protoc        (unknown)
 // source: headscale/v1/headscale.proto

@@ -37,347 +37,336 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
 	0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x1a, 0x19, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f,
-	0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0xcf, 0x1a, 0x0a,
+	0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0xe9, 0x19, 0x0a,
 	0x10, 0x48, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63,
-	0x65, 0x12, 0x63, 0x0a, 0x07, 0x47, 0x65, 0x74, 0x55, 0x73, 0x65, 0x72, 0x12, 0x1c, 0x2e, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x55,
-	0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x55, 0x73, 0x65,
-	0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, 0x02,
-	0x15, 0x12, 0x13, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x2f,
-	0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x12, 0x68, 0x0a, 0x0a, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65,
-	0x55, 0x73, 0x65, 0x72, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
-	0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
-	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x17, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x11, 0x3a,
-	0x01, 0x2a, 0x22, 0x0c, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72,
-	0x12, 0x82, 0x01, 0x0a, 0x0a, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x55, 0x73, 0x65, 0x72, 0x12,
-	0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52,
-	0x65, 0x6e, 0x61, 0x6d, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x65, 0x12, 0x68, 0x0a, 0x0a, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x12,
+	0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43,
+	0x72, 0x65, 0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
 	0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
-	0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x22, 0x31, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x2b, 0x22, 0x29, 0x2f, 0x61, 0x70, 0x69,
-	0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x2f, 0x7b, 0x6f, 0x6c, 0x64, 0x5f, 0x6e, 0x61,
-	0x6d, 0x65, 0x7d, 0x2f, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x2f, 0x7b, 0x6e, 0x65, 0x77, 0x5f,
-	0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x12, 0x6c, 0x0a, 0x0a, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x55,
-	0x73, 0x65, 0x72, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
-	0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
-	0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x15, 0x2a, 0x13,
-	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x2f, 0x7b, 0x6e, 0x61,
-	0x6d, 0x65, 0x7d, 0x12, 0x62, 0x0a, 0x09, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73,
-	0x12, 0x1e, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
-	0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x1a, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
-	0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x22, 0x14, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x0e, 0x12, 0x0c, 0x2f, 0x61, 0x70, 0x69, 0x2f,
-	0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x12, 0x80, 0x01, 0x0a, 0x10, 0x43, 0x72, 0x65, 0x61,
-	0x74, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61,
-	0x74, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
-	0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68,
-	0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1d, 0x82, 0xd3, 0xe4,
-	0x93, 0x02, 0x17, 0x3a, 0x01, 0x2a, 0x22, 0x12, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
-	0x70, 0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b, 0x65, 0x79, 0x12, 0x87, 0x01, 0x0a, 0x10, 0x45,
-	0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x12,
-	0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45,
-	0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
-	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41,
-	0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x24,
-	0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1e, 0x3a, 0x01, 0x2a, 0x22, 0x19, 0x2f, 0x61, 0x70, 0x69, 0x2f,
-	0x76, 0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b, 0x65, 0x79, 0x2f, 0x65, 0x78,
-	0x70, 0x69, 0x72, 0x65, 0x12, 0x7a, 0x0a, 0x0f, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x72, 0x65, 0x41,
-	0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x72, 0x65, 0x41, 0x75,
-	0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e,
-	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73,
-	0x74, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1a, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x14, 0x12, 0x12, 0x2f, 0x61,
-	0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b, 0x65, 0x79,
-	0x12, 0x7d, 0x0a, 0x0f, 0x44, 0x65, 0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4e,
-	0x6f, 0x64, 0x65, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
-	0x76, 0x31, 0x2e, 0x44, 0x65, 0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4e, 0x6f,
-	0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x62, 0x75, 0x67, 0x43, 0x72,
-	0x65, 0x61, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x22, 0x1d, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x17, 0x3a, 0x01, 0x2a, 0x22, 0x12, 0x2f, 0x61, 0x70,
-	0x69, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x62, 0x75, 0x67, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x12,
-	0x66, 0x0a, 0x07, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x12, 0x1c, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x64,
-	0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x12,
-	0x16, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e,
-	0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x6e, 0x0a, 0x07, 0x53, 0x65, 0x74, 0x54, 0x61,
-	0x67, 0x73, 0x12, 0x1c, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x1a, 0x1d, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
-	0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x26, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x20, 0x3a, 0x01, 0x2a, 0x22, 0x1b, 0x2f, 0x61, 0x70, 0x69,
-	0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69,
-	0x64, 0x7d, 0x2f, 0x74, 0x61, 0x67, 0x73, 0x12, 0x74, 0x0a, 0x0c, 0x52, 0x65, 0x67, 0x69, 0x73,
-	0x74, 0x65, 0x72, 0x4e, 0x6f, 0x64, 0x65, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4e,
-	0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74,
-	0x65, 0x72, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1d,
-	0x82, 0xd3, 0xe4, 0x93, 0x02, 0x17, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
-	0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x12, 0x6f, 0x0a,
-	0x0a, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x12, 0x1f, 0x2e, 0x68, 0x65,
-	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74,
-	0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68,
+	0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x22, 0x17, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x11, 0x3a, 0x01, 0x2a, 0x22, 0x0c, 0x2f,
+	0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x12, 0x80, 0x01, 0x0a, 0x0a,
+	0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x55, 0x73, 0x65, 0x72, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65,
+	0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d,
+	0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2f, 0x82,
+	0xd3, 0xe4, 0x93, 0x02, 0x29, 0x22, 0x27, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x75,
+	0x73, 0x65, 0x72, 0x2f, 0x7b, 0x6f, 0x6c, 0x64, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x72, 0x65, 0x6e,
+	0x61, 0x6d, 0x65, 0x2f, 0x7b, 0x6e, 0x65, 0x77, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x12, 0x6a,
+	0x0a, 0x0a, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x12, 0x1f, 0x2e, 0x68,
 	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65,
-	0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e,
-	0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x2a, 0x16, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
-	0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x76,
-	0x0a, 0x0a, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x12, 0x1f, 0x2e, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69,
-	0x72, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e,
-	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70,
-	0x69, 0x72, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x25, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1f, 0x22, 0x1d, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
-	0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f,
-	0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x81, 0x01, 0x0a, 0x0a, 0x52, 0x65, 0x6e, 0x61, 0x6d,
-	0x65, 0x4e, 0x6f, 0x64, 0x65, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
-	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
-	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x4e, 0x6f, 0x64, 0x65,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x30, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x2a,
-	0x22, 0x28, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b,
-	0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x2f,
-	0x7b, 0x6e, 0x65, 0x77, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x12, 0x62, 0x0a, 0x09, 0x4c, 0x69,
-	0x73, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x73, 0x12, 0x1e, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x73,
+	0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e,
+	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c,
+	0x65, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x19, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x2a, 0x11, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
+	0x2f, 0x75, 0x73, 0x65, 0x72, 0x2f, 0x7b, 0x69, 0x64, 0x7d, 0x12, 0x62, 0x0a, 0x09, 0x4c, 0x69,
+	0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73, 0x12, 0x1e, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
+	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73,
 	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x73,
+	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73,
 	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x14, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x0e,
-	0x12, 0x0c, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x12, 0x6e,
-	0x0a, 0x08, 0x4d, 0x6f, 0x76, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x12, 0x1d, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x6f, 0x76, 0x65, 0x4e, 0x6f,
-	0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1e, 0x2e, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x6f, 0x76, 0x65, 0x4e, 0x6f, 0x64,
-	0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02,
-	0x1d, 0x22, 0x1b, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f,
-	0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x12, 0x80,
-	0x01, 0x0a, 0x0f, 0x42, 0x61, 0x63, 0x6b, 0x66, 0x69, 0x6c, 0x6c, 0x4e, 0x6f, 0x64, 0x65, 0x49,
-	0x50, 0x73, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x12, 0x0c, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x12, 0x80,
+	0x01, 0x0a, 0x10, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68,
+	0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
+	0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68,
+	0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65,
+	0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x22, 0x1d, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x17, 0x3a, 0x01, 0x2a, 0x22, 0x12, 0x2f,
+	0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b, 0x65,
+	0x79, 0x12, 0x87, 0x01, 0x0a, 0x10, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41,
+	0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
+	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41,
+	0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e,
+	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70,
+	0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x24, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1e, 0x3a, 0x01, 0x2a,
+	0x22, 0x19, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75, 0x74,
+	0x68, 0x6b, 0x65, 0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x7a, 0x0a, 0x0f, 0x4c,
+	0x69, 0x73, 0x74, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x24,
+	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69,
+	0x73, 0x74, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b,
+	0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1a, 0x82, 0xd3, 0xe4,
+	0x93, 0x02, 0x14, 0x12, 0x12, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x65,
+	0x61, 0x75, 0x74, 0x68, 0x6b, 0x65, 0x79, 0x12, 0x7d, 0x0a, 0x0f, 0x44, 0x65, 0x62, 0x75, 0x67,
+	0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x62, 0x75, 0x67, 0x43,
+	0x72, 0x65, 0x61, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x44, 0x65, 0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1d, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x17, 0x3a,
+	0x01, 0x2a, 0x22, 0x12, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x62, 0x75,
+	0x67, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x12, 0x66, 0x0a, 0x07, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x64,
+	0x65, 0x12, 0x1c, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
+	0x1d, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47,
+	0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e,
+	0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x12, 0x16, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
+	0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x6e,
+	0x0a, 0x07, 0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x12, 0x1c, 0x2e, 0x68, 0x65, 0x61, 0x64,
+	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
+	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x26, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x20, 0x3a, 0x01,
+	0x2a, 0x22, 0x1b, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f,
+	0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x74, 0x61, 0x67, 0x73, 0x12, 0x74,
+	0x0a, 0x0c, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4e, 0x6f, 0x64, 0x65, 0x12, 0x21,
+	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65,
+	0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1d, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x17, 0x22, 0x15, 0x2f,
+	0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x72, 0x65, 0x67, 0x69,
+	0x73, 0x74, 0x65, 0x72, 0x12, 0x6f, 0x0a, 0x0a, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4e, 0x6f,
+	0x64, 0x65, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
+	0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1e, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x18, 0x2a, 0x16, 0x2f,
+	0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64,
+	0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x76, 0x0a, 0x0a, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4e,
+	0x6f, 0x64, 0x65, 0x12, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
+	0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1f, 0x22, 0x1d,
+	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f,
+	0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x81, 0x01,
+	0x0a, 0x0a, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x12, 0x1f, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61,
+	0x6d, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e,
+	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e,
+	0x61, 0x6d, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x30, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x2a, 0x22, 0x28, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
+	0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f,
+	0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x2f, 0x7b, 0x6e, 0x65, 0x77, 0x5f, 0x6e, 0x61, 0x6d, 0x65,
+	0x7d, 0x12, 0x62, 0x0a, 0x09, 0x4c, 0x69, 0x73, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x73, 0x12, 0x1e,
+	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69,
+	0x73, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f,
+	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69,
+	0x73, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x14, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x0e, 0x12, 0x0c, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
+	0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x12, 0x71, 0x0a, 0x08, 0x4d, 0x6f, 0x76, 0x65, 0x4e, 0x6f, 0x64,
+	0x65, 0x12, 0x1d, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x4d, 0x6f, 0x76, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x1e, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x4d, 0x6f, 0x76, 0x65, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x22, 0x26, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x20, 0x3a, 0x01, 0x2a, 0x22, 0x1b, 0x2f, 0x61, 0x70,
+	0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f,
+	0x69, 0x64, 0x7d, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x12, 0x80, 0x01, 0x0a, 0x0f, 0x42, 0x61, 0x63,
+	0x6b, 0x66, 0x69, 0x6c, 0x6c, 0x4e, 0x6f, 0x64, 0x65, 0x49, 0x50, 0x73, 0x12, 0x24, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x61, 0x63, 0x6b,
+	0x66, 0x69, 0x6c, 0x6c, 0x4e, 0x6f, 0x64, 0x65, 0x49, 0x50, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
 	0x31, 0x2e, 0x42, 0x61, 0x63, 0x6b, 0x66, 0x69, 0x6c, 0x6c, 0x4e, 0x6f, 0x64, 0x65, 0x49, 0x50,
-	0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x61, 0x63, 0x6b, 0x66, 0x69, 0x6c, 0x6c,
-	0x4e, 0x6f, 0x64, 0x65, 0x49, 0x50, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x22, 0x18, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
-	0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x62, 0x61, 0x63, 0x6b, 0x66, 0x69, 0x6c, 0x6c, 0x69, 0x70,
-	0x73, 0x12, 0x64, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x1e,
-	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65,
-	0x74, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f,
-	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65,
-	0x74, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x16, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x10, 0x12, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
-	0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x7c, 0x0a, 0x0b, 0x45, 0x6e, 0x61, 0x62, 0x6c,
-	0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
-	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74,
-	0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x28, 0x82, 0xd3, 0xe4,
-	0x93, 0x02, 0x22, 0x22, 0x20, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75,
-	0x74, 0x65, 0x73, 0x2f, 0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x65,
-	0x6e, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x80, 0x01, 0x0a, 0x0c, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c,
-	0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
-	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75,
-	0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65,
-	0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x29, 0x82,
-	0xd3, 0xe4, 0x93, 0x02, 0x23, 0x22, 0x21, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72,
-	0x6f, 0x75, 0x74, 0x65, 0x73, 0x2f, 0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d,
-	0x2f, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x7f, 0x0a, 0x0d, 0x47, 0x65, 0x74, 0x4e,
-	0x6f, 0x64, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65,
-	0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e,
-	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74,
-	0x4e, 0x6f, 0x64, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x22, 0x25, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1f, 0x12, 0x1d, 0x2f, 0x61, 0x70, 0x69,
-	0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69,
-	0x64, 0x7d, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x75, 0x0a, 0x0b, 0x44, 0x65, 0x6c,
-	0x65, 0x74, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65,
-	0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x21, 0x82,
-	0xd3, 0xe4, 0x93, 0x02, 0x1b, 0x2a, 0x19, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72,
-	0x6f, 0x75, 0x74, 0x65, 0x73, 0x2f, 0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d,
-	0x12, 0x70, 0x0a, 0x0c, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79,
+	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02,
+	0x1a, 0x22, 0x18, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f,
+	0x62, 0x61, 0x63, 0x6b, 0x66, 0x69, 0x6c, 0x6c, 0x69, 0x70, 0x73, 0x12, 0x64, 0x0a, 0x09, 0x47,
+	0x65, 0x74, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x1e, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
+	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
+	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16, 0x82, 0xd3, 0xe4, 0x93, 0x02,
+	0x10, 0x12, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65,
+	0x73, 0x12, 0x7c, 0x0a, 0x0b, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x28, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x22, 0x22, 0x20, 0x2f,
+	0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2f, 0x7b, 0x72,
+	0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x12,
+	0x80, 0x01, 0x0a, 0x0c, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
 	0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
-	0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75,
+	0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75,
 	0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
-	0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x19, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a,
-	0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b,
-	0x65, 0x79, 0x12, 0x77, 0x0a, 0x0c, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b,
-	0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
-	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65,
-	0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02,
-	0x1a, 0x3a, 0x01, 0x2a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70,
-	0x69, 0x6b, 0x65, 0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x6a, 0x0a, 0x0b, 0x4c,
-	0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70,
-	0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74,
-	0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x16, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x10, 0x12, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
-	0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x12, 0x76, 0x0a, 0x0c, 0x44, 0x65, 0x6c, 0x65, 0x74,
-	0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x70, 0x69,
-	0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65,
-	0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1f,
-	0x82, 0xd3, 0xe4, 0x93, 0x02, 0x19, 0x2a, 0x17, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
-	0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2f, 0x7b, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x7d, 0x12,
-	0x64, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1e, 0x2e, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x50,
+	0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x29, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x23, 0x22,
+	0x21, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2f,
+	0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x64, 0x69, 0x73, 0x61, 0x62,
+	0x6c, 0x65, 0x12, 0x7f, 0x0a, 0x0d, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x6f, 0x75,
+	0x74, 0x65, 0x73, 0x12, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
+	0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
+	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4e, 0x6f, 0x64, 0x65, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x25, 0x82, 0xd3,
+	0xe4, 0x93, 0x02, 0x1f, 0x12, 0x1d, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f,
+	0x64, 0x65, 0x2f, 0x7b, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x72, 0x6f, 0x75,
+	0x74, 0x65, 0x73, 0x12, 0x75, 0x0a, 0x0b, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x75,
+	0x74, 0x65, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x21, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1b, 0x2a,
+	0x19, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2f,
+	0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x70, 0x0a, 0x0c, 0x43, 0x72,
+	0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65,
+	0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e,
+	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65,
+	0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x19, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x61,
+	0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x12, 0x77, 0x0a, 0x0c,
+	0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69,
+	0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
+	0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45,
+	0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x3a, 0x01, 0x2a, 0x22, 0x15,
+	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2f, 0x65,
+	0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x6a, 0x0a, 0x0b, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69,
+	0x4b, 0x65, 0x79, 0x73, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
+	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79,
+	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16, 0x82, 0xd3, 0xe4, 0x93, 0x02,
+	0x10, 0x12, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65,
+	0x79, 0x12, 0x76, 0x0a, 0x0c, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65,
+	0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1f, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x19,
+	0x2a, 0x17, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79,
+	0x2f, 0x7b, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x7d, 0x12, 0x64, 0x0a, 0x09, 0x47, 0x65, 0x74,
+	0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1e, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
+	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
+	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x10, 0x12,
+	0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12,
+	0x67, 0x0a, 0x09, 0x53, 0x65, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1e, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x74, 0x50,
 	0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x50,
-	0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16, 0x82,
-	0xd3, 0xe4, 0x93, 0x02, 0x10, 0x12, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70,
-	0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x67, 0x0a, 0x09, 0x53, 0x65, 0x74, 0x50, 0x6f, 0x6c, 0x69,
-	0x63, 0x79, 0x12, 0x1e, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x53, 0x65, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x53, 0x65, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x22, 0x19, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, 0x2a, 0x1a, 0x0e,
-	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x29,
-	0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61,
-	0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f,
-	0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x33,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x74, 0x50,
+	0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x19, 0x82,
+	0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, 0x2a, 0x1a, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76,
+	0x31, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68,
+	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f,
+	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f,
+	0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var file_headscale_v1_headscale_proto_goTypes = []any{
-	(*GetUserRequest)(nil),           // 0: headscale.v1.GetUserRequest
-	(*CreateUserRequest)(nil),        // 1: headscale.v1.CreateUserRequest
-	(*RenameUserRequest)(nil),        // 2: headscale.v1.RenameUserRequest
-	(*DeleteUserRequest)(nil),        // 3: headscale.v1.DeleteUserRequest
-	(*ListUsersRequest)(nil),         // 4: headscale.v1.ListUsersRequest
-	(*CreatePreAuthKeyRequest)(nil),  // 5: headscale.v1.CreatePreAuthKeyRequest
-	(*ExpirePreAuthKeyRequest)(nil),  // 6: headscale.v1.ExpirePreAuthKeyRequest
-	(*ListPreAuthKeysRequest)(nil),   // 7: headscale.v1.ListPreAuthKeysRequest
-	(*DebugCreateNodeRequest)(nil),   // 8: headscale.v1.DebugCreateNodeRequest
-	(*GetNodeRequest)(nil),           // 9: headscale.v1.GetNodeRequest
-	(*SetTagsRequest)(nil),           // 10: headscale.v1.SetTagsRequest
-	(*RegisterNodeRequest)(nil),      // 11: headscale.v1.RegisterNodeRequest
-	(*DeleteNodeRequest)(nil),        // 12: headscale.v1.DeleteNodeRequest
-	(*ExpireNodeRequest)(nil),        // 13: headscale.v1.ExpireNodeRequest
-	(*RenameNodeRequest)(nil),        // 14: headscale.v1.RenameNodeRequest
-	(*ListNodesRequest)(nil),         // 15: headscale.v1.ListNodesRequest
-	(*MoveNodeRequest)(nil),          // 16: headscale.v1.MoveNodeRequest
-	(*BackfillNodeIPsRequest)(nil),   // 17: headscale.v1.BackfillNodeIPsRequest
-	(*GetRoutesRequest)(nil),         // 18: headscale.v1.GetRoutesRequest
-	(*EnableRouteRequest)(nil),       // 19: headscale.v1.EnableRouteRequest
-	(*DisableRouteRequest)(nil),      // 20: headscale.v1.DisableRouteRequest
-	(*GetNodeRoutesRequest)(nil),     // 21: headscale.v1.GetNodeRoutesRequest
-	(*DeleteRouteRequest)(nil),       // 22: headscale.v1.DeleteRouteRequest
-	(*CreateApiKeyRequest)(nil),      // 23: headscale.v1.CreateApiKeyRequest
-	(*ExpireApiKeyRequest)(nil),      // 24: headscale.v1.ExpireApiKeyRequest
-	(*ListApiKeysRequest)(nil),       // 25: headscale.v1.ListApiKeysRequest
-	(*DeleteApiKeyRequest)(nil),      // 26: headscale.v1.DeleteApiKeyRequest
-	(*GetPolicyRequest)(nil),         // 27: headscale.v1.GetPolicyRequest
-	(*SetPolicyRequest)(nil),         // 28: headscale.v1.SetPolicyRequest
-	(*GetUserResponse)(nil),          // 29: headscale.v1.GetUserResponse
-	(*CreateUserResponse)(nil),       // 30: headscale.v1.CreateUserResponse
-	(*RenameUserResponse)(nil),       // 31: headscale.v1.RenameUserResponse
-	(*DeleteUserResponse)(nil),       // 32: headscale.v1.DeleteUserResponse
-	(*ListUsersResponse)(nil),        // 33: headscale.v1.ListUsersResponse
-	(*CreatePreAuthKeyResponse)(nil), // 34: headscale.v1.CreatePreAuthKeyResponse
-	(*ExpirePreAuthKeyResponse)(nil), // 35: headscale.v1.ExpirePreAuthKeyResponse
-	(*ListPreAuthKeysResponse)(nil),  // 36: headscale.v1.ListPreAuthKeysResponse
-	(*DebugCreateNodeResponse)(nil),  // 37: headscale.v1.DebugCreateNodeResponse
-	(*GetNodeResponse)(nil),          // 38: headscale.v1.GetNodeResponse
-	(*SetTagsResponse)(nil),          // 39: headscale.v1.SetTagsResponse
-	(*RegisterNodeResponse)(nil),     // 40: headscale.v1.RegisterNodeResponse
-	(*DeleteNodeResponse)(nil),       // 41: headscale.v1.DeleteNodeResponse
-	(*ExpireNodeResponse)(nil),       // 42: headscale.v1.ExpireNodeResponse
-	(*RenameNodeResponse)(nil),       // 43: headscale.v1.RenameNodeResponse
-	(*ListNodesResponse)(nil),        // 44: headscale.v1.ListNodesResponse
-	(*MoveNodeResponse)(nil),         // 45: headscale.v1.MoveNodeResponse
-	(*BackfillNodeIPsResponse)(nil),  // 46: headscale.v1.BackfillNodeIPsResponse
-	(*GetRoutesResponse)(nil),        // 47: headscale.v1.GetRoutesResponse
-	(*EnableRouteResponse)(nil),      // 48: headscale.v1.EnableRouteResponse
-	(*DisableRouteResponse)(nil),     // 49: headscale.v1.DisableRouteResponse
-	(*GetNodeRoutesResponse)(nil),    // 50: headscale.v1.GetNodeRoutesResponse
-	(*DeleteRouteResponse)(nil),      // 51: headscale.v1.DeleteRouteResponse
-	(*CreateApiKeyResponse)(nil),     // 52: headscale.v1.CreateApiKeyResponse
-	(*ExpireApiKeyResponse)(nil),     // 53: headscale.v1.ExpireApiKeyResponse
-	(*ListApiKeysResponse)(nil),      // 54: headscale.v1.ListApiKeysResponse
-	(*DeleteApiKeyResponse)(nil),     // 55: headscale.v1.DeleteApiKeyResponse
-	(*GetPolicyResponse)(nil),        // 56: headscale.v1.GetPolicyResponse
-	(*SetPolicyResponse)(nil),        // 57: headscale.v1.SetPolicyResponse
+	(*CreateUserRequest)(nil),        // 0: headscale.v1.CreateUserRequest
+	(*RenameUserRequest)(nil),        // 1: headscale.v1.RenameUserRequest
+	(*DeleteUserRequest)(nil),        // 2: headscale.v1.DeleteUserRequest
+	(*ListUsersRequest)(nil),         // 3: headscale.v1.ListUsersRequest
+	(*CreatePreAuthKeyRequest)(nil),  // 4: headscale.v1.CreatePreAuthKeyRequest
+	(*ExpirePreAuthKeyRequest)(nil),  // 5: headscale.v1.ExpirePreAuthKeyRequest
+	(*ListPreAuthKeysRequest)(nil),   // 6: headscale.v1.ListPreAuthKeysRequest
+	(*DebugCreateNodeRequest)(nil),   // 7: headscale.v1.DebugCreateNodeRequest
+	(*GetNodeRequest)(nil),           // 8: headscale.v1.GetNodeRequest
+	(*SetTagsRequest)(nil),           // 9: headscale.v1.SetTagsRequest
+	(*RegisterNodeRequest)(nil),      // 10: headscale.v1.RegisterNodeRequest
+	(*DeleteNodeRequest)(nil),        // 11: headscale.v1.DeleteNodeRequest
+	(*ExpireNodeRequest)(nil),        // 12: headscale.v1.ExpireNodeRequest
+	(*RenameNodeRequest)(nil),        // 13: headscale.v1.RenameNodeRequest
+	(*ListNodesRequest)(nil),         // 14: headscale.v1.ListNodesRequest
+	(*MoveNodeRequest)(nil),          // 15: headscale.v1.MoveNodeRequest
+	(*BackfillNodeIPsRequest)(nil),   // 16: headscale.v1.BackfillNodeIPsRequest
+	(*GetRoutesRequest)(nil),         // 17: headscale.v1.GetRoutesRequest
+	(*EnableRouteRequest)(nil),       // 18: headscale.v1.EnableRouteRequest
+	(*DisableRouteRequest)(nil),      // 19: headscale.v1.DisableRouteRequest
+	(*GetNodeRoutesRequest)(nil),     // 20: headscale.v1.GetNodeRoutesRequest
+	(*DeleteRouteRequest)(nil),       // 21: headscale.v1.DeleteRouteRequest
+	(*CreateApiKeyRequest)(nil),      // 22: headscale.v1.CreateApiKeyRequest
+	(*ExpireApiKeyRequest)(nil),      // 23: headscale.v1.ExpireApiKeyRequest
+	(*ListApiKeysRequest)(nil),       // 24: headscale.v1.ListApiKeysRequest
+	(*DeleteApiKeyRequest)(nil),      // 25: headscale.v1.DeleteApiKeyRequest
+	(*GetPolicyRequest)(nil),         // 26: headscale.v1.GetPolicyRequest
+	(*SetPolicyRequest)(nil),         // 27: headscale.v1.SetPolicyRequest
+	(*CreateUserResponse)(nil),       // 28: headscale.v1.CreateUserResponse
+	(*RenameUserResponse)(nil),       // 29: headscale.v1.RenameUserResponse
+	(*DeleteUserResponse)(nil),       // 30: headscale.v1.DeleteUserResponse
+	(*ListUsersResponse)(nil),        // 31: headscale.v1.ListUsersResponse
+	(*CreatePreAuthKeyResponse)(nil), // 32: headscale.v1.CreatePreAuthKeyResponse
+	(*ExpirePreAuthKeyResponse)(nil), // 33: headscale.v1.ExpirePreAuthKeyResponse
+	(*ListPreAuthKeysResponse)(nil),  // 34: headscale.v1.ListPreAuthKeysResponse
+	(*DebugCreateNodeResponse)(nil),  // 35: headscale.v1.DebugCreateNodeResponse
+	(*GetNodeResponse)(nil),          // 36: headscale.v1.GetNodeResponse
+	(*SetTagsResponse)(nil),          // 37: headscale.v1.SetTagsResponse
+	(*RegisterNodeResponse)(nil),     // 38: headscale.v1.RegisterNodeResponse
+	(*DeleteNodeResponse)(nil),       // 39: headscale.v1.DeleteNodeResponse
+	(*ExpireNodeResponse)(nil),       // 40: headscale.v1.ExpireNodeResponse
+	(*RenameNodeResponse)(nil),       // 41: headscale.v1.RenameNodeResponse
+	(*ListNodesResponse)(nil),        // 42: headscale.v1.ListNodesResponse
+	(*MoveNodeResponse)(nil),         // 43: headscale.v1.MoveNodeResponse
+	(*BackfillNodeIPsResponse)(nil),  // 44: headscale.v1.BackfillNodeIPsResponse
+	(*GetRoutesResponse)(nil),        // 45: headscale.v1.GetRoutesResponse
+	(*EnableRouteResponse)(nil),      // 46: headscale.v1.EnableRouteResponse
+	(*DisableRouteResponse)(nil),     // 47: headscale.v1.DisableRouteResponse
+	(*GetNodeRoutesResponse)(nil),    // 48: headscale.v1.GetNodeRoutesResponse
+	(*DeleteRouteResponse)(nil),      // 49: headscale.v1.DeleteRouteResponse
+	(*CreateApiKeyResponse)(nil),     // 50: headscale.v1.CreateApiKeyResponse
+	(*ExpireApiKeyResponse)(nil),     // 51: headscale.v1.ExpireApiKeyResponse
+	(*ListApiKeysResponse)(nil),      // 52: headscale.v1.ListApiKeysResponse
+	(*DeleteApiKeyResponse)(nil),     // 53: headscale.v1.DeleteApiKeyResponse
+	(*GetPolicyResponse)(nil),        // 54: headscale.v1.GetPolicyResponse
+	(*SetPolicyResponse)(nil),        // 55: headscale.v1.SetPolicyResponse
 }
 var file_headscale_v1_headscale_proto_depIdxs = []int32{
-	0,  // 0: headscale.v1.HeadscaleService.GetUser:input_type -> headscale.v1.GetUserRequest
-	1,  // 1: headscale.v1.HeadscaleService.CreateUser:input_type -> headscale.v1.CreateUserRequest
-	2,  // 2: headscale.v1.HeadscaleService.RenameUser:input_type -> headscale.v1.RenameUserRequest
-	3,  // 3: headscale.v1.HeadscaleService.DeleteUser:input_type -> headscale.v1.DeleteUserRequest
-	4,  // 4: headscale.v1.HeadscaleService.ListUsers:input_type -> headscale.v1.ListUsersRequest
-	5,  // 5: headscale.v1.HeadscaleService.CreatePreAuthKey:input_type -> headscale.v1.CreatePreAuthKeyRequest
-	6,  // 6: headscale.v1.HeadscaleService.ExpirePreAuthKey:input_type -> headscale.v1.ExpirePreAuthKeyRequest
-	7,  // 7: headscale.v1.HeadscaleService.ListPreAuthKeys:input_type -> headscale.v1.ListPreAuthKeysRequest
-	8,  // 8: headscale.v1.HeadscaleService.DebugCreateNode:input_type -> headscale.v1.DebugCreateNodeRequest
-	9,  // 9: headscale.v1.HeadscaleService.GetNode:input_type -> headscale.v1.GetNodeRequest
-	10, // 10: headscale.v1.HeadscaleService.SetTags:input_type -> headscale.v1.SetTagsRequest
-	11, // 11: headscale.v1.HeadscaleService.RegisterNode:input_type -> headscale.v1.RegisterNodeRequest
-	12, // 12: headscale.v1.HeadscaleService.DeleteNode:input_type -> headscale.v1.DeleteNodeRequest
-	13, // 13: headscale.v1.HeadscaleService.ExpireNode:input_type -> headscale.v1.ExpireNodeRequest
-	14, // 14: headscale.v1.HeadscaleService.RenameNode:input_type -> headscale.v1.RenameNodeRequest
-	15, // 15: headscale.v1.HeadscaleService.ListNodes:input_type -> headscale.v1.ListNodesRequest
-	16, // 16: headscale.v1.HeadscaleService.MoveNode:input_type -> headscale.v1.MoveNodeRequest
-	17, // 17: headscale.v1.HeadscaleService.BackfillNodeIPs:input_type -> headscale.v1.BackfillNodeIPsRequest
-	18, // 18: headscale.v1.HeadscaleService.GetRoutes:input_type -> headscale.v1.GetRoutesRequest
-	19, // 19: headscale.v1.HeadscaleService.EnableRoute:input_type -> headscale.v1.EnableRouteRequest
-	20, // 20: headscale.v1.HeadscaleService.DisableRoute:input_type -> headscale.v1.DisableRouteRequest
-	21, // 21: headscale.v1.HeadscaleService.GetNodeRoutes:input_type -> headscale.v1.GetNodeRoutesRequest
-	22, // 22: headscale.v1.HeadscaleService.DeleteRoute:input_type -> headscale.v1.DeleteRouteRequest
-	23, // 23: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
-	24, // 24: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
-	25, // 25: headscale.v1.HeadscaleService.ListApiKeys:input_type -> headscale.v1.ListApiKeysRequest
-	26, // 26: headscale.v1.HeadscaleService.DeleteApiKey:input_type -> headscale.v1.DeleteApiKeyRequest
-	27, // 27: headscale.v1.HeadscaleService.GetPolicy:input_type -> headscale.v1.GetPolicyRequest
-	28, // 28: headscale.v1.HeadscaleService.SetPolicy:input_type -> headscale.v1.SetPolicyRequest
-	29, // 29: headscale.v1.HeadscaleService.GetUser:output_type -> headscale.v1.GetUserResponse
-	30, // 30: headscale.v1.HeadscaleService.CreateUser:output_type -> headscale.v1.CreateUserResponse
-	31, // 31: headscale.v1.HeadscaleService.RenameUser:output_type -> headscale.v1.RenameUserResponse
-	32, // 32: headscale.v1.HeadscaleService.DeleteUser:output_type -> headscale.v1.DeleteUserResponse
-	33, // 33: headscale.v1.HeadscaleService.ListUsers:output_type -> headscale.v1.ListUsersResponse
-	34, // 34: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
-	35, // 35: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
-	36, // 36: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
-	37, // 37: headscale.v1.HeadscaleService.DebugCreateNode:output_type -> headscale.v1.DebugCreateNodeResponse
-	38, // 38: headscale.v1.HeadscaleService.GetNode:output_type -> headscale.v1.GetNodeResponse
-	39, // 39: headscale.v1.HeadscaleService.SetTags:output_type -> headscale.v1.SetTagsResponse
-	40, // 40: headscale.v1.HeadscaleService.RegisterNode:output_type -> headscale.v1.RegisterNodeResponse
-	41, // 41: headscale.v1.HeadscaleService.DeleteNode:output_type -> headscale.v1.DeleteNodeResponse
-	42, // 42: headscale.v1.HeadscaleService.ExpireNode:output_type -> headscale.v1.ExpireNodeResponse
-	43, // 43: headscale.v1.HeadscaleService.RenameNode:output_type -> headscale.v1.RenameNodeResponse
-	44, // 44: headscale.v1.HeadscaleService.ListNodes:output_type -> headscale.v1.ListNodesResponse
-	45, // 45: headscale.v1.HeadscaleService.MoveNode:output_type -> headscale.v1.MoveNodeResponse
-	46, // 46: headscale.v1.HeadscaleService.BackfillNodeIPs:output_type -> headscale.v1.BackfillNodeIPsResponse
-	47, // 47: headscale.v1.HeadscaleService.GetRoutes:output_type -> headscale.v1.GetRoutesResponse
-	48, // 48: headscale.v1.HeadscaleService.EnableRoute:output_type -> headscale.v1.EnableRouteResponse
-	49, // 49: headscale.v1.HeadscaleService.DisableRoute:output_type -> headscale.v1.DisableRouteResponse
-	50, // 50: headscale.v1.HeadscaleService.GetNodeRoutes:output_type -> headscale.v1.GetNodeRoutesResponse
-	51, // 51: headscale.v1.HeadscaleService.DeleteRoute:output_type -> headscale.v1.DeleteRouteResponse
-	52, // 52: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
-	53, // 53: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
-	54, // 54: headscale.v1.HeadscaleService.ListApiKeys:output_type -> headscale.v1.ListApiKeysResponse
-	55, // 55: headscale.v1.HeadscaleService.DeleteApiKey:output_type -> headscale.v1.DeleteApiKeyResponse
-	56, // 56: headscale.v1.HeadscaleService.GetPolicy:output_type -> headscale.v1.GetPolicyResponse
-	57, // 57: headscale.v1.HeadscaleService.SetPolicy:output_type -> headscale.v1.SetPolicyResponse
-	29, // [29:58] is the sub-list for method output_type
-	0,  // [0:29] is the sub-list for method input_type
+	0,  // 0: headscale.v1.HeadscaleService.CreateUser:input_type -> headscale.v1.CreateUserRequest
+	1,  // 1: headscale.v1.HeadscaleService.RenameUser:input_type -> headscale.v1.RenameUserRequest
+	2,  // 2: headscale.v1.HeadscaleService.DeleteUser:input_type -> headscale.v1.DeleteUserRequest
+	3,  // 3: headscale.v1.HeadscaleService.ListUsers:input_type -> headscale.v1.ListUsersRequest
+	4,  // 4: headscale.v1.HeadscaleService.CreatePreAuthKey:input_type -> headscale.v1.CreatePreAuthKeyRequest
+	5,  // 5: headscale.v1.HeadscaleService.ExpirePreAuthKey:input_type -> headscale.v1.ExpirePreAuthKeyRequest
+	6,  // 6: headscale.v1.HeadscaleService.ListPreAuthKeys:input_type -> headscale.v1.ListPreAuthKeysRequest
+	7,  // 7: headscale.v1.HeadscaleService.DebugCreateNode:input_type -> headscale.v1.DebugCreateNodeRequest
+	8,  // 8: headscale.v1.HeadscaleService.GetNode:input_type -> headscale.v1.GetNodeRequest
+	9,  // 9: headscale.v1.HeadscaleService.SetTags:input_type -> headscale.v1.SetTagsRequest
+	10, // 10: headscale.v1.HeadscaleService.RegisterNode:input_type -> headscale.v1.RegisterNodeRequest
+	11, // 11: headscale.v1.HeadscaleService.DeleteNode:input_type -> headscale.v1.DeleteNodeRequest
+	12, // 12: headscale.v1.HeadscaleService.ExpireNode:input_type -> headscale.v1.ExpireNodeRequest
+	13, // 13: headscale.v1.HeadscaleService.RenameNode:input_type -> headscale.v1.RenameNodeRequest
+	14, // 14: headscale.v1.HeadscaleService.ListNodes:input_type -> headscale.v1.ListNodesRequest
+	15, // 15: headscale.v1.HeadscaleService.MoveNode:input_type -> headscale.v1.MoveNodeRequest
+	16, // 16: headscale.v1.HeadscaleService.BackfillNodeIPs:input_type -> headscale.v1.BackfillNodeIPsRequest
+	17, // 17: headscale.v1.HeadscaleService.GetRoutes:input_type -> headscale.v1.GetRoutesRequest
+	18, // 18: headscale.v1.HeadscaleService.EnableRoute:input_type -> headscale.v1.EnableRouteRequest
+	19, // 19: headscale.v1.HeadscaleService.DisableRoute:input_type -> headscale.v1.DisableRouteRequest
+	20, // 20: headscale.v1.HeadscaleService.GetNodeRoutes:input_type -> headscale.v1.GetNodeRoutesRequest
+	21, // 21: headscale.v1.HeadscaleService.DeleteRoute:input_type -> headscale.v1.DeleteRouteRequest
+	22, // 22: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
+	23, // 23: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
+	24, // 24: headscale.v1.HeadscaleService.ListApiKeys:input_type -> headscale.v1.ListApiKeysRequest
+	25, // 25: headscale.v1.HeadscaleService.DeleteApiKey:input_type -> headscale.v1.DeleteApiKeyRequest
+	26, // 26: headscale.v1.HeadscaleService.GetPolicy:input_type -> headscale.v1.GetPolicyRequest
+	27, // 27: headscale.v1.HeadscaleService.SetPolicy:input_type -> headscale.v1.SetPolicyRequest
+	28, // 28: headscale.v1.HeadscaleService.CreateUser:output_type -> headscale.v1.CreateUserResponse
+	29, // 29: headscale.v1.HeadscaleService.RenameUser:output_type -> headscale.v1.RenameUserResponse
+	30, // 30: headscale.v1.HeadscaleService.DeleteUser:output_type -> headscale.v1.DeleteUserResponse
+	31, // 31: headscale.v1.HeadscaleService.ListUsers:output_type -> headscale.v1.ListUsersResponse
+	32, // 32: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
+	33, // 33: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
+	34, // 34: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
+	35, // 35: headscale.v1.HeadscaleService.DebugCreateNode:output_type -> headscale.v1.DebugCreateNodeResponse
+	36, // 36: headscale.v1.HeadscaleService.GetNode:output_type -> headscale.v1.GetNodeResponse
+	37, // 37: headscale.v1.HeadscaleService.SetTags:output_type -> headscale.v1.SetTagsResponse
+	38, // 38: headscale.v1.HeadscaleService.RegisterNode:output_type -> headscale.v1.RegisterNodeResponse
+	39, // 39: headscale.v1.HeadscaleService.DeleteNode:output_type -> headscale.v1.DeleteNodeResponse
+	40, // 40: headscale.v1.HeadscaleService.ExpireNode:output_type -> headscale.v1.ExpireNodeResponse
+	41, // 41: headscale.v1.HeadscaleService.RenameNode:output_type -> headscale.v1.RenameNodeResponse
+	42, // 42: headscale.v1.HeadscaleService.ListNodes:output_type -> headscale.v1.ListNodesResponse
+	43, // 43: headscale.v1.HeadscaleService.MoveNode:output_type -> headscale.v1.MoveNodeResponse
+	44, // 44: headscale.v1.HeadscaleService.BackfillNodeIPs:output_type -> headscale.v1.BackfillNodeIPsResponse
+	45, // 45: headscale.v1.HeadscaleService.GetRoutes:output_type -> headscale.v1.GetRoutesResponse
+	46, // 46: headscale.v1.HeadscaleService.EnableRoute:output_type -> headscale.v1.EnableRouteResponse
+	47, // 47: headscale.v1.HeadscaleService.DisableRoute:output_type -> headscale.v1.DisableRouteResponse
+	48, // 48: headscale.v1.HeadscaleService.GetNodeRoutes:output_type -> headscale.v1.GetNodeRoutesResponse
+	49, // 49: headscale.v1.HeadscaleService.DeleteRoute:output_type -> headscale.v1.DeleteRouteResponse
+	50, // 50: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
+	51, // 51: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
+	52, // 52: headscale.v1.HeadscaleService.ListApiKeys:output_type -> headscale.v1.ListApiKeysResponse
+	53, // 53: headscale.v1.HeadscaleService.DeleteApiKey:output_type -> headscale.v1.DeleteApiKeyResponse
+	54, // 54: headscale.v1.HeadscaleService.GetPolicy:output_type -> headscale.v1.GetPolicyResponse
+	55, // 55: headscale.v1.HeadscaleService.SetPolicy:output_type -> headscale.v1.SetPolicyResponse
+	28, // [28:56] is the sub-list for method output_type
+	0,  // [0:28] is the sub-list for method input_type
 	0,  // [0:0] is the sub-list for extension type_name
 	0,  // [0:0] is the sub-list for extension extendee
 	0,  // [0:0] is the sub-list for field type_name
--- a/gen/go/headscale/v1/headscale.pb.gw.go
+++ b/gen/go/headscale/v1/headscale.pb.gw.go
--- a/gen/go/headscale/v1/headscale_grpc.pb.go
+++ b/gen/go/headscale/v1/headscale_grpc.pb.go
@@ -19,7 +19,6 @@ import (
 const _ = grpc.SupportPackageIsVersion7

 const (
-	HeadscaleService_GetUser_FullMethodName          = "/headscale.v1.HeadscaleService/GetUser"
 	HeadscaleService_CreateUser_FullMethodName       = "/headscale.v1.HeadscaleService/CreateUser"
 	HeadscaleService_RenameUser_FullMethodName       = "/headscale.v1.HeadscaleService/RenameUser"
 	HeadscaleService_DeleteUser_FullMethodName       = "/headscale.v1.HeadscaleService/DeleteUser"
@@ -55,7 +54,6 @@ const (
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type HeadscaleServiceClient interface {
 	// --- User start ---
-	GetUser(ctx context.Context, in *GetUserRequest, opts ...grpc.CallOption) (*GetUserResponse, error)
 	CreateUser(ctx context.Context, in *CreateUserRequest, opts ...grpc.CallOption) (*CreateUserResponse, error)
 	RenameUser(ctx context.Context, in *RenameUserRequest, opts ...grpc.CallOption) (*RenameUserResponse, error)
 	DeleteUser(ctx context.Context, in *DeleteUserRequest, opts ...grpc.CallOption) (*DeleteUserResponse, error)
@@ -99,15 +97,6 @@ func NewHeadscaleServiceClient(cc grpc.ClientConnInterface) HeadscaleServiceClie
 	return &headscaleServiceClient{cc}
 }

-func (c *headscaleServiceClient) GetUser(ctx context.Context, in *GetUserRequest, opts ...grpc.CallOption) (*GetUserResponse, error) {
-	out := new(GetUserResponse)
-	err := c.cc.Invoke(ctx, HeadscaleService_GetUser_FullMethodName, in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *headscaleServiceClient) CreateUser(ctx context.Context, in *CreateUserRequest, opts ...grpc.CallOption) (*CreateUserResponse, error) {
 	out := new(CreateUserResponse)
 	err := c.cc.Invoke(ctx, HeadscaleService_CreateUser_FullMethodName, in, out, opts...)
@@ -365,7 +354,6 @@ func (c *headscaleServiceClient) SetPolicy(ctx context.Context, in *SetPolicyReq
 // for forward compatibility
 type HeadscaleServiceServer interface {
 	// --- User start ---
-	GetUser(context.Context, *GetUserRequest) (*GetUserResponse, error)
 	CreateUser(context.Context, *CreateUserRequest) (*CreateUserResponse, error)
 	RenameUser(context.Context, *RenameUserRequest) (*RenameUserResponse, error)
 	DeleteUser(context.Context, *DeleteUserRequest) (*DeleteUserResponse, error)
@@ -406,9 +394,6 @@ type HeadscaleServiceServer interface {
 type UnimplementedHeadscaleServiceServer struct {
 }

-func (UnimplementedHeadscaleServiceServer) GetUser(context.Context, *GetUserRequest) (*GetUserResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method GetUser not implemented")
-}
 func (UnimplementedHeadscaleServiceServer) CreateUser(context.Context, *CreateUserRequest) (*CreateUserResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method CreateUser not implemented")
 }
@@ -506,24 +491,6 @@ func RegisterHeadscaleServiceServer(s grpc.ServiceRegistrar, srv HeadscaleServic
 	s.RegisterService(&HeadscaleService_ServiceDesc, srv)
 }

-func _HeadscaleService_GetUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(GetUserRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).GetUser(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: HeadscaleService_GetUser_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).GetUser(ctx, req.(*GetUserRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _HeadscaleService_CreateUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(CreateUserRequest)
 	if err := dec(in); err != nil {
@@ -1035,10 +1002,6 @@ var HeadscaleService_ServiceDesc = grpc.ServiceDesc{
 	ServiceName: "headscale.v1.HeadscaleService",
 	HandlerType: (*HeadscaleServiceServer)(nil),
 	Methods: []grpc.MethodDesc{
-		{
-			MethodName: "GetUser",
-			Handler:    _HeadscaleService_GetUser_Handler,
-		},
 		{
 			MethodName: "CreateUser",
 			Handler:    _HeadscaleService_CreateUser_Handler,
--- a/gen/go/headscale/v1/node.pb.go
+++ b/gen/go/headscale/v1/node.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.2
 // 	protoc        (unknown)
 // source: headscale/v1/node.proto

@@ -99,11 +99,9 @@ type Node struct {

 func (x *Node) Reset() {
 	*x = Node{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *Node) String() string {
@@ -114,7 +112,7 @@ func (*Node) ProtoMessage() {}

 func (x *Node) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -259,11 +257,9 @@ type RegisterNodeRequest struct {

 func (x *RegisterNodeRequest) Reset() {
 	*x = RegisterNodeRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *RegisterNodeRequest) String() string {
@@ -274,7 +270,7 @@ func (*RegisterNodeRequest) ProtoMessage() {}

 func (x *RegisterNodeRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -313,11 +309,9 @@ type RegisterNodeResponse struct {

 func (x *RegisterNodeResponse) Reset() {
 	*x = RegisterNodeResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *RegisterNodeResponse) String() string {
@@ -328,7 +322,7 @@ func (*RegisterNodeResponse) ProtoMessage() {}

 func (x *RegisterNodeResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -360,11 +354,9 @@ type GetNodeRequest struct {

 func (x *GetNodeRequest) Reset() {
 	*x = GetNodeRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GetNodeRequest) String() string {
@@ -375,7 +367,7 @@ func (*GetNodeRequest) ProtoMessage() {}

 func (x *GetNodeRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -407,11 +399,9 @@ type GetNodeResponse struct {

 func (x *GetNodeResponse) Reset() {
 	*x = GetNodeResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GetNodeResponse) String() string {
@@ -422,7 +412,7 @@ func (*GetNodeResponse) ProtoMessage() {}

 func (x *GetNodeResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -455,11 +445,9 @@ type SetTagsRequest struct {

 func (x *SetTagsRequest) Reset() {
 	*x = SetTagsRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *SetTagsRequest) String() string {
@@ -470,7 +458,7 @@ func (*SetTagsRequest) ProtoMessage() {}

 func (x *SetTagsRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -509,11 +497,9 @@ type SetTagsResponse struct {

 func (x *SetTagsResponse) Reset() {
 	*x = SetTagsResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[6]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *SetTagsResponse) String() string {
@@ -524,7 +510,7 @@ func (*SetTagsResponse) ProtoMessage() {}

 func (x *SetTagsResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -556,11 +542,9 @@ type DeleteNodeRequest struct {

 func (x *DeleteNodeRequest) Reset() {
 	*x = DeleteNodeRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[7]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DeleteNodeRequest) String() string {
@@ -571,7 +555,7 @@ func (*DeleteNodeRequest) ProtoMessage() {}

 func (x *DeleteNodeRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[7]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -601,11 +585,9 @@ type DeleteNodeResponse struct {

 func (x *DeleteNodeResponse) Reset() {
 	*x = DeleteNodeResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[8]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DeleteNodeResponse) String() string {
@@ -616,7 +598,7 @@ func (*DeleteNodeResponse) ProtoMessage() {}

 func (x *DeleteNodeResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[8]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -641,11 +623,9 @@ type ExpireNodeRequest struct {

 func (x *ExpireNodeRequest) Reset() {
 	*x = ExpireNodeRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[9]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[9]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ExpireNodeRequest) String() string {
@@ -656,7 +636,7 @@ func (*ExpireNodeRequest) ProtoMessage() {}

 func (x *ExpireNodeRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[9]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -688,11 +668,9 @@ type ExpireNodeResponse struct {

 func (x *ExpireNodeResponse) Reset() {
 	*x = ExpireNodeResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[10]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ExpireNodeResponse) String() string {
@@ -703,7 +681,7 @@ func (*ExpireNodeResponse) ProtoMessage() {}

 func (x *ExpireNodeResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[10]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -736,11 +714,9 @@ type RenameNodeRequest struct {

 func (x *RenameNodeRequest) Reset() {
 	*x = RenameNodeRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[11]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[11]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *RenameNodeRequest) String() string {
@@ -751,7 +727,7 @@ func (*RenameNodeRequest) ProtoMessage() {}

 func (x *RenameNodeRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[11]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -790,11 +766,9 @@ type RenameNodeResponse struct {

 func (x *RenameNodeResponse) Reset() {
 	*x = RenameNodeResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[12]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[12]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *RenameNodeResponse) String() string {
@@ -805,7 +779,7 @@ func (*RenameNodeResponse) ProtoMessage() {}

 func (x *RenameNodeResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[12]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -837,11 +811,9 @@ type ListNodesRequest struct {

 func (x *ListNodesRequest) Reset() {
 	*x = ListNodesRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[13]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[13]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ListNodesRequest) String() string {
@@ -852,7 +824,7 @@ func (*ListNodesRequest) ProtoMessage() {}

 func (x *ListNodesRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[13]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -884,11 +856,9 @@ type ListNodesResponse struct {

 func (x *ListNodesResponse) Reset() {
 	*x = ListNodesResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[14]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[14]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ListNodesResponse) String() string {
@@ -899,7 +869,7 @@ func (*ListNodesResponse) ProtoMessage() {}

 func (x *ListNodesResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[14]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -932,11 +902,9 @@ type MoveNodeRequest struct {

 func (x *MoveNodeRequest) Reset() {
 	*x = MoveNodeRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[15]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[15]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *MoveNodeRequest) String() string {
@@ -947,7 +915,7 @@ func (*MoveNodeRequest) ProtoMessage() {}

 func (x *MoveNodeRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[15]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -986,11 +954,9 @@ type MoveNodeResponse struct {

 func (x *MoveNodeResponse) Reset() {
 	*x = MoveNodeResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[16]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[16]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *MoveNodeResponse) String() string {
@@ -1001,7 +967,7 @@ func (*MoveNodeResponse) ProtoMessage() {}

 func (x *MoveNodeResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[16]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1036,11 +1002,9 @@ type DebugCreateNodeRequest struct {

 func (x *DebugCreateNodeRequest) Reset() {
 	*x = DebugCreateNodeRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[17]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[17]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DebugCreateNodeRequest) String() string {
@@ -1051,7 +1015,7 @@ func (*DebugCreateNodeRequest) ProtoMessage() {}

 func (x *DebugCreateNodeRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[17]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1104,11 +1068,9 @@ type DebugCreateNodeResponse struct {

 func (x *DebugCreateNodeResponse) Reset() {
 	*x = DebugCreateNodeResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[18]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[18]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DebugCreateNodeResponse) String() string {
@@ -1119,7 +1081,7 @@ func (*DebugCreateNodeResponse) ProtoMessage() {}

 func (x *DebugCreateNodeResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[18]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1151,11 +1113,9 @@ type BackfillNodeIPsRequest struct {

 func (x *BackfillNodeIPsRequest) Reset() {
 	*x = BackfillNodeIPsRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[19]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[19]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *BackfillNodeIPsRequest) String() string {
@@ -1166,7 +1126,7 @@ func (*BackfillNodeIPsRequest) ProtoMessage() {}

 func (x *BackfillNodeIPsRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[19]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1198,11 +1158,9 @@ type BackfillNodeIPsResponse struct {

 func (x *BackfillNodeIPsResponse) Reset() {
 	*x = BackfillNodeIPsResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_node_proto_msgTypes[20]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_node_proto_msgTypes[20]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *BackfillNodeIPsResponse) String() string {
@@ -1213,7 +1171,7 @@ func (*BackfillNodeIPsResponse) ProtoMessage() {}

 func (x *BackfillNodeIPsResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_node_proto_msgTypes[20]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1445,260 +1403,6 @@ func file_headscale_v1_node_proto_init() {
 	}
 	file_headscale_v1_preauthkey_proto_init()
 	file_headscale_v1_user_proto_init()
-	if !protoimpl.UnsafeEnabled {
-		file_headscale_v1_node_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*Node); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*RegisterNodeRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*RegisterNodeResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*GetNodeRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*GetNodeResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*SetTagsRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[6].Exporter = func(v any, i int) any {
-			switch v := v.(*SetTagsResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[7].Exporter = func(v any, i int) any {
-			switch v := v.(*DeleteNodeRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[8].Exporter = func(v any, i int) any {
-			switch v := v.(*DeleteNodeResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[9].Exporter = func(v any, i int) any {
-			switch v := v.(*ExpireNodeRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[10].Exporter = func(v any, i int) any {
-			switch v := v.(*ExpireNodeResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[11].Exporter = func(v any, i int) any {
-			switch v := v.(*RenameNodeRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[12].Exporter = func(v any, i int) any {
-			switch v := v.(*RenameNodeResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[13].Exporter = func(v any, i int) any {
-			switch v := v.(*ListNodesRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[14].Exporter = func(v any, i int) any {
-			switch v := v.(*ListNodesResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[15].Exporter = func(v any, i int) any {
-			switch v := v.(*MoveNodeRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[16].Exporter = func(v any, i int) any {
-			switch v := v.(*MoveNodeResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[17].Exporter = func(v any, i int) any {
-			switch v := v.(*DebugCreateNodeRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[18].Exporter = func(v any, i int) any {
-			switch v := v.(*DebugCreateNodeResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[19].Exporter = func(v any, i int) any {
-			switch v := v.(*BackfillNodeIPsRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_node_proto_msgTypes[20].Exporter = func(v any, i int) any {
-			switch v := v.(*BackfillNodeIPsResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
--- a/gen/go/headscale/v1/policy.pb.go
+++ b/gen/go/headscale/v1/policy.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.2
 // 	protoc        (unknown)
 // source: headscale/v1/policy.proto

@@ -31,11 +31,9 @@ type SetPolicyRequest struct {

 func (x *SetPolicyRequest) Reset() {
 	*x = SetPolicyRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_policy_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_policy_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *SetPolicyRequest) String() string {
@@ -46,7 +44,7 @@ func (*SetPolicyRequest) ProtoMessage() {}

 func (x *SetPolicyRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_policy_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -79,11 +77,9 @@ type SetPolicyResponse struct {

 func (x *SetPolicyResponse) Reset() {
 	*x = SetPolicyResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_policy_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_policy_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *SetPolicyResponse) String() string {
@@ -94,7 +90,7 @@ func (*SetPolicyResponse) ProtoMessage() {}

 func (x *SetPolicyResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_policy_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -131,11 +127,9 @@ type GetPolicyRequest struct {

 func (x *GetPolicyRequest) Reset() {
 	*x = GetPolicyRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_policy_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_policy_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GetPolicyRequest) String() string {
@@ -146,7 +140,7 @@ func (*GetPolicyRequest) ProtoMessage() {}

 func (x *GetPolicyRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_policy_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -172,11 +166,9 @@ type GetPolicyResponse struct {

 func (x *GetPolicyResponse) Reset() {
 	*x = GetPolicyResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_policy_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_policy_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GetPolicyResponse) String() string {
@@ -187,7 +179,7 @@ func (*GetPolicyResponse) ProtoMessage() {}

 func (x *GetPolicyResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_policy_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -281,56 +273,6 @@ func file_headscale_v1_policy_proto_init() {
 	if File_headscale_v1_policy_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_headscale_v1_policy_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*SetPolicyRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_policy_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*SetPolicyResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_policy_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*GetPolicyRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_policy_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*GetPolicyResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
--- a/gen/go/headscale/v1/preauthkey.pb.go
+++ b/gen/go/headscale/v1/preauthkey.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.2
 // 	protoc        (unknown)
 // source: headscale/v1/preauthkey.proto

@@ -39,11 +39,9 @@ type PreAuthKey struct {

 func (x *PreAuthKey) Reset() {
 	*x = PreAuthKey{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_preauthkey_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *PreAuthKey) String() string {
@@ -54,7 +52,7 @@ func (*PreAuthKey) ProtoMessage() {}

 func (x *PreAuthKey) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_preauthkey_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -146,11 +144,9 @@ type CreatePreAuthKeyRequest struct {

 func (x *CreatePreAuthKeyRequest) Reset() {
 	*x = CreatePreAuthKeyRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_preauthkey_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *CreatePreAuthKeyRequest) String() string {
@@ -161,7 +157,7 @@ func (*CreatePreAuthKeyRequest) ProtoMessage() {}

 func (x *CreatePreAuthKeyRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_preauthkey_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -221,11 +217,9 @@ type CreatePreAuthKeyResponse struct {

 func (x *CreatePreAuthKeyResponse) Reset() {
 	*x = CreatePreAuthKeyResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_preauthkey_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *CreatePreAuthKeyResponse) String() string {
@@ -236,7 +230,7 @@ func (*CreatePreAuthKeyResponse) ProtoMessage() {}

 func (x *CreatePreAuthKeyResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_preauthkey_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -269,11 +263,9 @@ type ExpirePreAuthKeyRequest struct {

 func (x *ExpirePreAuthKeyRequest) Reset() {
 	*x = ExpirePreAuthKeyRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_preauthkey_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ExpirePreAuthKeyRequest) String() string {
@@ -284,7 +276,7 @@ func (*ExpirePreAuthKeyRequest) ProtoMessage() {}

 func (x *ExpirePreAuthKeyRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_preauthkey_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -321,11 +313,9 @@ type ExpirePreAuthKeyResponse struct {

 func (x *ExpirePreAuthKeyResponse) Reset() {
 	*x = ExpirePreAuthKeyResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_preauthkey_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ExpirePreAuthKeyResponse) String() string {
@@ -336,7 +326,7 @@ func (*ExpirePreAuthKeyResponse) ProtoMessage() {}

 func (x *ExpirePreAuthKeyResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_preauthkey_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -361,11 +351,9 @@ type ListPreAuthKeysRequest struct {

 func (x *ListPreAuthKeysRequest) Reset() {
 	*x = ListPreAuthKeysRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_preauthkey_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ListPreAuthKeysRequest) String() string {
@@ -376,7 +364,7 @@ func (*ListPreAuthKeysRequest) ProtoMessage() {}

 func (x *ListPreAuthKeysRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_preauthkey_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -408,11 +396,9 @@ type ListPreAuthKeysResponse struct {

 func (x *ListPreAuthKeysResponse) Reset() {
 	*x = ListPreAuthKeysResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_preauthkey_proto_msgTypes[6]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_preauthkey_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ListPreAuthKeysResponse) String() string {
@@ -423,7 +409,7 @@ func (*ListPreAuthKeysResponse) ProtoMessage() {}

 func (x *ListPreAuthKeysResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_preauthkey_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -550,92 +536,6 @@ func file_headscale_v1_preauthkey_proto_init() {
 	if File_headscale_v1_preauthkey_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_headscale_v1_preauthkey_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*PreAuthKey); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_preauthkey_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*CreatePreAuthKeyRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_preauthkey_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*CreatePreAuthKeyResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_preauthkey_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*ExpirePreAuthKeyRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_preauthkey_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*ExpirePreAuthKeyResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_preauthkey_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*ListPreAuthKeysRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_preauthkey_proto_msgTypes[6].Exporter = func(v any, i int) any {
-			switch v := v.(*ListPreAuthKeysResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
--- a/gen/go/headscale/v1/routes.pb.go
+++ b/gen/go/headscale/v1/routes.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.2
 // 	protoc        (unknown)
 // source: headscale/v1/routes.proto

@@ -39,11 +39,9 @@ type Route struct {

 func (x *Route) Reset() {
 	*x = Route{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_routes_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_routes_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *Route) String() string {
@@ -54,7 +52,7 @@ func (*Route) ProtoMessage() {}

 func (x *Route) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -140,11 +138,9 @@ type GetRoutesRequest struct {

 func (x *GetRoutesRequest) Reset() {
 	*x = GetRoutesRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_routes_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_routes_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GetRoutesRequest) String() string {
@@ -155,7 +151,7 @@ func (*GetRoutesRequest) ProtoMessage() {}

 func (x *GetRoutesRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -180,11 +176,9 @@ type GetRoutesResponse struct {

 func (x *GetRoutesResponse) Reset() {
 	*x = GetRoutesResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_routes_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_routes_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GetRoutesResponse) String() string {
@@ -195,7 +189,7 @@ func (*GetRoutesResponse) ProtoMessage() {}

 func (x *GetRoutesResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -227,11 +221,9 @@ type EnableRouteRequest struct {

 func (x *EnableRouteRequest) Reset() {
 	*x = EnableRouteRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_routes_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_routes_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *EnableRouteRequest) String() string {
@@ -242,7 +234,7 @@ func (*EnableRouteRequest) ProtoMessage() {}

 func (x *EnableRouteRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -272,11 +264,9 @@ type EnableRouteResponse struct {

 func (x *EnableRouteResponse) Reset() {
 	*x = EnableRouteResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_routes_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_routes_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *EnableRouteResponse) String() string {
@@ -287,7 +277,7 @@ func (*EnableRouteResponse) ProtoMessage() {}

 func (x *EnableRouteResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -312,11 +302,9 @@ type DisableRouteRequest struct {

 func (x *DisableRouteRequest) Reset() {
 	*x = DisableRouteRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_routes_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_routes_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DisableRouteRequest) String() string {
@@ -327,7 +315,7 @@ func (*DisableRouteRequest) ProtoMessage() {}

 func (x *DisableRouteRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -357,11 +345,9 @@ type DisableRouteResponse struct {

 func (x *DisableRouteResponse) Reset() {
 	*x = DisableRouteResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_routes_proto_msgTypes[6]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_routes_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DisableRouteResponse) String() string {
@@ -372,7 +358,7 @@ func (*DisableRouteResponse) ProtoMessage() {}

 func (x *DisableRouteResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -397,11 +383,9 @@ type GetNodeRoutesRequest struct {

 func (x *GetNodeRoutesRequest) Reset() {
 	*x = GetNodeRoutesRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_routes_proto_msgTypes[7]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_routes_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GetNodeRoutesRequest) String() string {
@@ -412,7 +396,7 @@ func (*GetNodeRoutesRequest) ProtoMessage() {}

 func (x *GetNodeRoutesRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[7]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -444,11 +428,9 @@ type GetNodeRoutesResponse struct {

 func (x *GetNodeRoutesResponse) Reset() {
 	*x = GetNodeRoutesResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_routes_proto_msgTypes[8]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_routes_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *GetNodeRoutesResponse) String() string {
@@ -459,7 +441,7 @@ func (*GetNodeRoutesResponse) ProtoMessage() {}

 func (x *GetNodeRoutesResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[8]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -491,11 +473,9 @@ type DeleteRouteRequest struct {

 func (x *DeleteRouteRequest) Reset() {
 	*x = DeleteRouteRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_routes_proto_msgTypes[9]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_routes_proto_msgTypes[9]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DeleteRouteRequest) String() string {
@@ -506,7 +486,7 @@ func (*DeleteRouteRequest) ProtoMessage() {}

 func (x *DeleteRouteRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[9]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -536,11 +516,9 @@ type DeleteRouteResponse struct {

 func (x *DeleteRouteResponse) Reset() {
 	*x = DeleteRouteResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_routes_proto_msgTypes[10]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_routes_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DeleteRouteResponse) String() string {
@@ -551,7 +529,7 @@ func (*DeleteRouteResponse) ProtoMessage() {}

 func (x *DeleteRouteResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[10]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -678,140 +656,6 @@ func file_headscale_v1_routes_proto_init() {
 		return
 	}
 	file_headscale_v1_node_proto_init()
-	if !protoimpl.UnsafeEnabled {
-		file_headscale_v1_routes_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*Route); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_routes_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*GetRoutesRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_routes_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*GetRoutesResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_routes_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*EnableRouteRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_routes_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*EnableRouteResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_routes_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*DisableRouteRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_routes_proto_msgTypes[6].Exporter = func(v any, i int) any {
-			switch v := v.(*DisableRouteResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_routes_proto_msgTypes[7].Exporter = func(v any, i int) any {
-			switch v := v.(*GetNodeRoutesRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_routes_proto_msgTypes[8].Exporter = func(v any, i int) any {
-			switch v := v.(*GetNodeRoutesResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_routes_proto_msgTypes[9].Exporter = func(v any, i int) any {
-			switch v := v.(*DeleteRouteRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_routes_proto_msgTypes[10].Exporter = func(v any, i int) any {
-			switch v := v.(*DeleteRouteResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
--- a/gen/go/headscale/v1/user.pb.go
+++ b/gen/go/headscale/v1/user.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.2
 // 	protoc        (unknown)
 // source: headscale/v1/user.proto

@@ -26,18 +26,21 @@ type User struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Id        string                 `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
-	Name      string                 `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
-	CreatedAt *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=created_at,json=createdAt,proto3" json:"created_at,omitempty"`
+	Id            uint64                 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	Name          string                 `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
+	CreatedAt     *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=created_at,json=createdAt,proto3" json:"created_at,omitempty"`
+	DisplayName   string                 `protobuf:"bytes,4,opt,name=display_name,json=displayName,proto3" json:"display_name,omitempty"`
+	Email         string                 `protobuf:"bytes,5,opt,name=email,proto3" json:"email,omitempty"`
+	ProviderId    string                 `protobuf:"bytes,6,opt,name=provider_id,json=providerId,proto3" json:"provider_id,omitempty"`
+	Provider      string                 `protobuf:"bytes,7,opt,name=provider,proto3" json:"provider,omitempty"`
+	ProfilePicUrl string                 `protobuf:"bytes,8,opt,name=profile_pic_url,json=profilePicUrl,proto3" json:"profile_pic_url,omitempty"`
 }

 func (x *User) Reset() {
 	*x = User{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_user_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_user_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *User) String() string {
@@ -48,7 +51,7 @@ func (*User) ProtoMessage() {}

 func (x *User) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_user_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -63,11 +66,11 @@ func (*User) Descriptor() ([]byte, []int) {
 	return file_headscale_v1_user_proto_rawDescGZIP(), []int{0}
 }

-func (x *User) GetId() string {
+func (x *User) GetId() uint64 {
 	if x != nil {
 		return x.Id
 	}
-	return ""
+	return 0
 }

 func (x *User) GetName() string {
@@ -84,98 +87,39 @@ func (x *User) GetCreatedAt() *timestamppb.Timestamp {
 	return nil
 }

-type GetUserRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
-}
-
-func (x *GetUserRequest) Reset() {
-	*x = GetUserRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_user_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *GetUserRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*GetUserRequest) ProtoMessage() {}
-
-func (x *GetUserRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_user_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use GetUserRequest.ProtoReflect.Descriptor instead.
-func (*GetUserRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_user_proto_rawDescGZIP(), []int{1}
-}
-
-func (x *GetUserRequest) GetName() string {
+func (x *User) GetDisplayName() string {
 	if x != nil {
-		return x.Name
+		return x.DisplayName
 	}
 	return ""
 }

-type GetUserResponse struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	User *User `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"`
-}
-
-func (x *GetUserResponse) Reset() {
-	*x = GetUserResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_user_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *GetUserResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*GetUserResponse) ProtoMessage() {}
-
-func (x *GetUserResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_user_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use GetUserResponse.ProtoReflect.Descriptor instead.
-func (*GetUserResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_user_proto_rawDescGZIP(), []int{2}
-}
-
-func (x *GetUserResponse) GetUser() *User {
+func (x *User) GetEmail() string {
 	if x != nil {
-		return x.User
+		return x.Email
 	}
-	return nil
+	return ""
+}
+
+func (x *User) GetProviderId() string {
+	if x != nil {
+		return x.ProviderId
+	}
+	return ""
+}
+
+func (x *User) GetProvider() string {
+	if x != nil {
+		return x.Provider
+	}
+	return ""
+}
+
+func (x *User) GetProfilePicUrl() string {
+	if x != nil {
+		return x.ProfilePicUrl
+	}
+	return ""
 }

 type CreateUserRequest struct {
@@ -183,16 +127,17 @@ type CreateUserRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	Name        string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	DisplayName string `protobuf:"bytes,2,opt,name=display_name,json=displayName,proto3" json:"display_name,omitempty"`
+	Email       string `protobuf:"bytes,3,opt,name=email,proto3" json:"email,omitempty"`
+	PictureUrl  string `protobuf:"bytes,4,opt,name=picture_url,json=pictureUrl,proto3" json:"picture_url,omitempty"`
 }

 func (x *CreateUserRequest) Reset() {
 	*x = CreateUserRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_user_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_user_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *CreateUserRequest) String() string {
@@ -202,8 +147,8 @@ func (x *CreateUserRequest) String() string {
 func (*CreateUserRequest) ProtoMessage() {}

 func (x *CreateUserRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_user_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	mi := &file_headscale_v1_user_proto_msgTypes[1]
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -215,7 +160,7 @@ func (x *CreateUserRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use CreateUserRequest.ProtoReflect.Descriptor instead.
 func (*CreateUserRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_user_proto_rawDescGZIP(), []int{3}
+	return file_headscale_v1_user_proto_rawDescGZIP(), []int{1}
 }

 func (x *CreateUserRequest) GetName() string {
@@ -225,6 +170,27 @@ func (x *CreateUserRequest) GetName() string {
 	return ""
 }

+func (x *CreateUserRequest) GetDisplayName() string {
+	if x != nil {
+		return x.DisplayName
+	}
+	return ""
+}
+
+func (x *CreateUserRequest) GetEmail() string {
+	if x != nil {
+		return x.Email
+	}
+	return ""
+}
+
+func (x *CreateUserRequest) GetPictureUrl() string {
+	if x != nil {
+		return x.PictureUrl
+	}
+	return ""
+}
+
 type CreateUserResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -235,11 +201,9 @@ type CreateUserResponse struct {

 func (x *CreateUserResponse) Reset() {
 	*x = CreateUserResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_user_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_user_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *CreateUserResponse) String() string {
@@ -249,8 +213,8 @@ func (x *CreateUserResponse) String() string {
 func (*CreateUserResponse) ProtoMessage() {}

 func (x *CreateUserResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_user_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	mi := &file_headscale_v1_user_proto_msgTypes[2]
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -262,7 +226,7 @@ func (x *CreateUserResponse) ProtoReflect() protoreflect.Message {

 // Deprecated: Use CreateUserResponse.ProtoReflect.Descriptor instead.
 func (*CreateUserResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_user_proto_rawDescGZIP(), []int{4}
+	return file_headscale_v1_user_proto_rawDescGZIP(), []int{2}
 }

 func (x *CreateUserResponse) GetUser() *User {
@@ -277,17 +241,15 @@ type RenameUserRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	OldName string `protobuf:"bytes,1,opt,name=old_name,json=oldName,proto3" json:"old_name,omitempty"`
+	OldId   uint64 `protobuf:"varint,1,opt,name=old_id,json=oldId,proto3" json:"old_id,omitempty"`
 	NewName string `protobuf:"bytes,2,opt,name=new_name,json=newName,proto3" json:"new_name,omitempty"`
 }

 func (x *RenameUserRequest) Reset() {
 	*x = RenameUserRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_user_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_user_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *RenameUserRequest) String() string {
@@ -297,8 +259,8 @@ func (x *RenameUserRequest) String() string {
 func (*RenameUserRequest) ProtoMessage() {}

 func (x *RenameUserRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_user_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	mi := &file_headscale_v1_user_proto_msgTypes[3]
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -310,14 +272,14 @@ func (x *RenameUserRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use RenameUserRequest.ProtoReflect.Descriptor instead.
 func (*RenameUserRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_user_proto_rawDescGZIP(), []int{5}
+	return file_headscale_v1_user_proto_rawDescGZIP(), []int{3}
 }

-func (x *RenameUserRequest) GetOldName() string {
+func (x *RenameUserRequest) GetOldId() uint64 {
 	if x != nil {
-		return x.OldName
+		return x.OldId
 	}
-	return ""
+	return 0
 }

 func (x *RenameUserRequest) GetNewName() string {
@@ -337,11 +299,9 @@ type RenameUserResponse struct {

 func (x *RenameUserResponse) Reset() {
 	*x = RenameUserResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_user_proto_msgTypes[6]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_user_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *RenameUserResponse) String() string {
@@ -351,8 +311,8 @@ func (x *RenameUserResponse) String() string {
 func (*RenameUserResponse) ProtoMessage() {}

 func (x *RenameUserResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_user_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	mi := &file_headscale_v1_user_proto_msgTypes[4]
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -364,7 +324,7 @@ func (x *RenameUserResponse) ProtoReflect() protoreflect.Message {

 // Deprecated: Use RenameUserResponse.ProtoReflect.Descriptor instead.
 func (*RenameUserResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_user_proto_rawDescGZIP(), []int{6}
+	return file_headscale_v1_user_proto_rawDescGZIP(), []int{4}
 }

 func (x *RenameUserResponse) GetUser() *User {
@@ -379,16 +339,14 @@ type DeleteUserRequest struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	Id uint64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
 }

 func (x *DeleteUserRequest) Reset() {
 	*x = DeleteUserRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_user_proto_msgTypes[7]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_user_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DeleteUserRequest) String() string {
@@ -398,8 +356,8 @@ func (x *DeleteUserRequest) String() string {
 func (*DeleteUserRequest) ProtoMessage() {}

 func (x *DeleteUserRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_user_proto_msgTypes[7]
-	if protoimpl.UnsafeEnabled && x != nil {
+	mi := &file_headscale_v1_user_proto_msgTypes[5]
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -411,14 +369,14 @@ func (x *DeleteUserRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DeleteUserRequest.ProtoReflect.Descriptor instead.
 func (*DeleteUserRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_user_proto_rawDescGZIP(), []int{7}
+	return file_headscale_v1_user_proto_rawDescGZIP(), []int{5}
 }

-func (x *DeleteUserRequest) GetName() string {
+func (x *DeleteUserRequest) GetId() uint64 {
 	if x != nil {
-		return x.Name
+		return x.Id
 	}
-	return ""
+	return 0
 }

 type DeleteUserResponse struct {
@@ -429,11 +387,9 @@ type DeleteUserResponse struct {

 func (x *DeleteUserResponse) Reset() {
 	*x = DeleteUserResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_user_proto_msgTypes[8]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_user_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *DeleteUserResponse) String() string {
@@ -443,8 +399,8 @@ func (x *DeleteUserResponse) String() string {
 func (*DeleteUserResponse) ProtoMessage() {}

 func (x *DeleteUserResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_user_proto_msgTypes[8]
-	if protoimpl.UnsafeEnabled && x != nil {
+	mi := &file_headscale_v1_user_proto_msgTypes[6]
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -456,22 +412,24 @@ func (x *DeleteUserResponse) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DeleteUserResponse.ProtoReflect.Descriptor instead.
 func (*DeleteUserResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_user_proto_rawDescGZIP(), []int{8}
+	return file_headscale_v1_user_proto_rawDescGZIP(), []int{6}
 }

 type ListUsersRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
+
+	Id    uint64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	Name  string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
+	Email string `protobuf:"bytes,3,opt,name=email,proto3" json:"email,omitempty"`
 }

 func (x *ListUsersRequest) Reset() {
 	*x = ListUsersRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_user_proto_msgTypes[9]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_user_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ListUsersRequest) String() string {
@@ -481,8 +439,8 @@ func (x *ListUsersRequest) String() string {
 func (*ListUsersRequest) ProtoMessage() {}

 func (x *ListUsersRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_user_proto_msgTypes[9]
-	if protoimpl.UnsafeEnabled && x != nil {
+	mi := &file_headscale_v1_user_proto_msgTypes[7]
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -494,7 +452,28 @@ func (x *ListUsersRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ListUsersRequest.ProtoReflect.Descriptor instead.
 func (*ListUsersRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_user_proto_rawDescGZIP(), []int{9}
+	return file_headscale_v1_user_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *ListUsersRequest) GetId() uint64 {
+	if x != nil {
+		return x.Id
+	}
+	return 0
+}
+
+func (x *ListUsersRequest) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *ListUsersRequest) GetEmail() string {
+	if x != nil {
+		return x.Email
+	}
+	return ""
 }

 type ListUsersResponse struct {
@@ -507,11 +486,9 @@ type ListUsersResponse struct {

 func (x *ListUsersResponse) Reset() {
 	*x = ListUsersResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_user_proto_msgTypes[10]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_headscale_v1_user_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }

 func (x *ListUsersResponse) String() string {
@@ -521,8 +498,8 @@ func (x *ListUsersResponse) String() string {
 func (*ListUsersResponse) ProtoMessage() {}

 func (x *ListUsersResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_user_proto_msgTypes[10]
-	if protoimpl.UnsafeEnabled && x != nil {
+	mi := &file_headscale_v1_user_proto_msgTypes[8]
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -534,7 +511,7 @@ func (x *ListUsersResponse) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ListUsersResponse.ProtoReflect.Descriptor instead.
 func (*ListUsersResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_user_proto_rawDescGZIP(), []int{10}
+	return file_headscale_v1_user_proto_rawDescGZIP(), []int{8}
 }

 func (x *ListUsersResponse) GetUsers() []*User {
@@ -551,47 +528,59 @@ var file_headscale_v1_user_proto_rawDesc = []byte{
 	0x73, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0c, 0x68, 0x65, 0x61, 0x64, 0x73,
 	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
-	0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x65, 0x0a, 0x04, 0x55, 0x73, 0x65, 0x72,
-	0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64,
-	0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
-	0x6e, 0x61, 0x6d, 0x65, 0x12, 0x39, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x5f,
-	0x61, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
-	0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x22,
-	0x24, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x04, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x39, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x55, 0x73, 0x65, 0x72,
+	0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x83, 0x02, 0x0a, 0x04, 0x55, 0x73, 0x65,
+	0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x02, 0x69,
+	0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x39, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64,
+	0x5f, 0x61, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
+	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65,
+	0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74,
+	0x12, 0x21, 0x0a, 0x0c, 0x64, 0x69, 0x73, 0x70, 0x6c, 0x61, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65,
+	0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x69, 0x73, 0x70, 0x6c, 0x61, 0x79, 0x4e,
+	0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x05, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x6f,
+	0x76, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a,
+	0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72,
+	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72,
+	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x26, 0x0a, 0x0f, 0x70, 0x72, 0x6f, 0x66, 0x69, 0x6c,
+	0x65, 0x5f, 0x70, 0x69, 0x63, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0d, 0x70, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x50, 0x69, 0x63, 0x55, 0x72, 0x6c, 0x22, 0x81,
+	0x01, 0x0a, 0x11, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x64, 0x69, 0x73, 0x70,
+	0x6c, 0x61, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b,
+	0x64, 0x69, 0x73, 0x70, 0x6c, 0x61, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65,
+	0x6d, 0x61, 0x69, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x6d, 0x61, 0x69,
+	0x6c, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x69, 0x63, 0x74, 0x75, 0x72, 0x65, 0x5f, 0x75, 0x72, 0x6c,
+	0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x69, 0x63, 0x74, 0x75, 0x72, 0x65, 0x55,
+	0x72, 0x6c, 0x22, 0x3c, 0x0a, 0x12, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72,
 	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72,
 	0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
 	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72,
-	0x22, 0x27, 0x0a, 0x11, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x3c, 0x0a, 0x12, 0x43, 0x72, 0x65,
-	0x61, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12,
-	0x26, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e,
-	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65,
-	0x72, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72, 0x22, 0x49, 0x0a, 0x11, 0x52, 0x65, 0x6e, 0x61, 0x6d,
-	0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08,
-	0x6f, 0x6c, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07,
-	0x6f, 0x6c, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x6e, 0x65, 0x77, 0x5f, 0x6e,
-	0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6e, 0x65, 0x77, 0x4e, 0x61,
-	0x6d, 0x65, 0x22, 0x3c, 0x0a, 0x12, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x55, 0x73, 0x65, 0x72,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
-	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72,
-	0x22, 0x27, 0x0a, 0x11, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x14, 0x0a, 0x12, 0x44, 0x65, 0x6c,
-	0x65, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x12, 0x0a, 0x10, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x22, 0x3d, 0x0a, 0x11, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x28, 0x0a, 0x05, 0x75, 0x73, 0x65, 0x72,
-	0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x52, 0x05, 0x75, 0x73, 0x65,
-	0x72, 0x73, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
-	0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x22, 0x45, 0x0a, 0x11, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x15, 0x0a, 0x06, 0x6f, 0x6c, 0x64, 0x5f, 0x69, 0x64, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x05, 0x6f, 0x6c, 0x64, 0x49, 0x64, 0x12, 0x19, 0x0a, 0x08,
+	0x6e, 0x65, 0x77, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07,
+	0x6e, 0x65, 0x77, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x3c, 0x0a, 0x12, 0x52, 0x65, 0x6e, 0x61, 0x6d,
+	0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x26, 0x0a,
+	0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x68, 0x65,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x52,
+	0x04, 0x75, 0x73, 0x65, 0x72, 0x22, 0x23, 0x0a, 0x11, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x55,
+	0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x02, 0x69, 0x64, 0x22, 0x14, 0x0a, 0x12, 0x44, 0x65,
+	0x6c, 0x65, 0x74, 0x65, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x22, 0x4c, 0x0a, 0x10, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04,
+	0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x6d, 0x61, 0x69,
+	0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x22, 0x3d,
+	0x0a, 0x11, 0x4c, 0x69, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x12, 0x28, 0x0a, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03,
+	0x28, 0x0b, 0x32, 0x12, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x52, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x42, 0x29, 0x5a,
+	0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e,
+	0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67,
+	0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@@ -606,32 +595,29 @@ func file_headscale_v1_user_proto_rawDescGZIP() []byte {
 	return file_headscale_v1_user_proto_rawDescData
 }

-var file_headscale_v1_user_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
+var file_headscale_v1_user_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
 var file_headscale_v1_user_proto_goTypes = []any{
 	(*User)(nil),                  // 0: headscale.v1.User
-	(*GetUserRequest)(nil),        // 1: headscale.v1.GetUserRequest
-	(*GetUserResponse)(nil),       // 2: headscale.v1.GetUserResponse
-	(*CreateUserRequest)(nil),     // 3: headscale.v1.CreateUserRequest
-	(*CreateUserResponse)(nil),    // 4: headscale.v1.CreateUserResponse
-	(*RenameUserRequest)(nil),     // 5: headscale.v1.RenameUserRequest
-	(*RenameUserResponse)(nil),    // 6: headscale.v1.RenameUserResponse
-	(*DeleteUserRequest)(nil),     // 7: headscale.v1.DeleteUserRequest
-	(*DeleteUserResponse)(nil),    // 8: headscale.v1.DeleteUserResponse
-	(*ListUsersRequest)(nil),      // 9: headscale.v1.ListUsersRequest
-	(*ListUsersResponse)(nil),     // 10: headscale.v1.ListUsersResponse
-	(*timestamppb.Timestamp)(nil), // 11: google.protobuf.Timestamp
+	(*CreateUserRequest)(nil),     // 1: headscale.v1.CreateUserRequest
+	(*CreateUserResponse)(nil),    // 2: headscale.v1.CreateUserResponse
+	(*RenameUserRequest)(nil),     // 3: headscale.v1.RenameUserRequest
+	(*RenameUserResponse)(nil),    // 4: headscale.v1.RenameUserResponse
+	(*DeleteUserRequest)(nil),     // 5: headscale.v1.DeleteUserRequest
+	(*DeleteUserResponse)(nil),    // 6: headscale.v1.DeleteUserResponse
+	(*ListUsersRequest)(nil),      // 7: headscale.v1.ListUsersRequest
+	(*ListUsersResponse)(nil),     // 8: headscale.v1.ListUsersResponse
+	(*timestamppb.Timestamp)(nil), // 9: google.protobuf.Timestamp
 }
 var file_headscale_v1_user_proto_depIdxs = []int32{
-	11, // 0: headscale.v1.User.created_at:type_name -> google.protobuf.Timestamp
-	0,  // 1: headscale.v1.GetUserResponse.user:type_name -> headscale.v1.User
-	0,  // 2: headscale.v1.CreateUserResponse.user:type_name -> headscale.v1.User
-	0,  // 3: headscale.v1.RenameUserResponse.user:type_name -> headscale.v1.User
-	0,  // 4: headscale.v1.ListUsersResponse.users:type_name -> headscale.v1.User
-	5,  // [5:5] is the sub-list for method output_type
-	5,  // [5:5] is the sub-list for method input_type
-	5,  // [5:5] is the sub-list for extension type_name
-	5,  // [5:5] is the sub-list for extension extendee
-	0,  // [0:5] is the sub-list for field type_name
+	9, // 0: headscale.v1.User.created_at:type_name -> google.protobuf.Timestamp
+	0, // 1: headscale.v1.CreateUserResponse.user:type_name -> headscale.v1.User
+	0, // 2: headscale.v1.RenameUserResponse.user:type_name -> headscale.v1.User
+	0, // 3: headscale.v1.ListUsersResponse.users:type_name -> headscale.v1.User
+	4, // [4:4] is the sub-list for method output_type
+	4, // [4:4] is the sub-list for method input_type
+	4, // [4:4] is the sub-list for extension type_name
+	4, // [4:4] is the sub-list for extension extendee
+	0, // [0:4] is the sub-list for field type_name
 }

 func init() { file_headscale_v1_user_proto_init() }
@@ -639,147 +625,13 @@ func file_headscale_v1_user_proto_init() {
 	if File_headscale_v1_user_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_headscale_v1_user_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*User); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_user_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*GetUserRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_user_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*GetUserResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_user_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*CreateUserRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_user_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*CreateUserResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_user_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*RenameUserRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_user_proto_msgTypes[6].Exporter = func(v any, i int) any {
-			switch v := v.(*RenameUserResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_user_proto_msgTypes[7].Exporter = func(v any, i int) any {
-			switch v := v.(*DeleteUserRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_user_proto_msgTypes[8].Exporter = func(v any, i int) any {
-			switch v := v.(*DeleteUserResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_user_proto_msgTypes[9].Exporter = func(v any, i int) any {
-			switch v := v.(*ListUsersRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_headscale_v1_user_proto_msgTypes[10].Exporter = func(v any, i int) any {
-			switch v := v.(*ListUsersResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_headscale_v1_user_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   11,
+			NumMessages:   9,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
--- a/gen/openapiv2/headscale/v1/headscale.swagger.json
+++ b/gen/openapiv2/headscale/v1/headscale.swagger.json
@@ -484,10 +484,12 @@
            "format": "uint64"
          },
          {
-            "name": "user",
-            "in": "query",
-            "required": false,
-            "type": "string"
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/HeadscaleServiceMoveNodeBody"
+            }
          }
        ],
        "tags": [
@@ -774,11 +776,33 @@
            }
          }
        },
+        "parameters": [
+          {
+            "name": "id",
+            "in": "query",
+            "required": false,
+            "type": "string",
+            "format": "uint64"
+          },
+          {
+            "name": "name",
+            "in": "query",
+            "required": false,
+            "type": "string"
+          },
+          {
+            "name": "email",
+            "in": "query",
+            "required": false,
+            "type": "string"
+          }
+        ],
        "tags": [
          "HeadscaleService"
        ]
      },
      "post": {
+        "summary": "--- User start ---",
        "operationId": "HeadscaleService_CreateUser",
        "responses": {
          "200": {
@@ -809,36 +833,7 @@
        ]
      }
    },
-    "/api/v1/user/{name}": {
-      "get": {
-        "summary": "--- User start ---",
-        "operationId": "HeadscaleService_GetUser",
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/v1GetUserResponse"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/rpcStatus"
-            }
-          }
-        },
-        "parameters": [
-          {
-            "name": "name",
-            "in": "path",
-            "required": true,
-            "type": "string"
-          }
-        ],
-        "tags": [
-          "HeadscaleService"
-        ]
-      },
+    "/api/v1/user/{id}": {
      "delete": {
        "operationId": "HeadscaleService_DeleteUser",
        "responses": {
@@ -857,10 +852,11 @@
        },
        "parameters": [
          {
-            "name": "name",
+            "name": "id",
            "in": "path",
            "required": true,
-            "type": "string"
+            "type": "string",
+            "format": "uint64"
          }
        ],
        "tags": [
@@ -868,7 +864,7 @@
        ]
      }
    },
-    "/api/v1/user/{oldName}/rename/{newName}": {
+    "/api/v1/user/{oldId}/rename/{newName}": {
      "post": {
        "operationId": "HeadscaleService_RenameUser",
        "responses": {
@@ -887,10 +883,11 @@
        },
        "parameters": [
          {
-            "name": "oldName",
+            "name": "oldId",
            "in": "path",
            "required": true,
-            "type": "string"
+            "type": "string",
+            "format": "uint64"
          },
          {
            "name": "newName",
@@ -906,6 +903,14 @@
    }
  },
  "definitions": {
+    "HeadscaleServiceMoveNodeBody": {
+      "type": "object",
+      "properties": {
+        "user": {
+          "type": "string"
+        }
+      }
+    },
    "HeadscaleServiceSetTagsBody": {
      "type": "object",
      "properties": {
@@ -1034,6 +1039,15 @@
      "properties": {
        "name": {
          "type": "string"
+        },
+        "displayName": {
+          "type": "string"
+        },
+        "email": {
+          "type": "string"
+        },
+        "pictureUrl": {
+          "type": "string"
        }
      }
    },
@@ -1168,14 +1182,6 @@
        }
      }
    },
-    "v1GetUserResponse": {
-      "type": "object",
-      "properties": {
-        "user": {
-          "$ref": "#/definitions/v1User"
-        }
-      }
-    },
    "v1ListApiKeysResponse": {
      "type": "object",
      "properties": {
@@ -1443,7 +1449,8 @@
      "type": "object",
      "properties": {
        "id": {
-          "type": "string"
+          "type": "string",
+          "format": "uint64"
        },
        "name": {
          "type": "string"
@@ -1451,6 +1458,21 @@
        "createdAt": {
          "type": "string",
          "format": "date-time"
+        },
+        "displayName": {
+          "type": "string"
+        },
+        "email": {
+          "type": "string"
+        },
+        "providerId": {
+          "type": "string"
+        },
+        "provider": {
+          "type": "string"
+        },
+        "profilePicUrl": {
+          "type": "string"
        }
      }
    }
--- a/go.mod
+++ b/go.mod
@@ -1,53 +1,81 @@
 module github.com/juanfont/headscale

-go 1.23.0
+go 1.23.1

 require (
 	github.com/AlecAivazis/survey/v2 v2.3.7
+	github.com/cenkalti/backoff/v4 v4.3.0
+	github.com/chasefleming/elem-go v0.30.0
+	github.com/coder/websocket v1.8.12
 	github.com/coreos/go-oidc/v3 v3.11.0
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
-	github.com/deckarep/golang-set/v2 v2.6.0
+	github.com/fsnotify/fsnotify v1.8.0
 	github.com/glebarez/sqlite v1.11.0
-	github.com/go-gormigrate/gormigrate/v2 v2.1.2
+	github.com/go-gormigrate/gormigrate/v2 v2.1.3
 	github.com/gofrs/uuid/v5 v5.3.0
 	github.com/google/go-cmp v0.6.0
 	github.com/gorilla/mux v1.8.1
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0
 	github.com/jagottsicher/termcolor v1.0.2
-	github.com/klauspost/compress v1.17.9
+	github.com/klauspost/compress v1.17.11
 	github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25
 	github.com/ory/dockertest/v3 v3.11.0
-	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
 	github.com/pkg/profile v1.7.0
-	github.com/prometheus/client_golang v1.20.2
-	github.com/prometheus/common v0.58.0
-	github.com/pterm/pterm v0.12.79
+	github.com/prometheus/client_golang v1.20.5
+	github.com/prometheus/common v0.61.0
+	github.com/pterm/pterm v0.12.80
 	github.com/puzpuzpuz/xsync/v3 v3.4.0
 	github.com/rs/zerolog v1.33.0
 	github.com/samber/lo v1.47.0
 	github.com/sasha-s/go-deadlock v0.3.5
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.20.0-alpha.6
-	github.com/stretchr/testify v1.9.0
-	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
-	github.com/tailscale/tailsql v0.0.0-20240418235827-820559f382c1
+	github.com/stretchr/testify v1.10.0
+	github.com/tailscale/hujson v0.0.0-20241010212012-29efb4a0184b
+	github.com/tailscale/tailsql v0.0.0-20241211062219-bf96884c6a49
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.26.0
-	golang.org/x/exp v0.0.0-20240823005443-9b4947da3948
-	golang.org/x/net v0.28.0
-	golang.org/x/oauth2 v0.22.0
-	golang.org/x/sync v0.8.0
-	google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1
-	google.golang.org/grpc v1.66.0
-	google.golang.org/protobuf v1.34.2
+	golang.org/x/crypto v0.31.0
+	golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e
+	golang.org/x/net v0.32.0
+	golang.org/x/oauth2 v0.24.0
+	golang.org/x/sync v0.10.0
+	google.golang.org/genproto/googleapis/api v0.0.0-20241216192217-9240e9c98484
+	google.golang.org/grpc v1.69.0
+	google.golang.org/protobuf v1.36.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v3 v3.0.1
-	gorm.io/driver/postgres v1.5.9
-	gorm.io/gorm v1.25.11
-	tailscale.com v1.72.1
+	gorm.io/driver/postgres v1.5.11
+	gorm.io/gorm v1.25.12
+	tailscale.com v1.79.0-pre
+	zgo.at/zcache/v2 v2.1.0
+	zombiezen.com/go/postgrestest v1.0.1
+)
+
+// NOTE: modernc sqlite has a fragile dependency
+// chain and it is important that they are updated
+// in lockstep to ensure that they do not break
+// some architectures and similar at runtime:
+// https://github.com/juanfont/headscale/issues/2188
+//
+// Fragile libc dependency:
+// https://pkg.go.dev/modernc.org/sqlite#hdr-Fragile_modernc_org_libc_dependency
+// https://gitlab.com/cznic/sqlite/-/issues/177
+//
+// To upgrade, determine the new SQLite version to
+// be used, and consult the `go.mod` file:
+// https://gitlab.com/cznic/sqlite/-/blob/master/go.mod
+// to find
+// the appropriate `libc` version, then upgrade them
+// together, e.g:
+// go get modernc.org/libc@v1.55.3 modernc.org/sqlite@v1.33.1
+require (
+	modernc.org/libc v1.55.3 // indirect
+	modernc.org/mathutil v1.6.0 // indirect
+	modernc.org/memory v1.8.0 // indirect
+	modernc.org/sqlite v1.33.1 // indirect
 )

 require (
@@ -61,38 +89,35 @@ require (
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
-	github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.26.6 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.11 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.45.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
-	github.com/aws/smithy-go v1.19.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
+	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bits-and-blooms/bitset v1.13.0 // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/coder/websocket v1.8.12 // indirect
 	github.com/containerd/console v1.0.4 // indirect
-	github.com/containerd/continuity v0.4.3 // indirect
+	github.com/containerd/continuity v0.4.5 // indirect
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
-	github.com/creachadair/mds v0.14.5 // indirect
+	github.com/creachadair/mds v0.20.0 // indirect
 	github.com/dblohm7/wingoes v0.0.0-20240123200102-b75a8a7d7eb0 // indirect
 	github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e // indirect
-	github.com/docker/cli v27.2.0+incompatible // indirect
-	github.com/docker/docker v27.2.0+incompatible // indirect
+	github.com/docker/cli v27.4.0+incompatible // indirect
+	github.com/docker/docker v27.4.0+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/fgprof v0.9.5 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
 	github.com/gaissmai/bart v0.11.1 // indirect
 	github.com/glebarez/go-sqlite v1.22.0 // indirect
@@ -100,7 +125,7 @@ require (
 	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 	github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.1.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
@@ -110,7 +135,7 @@ require (
 	github.com/google/go-github v17.0.0+incompatible // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 // indirect
-	github.com/google/pprof v0.0.0-20240829160300-da1f7e9f2b25 // indirect
+	github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gookit/color v1.5.4 // indirect
@@ -118,13 +143,13 @@ require (
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
-	github.com/illarion/gonotify v1.0.1 // indirect
+	github.com/illarion/gonotify/v2 v2.0.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/insomniacslk/dhcp v0.0.0-20240129002554-15c9b8791914 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.6.0 // indirect
-	github.com/jackc/puddle/v2 v2.2.1 // indirect
+	github.com/jackc/pgx/v5 v5.7.1 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -134,6 +159,7 @@ require (
 	github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
@@ -146,14 +172,15 @@ require (
 	github.com/miekg/dns v1.1.58 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/sys/user v0.3.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/opencontainers/runc v1.1.14 // indirect
+	github.com/opencontainers/runc v1.2.3 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
-	github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7 // indirect
+	github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43 // indirect
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
@@ -162,7 +189,7 @@ require (
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/rogpeppe/go-internal v1.12.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
 	github.com/sagikazarmark/locafero v0.6.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
@@ -175,15 +202,14 @@ require (
 	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
 	github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4 // indirect
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 // indirect
-	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 // indirect
+	github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 // indirect
 	github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 // indirect
-	github.com/tailscale/setec v0.0.0-20240314234648-9da8e7407257 // indirect
-	github.com/tailscale/squibble v0.0.0-20240418235321-9ee0eeb78185 // indirect
+	github.com/tailscale/setec v0.0.0-20240930150730-e6eb93658ed3 // indirect
+	github.com/tailscale/squibble v0.0.0-20240909231413-32a80b9743f7 // indirect
 	github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 // indirect
-	github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98 // indirect
+	github.com/tailscale/wireguard-go v0.0.0-20241113014420-4e883d38c8d3 // indirect
 	github.com/tcnksm/go-httpstat v0.2.0 // indirect
 	github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e // indirect
-	github.com/vishvananda/netlink v1.2.1-beta.2 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
@@ -192,19 +218,15 @@ require (
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
-	golang.org/x/mod v0.20.0 // indirect
-	golang.org/x/sys v0.24.0 // indirect
-	golang.org/x/term v0.23.0 // indirect
-	golang.org/x/text v0.17.0 // indirect
+	golang.org/x/mod v0.22.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.24.0 // indirect
+	golang.org/x/tools v0.28.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241216192217-9240e9c98484 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987 // indirect
-	modernc.org/libc v1.60.1 // indirect
-	modernc.org/mathutil v1.6.0 // indirect
-	modernc.org/memory v1.8.0 // indirect
-	modernc.org/sqlite v1.32.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -18,8 +18,8 @@ github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1r
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
-github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs=
+github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/MarvinJWendt/testza v0.1.0/go.mod h1:7AxNvlfeHP7Z/hDQ5JtE3OKYT3XFUeLCDE2DQninSqs=
 github.com/MarvinJWendt/testza v0.2.1/go.mod h1:God7bhG8n6uQxwdScay+gjm9/LnO4D3kkcZX4hv9Rp8=
 github.com/MarvinJWendt/testza v0.2.8/go.mod h1:nwIcjmr0Zz+Rcwfh3/4UhBp7ePKVhuBExvZqnKYWlII=
@@ -42,44 +42,44 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1L
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/atomicgo/cursor v0.0.1/go.mod h1:cBON2QmmrysudxNBFthvMtN32r3jxVRIvzkUiF/RuIk=
-github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU=
-github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 h1:OCs21ST2LrepDfD3lwlQiOqIGp6JiEUqG84GzTDoyJs=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4/go.mod h1:usURWEKSNNAcAZuzRn/9ZYPT8aZQkR7xcCtunK/LkJo=
-github.com/aws/aws-sdk-go-v2/config v1.26.6 h1:Z/7w9bUqlRI0FFQpetVuFYEsjzE3h7fpU6HuGmfPL/o=
-github.com/aws/aws-sdk-go-v2/config v1.26.6/go.mod h1:uKU6cnDmYCvJ+pxO9S4cWDb2yWWIH5hra+32hVh1MI4=
-github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8=
-github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 h1:n3GDfwqF2tzEkXlv5cuy4iy7LpKDtqDMcNLfZDu9rls=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.9 h1:ugD6qzjYtB7zM5PN/ZIeaAIyefPaD82G8+SJopgvUpw=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.9/go.mod h1:YD0aYBWCrPENpHolhKw2XDlTIWae2GKXT1T4o6N6hiM=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.9 h1:/90OR2XbSYfXucBMJ4U14wrjlfleq/0SB6dZDPncgmo=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.9/go.mod h1:dN/Of9/fNZet7UrQQ6kTDo/VSwKPIq94vjlU16bRARc=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.9 h1:iEAeF6YC3l4FzlJPP9H3Ko1TXpdjdqWffxXjp8SY6uk=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.9/go.mod h1:kjsXoK23q9Z/tLBrckZLLyvjhZoS+AGrzqzUfEClvMM=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.47.7 h1:o0ASbVwUAIrfp/WcCac+6jioZt4Hd8k/1X8u7GJ/QeM=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.47.7/go.mod h1:vADO6Jn+Rq4nDtfwNjhgR84qkZwiC6FqCaXdw/kYwjA=
+github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA=
+github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg=
+github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA=
+github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 h1:81KE7vaZzrl7yHBYHVEzYB8sypz11NMOZ40YlWvPxsU=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5/go.mod h1:LIt2rg7Mcgn09Ygbdh/RdIm0rQ+3BNkbP1gyVMFtRK0=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 h1:ZMeFZ5yk+Ek+jNr1+uwCd2tG89t6oTS5yVWpa6yy2es=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7/go.mod h1:mxV05U+4JiHqIpGqqYXOHLPKUC6bDXC44bsUhNjOEwY=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 h1:f9RyWNtS8oH7cZlbn+/JNPpjUk5+5fLd5lM9M0i49Ys=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5/go.mod h1:h5CoMZV2VF297/VLhRhO1WF+XYWOzXo+4HsObA4HjBQ=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1 h1:6cnno47Me9bRykw9AEv9zkXE+5or7jz8TsskTTccbgc=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1/go.mod h1:qmdkIIAC+GCLASF7R2whgNrJADz0QZPX+Seiw/i4S3o=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.45.0 h1:IOdss+igJDFdic9w3WKwxGCmHqUxydvIhJOm9LJ32Dk=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.45.0/go.mod h1:Q7XIWsMo0JcMpI/6TGD6XXcXcV1DbTj6e9BKNntIMIM=
-github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow=
-github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8=
-github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U=
-github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
-github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.6/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw=
+github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
+github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
@@ -90,6 +90,8 @@ github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyY
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/chasefleming/elem-go v0.30.0 h1:BlhV1ekv1RbFiM8XZUQeln1Ikb4D+bu2eDO4agREvok=
+github.com/chasefleming/elem-go v0.30.0/go.mod h1:hz73qILBIKnTgOujnSMtEj20/epI+f6vg71RUilJAA4=
 github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs=
 github.com/chromedp/chromedp v0.9.2/go.mod h1:LkSXJKONWTCHAfQasKFUZI+mxqS4tZqhmtGzzhLsnLs=
 github.com/chromedp/sysutil v1.0.0/go.mod h1:kgWmDdq8fTzXYcKIBqIYvRRTnYb9aNS9moAV0xufSww=
@@ -99,8 +101,8 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
-github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
-github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
+github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok=
+github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
@@ -108,16 +110,16 @@ github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3C
 github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
 github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn4ro=
 github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
-github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8=
-github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
+github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
+github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 h1:8h5+bWd7R6AYUslN6c6iuZWTKsKxUFDlpnmilO6R2n0=
 github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
 github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/creachadair/mds v0.14.5 h1:2amuO4yCbQkaAyDoLO5iCbwbTRQZz4EpRhOejQbf4+8=
-github.com/creachadair/mds v0.14.5/go.mod h1:4vrFYUzTXMJpMBU+OA292I6IUxKWCCfZkgXg+/kBZMo=
+github.com/creachadair/mds v0.20.0 h1:bXQO154c2TDgCY+rRmdIfUqjeqGYejmZ/QayeTNwbp8=
+github.com/creachadair/mds v0.20.0/go.mod h1:4b//mUiL8YldH6TImXjmW45myzTLNS1LLjOmrk888eg=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
@@ -128,16 +130,14 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dblohm7/wingoes v0.0.0-20240123200102-b75a8a7d7eb0 h1:vrC07UZcgPzu/OjWsmQKMGg3LoPSz9jh/pQXIrHjUj4=
 github.com/dblohm7/wingoes v0.0.0-20240123200102-b75a8a7d7eb0/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
-github.com/deckarep/golang-set/v2 v2.6.0 h1:XfcQbWM1LlMB8BsJ8N9vW5ehnnPVIw0je80NsVHagjM=
-github.com/deckarep/golang-set/v2 v2.6.0/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4=
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e h1:vUmf0yezR0y7jJ5pceLHthLaYf4bA5T14B6q39S4q2Q=
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e/go.mod h1:YTIHhz/QFSYnu/EhlF2SpU2Uk+32abacUYA5ZPljz1A=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v27.2.0+incompatible h1:yHD1QEB1/0vr5eBNpu8tncu8gWxg8EydFPOSKHzXSMM=
-github.com/docker/cli v27.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4=
-github.com/docker/docker v27.2.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/cli v27.4.0+incompatible h1:/nJzWkcI1MDMN+U+px/YXnQWJqnu4J+QKGTfD6ptiTc=
+github.com/docker/cli v27.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v27.4.0+incompatible h1:I9z7sQ5qyzO0BfAb9IMOawRkAGxhYsidKiTMcm0DU+A=
+github.com/docker/docker v27.4.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -155,8 +155,8 @@ github.com/felixge/fgprof v0.9.5 h1:8+vR6yu2vvSKn08urWyEuxx75NWPEvybbkBirEpsbVY=
 github.com/felixge/fgprof v0.9.5/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
 github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/gaissmai/bart v0.11.1 h1:5Uv5XwsaFBRo4E5VBcb9TzY8B7zxFf+U7isDxqOrRfc=
@@ -167,8 +167,8 @@ github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec
 github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
 github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
 github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
-github.com/go-gormigrate/gormigrate/v2 v2.1.2 h1:F/d1hpHbRAvKezziV2CC5KUE82cVe9zTgHSBoOOZ4CY=
-github.com/go-gormigrate/gormigrate/v2 v2.1.2/go.mod h1:9nHVX6z3FCMCQPA7PThGcA55t22yKQfK/Dnsf5i7hUo=
+github.com/go-gormigrate/gormigrate/v2 v2.1.3 h1:ei3Vq/rpPI/jCJY9mRHJAKg5vU+EhZyWhBAkaAomQuw=
+github.com/go-gormigrate/gormigrate/v2 v2.1.3/go.mod h1:VJ9FIOBAur+NmQ8c4tDVwOuiJcgupTG105FexPFrXzA=
 github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
 github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
@@ -177,13 +177,17 @@ github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 h1:ymLjT4f
 github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0/go.mod h1:6daplAwHHGbUGib4990V3Il26O0OC4aRyvewaaAihaA=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
 github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-viper/mapstructure/v2 v2.1.0 h1:gHnMa2Y/pIxElCH2GlZZ1lZSsn6XMtufpGyP1XxdC/w=
-github.com/go-viper/mapstructure/v2 v2.1.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
+github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
@@ -222,8 +226,8 @@ github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 h1:wG8RYIyctLhdF
 github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806/go.mod h1:Beg6V6zZ3oEn0JuiUQ4wqwuyqqzasOltcoXPtgLbFp4=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
-github.com/google/pprof v0.0.0-20240829160300-da1f7e9f2b25 h1:sEDPKUw6iPjczdu33njxFjO6tYa9bfc0z/QyB/zSsBw=
-github.com/google/pprof v0.0.0-20240829160300-da1f7e9f2b25/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad h1:a6HEuzUHeKH6hwfN/ZoQgRgVIWFJljSWa/zetS2WTvg=
+github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -240,8 +244,8 @@ github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kX
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 h1:TmHmbvxPmaegwhDubVz0lICL0J5Ka2vwTzhoePEXsGE=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0/go.mod h1:qztMSjm835F2bXf+5HKAPIS5qsmQDqZna/PgVt4rWtI=
 github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
@@ -252,8 +256,8 @@ github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
 github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
 github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
-github.com/illarion/gonotify v1.0.1 h1:F1d+0Fgbq/sDWjj/r66ekjDG+IDeecQKUFH4wNwsoio=
-github.com/illarion/gonotify v1.0.1/go.mod h1:zt5pmDofZpU1f8aqlK0+95eQhoEAn/d4G4B/FjVW4jE=
+github.com/illarion/gonotify/v2 v2.0.3 h1:B6+SKPo/0Sw8cRJh1aLzNEeNVFfzE3c6N+o+vyxM+9A=
+github.com/illarion/gonotify/v2 v2.0.3/go.mod h1:38oIJTgFqupkEydkkClkbL6i5lXV/bxdH9do5TALPEE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/insomniacslk/dhcp v0.0.0-20240129002554-15c9b8791914 h1:kD8PseueGeYiid/Mmcv17Q0Qqicc4F46jcX22L/e/Hs=
@@ -262,10 +266,10 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.6.0 h1:SWJzexBzPL5jb0GEsrPMLIsi/3jOo7RHlzTjcAeDrPY=
-github.com/jackc/pgx/v5 v5.6.0/go.mod h1:DNZ/vlrUnhWCoFGxHAG8U2ljioxukquj7utPDgtQdTw=
-github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
-github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jackc/pgx/v5 v5.7.1 h1:x7SYsPBYDkHDksogeSmZZ5xzThcTgRz++I5E+ePFUcs=
+github.com/jackc/pgx/v5 v5.7.1/go.mod h1:e7O26IywZZ+naJtWWos6i6fvWK+29etgITqrqHLfoZA=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jagottsicher/termcolor v1.0.2 h1:fo0c51pQSuLBN1+yVX2ZE+hE+P7ULb/TY8eRowJnrsM=
 github.com/jagottsicher/termcolor v1.0.2/go.mod h1:RcH8uFwF/0wbEdQmi83rjmlJ+QOKdMSE9Rc1BEB7zFo=
 github.com/jellydator/ttlcache/v3 v3.1.0 h1:0gPFG0IHHP6xyUyXq+JaD8fwkDCqgqwohXNJBcYE71g=
@@ -288,8 +292,8 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNU
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
-github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.10/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
@@ -311,6 +315,7 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs=
+github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
@@ -344,6 +349,8 @@ github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
+github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
@@ -358,18 +365,17 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/opencontainers/runc v1.1.14 h1:rgSuzbmgz5DUJjeSnw337TxDbRuqjs6iqQck/2weR6w=
-github.com/opencontainers/runc v1.1.14/go.mod h1:E4C2z+7BxR7GHXp0hAY53mek+x49X1LjPNeMTfRGvOA=
+github.com/opencontainers/runc v1.2.3 h1:fxE7amCzfZflJO2lHXf4y/y8M1BoAqp+FVmG19oYB80=
+github.com/opencontainers/runc v1.2.3/go.mod h1:nSxcWUydXrsBZVYNSkTjoQ/N6rcyTtn+1SD5D4+kRIM=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
 github.com/ory/dockertest/v3 v3.11.0 h1:OiHcxKAvSDUwsEVh2BjxQQc/5EHz9n0va9awCtNGuyA=
 github.com/ory/dockertest/v3 v3.11.0/go.mod h1:VIPxS1gwT9NpPOrfD3rACs8Y9Z7yhzO4SB194iUDnUI=
-github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
-github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
-github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7 h1:Dx7Ovyv/SFnMFw3fD4oEoeorXc6saIiQ23LrGLth0Gw=
 github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
+github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43 h1:ah1dvbqPMN5+ocrg/ZSgZ6k8bOk+kcZQ7fnyx6UvOm4=
+github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
 github.com/philip-bui/grpc-zerolog v1.0.1 h1:EMacvLRUd2O1K0eWod27ZP5CY1iTNkhBDLSN+Q4JEvA=
 github.com/philip-bui/grpc-zerolog v1.0.1/go.mod h1:qXbiq/2X4ZUMMshsqlWyTHOcw7ns+GZmlqZZN05ZHcQ=
 github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
@@ -388,13 +394,13 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus-community/pro-bing v0.4.0 h1:YMbv+i08gQz97OZZBwLyvmmQEEzyfyrrjEaAchdy3R4=
 github.com/prometheus-community/pro-bing v0.4.0/go.mod h1:b7wRYZtCcPmt4Sz319BykUU241rWLe1VFXyiyWK/dH4=
-github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg=
-github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
+github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
+github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.58.0 h1:N+N8vY4/23r6iYfD3UQZUoJPnUYAo7v6LG5XZxjZTXo=
-github.com/prometheus/common v0.58.0/go.mod h1:GpWM7dewqmVYcd7SmRaiWVe9SSqjf0UrwnYnpEZNuT0=
+github.com/prometheus/common v0.61.0 h1:3gv/GThfX0cV2lpO7gkTUwZru38mxevy90Bj8YFSRQQ=
+github.com/prometheus/common v0.61.0/go.mod h1:zr29OCN/2BsJRaFwG8QOBr41D6kkchKbpeNH7pAjb/s=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/pterm/pterm v0.12.27/go.mod h1:PhQ89w4i95rhgE+xedAoqous6K9X+r6aSOI2eFF7DZI=
@@ -404,8 +410,8 @@ github.com/pterm/pterm v0.12.31/go.mod h1:32ZAWZVXD7ZfG0s8qqHXePte42kdz8ECtRyEej
 github.com/pterm/pterm v0.12.33/go.mod h1:x+h2uL+n7CP/rel9+bImHD5lF3nM9vJj80k9ybiiTTE=
 github.com/pterm/pterm v0.12.36/go.mod h1:NjiL09hFhT/vWjQHSj1athJpx6H8cjpHXNAK5bUw8T8=
 github.com/pterm/pterm v0.12.40/go.mod h1:ffwPLwlbXxP+rxT0GsgDTzS3y3rmpAO1NMjUkGTYf8s=
-github.com/pterm/pterm v0.12.79 h1:lH3yrYMhdpeqX9y5Ep1u7DejyHy7NSQg9qrBjF9dFT4=
-github.com/pterm/pterm v0.12.79/go.mod h1:1v/gzOF1N0FsjbgTHZ1wVycRkKiatFvJSJC4IGaQAAo=
+github.com/pterm/pterm v0.12.80 h1:mM55B+GnKUnLMUSqhdINe4s6tOuVQIetQ3my8JGyAIg=
+github.com/pterm/pterm v0.12.80/go.mod h1:c6DeF9bSnOSeFPZlfs4ZRAFcf5SCoTwvwQ5xaKGQlHo=
 github.com/puzpuzpuz/xsync/v3 v3.4.0 h1:DuVBAdXuGFHv8adVXjWWZ63pJq+NRXOWVXlKDBZ+mJ4=
 github.com/puzpuzpuz/xsync/v3 v3.4.0/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
@@ -414,8 +420,8 @@ github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJ
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
 github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
@@ -458,8 +464,8 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
@@ -470,24 +476,24 @@ github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4 h1:rXZGg
 github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
-github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
-github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
-github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
-github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
+github.com/tailscale/hujson v0.0.0-20241010212012-29efb4a0184b h1:MNaGusDfB1qxEsl6iVb33Gbe777IKzPP5PDta0xGC8M=
+github.com/tailscale/hujson v0.0.0-20241010212012-29efb4a0184b/go.mod h1:EbW0wDK/qEUYI0A5bqq0C2kF8JTQwWONmGDBbzsxxHo=
+github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
+github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 h1:Gz0rz40FvFVLTBk/K8UNAenb36EbDSnh+q7Z9ldcC8w=
 github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4/go.mod h1:phI29ccmHQBc+wvroosENp1IF9195449VDnFDhJ4rJU=
-github.com/tailscale/setec v0.0.0-20240314234648-9da8e7407257 h1:6WsbDYsikRNmmbfZoRoyIEA9tfl0aspPAE0t7nBj2B4=
-github.com/tailscale/setec v0.0.0-20240314234648-9da8e7407257/go.mod h1:hrq01/0LUDZf4mMkcZ7Ovmy33jvCi4RpESpb9kPxV6E=
-github.com/tailscale/squibble v0.0.0-20240418235321-9ee0eeb78185 h1:zT+qB+2Ghulj50d5Wq6h6vQYqD2sPdhy4FF6+FHedVE=
-github.com/tailscale/squibble v0.0.0-20240418235321-9ee0eeb78185/go.mod h1:LoIjI6z/6efr9ebISQ5l2vjQmjc8QJrAYZdy3Ec3sVs=
-github.com/tailscale/tailsql v0.0.0-20240418235827-820559f382c1 h1:wmsnxEEuRlgK7Bhdkmm0JGrjjc0JoHZThLLo0WXXbLs=
-github.com/tailscale/tailsql v0.0.0-20240418235827-820559f382c1/go.mod h1:XN193fbz9RR/5stlWPMMIZR+TTa1BUkDJm5Azwzxwgw=
+github.com/tailscale/setec v0.0.0-20240930150730-e6eb93658ed3 h1:Zk341hE1rcVUcDwA9XKmed2acHGGlbeFQzje6gvkuFo=
+github.com/tailscale/setec v0.0.0-20240930150730-e6eb93658ed3/go.mod h1:nexjfRM8veJVJ5PTbqYI2YrUj/jbk3deffEHO3DH9Q4=
+github.com/tailscale/squibble v0.0.0-20240909231413-32a80b9743f7 h1:nfklwaP8uNz2IbUygSKOQ1aDzzRRRLaIbPpnQWUUMGc=
+github.com/tailscale/squibble v0.0.0-20240909231413-32a80b9743f7/go.mod h1:YH/J7n7jNZOq10nTxxPANv2ha/Eg47/6J5b7NnOYAhQ=
+github.com/tailscale/tailsql v0.0.0-20241211062219-bf96884c6a49 h1:QFXXdoiYFiUS7a6DH7zE6Uacz3wMzH/1/VvWLnR9To4=
+github.com/tailscale/tailsql v0.0.0-20241211062219-bf96884c6a49/go.mod h1:IX3F8T6iILmg94hZGkkOf6rmjIHJCXNVqxOpiSUwHQQ=
 github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 h1:tdUdyPqJ0C97SJfjB9tW6EylTtreyee9C44de+UBG0g=
 github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
-github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98 h1:RNpJrXfI5u6e+uzyIzvmnXbhmhdRkVf//90sMBH3lso=
-github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
+github.com/tailscale/wireguard-go v0.0.0-20241113014420-4e883d38c8d3 h1:dmoPb3dG27tZgMtrvqfD/LW4w7gA6BSWl8prCPNmkCQ=
+github.com/tailscale/wireguard-go v0.0.0-20241113014420-4e883d38c8d3/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
@@ -502,8 +508,6 @@ github.com/u-root/u-root v0.12.0 h1:K0AuBFriwr0w/PGS3HawiAw89e3+MU7ks80GpghAsNs=
 github.com/u-root/u-root v0.12.0/go.mod h1:FYjTOh4IkIZHhjsd17lb8nYW6udgXdJhG1c0r6u0arI=
 github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e h1:BA9O3BmlTmpjbvajAwzWx4Wo2TRVdpPXZEeemGQcajw=
 github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
-github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
-github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
@@ -522,6 +526,16 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJu
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U=
+go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg=
+go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M=
+go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8=
+go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk=
+go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0=
+go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc=
+go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8=
+go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM=
+go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
@@ -537,13 +551,13 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
-golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 h1:kx6Ds3MlpiUHKj7syVnbp57++8WpuKPcR5yjLBjvLEA=
-golang.org/x/exp v0.0.0-20240823005443-9b4947da3948/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ=
-golang.org/x/exp/typeparams v0.0.0-20240119083558-1b970713d09a h1:8qmSSA8Gz/1kTrCe0nqR0R3Gb/NDhykzWw2q2mWZydM=
-golang.org/x/exp/typeparams v0.0.0-20240119083558-1b970713d09a/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
+golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e h1:4qufH0hlUYs6AO6XmZC3GqfDPGSXHVXUFR6OND+iJX4=
+golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c=
+golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
+golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.18.0 h1:jGzIakQa/ZXI1I0Fxvaa9W7yP25TqT6cHIHn+6CqvSQ=
 golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -554,8 +568,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
-golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -568,11 +582,11 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
-golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
+golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
+golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
-golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
+golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -581,8 +595,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -614,8 +628,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
-golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -623,8 +637,8 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU=
-golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -632,8 +646,8 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -647,8 +661,8 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
-golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
+golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8=
+golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -662,19 +676,19 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc=
-google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto/googleapis/api v0.0.0-20241216192217-9240e9c98484 h1:ChAdCYNQFDk5fYvFZMywKLIijG7TC2m1C2CMEu11G3o=
+google.golang.org/genproto/googleapis/api v0.0.0-20241216192217-9240e9c98484/go.mod h1:KRUmxRI4JmbpAm8gcZM4Jsffi859fo5LQjILwuqj9z8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241216192217-9240e9c98484 h1:Z7FRVJPSMaHQxD0uXU8WdgFh8PseLM8Q8NzhnpMrBhQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241216192217-9240e9c98484/go.mod h1:lcTa1sDdWEIHMWlITnIczmw5w60CF9ffkb8Z+DVmmjA=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c=
-google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/grpc v1.69.0 h1:quSiOM1GJPmPH5XtU+BCoVXcDVJJAzNcoyfC2cCjGkI=
+google.golang.org/grpc v1.69.0/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
+google.golang.org/protobuf v1.36.0 h1:mjIs9gYtt56AzC4ZaffQuh88TZurBGhIJMBZGSxNerQ=
+google.golang.org/protobuf v1.36.0/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -689,32 +703,32 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gorm.io/driver/postgres v1.5.9 h1:DkegyItji119OlcaLjqN11kHoUgZ/j13E0jkJZgD6A8=
-gorm.io/driver/postgres v1.5.9/go.mod h1:DX3GReXH+3FPWGrrgffdvCk3DQ1dwDPdmbenSkweRGI=
-gorm.io/gorm v1.25.11 h1:/Wfyg1B/je1hnDx3sMkX+gAlxrlZpn6X0BXRlwXlvHg=
-gorm.io/gorm v1.25.11/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
+gorm.io/driver/postgres v1.5.11 h1:ubBVAfbKEUld/twyKZ0IYn9rSQh448EdelLYk9Mv314=
+gorm.io/driver/postgres v1.5.11/go.mod h1:DX3GReXH+3FPWGrrgffdvCk3DQ1dwDPdmbenSkweRGI=
+gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
+gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987 h1:TU8z2Lh3Bbq77w0t1eG8yRlLcNHzZu3x6mhoH2Mk0c8=
 gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987/go.mod h1:sxc3Uvk/vHcd3tj7/DHVBoR5wvWT/MmRq2pj7HRJnwU=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.4.7 h1:9MDAWxMoSnB6QoSqiVr7P5mtkT9pOc1kSxchzPCnqJs=
-honnef.co/go/tools v0.4.7/go.mod h1:+rnGS1THNh8zMwnd2oVOTL9QF6vmfyG6ZXBULae2uc0=
+honnef.co/go/tools v0.5.1 h1:4bH5o3b5ZULQ4UrBmP+63W9r7qIkqJClEA9ko5YKx+I=
+honnef.co/go/tools v0.5.1/go.mod h1:e9irvo83WDG9/irijV44wr3tbhcFeRnfpVlRqVwpzMs=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 modernc.org/cc/v4 v4.21.4 h1:3Be/Rdo1fpr8GrQ7IVw9OHtplU4gWbb+wNgeoBMmGLQ=
 modernc.org/cc/v4 v4.21.4/go.mod h1:HM7VJTZbUCR3rV8EYBi9wxnJ0ZBRiGE5OeGXNA0IsLQ=
-modernc.org/ccgo/v4 v4.21.0 h1:kKPI3dF7RIag8YcToh5ZwDcVMIv6VGa0ED5cvh0LMW4=
-modernc.org/ccgo/v4 v4.21.0/go.mod h1:h6kt6H/A2+ew/3MW/p6KEoQmrq/i3pr0J/SiwiaF/g0=
+modernc.org/ccgo/v4 v4.19.2 h1:lwQZgvboKD0jBwdaeVCTouxhxAyN6iawF3STraAal8Y=
+modernc.org/ccgo/v4 v4.19.2/go.mod h1:ysS3mxiMV38XGRTTcgo0DQTeTmAO4oCmJl1nX9VFI3s=
 modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE=
 modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ=
-modernc.org/gc/v2 v2.5.0 h1:bJ9ChznK1L1mUtAQtxi0wi5AtAs5jQuw4PrPHO5pb6M=
-modernc.org/gc/v2 v2.5.0/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU=
+modernc.org/gc/v2 v2.4.1 h1:9cNzOqPyMJBvrUipmynX0ZohMhcxPtMccYgGOJdOiBw=
+modernc.org/gc/v2 v2.4.1/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU=
 modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 h1:5D53IMaUuA5InSeMu9eJtlQXS2NxAhyWQvkKEgXZhHI=
 modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6/go.mod h1:Qz0X07sNOR1jWYCrJMEnbW/X55x206Q7Vt4mz6/wHp4=
-modernc.org/libc v1.60.1 h1:at373l8IFRTkJIkAU85BIuUoBM4T1b51ds0E1ovPG2s=
-modernc.org/libc v1.60.1/go.mod h1:xJuobKuNxKH3RUatS7GjR+suWj+5c2K7bi4m/S5arOY=
+modernc.org/libc v1.55.3 h1:AzcW1mhlPNrRtjS5sS+eW2ISCgSOLLNyFzRh/V3Qj/U=
+modernc.org/libc v1.55.3/go.mod h1:qFXepLhz+JjFThQ4kzwzOjA/y/artDeg+pcYnY+Q83w=
 modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
 modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
 modernc.org/memory v1.8.0 h1:IqGTL6eFMaDZZhEWwcREgeMXYwmW83LYW8cROZYkg+E=
@@ -723,13 +737,17 @@ modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
 modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
 modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc=
 modernc.org/sortutil v1.2.0/go.mod h1:TKU2s7kJMf1AE84OoiGppNHJwvB753OYfNl2WRb++Ss=
-modernc.org/sqlite v1.32.0 h1:6BM4uGza7bWypsw4fdLRsLxut6bHe4c58VeqjRgST8s=
-modernc.org/sqlite v1.32.0/go.mod h1:UqoylwmTb9F+IqXERT8bW9zzOWN8qwAIcLdzeBZs4hA=
+modernc.org/sqlite v1.33.1 h1:trb6Z3YYoeM9eDL1O8do81kP+0ejv+YzgyFo+Gwy0nM=
+modernc.org/sqlite v1.33.1/go.mod h1:pXV2xHxhzXZsgT/RtTFAPY6JJDEvOTcTdwADQCCWD4k=
 modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
 modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
 modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
 software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
-tailscale.com v1.72.1 h1:hk82jek36ph2S3Tfsh57NVWKEm/pZ9nfUonvlowpfaA=
-tailscale.com v1.72.1/go.mod h1:v7OHtg0KLAnhOVf81Z8WrjNefj238QbFhgkWJQoKxbs=
+tailscale.com v1.79.0-pre h1:iJ4+ox4kxadiTJRlybF+9Co+CEDIa1dflMPuxUb5gRg=
+tailscale.com v1.79.0-pre/go.mod h1:aNv7W0AEQtUsDOByv8mGZAk5ZGT49gQ3vIaPaol1RCc=
+zgo.at/zcache/v2 v2.1.0 h1:USo+ubK+R4vtjw4viGzTe/zjXyPw6R7SK/RL3epBBxs=
+zgo.at/zcache/v2 v2.1.0/go.mod h1:gyCeoLVo01QjDZynjime8xUGHHMbsLiPyUTBpDGd4Gk=
+zombiezen.com/go/postgrestest v1.0.1 h1:aXoADQAJmZDU3+xilYVut0pHhgc0sF8ZspPW9gFNwP4=
+zombiezen.com/go/postgrestest v1.0.1/go.mod h1:marlZezr+k2oSJrvXHnZUs1olHqpE9czlz8ZYkVxliQ=
--- a/hscontrol/app.go
+++ b/hscontrol/app.go
@@ -18,7 +18,6 @@ import (
 	"syscall"
 	"time"

-	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/davecgh/go-spew/spew"
 	"github.com/gorilla/mux"
 	grpcMiddleware "github.com/grpc-ecosystem/go-grpc-middleware"
@@ -28,12 +27,12 @@ import (
 	"github.com/juanfont/headscale/hscontrol/db"
 	"github.com/juanfont/headscale/hscontrol/derp"
 	derpServer "github.com/juanfont/headscale/hscontrol/derp/server"
+	"github.com/juanfont/headscale/hscontrol/dns"
 	"github.com/juanfont/headscale/hscontrol/mapper"
 	"github.com/juanfont/headscale/hscontrol/notifier"
 	"github.com/juanfont/headscale/hscontrol/policy"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
-	"github.com/patrickmn/go-cache"
 	zerolog "github.com/philip-bui/grpc-zerolog"
 	"github.com/pkg/profile"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -41,7 +40,6 @@ import (
 	"github.com/rs/zerolog/log"
 	"golang.org/x/crypto/acme"
 	"golang.org/x/crypto/acme/autocert"
-	"golang.org/x/oauth2"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@@ -57,6 +55,7 @@ import (
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
 	"tailscale.com/util/dnsname"
+	zcache "zgo.at/zcache/v2"
 )

 var (
@@ -90,15 +89,16 @@ type Headscale struct {
 	DERPMap    *tailcfg.DERPMap
 	DERPServer *derpServer.DERPServer

-	ACLPolicy *policy.ACLPolicy
+	polManOnce     sync.Once
+	polMan         policy.PolicyManager
+	extraRecordMan *dns.ExtraRecordsMan

 	mapper       *mapper.Mapper
 	nodeNotifier *notifier.Notifier

-	oidcProvider *oidc.Provider
-	oauth2Config *oauth2.Config
+	registrationCache *zcache.Cache[string, types.Node]

-	registrationCache *cache.Cache
+	authProvider AuthProvider

 	pollNetMapStreamWG sync.WaitGroup
 }
@@ -123,7 +123,7 @@ func NewHeadscale(cfg *types.Config) (*Headscale, error) {
 		return nil, fmt.Errorf("failed to read or create Noise protocol private key: %w", err)
 	}

-	registrationCache := cache.New(
+	registrationCache := zcache.New[string, types.Node](
 		registerCacheExpiration,
 		registerCacheCleanup,
 	)
@@ -138,7 +138,9 @@ func NewHeadscale(cfg *types.Config) (*Headscale, error) {

 	app.db, err = db.NewHeadscaleDatabase(
 		cfg.Database,
-		cfg.BaseDomain)
+		cfg.BaseDomain,
+		registrationCache,
+	)
 	if err != nil {
 		return nil, err
 	}
@@ -154,18 +156,37 @@ func NewHeadscale(cfg *types.Config) (*Headscale, error) {
 		}
 	})

+	if err = app.loadPolicyManager(); err != nil {
+		return nil, fmt.Errorf("failed to load ACL policy: %w", err)
+	}
+
+	var authProvider AuthProvider
+	authProvider = NewAuthProviderWeb(cfg.ServerURL)
 	if cfg.OIDC.Issuer != "" {
-		err = app.initOIDC()
+		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		oidcProvider, err := NewAuthProviderOIDC(
+			ctx,
+			cfg.ServerURL,
+			&cfg.OIDC,
+			app.db,
+			app.nodeNotifier,
+			app.ipAlloc,
+			app.polMan,
+		)
 		if err != nil {
 			if cfg.OIDC.OnlyStartIfOIDCIsAvailable {
 				return nil, err
 			} else {
 				log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
 			}
+		} else {
+			authProvider = oidcProvider
 		}
 	}
+	app.authProvider = authProvider

-	if app.cfg.DNSConfig != nil && app.cfg.DNSConfig.Proxied { // if MagicDNS
+	if app.cfg.TailcfgDNSConfig != nil && app.cfg.TailcfgDNSConfig.Proxied { // if MagicDNS
 		// TODO(kradalby): revisit why this takes a list.

 		var magicDNSDomains []dnsname.FQDN
@@ -177,11 +198,11 @@ func NewHeadscale(cfg *types.Config) (*Headscale, error) {
 		}

 		// we might have routes already from Split DNS
-		if app.cfg.DNSConfig.Routes == nil {
-			app.cfg.DNSConfig.Routes = make(map[string][]*dnstype.Resolver)
+		if app.cfg.TailcfgDNSConfig.Routes == nil {
+			app.cfg.TailcfgDNSConfig.Routes = make(map[string][]*dnstype.Resolver)
 		}
 		for _, d := range magicDNSDomains {
-			app.cfg.DNSConfig.Routes[d.WithoutTrailingDot()] = nil
+			app.cfg.TailcfgDNSConfig.Routes[d.WithoutTrailingDot()] = nil
 		}
 	}

@@ -218,23 +239,38 @@ func (h *Headscale) redirect(w http.ResponseWriter, req *http.Request) {
 	http.Redirect(w, req, target, http.StatusFound)
 }

-// expireExpiredNodes expires nodes that have an explicit expiry set
-// after that expiry time has passed.
-func (h *Headscale) expireExpiredNodes(ctx context.Context, every time.Duration) {
-	ticker := time.NewTicker(every)
+func (h *Headscale) scheduledTasks(ctx context.Context) {
+	expireTicker := time.NewTicker(updateInterval)
+	defer expireTicker.Stop()

-	lastCheck := time.Unix(0, 0)
-	var update types.StateUpdate
-	var changed bool
+	lastExpiryCheck := time.Unix(0, 0)
+
+	derpTicker := time.NewTicker(h.cfg.DERP.UpdateFrequency)
+	defer derpTicker.Stop()
+	// If we dont want auto update, just stop the ticker
+	if !h.cfg.DERP.AutoUpdate {
+		derpTicker.Stop()
+	}
+
+	var extraRecordsUpdate <-chan []tailcfg.DNSRecord
+	if h.extraRecordMan != nil {
+		extraRecordsUpdate = h.extraRecordMan.UpdateCh()
+	} else {
+		extraRecordsUpdate = make(chan []tailcfg.DNSRecord)
+	}

 	for {
 		select {
 		case <-ctx.Done():
-			ticker.Stop()
+			log.Info().Caller().Msg("scheduled task worker is shutting down.")
 			return
-		case <-ticker.C:
+
+		case <-expireTicker.C:
+			var update types.StateUpdate
+			var changed bool
+
 			if err := h.db.Write(func(tx *gorm.DB) error {
-				lastCheck, update, changed = db.ExpireExpiredNodes(tx, lastCheck)
+				lastExpiryCheck, update, changed = db.ExpireExpiredNodes(tx, lastExpiryCheck)

 				return nil
 			}); err != nil {
@@ -248,24 +284,8 @@ func (h *Headscale) expireExpiredNodes(ctx context.Context, every time.Duration)
 				ctx := types.NotifyCtx(context.Background(), "expire-expired", "na")
 				h.nodeNotifier.NotifyAll(ctx, update)
 			}
-		}
-	}
-}

-// scheduledDERPMapUpdateWorker refreshes the DERPMap stored on the global object
-// at a set interval.
-func (h *Headscale) scheduledDERPMapUpdateWorker(cancelChan <-chan struct{}) {
-	log.Info().
-		Dur("frequency", h.cfg.DERP.UpdateFrequency).
-		Msg("Setting up a DERPMap update worker")
-	ticker := time.NewTicker(h.cfg.DERP.UpdateFrequency)
-
-	for {
-		select {
-		case <-cancelChan:
-			return
-
-		case <-ticker.C:
+		case <-derpTicker.C:
 			log.Info().Msg("Fetching DERPMap updates")
 			h.DERPMap = derp.GetDERPMap(h.cfg.DERP)
 			if h.cfg.DERP.ServerEnabled && h.cfg.DERP.AutomaticallyAddEmbeddedDerpRegion {
@@ -278,6 +298,19 @@ func (h *Headscale) scheduledDERPMapUpdateWorker(cancelChan <-chan struct{}) {
 				Type:    types.StateDERPUpdated,
 				DERPMap: h.DERPMap,
 			})
+
+		case records, ok := <-extraRecordsUpdate:
+			if !ok {
+				continue
+			}
+			h.cfg.TailcfgDNSConfig.ExtraRecords = records
+
+			ctx := types.NotifyCtx(context.Background(), "dns-extrarecord", "all")
+			h.nodeNotifier.NotifyAll(ctx, types.StateUpdate{
+				// TODO(kradalby): We can probably do better than sending a full update here,
+				// but for now this will ensure that all of the nodes get the new records.
+				Type: types.StateFullUpdate,
+			})
 		}
 	}
 }
@@ -425,14 +458,15 @@ func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
 	router := mux.NewRouter()
 	router.Use(prometheusMiddleware)

-	router.HandleFunc(ts2021UpgradePath, h.NoiseUpgradeHandler).Methods(http.MethodPost)
+	router.HandleFunc(ts2021UpgradePath, h.NoiseUpgradeHandler).Methods(http.MethodPost, http.MethodGet)

 	router.HandleFunc("/health", h.HealthHandler).Methods(http.MethodGet)
 	router.HandleFunc("/key", h.KeyHandler).Methods(http.MethodGet)
-	router.HandleFunc("/register/{mkey}", h.RegisterWebAPI).Methods(http.MethodGet)
+	router.HandleFunc("/register/{mkey}", h.authProvider.RegisterHandler).Methods(http.MethodGet)

-	router.HandleFunc("/oidc/register/{mkey}", h.RegisterOIDC).Methods(http.MethodGet)
-	router.HandleFunc("/oidc/callback", h.OIDCCallback).Methods(http.MethodGet)
+	if provider, ok := h.authProvider.(*AuthProviderOIDC); ok {
+		router.HandleFunc("/oidc/callback", provider.OIDCCallbackHandler).Methods(http.MethodGet)
+	}
 	router.HandleFunc("/apple", h.AppleConfigMessage).Methods(http.MethodGet)
 	router.HandleFunc("/apple/{platform}", h.ApplePlatformConfig).
 		Methods(http.MethodGet)
@@ -443,9 +477,12 @@ func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
 	router.HandleFunc("/swagger/v1/openapiv2.json", headscale.SwaggerAPIv1).
 		Methods(http.MethodGet)

+	router.HandleFunc("/verify", h.VerifyHandler).Methods(http.MethodPost)
+
 	if h.cfg.DERP.ServerEnabled {
 		router.HandleFunc("/derp", h.DERPServer.DERPHandler)
 		router.HandleFunc("/derp/probe", derpServer.DERPProbeHandler)
+		router.HandleFunc("/derp/latency-check", derpServer.DERPProbeHandler)
 		router.HandleFunc("/bootstrap-dns", derpServer.DERPBootstrapDNSHandler(h.DERPMap))
 	}

@@ -458,6 +495,52 @@ func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
 	return router
 }

+// TODO(kradalby): Do a variant of this, and polman which only updates the node that has changed.
+// Maybe we should attempt a new in memory state and not go via the DB?
+func usersChangedHook(db *db.HSDatabase, polMan policy.PolicyManager, notif *notifier.Notifier) error {
+	users, err := db.ListUsers()
+	if err != nil {
+		return err
+	}
+
+	changed, err := polMan.SetUsers(users)
+	if err != nil {
+		return err
+	}
+
+	if changed {
+		ctx := types.NotifyCtx(context.Background(), "acl-users-change", "all")
+		notif.NotifyAll(ctx, types.StateUpdate{
+			Type: types.StateFullUpdate,
+		})
+	}
+
+	return nil
+}
+
+// TODO(kradalby): Do a variant of this, and polman which only updates the node that has changed.
+// Maybe we should attempt a new in memory state and not go via the DB?
+func nodesChangedHook(db *db.HSDatabase, polMan policy.PolicyManager, notif *notifier.Notifier) error {
+	nodes, err := db.ListNodes()
+	if err != nil {
+		return err
+	}
+
+	changed, err := polMan.SetNodes(nodes)
+	if err != nil {
+		return err
+	}
+
+	if changed {
+		ctx := types.NotifyCtx(context.Background(), "acl-nodes-change", "all")
+		notif.NotifyAll(ctx, types.StateUpdate{
+			Type: types.StateFullUpdate,
+		})
+	}
+
+	return nil
+}
+
 // Serve launches the HTTP and gRPC server service Headscale and the API.
 func (h *Headscale) Serve() error {
 	if profilingEnabled {
@@ -473,19 +556,13 @@ func (h *Headscale) Serve() error {
 		}
 	}

-	var err error
-
-	if err = h.loadACLPolicy(); err != nil {
-		return fmt.Errorf("failed to load ACL policy: %w", err)
-	}
-
 	if dumpConfig {
 		spew.Dump(h.cfg)
 	}

 	// Fetch an initial DERP Map before we start serving
 	h.DERPMap = derp.GetDERPMap(h.cfg.DERP)
-	h.mapper = mapper.NewMapper(h.db, h.cfg, h.DERPMap, h.nodeNotifier)
+	h.mapper = mapper.NewMapper(h.db, h.cfg, h.DERPMap, h.nodeNotifier, h.polMan)

 	if h.cfg.DERP.ServerEnabled {
 		// When embedded DERP is enabled we always need a STUN server
@@ -505,12 +582,6 @@ func (h *Headscale) Serve() error {
 		go h.DERPServer.ServeSTUN()
 	}

-	if h.cfg.DERP.AutoUpdate {
-		derpMapCancelChannel := make(chan struct{})
-		defer func() { derpMapCancelChannel <- struct{}{} }()
-		go h.scheduledDERPMapUpdateWorker(derpMapCancelChannel)
-	}
-
 	if len(h.DERPMap.Regions) == 0 {
 		return errEmptyInitialDERPMap
 	}
@@ -528,9 +599,21 @@ func (h *Headscale) Serve() error {
 		h.ephemeralGC.Schedule(node.ID, h.cfg.EphemeralNodeInactivityTimeout)
 	}

-	expireNodeCtx, expireNodeCancel := context.WithCancel(context.Background())
-	defer expireNodeCancel()
-	go h.expireExpiredNodes(expireNodeCtx, updateInterval)
+	if h.cfg.DNSConfig.ExtraRecordsPath != "" {
+		h.extraRecordMan, err = dns.NewExtraRecordsManager(h.cfg.DNSConfig.ExtraRecordsPath)
+		if err != nil {
+			return fmt.Errorf("setting up extrarecord manager: %w", err)
+		}
+		h.cfg.TailcfgDNSConfig.ExtraRecords = h.extraRecordMan.Records()
+		go h.extraRecordMan.Run()
+		defer h.extraRecordMan.Close()
+	}
+
+	// Start all scheduled tasks, e.g. expiring nodes, derp updates and
+	// records updates
+	scheduleCtx, scheduleCancel := context.WithCancel(context.Background())
+	defer scheduleCancel()
+	go h.scheduledTasks(scheduleCtx)

 	if zl.GlobalLevel() == zl.TraceLevel {
 		zerolog.RespLog = true
@@ -755,12 +838,25 @@ func (h *Headscale) Serve() error {
 					Str("signal", sig.String()).
 					Msg("Received SIGHUP, reloading ACL and Config")

-				// TODO(kradalby): Reload config on SIGHUP
-				if err := h.loadACLPolicy(); err != nil {
-					log.Error().Err(err).Msg("failed to reload ACL policy")
+				if h.cfg.Policy.IsEmpty() {
+					continue
 				}

-				if h.ACLPolicy != nil {
+				if err := h.loadPolicyManager(); err != nil {
+					log.Error().Err(err).Msg("failed to reload Policy")
+				}
+
+				pol, err := h.policyBytes()
+				if err != nil {
+					log.Error().Err(err).Msg("failed to get policy blob")
+				}
+
+				changed, err := h.polMan.SetPolicy(pol)
+				if err != nil {
+					log.Error().Err(err).Msg("failed to set new policy")
+				}
+
+				if changed {
 					log.Info().
 						Msg("ACL policy successfully reloaded, notifying nodes of change")

@@ -775,7 +871,7 @@ func (h *Headscale) Serve() error {
 					Str("signal", sig.String()).
 					Msg("Received signal to stop, shutting down gracefully")

-				expireNodeCancel()
+				scheduleCancel()
 				h.ephemeralGC.Close()

 				// Gracefully shut down servers
@@ -979,27 +1075,50 @@ func readOrCreatePrivateKey(path string) (*key.MachinePrivate, error) {
 	return &machineKey, nil
 }

-func (h *Headscale) loadACLPolicy() error {
-	var (
-		pol *policy.ACLPolicy
-		err error
-	)
-
+// policyBytes returns the appropriate policy for the
+// current configuration as a []byte array.
+func (h *Headscale) policyBytes() ([]byte, error) {
 	switch h.cfg.Policy.Mode {
 	case types.PolicyModeFile:
 		path := h.cfg.Policy.Path

 		// It is fine to start headscale without a policy file.
 		if len(path) == 0 {
-			return nil
+			return nil, nil
 		}

 		absPath := util.AbsolutePathFromConfigPath(path)
-		pol, err = policy.LoadACLPolicyFromPath(absPath)
+		policyFile, err := os.Open(absPath)
 		if err != nil {
-			return fmt.Errorf("failed to load ACL policy from file: %w", err)
+			return nil, err
+		}
+		defer policyFile.Close()
+
+		return io.ReadAll(policyFile)
+
+	case types.PolicyModeDB:
+		p, err := h.db.GetPolicy()
+		if err != nil {
+			if errors.Is(err, types.ErrPolicyNotFound) {
+				return nil, nil
+			}
+
+			return nil, err
 		}

+		if p.Data == "" {
+			return nil, nil
+		}
+
+		return []byte(p.Data), err
+	}
+
+	return nil, fmt.Errorf("unsupported policy mode: %s", h.cfg.Policy.Mode)
+}
+
+func (h *Headscale) loadPolicyManager() error {
+	var errOut error
+	h.polManOnce.Do(func() {
 		// Validate and reject configuration that would error when applied
 		// when creating a map response. This requires nodes, so there is still
 		// a scenario where they might be allowed if the server has no nodes
@@ -1010,42 +1129,35 @@ func (h *Headscale) loadACLPolicy() error {
 		// allowed to be written to the database.
 		nodes, err := h.db.ListNodes()
 		if err != nil {
-			return fmt.Errorf("loading nodes from database to validate policy: %w", err)
+			errOut = fmt.Errorf("loading nodes from database to validate policy: %w", err)
+			return
+		}
+		users, err := h.db.ListUsers()
+		if err != nil {
+			errOut = fmt.Errorf("loading users from database to validate policy: %w", err)
+			return
 		}

-		_, err = pol.CompileFilterRules(nodes)
+		pol, err := h.policyBytes()
 		if err != nil {
-			return fmt.Errorf("verifying policy rules: %w", err)
+			errOut = fmt.Errorf("loading policy bytes: %w", err)
+			return
+		}
+
+		h.polMan, err = policy.NewPolicyManager(pol, users, nodes)
+		if err != nil {
+			errOut = fmt.Errorf("creating policy manager: %w", err)
+			return
 		}

 		if len(nodes) > 0 {
-			_, err = pol.CompileSSHPolicy(nodes[0], nodes)
+			_, err = h.polMan.SSHPolicy(nodes[0])
 			if err != nil {
-				return fmt.Errorf("verifying SSH rules: %w", err)
+				errOut = fmt.Errorf("verifying SSH rules: %w", err)
+				return
 			}
 		}
+	})

-	case types.PolicyModeDB:
-		p, err := h.db.GetPolicy()
-		if err != nil {
-			if errors.Is(err, types.ErrPolicyNotFound) {
-				return nil
-			}
-
-			return fmt.Errorf("failed to get policy from database: %w", err)
-		}
-
-		pol, err = policy.LoadACLPolicyFromBytes([]byte(p.Data))
-		if err != nil {
-			return fmt.Errorf("failed to parse policy: %w", err)
-		}
-	default:
-		log.Fatal().
-			Str("mode", string(h.cfg.Policy.Mode)).
-			Msg("Unknown ACL policy mode")
-	}
-
-	h.ACLPolicy = pol
-
-	return nil
+	return errOut
 }
--- a/hscontrol/auth.go
+++ b/hscontrol/auth.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"strings"
 	"time"

 	"github.com/juanfont/headscale/hscontrol/db"
@@ -19,6 +18,11 @@ import (
 	"tailscale.com/types/ptr"
 )

+type AuthProvider interface {
+	RegisterHandler(http.ResponseWriter, *http.Request)
+	AuthURL(key.MachinePublic) string
+}
+
 func logAuthFunc(
 	registerRequest tailcfg.RegisterRequest,
 	machineKey key.MachinePublic,
@@ -125,7 +129,6 @@ func (h *Headscale) handleRegister(
 		h.registrationCache.Set(
 			machineKey.String(),
 			newNode,
-			registerCacheExpiration,
 		)

 		h.handleNewNode(writer, regReq, machineKey)
@@ -164,7 +167,7 @@ func (h *Headscale) handleRegister(
 			//   https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L648
 			if !regReq.Expiry.IsZero() &&
 				regReq.Expiry.UTC().Before(now) {
-				h.handleNodeLogOut(writer, *node, machineKey)
+				h.handleNodeLogOut(writer, *node)

 				return
 			}
@@ -172,7 +175,7 @@ func (h *Headscale) handleRegister(
 			// If node is not expired, and it is register, we have a already accepted this node,
 			// let it proceed with a valid registration
 			if !node.IsExpired() {
-				h.handleNodeWithValidRegistration(writer, *node, machineKey)
+				h.handleNodeWithValidRegistration(writer, *node)

 				return
 			}
@@ -185,7 +188,6 @@ func (h *Headscale) handleRegister(
 				writer,
 				regReq,
 				*node,
-				machineKey,
 			)

 			return
@@ -198,7 +200,6 @@ func (h *Headscale) handleRegister(
 				writer,
 				regReq,
 				*node,
-				machineKey,
 			)

 			return
@@ -226,7 +227,6 @@ func (h *Headscale) handleRegister(
 		h.registrationCache.Set(
 			machineKey.String(),
 			*node,
-			registerCacheExpiration,
 		)

 		return
@@ -384,9 +384,15 @@ func (h *Headscale) handleAuthKey(

 			return
 		}
+
+		err = nodesChangedHook(h.db, h.polMan, h.nodeNotifier)
+		if err != nil {
+			http.Error(writer, "Internal server error", http.StatusInternalServerError)
+			return
+		}
 	}

-	h.db.Write(func(tx *gorm.DB) error {
+	err = h.db.Write(func(tx *gorm.DB) error {
 		return db.UsePreAuthKey(tx, pak)
 	})
 	if err != nil {
@@ -447,17 +453,7 @@ func (h *Headscale) handleNewNode(
 	// The node registration is new, redirect the client to the registration URL
 	logTrace("The node seems to be new, sending auth url")

-	if h.oauth2Config != nil {
-		resp.AuthURL = fmt.Sprintf(
-			"%s/oidc/register/%s",
-			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			machineKey.String(),
-		)
-	} else {
-		resp.AuthURL = fmt.Sprintf("%s/register/%s",
-			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			machineKey.String())
-	}
+	resp.AuthURL = h.authProvider.AuthURL(machineKey)

 	respBody, err := json.Marshal(resp)
 	if err != nil {
@@ -480,7 +476,6 @@ func (h *Headscale) handleNewNode(
 func (h *Headscale) handleNodeLogOut(
 	writer http.ResponseWriter,
 	node types.Node,
-	machineKey key.MachinePublic,
 ) {
 	resp := tailcfg.RegisterResponse{}

@@ -563,7 +558,6 @@ func (h *Headscale) handleNodeLogOut(
 func (h *Headscale) handleNodeWithValidRegistration(
 	writer http.ResponseWriter,
 	node types.Node,
-	machineKey key.MachinePublic,
 ) {
 	resp := tailcfg.RegisterResponse{}

@@ -609,7 +603,6 @@ func (h *Headscale) handleNodeKeyRefresh(
 	writer http.ResponseWriter,
 	registerRequest tailcfg.RegisterRequest,
 	node types.Node,
-	machineKey key.MachinePublic,
 ) {
 	resp := tailcfg.RegisterResponse{}

@@ -685,15 +678,7 @@ func (h *Headscale) handleNodeExpiredOrLoggedOut(
 		Str("node_key_old", regReq.OldNodeKey.ShortString()).
 		Msg("Node registration has expired or logged out. Sending a auth url to register")

-	if h.oauth2Config != nil {
-		resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s",
-			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			machineKey.String())
-	} else {
-		resp.AuthURL = fmt.Sprintf("%s/register/%s",
-			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			machineKey.String())
-	}
+	resp.AuthURL = h.authProvider.AuthURL(machineKey)

 	respBody, err := json.Marshal(resp)
 	if err != nil {
--- a/hscontrol/db/db.go
+++ b/hscontrol/db/db.go
@@ -3,6 +3,7 @@ package db
 import (
 	"context"
 	"database/sql"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/netip"
@@ -19,8 +20,15 @@ import (
 	"gorm.io/driver/postgres"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
+	"gorm.io/gorm/schema"
+	"tailscale.com/util/set"
+	"zgo.at/zcache/v2"
 )

+func init() {
+	schema.RegisterSerializer("text", TextSerialiser{})
+}
+
 var errDatabaseNotSupported = errors.New("database type not supported")

 // KV is a key-value store in a psql table. For future use...
@@ -31,7 +39,9 @@ type KV struct {
 }

 type HSDatabase struct {
-	DB *gorm.DB
+	DB       *gorm.DB
+	cfg      *types.DatabaseConfig
+	regCache *zcache.Cache[string, types.Node]

 	baseDomain string
 }
@@ -41,6 +51,7 @@ type HSDatabase struct {
 func NewHeadscaleDatabase(
 	cfg types.DatabaseConfig,
 	baseDomain string,
+	regCache *zcache.Cache[string, types.Node],
 ) (*HSDatabase, error) {
 	dbConn, err := openDB(cfg)
 	if err != nil {
@@ -189,7 +200,7 @@ func NewHeadscaleDatabase(

 						type NodeAux struct {
 							ID            uint64
-							EnabledRoutes types.IPPrefixes
+							EnabledRoutes []netip.Prefix `gorm:"serializer:json"`
 						}

 						nodesAux := []NodeAux{}
@@ -212,7 +223,7 @@ func NewHeadscaleDatabase(
 								}

 								err = tx.Preload("Node").
-									Where("node_id = ? AND prefix = ?", node.ID, types.IPPrefix(prefix)).
+									Where("node_id = ? AND prefix = ?", node.ID, prefix).
 									First(&types.Route{}).
 									Error
 								if err == nil {
@@ -227,7 +238,7 @@ func NewHeadscaleDatabase(
 									NodeID:     node.ID,
 									Advertised: true,
 									Enabled:    true,
-									Prefix:     types.IPPrefix(prefix),
+									Prefix:     prefix,
 								}
 								if err := tx.Create(&route).Error; err != nil {
 									log.Error().Err(err).Msg("Error creating route")
@@ -256,9 +267,6 @@ func NewHeadscaleDatabase(

 						for item, node := range nodes {
 							if node.GivenName == "" {
-								normalizedHostname, err := util.NormalizeToFQDNRulesConfigFromViper(
-									node.Hostname,
-								)
 								if err != nil {
 									log.Error().
 										Caller().
@@ -268,7 +276,7 @@ func NewHeadscaleDatabase(
 								}

 								err = tx.Model(nodes[item]).Updates(types.Node{
-									GivenName: normalizedHostname,
+									GivenName: node.Hostname,
 								}).Error
 								if err != nil {
 									log.Error().
@@ -291,7 +299,12 @@ func NewHeadscaleDatabase(
 						return err
 					}

-					err = tx.AutoMigrate(&types.PreAuthKeyACLTag{})
+					type preAuthKeyACLTag struct {
+						ID           uint64 `gorm:"primary_key"`
+						PreAuthKeyID uint64
+						Tag          string
+					}
+					err = tx.AutoMigrate(&preAuthKeyACLTag{})
 					if err != nil {
 						return err
 					}
@@ -413,6 +426,101 @@ func NewHeadscaleDatabase(
 				},
 				Rollback: func(db *gorm.DB) error { return nil },
 			},
+			// denormalise the ACL tags for preauth keys back onto
+			// the preauth key table. We dont normalise or reuse and
+			// it is just a bunch of work for extra work.
+			{
+				ID: "202409271400",
+				Migrate: func(tx *gorm.DB) error {
+					preauthkeyTags := map[uint64]set.Set[string]{}
+
+					type preAuthKeyACLTag struct {
+						ID           uint64 `gorm:"primary_key"`
+						PreAuthKeyID uint64
+						Tag          string
+					}
+
+					var aclTags []preAuthKeyACLTag
+					if err := tx.Find(&aclTags).Error; err != nil {
+						return err
+					}
+
+					// Store the current tags.
+					for _, tag := range aclTags {
+						if preauthkeyTags[tag.PreAuthKeyID] == nil {
+							preauthkeyTags[tag.PreAuthKeyID] = set.SetOf([]string{tag.Tag})
+						} else {
+							preauthkeyTags[tag.PreAuthKeyID].Add(tag.Tag)
+						}
+					}
+
+					// Add tags column and restore the tags.
+					_ = tx.Migrator().AddColumn(&types.PreAuthKey{}, "tags")
+					for keyID, tags := range preauthkeyTags {
+						s := tags.Slice()
+						j, err := json.Marshal(s)
+						if err != nil {
+							return err
+						}
+						if err := tx.Model(&types.PreAuthKey{}).Where("id = ?", keyID).Update("tags", string(j)).Error; err != nil {
+							return err
+						}
+					}
+
+					// Drop the old table.
+					_ = tx.Migrator().DropTable(&preAuthKeyACLTag{})
+					return nil
+				},
+				Rollback: func(db *gorm.DB) error { return nil },
+			},
+			{
+				// Pick up new user fields used for OIDC and to
+				// populate the user with more interesting information.
+				ID: "202407191627",
+				Migrate: func(tx *gorm.DB) error {
+					err := tx.AutoMigrate(&types.User{})
+					if err != nil {
+						return err
+					}
+
+					return nil
+				},
+				Rollback: func(db *gorm.DB) error { return nil },
+			},
+			{
+				// The unique constraint of Name has been dropped
+				// in favour of a unique together of name and
+				// provider identity.
+				ID: "202408181235",
+				Migrate: func(tx *gorm.DB) error {
+					err := tx.AutoMigrate(&types.User{})
+					if err != nil {
+						return err
+					}
+
+					// Set up indexes and unique constraints outside of GORM, it does not support
+					// conditional unique constraints.
+					// This ensures the following:
+					// - A user name and provider_identifier is unique
+					// - A provider_identifier is unique
+					// - A user name is unique if there is no provider_identifier is not set
+					for _, idx := range []string{
+						"DROP INDEX IF EXISTS idx_provider_identifier",
+						"DROP INDEX IF EXISTS idx_name_provider_identifier",
+						"CREATE UNIQUE INDEX IF NOT EXISTS idx_provider_identifier ON users (provider_identifier) WHERE provider_identifier IS NOT NULL;",
+						"CREATE UNIQUE INDEX IF NOT EXISTS idx_name_provider_identifier ON users (name,provider_identifier);",
+						"CREATE UNIQUE INDEX IF NOT EXISTS idx_name_no_provider_identifier ON users (name) WHERE provider_identifier IS NULL;",
+					} {
+						err = tx.Exec(idx).Error
+						if err != nil {
+							return fmt.Errorf("creating username index: %w", err)
+						}
+					}
+
+					return nil
+				},
+				Rollback: func(db *gorm.DB) error { return nil },
+			},
 		},
 	)

@@ -421,7 +529,9 @@ func NewHeadscaleDatabase(
 	}

 	db := HSDatabase{
-		DB: dbConn,
+		DB:       dbConn,
+		cfg:      &cfg,
+		regCache: regCache,

 		baseDomain: baseDomain,
 	}
@@ -469,10 +579,10 @@ func openDB(cfg types.DatabaseConfig) (*gorm.DB, error) {
 		}

 		if cfg.Sqlite.WriteAheadLog {
-			if err := db.Exec(`
+			if err := db.Exec(fmt.Sprintf(`
 				PRAGMA journal_mode=WAL;
-				PRAGMA wal_autocheckpoint=0;
-				`).Error; err != nil {
+				PRAGMA wal_autocheckpoint=%d;
+				`, cfg.Sqlite.WALAutoCheckPoint)).Error; err != nil {
 				return nil, fmt.Errorf("setting WAL mode: %w", err)
 			}
 		}
@@ -621,6 +731,10 @@ func (hsdb *HSDatabase) Close() error {
 		return err
 	}

+	if hsdb.cfg.Type == types.DatabaseSqlite && hsdb.cfg.Sqlite.WriteAheadLog {
+		db.Exec("VACUUM")
+	}
+
 	return db.Close()
 }

--- a/hscontrol/db/db_test.go
+++ b/hscontrol/db/db_test.go
@@ -1,23 +1,31 @@
 package db

 import (
+	"database/sql"
 	"fmt"
 	"io"
 	"net/netip"
 	"os"
 	"path/filepath"
+	"slices"
+	"sort"
+	"strings"
 	"testing"
+	"time"

 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"gorm.io/gorm"
+	"zgo.at/zcache/v2"
 )

 func TestMigrations(t *testing.T) {
-	ipp := func(p string) types.IPPrefix {
-		return types.IPPrefix(netip.MustParsePrefix(p))
+	ipp := func(p string) netip.Prefix {
+		return netip.MustParsePrefix(p)
 	}
 	r := func(id uint64, p string, a, e, i bool) types.Route {
 		return types.Route{
@@ -39,7 +47,7 @@ func TestMigrations(t *testing.T) {
 				routes, err := Read(h.DB, func(rx *gorm.DB) (types.Routes, error) {
 					return GetRoutes(rx)
 				})
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				assert.Len(t, routes, 10)
 				want := types.Routes{
@@ -54,9 +62,7 @@ func TestMigrations(t *testing.T) {
 					r(31, "::/0", true, false, false),
 					r(32, "192.168.0.24/32", true, true, true),
 				}
-				if diff := cmp.Diff(want, routes, cmpopts.IgnoreFields(types.Route{}, "Model", "Node"), cmp.Comparer(func(x, y types.IPPrefix) bool {
-					return x == y
-				})); diff != "" {
+				if diff := cmp.Diff(want, routes, cmpopts.IgnoreFields(types.Route{}, "Model", "Node"), util.PrefixComparer); diff != "" {
 					t.Errorf("TestMigrations() mismatch (-want +got):\n%s", diff)
 				}
 			},
@@ -67,7 +73,7 @@ func TestMigrations(t *testing.T) {
 				routes, err := Read(h.DB, func(rx *gorm.DB) (types.Routes, error) {
 					return GetRoutes(rx)
 				})
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				assert.Len(t, routes, 4)
 				want := types.Routes{
@@ -101,13 +107,96 @@ func TestMigrations(t *testing.T) {
 					r(13, "::/0", true, true, false),
 					r(13, "10.18.80.2/32", true, true, true),
 				}
-				if diff := cmp.Diff(want, routes, cmpopts.IgnoreFields(types.Route{}, "Model", "Node"), cmp.Comparer(func(x, y types.IPPrefix) bool {
-					return x == y
-				})); diff != "" {
+				if diff := cmp.Diff(want, routes, cmpopts.IgnoreFields(types.Route{}, "Model", "Node"), util.PrefixComparer); diff != "" {
 					t.Errorf("TestMigrations() mismatch (-want +got):\n%s", diff)
 				}
 			},
 		},
+		// at 14:15:06 ❯ go run ./cmd/headscale preauthkeys list
+		// ID | Key      | Reusable | Ephemeral | Used  | Expiration | Created    | Tags
+		// 1  | 09b28f.. | false    | false     | false | 2024-09-27 | 2024-09-27 | tag:derp
+		// 2  | 3112b9.. | false    | false     | false | 2024-09-27 | 2024-09-27 | tag:derp
+		// 3  | 7c23b9.. | false    | false     | false | 2024-09-27 | 2024-09-27 | tag:derp,tag:merp
+		// 4  | f20155.. | false    | false     | false | 2024-09-27 | 2024-09-27 | tag:test
+		// 5  | b212b9.. | false    | false     | false | 2024-09-27 | 2024-09-27 | tag:test,tag:woop,tag:dedu
+		{
+			dbPath: "testdata/0-23-0-to-0-24-0-preauthkey-tags-table.sqlite",
+			wantFunc: func(t *testing.T, h *HSDatabase) {
+				keys, err := Read(h.DB, func(rx *gorm.DB) ([]types.PreAuthKey, error) {
+					kratest, err := ListPreAuthKeysByUser(rx, 1) // kratest
+					if err != nil {
+						return nil, err
+					}
+
+					testkra, err := ListPreAuthKeysByUser(rx, 2) // testkra
+					if err != nil {
+						return nil, err
+					}
+
+					return append(kratest, testkra...), nil
+				})
+				require.NoError(t, err)
+
+				assert.Len(t, keys, 5)
+				want := []types.PreAuthKey{
+					{
+						ID:   1,
+						Tags: []string{"tag:derp"},
+					},
+					{
+						ID:   2,
+						Tags: []string{"tag:derp"},
+					},
+					{
+						ID:   3,
+						Tags: []string{"tag:derp", "tag:merp"},
+					},
+					{
+						ID:   4,
+						Tags: []string{"tag:test"},
+					},
+					{
+						ID:   5,
+						Tags: []string{"tag:test", "tag:woop", "tag:dedu"},
+					},
+				}
+
+				if diff := cmp.Diff(want, keys, cmp.Comparer(func(a, b []string) bool {
+					sort.Sort(sort.StringSlice(a))
+					sort.Sort(sort.StringSlice(b))
+					return slices.Equal(a, b)
+				}), cmpopts.IgnoreFields(types.PreAuthKey{}, "Key", "UserID", "User", "CreatedAt", "Expiration")); diff != "" {
+					t.Errorf("TestMigrations() mismatch (-want +got):\n%s", diff)
+				}
+
+				if h.DB.Migrator().HasTable("pre_auth_key_acl_tags") {
+					t.Errorf("TestMigrations() table pre_auth_key_acl_tags should not exist")
+				}
+			},
+		},
+		{
+			dbPath: "testdata/0-23-0-to-0-24-0-no-more-special-types.sqlite",
+			wantFunc: func(t *testing.T, h *HSDatabase) {
+				nodes, err := Read(h.DB, func(rx *gorm.DB) (types.Nodes, error) {
+					return ListNodes(rx)
+				})
+				require.NoError(t, err)
+
+				for _, node := range nodes {
+					assert.Falsef(t, node.MachineKey.IsZero(), "expected non zero machinekey")
+					assert.Contains(t, node.MachineKey.String(), "mkey:")
+					assert.Falsef(t, node.NodeKey.IsZero(), "expected non zero nodekey")
+					assert.Contains(t, node.NodeKey.String(), "nodekey:")
+					assert.Falsef(t, node.DiscoKey.IsZero(), "expected non zero discokey")
+					assert.Contains(t, node.DiscoKey.String(), "discokey:")
+					assert.NotNil(t, node.IPv4)
+					assert.NotNil(t, node.IPv4)
+					assert.Len(t, node.Endpoints, 1)
+					assert.NotNil(t, node.Hostinfo)
+					assert.NotNil(t, node.MachineKey)
+				}
+			},
+		},
 	}

 	for _, tt := range tests {
@@ -122,7 +211,7 @@ func TestMigrations(t *testing.T) {
 				Sqlite: types.SqliteConfig{
 					Path: dbPath,
 				},
-			}, "")
+			}, "", emptyCache())
 			if err != nil && tt.wantErr != err.Error() {
 				t.Errorf("TestMigrations() unexpected error = %v, wantErr %v", err, tt.wantErr)
 			}
@@ -166,3 +255,123 @@ func testCopyOfDatabase(src string) (string, error) {
 	_, err = io.Copy(destination, source)
 	return dst, err
 }
+
+func emptyCache() *zcache.Cache[string, types.Node] {
+	return zcache.New[string, types.Node](time.Minute, time.Hour)
+}
+
+// requireConstraintFailed checks if the error is a constraint failure with
+// either SQLite and PostgreSQL error messages.
+func requireConstraintFailed(t *testing.T, err error) {
+	t.Helper()
+	require.Error(t, err)
+	if !strings.Contains(err.Error(), "UNIQUE constraint failed:") && !strings.Contains(err.Error(), "violates unique constraint") {
+		require.Failf(t, "expected error to contain a constraint failure, got: %s", err.Error())
+	}
+}
+
+func TestConstraints(t *testing.T) {
+	tests := []struct {
+		name string
+		run  func(*testing.T, *gorm.DB)
+	}{
+		{
+			name: "no-duplicate-username-if-no-oidc",
+			run: func(t *testing.T, db *gorm.DB) {
+				_, err := CreateUser(db, types.User{Name: "user1"})
+				require.NoError(t, err)
+				_, err = CreateUser(db, types.User{Name: "user1"})
+				requireConstraintFailed(t, err)
+			},
+		},
+		{
+			name: "no-oidc-duplicate-username-and-id",
+			run: func(t *testing.T, db *gorm.DB) {
+				user := types.User{
+					Model: gorm.Model{ID: 1},
+					Name:  "user1",
+				}
+				user.ProviderIdentifier = sql.NullString{String: "http://test.com/user1", Valid: true}
+
+				err := db.Save(&user).Error
+				require.NoError(t, err)
+
+				user = types.User{
+					Model: gorm.Model{ID: 2},
+					Name:  "user1",
+				}
+				user.ProviderIdentifier = sql.NullString{String: "http://test.com/user1", Valid: true}
+
+				err = db.Save(&user).Error
+				requireConstraintFailed(t, err)
+			},
+		},
+		{
+			name: "no-oidc-duplicate-id",
+			run: func(t *testing.T, db *gorm.DB) {
+				user := types.User{
+					Model: gorm.Model{ID: 1},
+					Name:  "user1",
+				}
+				user.ProviderIdentifier = sql.NullString{String: "http://test.com/user1", Valid: true}
+
+				err := db.Save(&user).Error
+				require.NoError(t, err)
+
+				user = types.User{
+					Model: gorm.Model{ID: 2},
+					Name:  "user1.1",
+				}
+				user.ProviderIdentifier = sql.NullString{String: "http://test.com/user1", Valid: true}
+
+				err = db.Save(&user).Error
+				requireConstraintFailed(t, err)
+			},
+		},
+		{
+			name: "allow-duplicate-username-cli-then-oidc",
+			run: func(t *testing.T, db *gorm.DB) {
+				_, err := CreateUser(db, types.User{Name: "user1"}) // Create CLI username
+				require.NoError(t, err)
+
+				user := types.User{
+					Name:               "user1",
+					ProviderIdentifier: sql.NullString{String: "http://test.com/user1", Valid: true},
+				}
+
+				err = db.Save(&user).Error
+				require.NoError(t, err)
+			},
+		},
+		{
+			name: "allow-duplicate-username-oidc-then-cli",
+			run: func(t *testing.T, db *gorm.DB) {
+				user := types.User{
+					Name:               "user1",
+					ProviderIdentifier: sql.NullString{String: "http://test.com/user1", Valid: true},
+				}
+
+				err := db.Save(&user).Error
+				require.NoError(t, err)
+
+				_, err = CreateUser(db, types.User{Name: "user1"}) // Create CLI username
+				require.NoError(t, err)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name+"-postgres", func(t *testing.T) {
+			db := newPostgresTestDB(t)
+			tt.run(t, db.DB.Debug())
+		})
+		t.Run(tt.name+"-sqlite", func(t *testing.T) {
+			db, err := newSQLiteTestDB()
+			if err != nil {
+				t.Fatalf("creating database: %s", err)
+			}
+
+			tt.run(t, db.DB.Debug())
+		})
+	}
+}
--- a/hscontrol/db/ip.go
+++ b/hscontrol/db/ip.go
@@ -14,6 +14,7 @@ import (
 	"github.com/rs/zerolog/log"
 	"go4.org/netipx"
 	"gorm.io/gorm"
+	"tailscale.com/net/tsaddr"
 )

 // IPAllocator is a singleton responsible for allocating
@@ -190,8 +191,9 @@ func (i *IPAllocator) next(prev netip.Addr, prefix *netip.Prefix) (*netip.Addr,
 			return nil, ErrCouldNotAllocateIP
 		}

-		// Check if the IP has already been allocated.
-		if set.Contains(ip) {
+		// Check if the IP has already been allocated
+		// or if it is a IP reserved by Tailscale.
+		if set.Contains(ip) || isTailscaleReservedIP(ip) {
 			switch i.strategy {
 			case types.IPAllocationStrategySequential:
 				ip = ip.Next()
@@ -248,6 +250,12 @@ func randomNext(pfx netip.Prefix) (netip.Addr, error) {
 	return ip, nil
 }

+func isTailscaleReservedIP(ip netip.Addr) bool {
+	return tsaddr.ChromeOSVMRange().Contains(ip) ||
+		tsaddr.TailscaleServiceIP() == ip ||
+		tsaddr.TailscaleServiceIPv6() == ip
+}
+
 // BackfillNodeIPs will take a database transaction, and
 // iterate through all of the current nodes in headscale
 // and ensure it has IP addresses according to the current
--- a/hscontrol/db/ip_test.go
+++ b/hscontrol/db/ip_test.go
@@ -1,7 +1,6 @@
 package db

 import (
-	"database/sql"
 	"fmt"
 	"net/netip"
 	"strings"
@@ -12,6 +11,10 @@ import (
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"tailscale.com/net/tsaddr"
+	"tailscale.com/types/ptr"
 )

 var mpp = func(pref string) *netip.Prefix {
@@ -291,15 +294,7 @@ func TestBackfillIPAddresses(t *testing.T) {
 		v4 := fmt.Sprintf("100.64.0.%d", i)
 		v6 := fmt.Sprintf("fd7a:115c:a1e0::%d", i)
 		return &types.Node{
-			IPv4DatabaseField: sql.NullString{
-				Valid:  true,
-				String: v4,
-			},
 			IPv4: nap(v4),
-			IPv6DatabaseField: sql.NullString{
-				Valid:  true,
-				String: v6,
-			},
 			IPv6: nap(v6),
 		}
 	}
@@ -331,15 +326,7 @@ func TestBackfillIPAddresses(t *testing.T) {

 			want: types.Nodes{
 				&types.Node{
-					IPv4DatabaseField: sql.NullString{
-						Valid:  true,
-						String: "100.64.0.1",
-					},
 					IPv4: nap("100.64.0.1"),
-					IPv6DatabaseField: sql.NullString{
-						Valid:  true,
-						String: "fd7a:115c:a1e0::1",
-					},
 					IPv6: nap("fd7a:115c:a1e0::1"),
 				},
 			},
@@ -364,15 +351,7 @@ func TestBackfillIPAddresses(t *testing.T) {

 			want: types.Nodes{
 				&types.Node{
-					IPv4DatabaseField: sql.NullString{
-						Valid:  true,
-						String: "100.64.0.1",
-					},
 					IPv4: nap("100.64.0.1"),
-					IPv6DatabaseField: sql.NullString{
-						Valid:  true,
-						String: "fd7a:115c:a1e0::1",
-					},
 					IPv6: nap("fd7a:115c:a1e0::1"),
 				},
 			},
@@ -397,10 +376,6 @@ func TestBackfillIPAddresses(t *testing.T) {

 			want: types.Nodes{
 				&types.Node{
-					IPv4DatabaseField: sql.NullString{
-						Valid:  true,
-						String: "100.64.0.1",
-					},
 					IPv4: nap("100.64.0.1"),
 				},
 			},
@@ -425,10 +400,6 @@ func TestBackfillIPAddresses(t *testing.T) {

 			want: types.Nodes{
 				&types.Node{
-					IPv6DatabaseField: sql.NullString{
-						Valid:  true,
-						String: "fd7a:115c:a1e0::1",
-					},
 					IPv6: nap("fd7a:115c:a1e0::1"),
 				},
 			},
@@ -474,13 +445,9 @@ func TestBackfillIPAddresses(t *testing.T) {

 	comps := append(util.Comparers, cmpopts.IgnoreFields(types.Node{},
 		"ID",
-		"MachineKeyDatabaseField",
-		"NodeKeyDatabaseField",
-		"DiscoKeyDatabaseField",
 		"User",
 		"UserID",
 		"Endpoints",
-		"HostinfoDatabaseField",
 		"Hostinfo",
 		"Routes",
 		"CreatedAt",
@@ -491,7 +458,12 @@ func TestBackfillIPAddresses(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			db := tt.dbFunc()

-			alloc, err := NewIPAllocator(db, tt.prefix4, tt.prefix6, types.IPAllocationStrategySequential)
+			alloc, err := NewIPAllocator(
+				db,
+				tt.prefix4,
+				tt.prefix6,
+				types.IPAllocationStrategySequential,
+			)
 			if err != nil {
 				t.Fatalf("failed to set up ip alloc: %s", err)
 			}
@@ -514,3 +486,31 @@ func TestBackfillIPAddresses(t *testing.T) {
 		})
 	}
 }
+
+func TestIPAllocatorNextNoReservedIPs(t *testing.T) {
+	alloc, err := NewIPAllocator(
+		db,
+		ptr.To(tsaddr.CGNATRange()),
+		ptr.To(tsaddr.TailscaleULARange()),
+		types.IPAllocationStrategySequential,
+	)
+	if err != nil {
+		t.Fatalf("failed to set up ip alloc: %s", err)
+	}
+
+	// Validate that we do not give out 100.100.100.100
+	nextQuad100, err := alloc.next(na("100.100.100.99"), ptr.To(tsaddr.CGNATRange()))
+	require.NoError(t, err)
+	assert.Equal(t, na("100.100.100.101"), *nextQuad100)
+
+	// Validate that we do not give out fd7a:115c:a1e0::53
+	nextQuad100v6, err := alloc.next(na("fd7a:115c:a1e0::52"), ptr.To(tsaddr.TailscaleULARange()))
+	require.NoError(t, err)
+	assert.Equal(t, na("fd7a:115c:a1e0::54"), *nextQuad100v6)
+
+	// Validate that we do not give out fd7a:115c:a1e0::53
+	nextChrome, err := alloc.next(na("100.115.91.255"), ptr.To(tsaddr.CGNATRange()))
+	t.Logf("chrome: %s", nextChrome.String())
+	require.NoError(t, err)
+	assert.Equal(t, na("100.115.94.0"), *nextChrome)
+}
--- a/hscontrol/db/node.go
+++ b/hscontrol/db/node.go
@@ -1,16 +1,17 @@
 package db

 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/netip"
+	"slices"
 	"sort"
 	"sync"
 	"time"

 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
-	"github.com/patrickmn/go-cache"
 	"github.com/puzpuzpuz/xsync/v3"
 	"github.com/rs/zerolog/log"
 	"gorm.io/gorm"
@@ -90,15 +91,15 @@ func (hsdb *HSDatabase) ListEphemeralNodes() (types.Nodes, error) {
 	})
 }

-func (hsdb *HSDatabase) getNode(user string, name string) (*types.Node, error) {
+func (hsdb *HSDatabase) getNode(uid types.UserID, name string) (*types.Node, error) {
 	return Read(hsdb.DB, func(rx *gorm.DB) (*types.Node, error) {
-		return getNode(rx, user, name)
+		return getNode(rx, uid, name)
 	})
 }

 // getNode finds a Node by name and user and returns the Node struct.
-func getNode(tx *gorm.DB, user string, name string) (*types.Node, error) {
-	nodes, err := ListNodesByUser(tx, user)
+func getNode(tx *gorm.DB, uid types.UserID, name string) (*types.Node, error) {
+	nodes, err := ListNodesByUser(tx, uid)
 	if err != nil {
 		return nil, err
 	}
@@ -206,21 +207,26 @@ func SetTags(
 ) error {
 	if len(tags) == 0 {
 		// if no tags are provided, we remove all forced tags
-		if err := tx.Model(&types.Node{}).Where("id = ?", nodeID).Update("forced_tags", types.StringList{}).Error; err != nil {
+		if err := tx.Model(&types.Node{}).Where("id = ?", nodeID).Update("forced_tags", "[]").Error; err != nil {
 			return fmt.Errorf("failed to remove tags for node in the database: %w", err)
 		}

 		return nil
 	}

-	var newTags types.StringList
+	var newTags []string
 	for _, tag := range tags {
-		if !util.StringOrPrefixListContains(newTags, tag) {
+		if !slices.Contains(newTags, tag) {
 			newTags = append(newTags, tag)
 		}
 	}

-	if err := tx.Model(&types.Node{}).Where("id = ?", nodeID).Update("forced_tags", newTags).Error; err != nil {
+	b, err := json.Marshal(newTags)
+	if err != nil {
+		return err
+	}
+
+	if err := tx.Model(&types.Node{}).Where("id = ?", nodeID).Update("forced_tags", string(b)).Error; err != nil {
 		return fmt.Errorf("failed to update tags for node in the database: %w", err)
 	}

@@ -239,7 +245,7 @@ func RenameNode(tx *gorm.DB,
 		return fmt.Errorf("renaming node: %w", err)
 	}

-	uniq, err := isUnqiueName(tx, newName)
+	uniq, err := isUniqueName(tx, newName)
 	if err != nil {
 		return fmt.Errorf("checking if name is unique: %w", err)
 	}
@@ -313,26 +319,17 @@ func SetLastSeen(tx *gorm.DB, nodeID types.NodeID, lastSeen time.Time) error {
 	return tx.Model(&types.Node{}).Where("id = ?", nodeID).Update("last_seen", lastSeen).Error
 }

-func RegisterNodeFromAuthCallback(
-	tx *gorm.DB,
-	cache *cache.Cache,
+func (hsdb *HSDatabase) RegisterNodeFromAuthCallback(
 	mkey key.MachinePublic,
-	userName string,
+	userID types.UserID,
 	nodeExpiry *time.Time,
 	registrationMethod string,
 	ipv4 *netip.Addr,
 	ipv6 *netip.Addr,
 ) (*types.Node, error) {
-	log.Debug().
-		Str("machine_key", mkey.ShortString()).
-		Str("userName", userName).
-		Str("registrationMethod", registrationMethod).
-		Str("expiresAt", fmt.Sprintf("%v", nodeExpiry)).
-		Msg("Registering node from API/CLI or auth callback")
-
-	if nodeInterface, ok := cache.Get(mkey.String()); ok {
-		if registrationNode, ok := nodeInterface.(types.Node); ok {
-			user, err := GetUser(tx, userName)
+	return Write(hsdb.DB, func(tx *gorm.DB) (*types.Node, error) {
+		if node, ok := hsdb.regCache.Get(mkey.String()); ok {
+			user, err := GetUserByID(tx, userID)
 			if err != nil {
 				return nil, fmt.Errorf(
 					"failed to find user in register node from auth callback, %w",
@@ -340,37 +337,42 @@ func RegisterNodeFromAuthCallback(
 				)
 			}

+			log.Debug().
+				Str("machine_key", mkey.ShortString()).
+				Str("username", user.Username()).
+				Str("registrationMethod", registrationMethod).
+				Str("expiresAt", fmt.Sprintf("%v", nodeExpiry)).
+				Msg("Registering node from API/CLI or auth callback")
+
 			// Registration of expired node with different user
-			if registrationNode.ID != 0 &&
-				registrationNode.UserID != user.ID {
+			if node.ID != 0 &&
+				node.UserID != user.ID {
 				return nil, ErrDifferentRegisteredUser
 			}

-			registrationNode.UserID = user.ID
-			registrationNode.User = *user
-			registrationNode.RegisterMethod = registrationMethod
+			node.UserID = user.ID
+			node.User = *user
+			node.RegisterMethod = registrationMethod

 			if nodeExpiry != nil {
-				registrationNode.Expiry = nodeExpiry
+				node.Expiry = nodeExpiry
 			}

 			node, err := RegisterNode(
 				tx,
-				registrationNode,
+				node,
 				ipv4, ipv6,
 			)

 			if err == nil {
-				cache.Delete(mkey.String())
+				hsdb.regCache.Delete(mkey.String())
 			}

 			return node, err
-		} else {
-			return nil, ErrCouldNotConvertNodeInterface
 		}
-	}

-	return nil, ErrNodeNotFoundRegistrationCache
+		return nil, ErrNodeNotFoundRegistrationCache
+	})
 }

 func (hsdb *HSDatabase) RegisterNode(node types.Node, ipv4 *netip.Addr, ipv6 *netip.Addr) (*types.Node, error) {
@@ -385,7 +387,7 @@ func RegisterNode(tx *gorm.DB, node types.Node, ipv4 *netip.Addr, ipv6 *netip.Ad
 		Str("node", node.Hostname).
 		Str("machine_key", node.MachineKey.ShortString()).
 		Str("node_key", node.NodeKey.ShortString()).
-		Str("user", node.User.Name).
+		Str("user", node.User.Username()).
 		Msg("Registering node")

 	// If the node exists and it already has IP(s), we just save it
@@ -401,7 +403,7 @@ func RegisterNode(tx *gorm.DB, node types.Node, ipv4 *netip.Addr, ipv6 *netip.Ad
 			Str("node", node.Hostname).
 			Str("machine_key", node.MachineKey.ShortString()).
 			Str("node_key", node.NodeKey.ShortString()).
-			Str("user", node.User.Name).
+			Str("user", node.User.Username()).
 			Msg("Node authorized again")

 		return &node, nil
@@ -538,34 +540,24 @@ func IsRoutesEnabled(tx *gorm.DB, node *types.Node, routeStr string) bool {

 func (hsdb *HSDatabase) enableRoutes(
 	node *types.Node,
-	routeStrs ...string,
+	newRoutes ...netip.Prefix,
 ) (*types.StateUpdate, error) {
 	return Write(hsdb.DB, func(tx *gorm.DB) (*types.StateUpdate, error) {
-		return enableRoutes(tx, node, routeStrs...)
+		return enableRoutes(tx, node, newRoutes...)
 	})
 }

 // enableRoutes enables new routes based on a list of new routes.
 func enableRoutes(tx *gorm.DB,
-	node *types.Node, routeStrs ...string,
+	node *types.Node, newRoutes ...netip.Prefix,
 ) (*types.StateUpdate, error) {
-	newRoutes := make([]netip.Prefix, len(routeStrs))
-	for index, routeStr := range routeStrs {
-		route, err := netip.ParsePrefix(routeStr)
-		if err != nil {
-			return nil, err
-		}
-
-		newRoutes[index] = route
-	}
-
 	advertisedRoutes, err := GetAdvertisedRoutes(tx, node)
 	if err != nil {
 		return nil, err
 	}

 	for _, newRoute := range newRoutes {
-		if !util.StringOrPrefixListContains(advertisedRoutes, newRoute) {
+		if !slices.Contains(advertisedRoutes, newRoute) {
 			return nil, fmt.Errorf(
 				"route (%s) is not available on node %s: %w",
 				node.Hostname,
@@ -578,7 +570,7 @@ func enableRoutes(tx *gorm.DB,
 	for _, prefix := range newRoutes {
 		route := types.Route{}
 		err := tx.Preload("Node").
-			Where("node_id = ? AND prefix = ?", node.ID, types.IPPrefix(prefix)).
+			Where("node_id = ? AND prefix = ?", node.ID, prefix.String()).
 			First(&route).Error
 		if err == nil {
 			route.Enabled = true
@@ -607,12 +599,6 @@ func enableRoutes(tx *gorm.DB,

 	node.Routes = nRoutes

-	log.Trace().
-		Caller().
-		Str("node", node.Hostname).
-		Strs("routes", routeStrs).
-		Msg("enabling routes")
-
 	return &types.StateUpdate{
 		Type:        types.StatePeerChanged,
 		ChangeNodes: []types.NodeID{node.ID},
@@ -621,18 +607,16 @@ func enableRoutes(tx *gorm.DB,
 }

 func generateGivenName(suppliedName string, randomSuffix bool) (string, error) {
-	normalizedHostname, err := util.NormalizeToFQDNRulesConfigFromViper(
-		suppliedName,
-	)
-	if err != nil {
-		return "", err
+	suppliedName = util.ConvertWithFQDNRules(suppliedName)
+	if len(suppliedName) > util.LabelHostnameLength {
+		return "", types.ErrHostnameTooLong
 	}

 	if randomSuffix {
 		// Trim if a hostname will be longer than 63 chars after adding the hash.
 		trimmedHostnameLength := util.LabelHostnameLength - NodeGivenNameHashLength - NodeGivenNameTrimSize
-		if len(normalizedHostname) > trimmedHostnameLength {
-			normalizedHostname = normalizedHostname[:trimmedHostnameLength]
+		if len(suppliedName) > trimmedHostnameLength {
+			suppliedName = suppliedName[:trimmedHostnameLength]
 		}

 		suffix, err := util.GenerateRandomStringDNSSafe(NodeGivenNameHashLength)
@@ -640,13 +624,13 @@ func generateGivenName(suppliedName string, randomSuffix bool) (string, error) {
 			return "", err
 		}

-		normalizedHostname += "-" + suffix
+		suppliedName += "-" + suffix
 	}

-	return normalizedHostname, nil
+	return suppliedName, nil
 }

-func isUnqiueName(tx *gorm.DB, name string) (bool, error) {
+func isUniqueName(tx *gorm.DB, name string) (bool, error) {
 	nodes := types.Nodes{}
 	if err := tx.
 		Where("given_name = ?", name).Find(&nodes).Error; err != nil {
@@ -665,7 +649,7 @@ func ensureUniqueGivenName(
 		return "", err
 	}

-	unique, err := isUnqiueName(tx, givenName)
+	unique, err := isUniqueName(tx, givenName)
 	if err != nil {
 		return "", err
 	}
--- a/hscontrol/db/node_test.go
+++ b/hscontrol/db/node_test.go
@@ -6,7 +6,6 @@ import (
 	"math/big"
 	"net/netip"
 	"regexp"
-	"sort"
 	"strconv"
 	"sync"
 	"testing"
@@ -18,21 +17,23 @@ import (
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/puzpuzpuz/xsync/v3"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"gopkg.in/check.v1"
 	"gorm.io/gorm"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/ptr"
 )

 func (s *Suite) TestGetNode(c *check.C) {
-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	_, err = db.getNode("test", "testnode")
+	_, err = db.getNode(types.UserID(user.ID), "testnode")
 	c.Assert(err, check.NotNil)

 	nodeKey := key.NewNode()
@@ -50,15 +51,15 @@ func (s *Suite) TestGetNode(c *check.C) {
 	trx := db.DB.Save(node)
 	c.Assert(trx.Error, check.IsNil)

-	_, err = db.getNode("test", "testnode")
+	_, err = db.getNode(types.UserID(user.ID), "testnode")
 	c.Assert(err, check.IsNil)
 }

 func (s *Suite) TestGetNodeByID(c *check.C) {
-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

 	_, err = db.GetNodeByID(0)
@@ -84,10 +85,10 @@ func (s *Suite) TestGetNodeByID(c *check.C) {
 }

 func (s *Suite) TestGetNodeByAnyNodeKey(c *check.C) {
-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

 	_, err = db.GetNodeByID(0)
@@ -115,7 +116,7 @@ func (s *Suite) TestGetNodeByAnyNodeKey(c *check.C) {
 }

 func (s *Suite) TestHardDeleteNode(c *check.C) {
-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

 	nodeKey := key.NewNode()
@@ -135,15 +136,15 @@ func (s *Suite) TestHardDeleteNode(c *check.C) {
 	_, err = db.DeleteNode(&node, xsync.NewMapOf[types.NodeID, bool]())
 	c.Assert(err, check.IsNil)

-	_, err = db.getNode(user.Name, "testnode3")
+	_, err = db.getNode(types.UserID(user.ID), "testnode3")
 	c.Assert(err, check.NotNil)
 }

 func (s *Suite) TestListPeers(c *check.C) {
-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

 	_, err = db.GetNodeByID(0)
@@ -187,9 +188,9 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
 	stor := make([]base, 0)

 	for _, name := range []string{"test", "admin"} {
-		user, err := db.CreateUser(name)
+		user, err := db.CreateUser(types.User{Name: name})
 		c.Assert(err, check.IsNil)
-		pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+		pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 		c.Assert(err, check.IsNil)
 		stor = append(stor, base{user, pak})
 	}
@@ -201,7 +202,7 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
 		nodeKey := key.NewNode()
 		machineKey := key.NewMachine()

-		v4 := netip.MustParseAddr(fmt.Sprintf("100.64.0.%v", strconv.Itoa(index+1)))
+		v4 := netip.MustParseAddr(fmt.Sprintf("100.64.0.%d", index+1))
 		node := types.Node{
 			ID:             types.NodeID(index),
 			MachineKey:     machineKey.Public(),
@@ -239,6 +240,8 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {

 	adminNode, err := db.GetNodeByID(1)
 	c.Logf("Node(%v), user: %v", adminNode.Hostname, adminNode.User)
+	c.Assert(adminNode.IPv4, check.NotNil)
+	c.Assert(adminNode.IPv6, check.IsNil)
 	c.Assert(err, check.IsNil)

 	testNode, err := db.GetNodeByID(2)
@@ -247,26 +250,28 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {

 	adminPeers, err := db.ListPeers(adminNode.ID)
 	c.Assert(err, check.IsNil)
+	c.Assert(len(adminPeers), check.Equals, 9)

 	testPeers, err := db.ListPeers(testNode.ID)
 	c.Assert(err, check.IsNil)
+	c.Assert(len(testPeers), check.Equals, 9)

-	adminRules, _, err := policy.GenerateFilterAndSSHRulesForTests(aclPolicy, adminNode, adminPeers)
+	adminRules, _, err := policy.GenerateFilterAndSSHRulesForTests(aclPolicy, adminNode, adminPeers, []types.User{*stor[0].user, *stor[1].user})
 	c.Assert(err, check.IsNil)

-	testRules, _, err := policy.GenerateFilterAndSSHRulesForTests(aclPolicy, testNode, testPeers)
+	testRules, _, err := policy.GenerateFilterAndSSHRulesForTests(aclPolicy, testNode, testPeers, []types.User{*stor[0].user, *stor[1].user})
 	c.Assert(err, check.IsNil)

 	peersOfAdminNode := policy.FilterNodesByACL(adminNode, adminPeers, adminRules)
 	peersOfTestNode := policy.FilterNodesByACL(testNode, testPeers, testRules)
-
+	c.Log(peersOfAdminNode)
 	c.Log(peersOfTestNode)
+
 	c.Assert(len(peersOfTestNode), check.Equals, 9)
 	c.Assert(peersOfTestNode[0].Hostname, check.Equals, "testnode1")
 	c.Assert(peersOfTestNode[1].Hostname, check.Equals, "testnode3")
 	c.Assert(peersOfTestNode[3].Hostname, check.Equals, "testnode5")

-	c.Log(peersOfAdminNode)
 	c.Assert(len(peersOfAdminNode), check.Equals, 9)
 	c.Assert(peersOfAdminNode[0].Hostname, check.Equals, "testnode2")
 	c.Assert(peersOfAdminNode[2].Hostname, check.Equals, "testnode4")
@@ -274,13 +279,13 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
 }

 func (s *Suite) TestExpireNode(c *check.C) {
-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	_, err = db.getNode("test", "testnode")
+	_, err = db.getNode(types.UserID(user.ID), "testnode")
 	c.Assert(err, check.NotNil)

 	nodeKey := key.NewNode()
@@ -298,7 +303,7 @@ func (s *Suite) TestExpireNode(c *check.C) {
 	}
 	db.DB.Save(node)

-	nodeFromDB, err := db.getNode("test", "testnode")
+	nodeFromDB, err := db.getNode(types.UserID(user.ID), "testnode")
 	c.Assert(err, check.IsNil)
 	c.Assert(nodeFromDB, check.NotNil)

@@ -308,20 +313,20 @@ func (s *Suite) TestExpireNode(c *check.C) {
 	err = db.NodeSetExpiry(nodeFromDB.ID, now)
 	c.Assert(err, check.IsNil)

-	nodeFromDB, err = db.getNode("test", "testnode")
+	nodeFromDB, err = db.getNode(types.UserID(user.ID), "testnode")
 	c.Assert(err, check.IsNil)

 	c.Assert(nodeFromDB.IsExpired(), check.Equals, true)
 }

 func (s *Suite) TestSetTags(c *check.C) {
-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	_, err = db.getNode("test", "testnode")
+	_, err = db.getNode(types.UserID(user.ID), "testnode")
 	c.Assert(err, check.NotNil)

 	nodeKey := key.NewNode()
@@ -344,28 +349,28 @@ func (s *Suite) TestSetTags(c *check.C) {
 	sTags := []string{"tag:test", "tag:foo"}
 	err = db.SetTags(node.ID, sTags)
 	c.Assert(err, check.IsNil)
-	node, err = db.getNode("test", "testnode")
+	node, err = db.getNode(types.UserID(user.ID), "testnode")
 	c.Assert(err, check.IsNil)
-	c.Assert(node.ForcedTags, check.DeepEquals, types.StringList(sTags))
+	c.Assert(node.ForcedTags, check.DeepEquals, sTags)

 	// assign duplicate tags, expect no errors but no doubles in DB
 	eTags := []string{"tag:bar", "tag:test", "tag:unknown", "tag:test"}
 	err = db.SetTags(node.ID, eTags)
 	c.Assert(err, check.IsNil)
-	node, err = db.getNode("test", "testnode")
+	node, err = db.getNode(types.UserID(user.ID), "testnode")
 	c.Assert(err, check.IsNil)
 	c.Assert(
 		node.ForcedTags,
 		check.DeepEquals,
-		types.StringList([]string{"tag:bar", "tag:test", "tag:unknown"}),
+		[]string{"tag:bar", "tag:test", "tag:unknown"},
 	)

 	// test removing tags
 	err = db.SetTags(node.ID, []string{})
 	c.Assert(err, check.IsNil)
-	node, err = db.getNode("test", "testnode")
+	node, err = db.getNode(types.UserID(user.ID), "testnode")
 	c.Assert(err, check.IsNil)
-	c.Assert(node.ForcedTags, check.DeepEquals, types.StringList([]string{}))
+	c.Assert(node.ForcedTags, check.DeepEquals, []string{})
 }

 func TestHeadscale_generateGivenName(t *testing.T) {
@@ -388,6 +393,15 @@ func TestHeadscale_generateGivenName(t *testing.T) {
 			want:    regexp.MustCompile("^testnode$"),
 			wantErr: false,
 		},
+		{
+			name: "UPPERCASE node name generation",
+			args: args{
+				suppliedName: "TestNode",
+				randomSuffix: false,
+			},
+			want:    regexp.MustCompile("^testnode$"),
+			wantErr: false,
+		},
 		{
 			name: "node name with 53 chars",
 			args: args{
@@ -528,34 +542,34 @@ func TestAutoApproveRoutes(t *testing.T) {
 	}
 }`,
 			routes: []netip.Prefix{
-				netip.MustParsePrefix("0.0.0.0/0"),
-				netip.MustParsePrefix("::/0"),
+				tsaddr.AllIPv4(),
+				tsaddr.AllIPv6(),
 				netip.MustParsePrefix("10.10.0.0/16"),
 				netip.MustParsePrefix("10.11.0.0/24"),
 			},
 			want: []netip.Prefix{
-				netip.MustParsePrefix("::/0"),
-				netip.MustParsePrefix("10.11.0.0/24"),
+				tsaddr.AllIPv4(),
 				netip.MustParsePrefix("10.10.0.0/16"),
-				netip.MustParsePrefix("0.0.0.0/0"),
+				netip.MustParsePrefix("10.11.0.0/24"),
+				tsaddr.AllIPv6(),
 			},
 		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			adb, err := newTestDB()
-			assert.NoError(t, err)
+			adb, err := newSQLiteTestDB()
+			require.NoError(t, err)
 			pol, err := policy.LoadACLPolicyFromBytes([]byte(tt.acl))

-			assert.NoError(t, err)
-			assert.NotNil(t, pol)
+			require.NoError(t, err)
+			require.NotNil(t, pol)

-			user, err := adb.CreateUser("test")
-			assert.NoError(t, err)
+			user, err := adb.CreateUser(types.User{Name: "test"})
+			require.NoError(t, err)

-			pak, err := adb.CreatePreAuthKey(user.Name, false, false, nil, nil)
-			assert.NoError(t, err)
+			pak, err := adb.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
+			require.NoError(t, err)

 			nodeKey := key.NewNode()
 			machineKey := key.NewMachine()
@@ -577,26 +591,33 @@ func TestAutoApproveRoutes(t *testing.T) {
 			}

 			trx := adb.DB.Save(&node)
-			assert.NoError(t, trx.Error)
+			require.NoError(t, trx.Error)

 			sendUpdate, err := adb.SaveNodeRoutes(&node)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.False(t, sendUpdate)

 			node0ByID, err := adb.GetNodeByID(0)
+			require.NoError(t, err)
+
+			users, err := adb.ListUsers()
+			assert.NoError(t, err)
+
+			nodes, err := adb.ListNodes()
+			assert.NoError(t, err)
+
+			pm, err := policy.NewPolicyManager([]byte(tt.acl), users, nodes)
 			assert.NoError(t, err)

 			// TODO(kradalby): Check state update
-			err = adb.EnableAutoApprovedRoutes(pol, node0ByID)
-			assert.NoError(t, err)
+			err = adb.EnableAutoApprovedRoutes(pm, node0ByID)
+			require.NoError(t, err)

 			enabledRoutes, err := adb.GetEnabledRoutes(node0ByID)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.Len(t, enabledRoutes, len(tt.want))

-			sort.Slice(enabledRoutes, func(i, j int) bool {
-				return util.ComparePrefix(enabledRoutes[i], enabledRoutes[j]) > 0
-			})
+			tsaddr.SortPrefixes(enabledRoutes)

 			if diff := cmp.Diff(tt.want, enabledRoutes, util.Comparers...); diff != "" {
 				t.Errorf("unexpected enabled routes (-want +got):\n%s", diff)
@@ -680,19 +701,19 @@ func generateRandomNumber(t *testing.T, max int64) int64 {
 }

 func TestListEphemeralNodes(t *testing.T) {
-	db, err := newTestDB()
+	db, err := newSQLiteTestDB()
 	if err != nil {
 		t.Fatalf("creating db: %s", err)
 	}

-	user, err := db.CreateUser("test")
-	assert.NoError(t, err)
+	user, err := db.CreateUser(types.User{Name: "test"})
+	require.NoError(t, err)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
-	assert.NoError(t, err)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
+	require.NoError(t, err)

-	pakEph, err := db.CreatePreAuthKey(user.Name, false, true, nil, nil)
-	assert.NoError(t, err)
+	pakEph, err := db.CreatePreAuthKey(types.UserID(user.ID), false, true, nil, nil)
+	require.NoError(t, err)

 	node := types.Node{
 		ID:             0,
@@ -715,16 +736,16 @@ func TestListEphemeralNodes(t *testing.T) {
 	}

 	err = db.DB.Save(&node).Error
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	err = db.DB.Save(&nodeEph).Error
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	nodes, err := db.ListNodes()
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	ephemeralNodes, err := db.ListEphemeralNodes()
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	assert.Len(t, nodes, 2)
 	assert.Len(t, ephemeralNodes, 1)
@@ -736,16 +757,16 @@ func TestListEphemeralNodes(t *testing.T) {
 }

 func TestRenameNode(t *testing.T) {
-	db, err := newTestDB()
+	db, err := newSQLiteTestDB()
 	if err != nil {
 		t.Fatalf("creating db: %s", err)
 	}

-	user, err := db.CreateUser("test")
-	assert.NoError(t, err)
+	user, err := db.CreateUser(types.User{Name: "test"})
+	require.NoError(t, err)

-	user2, err := db.CreateUser("test2")
-	assert.NoError(t, err)
+	user2, err := db.CreateUser(types.User{Name: "user2"})
+	require.NoError(t, err)

 	node := types.Node{
 		ID:             0,
@@ -766,10 +787,10 @@ func TestRenameNode(t *testing.T) {
 	}

 	err = db.DB.Save(&node).Error
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	err = db.DB.Save(&node2).Error
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	err = db.DB.Transaction(func(tx *gorm.DB) error {
 		_, err := RegisterNode(tx, node, nil, nil)
@@ -779,10 +800,10 @@ func TestRenameNode(t *testing.T) {
 		_, err = RegisterNode(tx, node2, nil, nil)
 		return err
 	})
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	nodes, err := db.ListNodes()
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	assert.Len(t, nodes, 2)

@@ -804,26 +825,26 @@ func TestRenameNode(t *testing.T) {
 	err = db.Write(func(tx *gorm.DB) error {
 		return RenameNode(tx, nodes[0].ID, "newname")
 	})
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	nodes, err = db.ListNodes()
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Len(t, nodes, 2)
-	assert.Equal(t, nodes[0].Hostname, "test")
-	assert.Equal(t, nodes[0].GivenName, "newname")
+	assert.Equal(t, "test", nodes[0].Hostname)
+	assert.Equal(t, "newname", nodes[0].GivenName)

 	// Nodes can reuse name that is no longer used
 	err = db.Write(func(tx *gorm.DB) error {
 		return RenameNode(tx, nodes[1].ID, "test")
 	})
-	assert.NoError(t, err)
+	require.NoError(t, err)

 	nodes, err = db.ListNodes()
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Len(t, nodes, 2)
-	assert.Equal(t, nodes[0].Hostname, "test")
-	assert.Equal(t, nodes[0].GivenName, "newname")
-	assert.Equal(t, nodes[1].GivenName, "test")
+	assert.Equal(t, "test", nodes[0].Hostname)
+	assert.Equal(t, "newname", nodes[0].GivenName)
+	assert.Equal(t, "test", nodes[1].GivenName)

 	// Nodes cannot be renamed to used names
 	err = db.Write(func(tx *gorm.DB) error {
--- a/hscontrol/db/preauth_keys.go
+++ b/hscontrol/db/preauth_keys.go
@@ -11,6 +11,7 @@ import (
 	"github.com/juanfont/headscale/hscontrol/types"
 	"gorm.io/gorm"
 	"tailscale.com/types/ptr"
+	"tailscale.com/util/set"
 )

 var (
@@ -22,31 +23,36 @@ var (
 )

 func (hsdb *HSDatabase) CreatePreAuthKey(
-	userName string,
+	uid types.UserID,
 	reusable bool,
 	ephemeral bool,
 	expiration *time.Time,
 	aclTags []string,
 ) (*types.PreAuthKey, error) {
 	return Write(hsdb.DB, func(tx *gorm.DB) (*types.PreAuthKey, error) {
-		return CreatePreAuthKey(tx, userName, reusable, ephemeral, expiration, aclTags)
+		return CreatePreAuthKey(tx, uid, reusable, ephemeral, expiration, aclTags)
 	})
 }

 // CreatePreAuthKey creates a new PreAuthKey in a user, and returns it.
 func CreatePreAuthKey(
 	tx *gorm.DB,
-	userName string,
+	uid types.UserID,
 	reusable bool,
 	ephemeral bool,
 	expiration *time.Time,
 	aclTags []string,
 ) (*types.PreAuthKey, error) {
-	user, err := GetUser(tx, userName)
+	user, err := GetUserByID(tx, uid)
 	if err != nil {
 		return nil, err
 	}

+	// Remove duplicates
+	aclTags = set.SetOf(aclTags).Slice()
+
+	// TODO(kradalby): factor out and create a reusable tag validation,
+	// check if there is one in Tailscale's lib.
 	for _, tag := range aclTags {
 		if !strings.HasPrefix(tag, "tag:") {
 			return nil, fmt.Errorf(
@@ -71,46 +77,31 @@ func CreatePreAuthKey(
 		Ephemeral:  ephemeral,
 		CreatedAt:  &now,
 		Expiration: expiration,
+		Tags:       aclTags,
 	}

 	if err := tx.Save(&key).Error; err != nil {
 		return nil, fmt.Errorf("failed to create key in the database: %w", err)
 	}

-	if len(aclTags) > 0 {
-		seenTags := map[string]bool{}
-
-		for _, tag := range aclTags {
-			if !seenTags[tag] {
-				if err := tx.Save(&types.PreAuthKeyACLTag{PreAuthKeyID: key.ID, Tag: tag}).Error; err != nil {
-					return nil, fmt.Errorf(
-						"failed to create key tag in the database: %w",
-						err,
-					)
-				}
-				seenTags[tag] = true
-			}
-		}
-	}
-
 	return &key, nil
 }

-func (hsdb *HSDatabase) ListPreAuthKeys(userName string) ([]types.PreAuthKey, error) {
+func (hsdb *HSDatabase) ListPreAuthKeys(uid types.UserID) ([]types.PreAuthKey, error) {
 	return Read(hsdb.DB, func(rx *gorm.DB) ([]types.PreAuthKey, error) {
-		return ListPreAuthKeys(rx, userName)
+		return ListPreAuthKeysByUser(rx, uid)
 	})
 }

-// ListPreAuthKeys returns the list of PreAuthKeys for a user.
-func ListPreAuthKeys(tx *gorm.DB, userName string) ([]types.PreAuthKey, error) {
-	user, err := GetUser(tx, userName)
+// ListPreAuthKeysByUser returns the list of PreAuthKeys for a user.
+func ListPreAuthKeysByUser(tx *gorm.DB, uid types.UserID) ([]types.PreAuthKey, error) {
+	user, err := GetUserByID(tx, uid)
 	if err != nil {
 		return nil, err
 	}

 	keys := []types.PreAuthKey{}
-	if err := tx.Preload("User").Preload("ACLTags").Where(&types.PreAuthKey{UserID: user.ID}).Find(&keys).Error; err != nil {
+	if err := tx.Preload("User").Where(&types.PreAuthKey{UserID: user.ID}).Find(&keys).Error; err != nil {
 		return nil, err
 	}

@@ -135,10 +126,6 @@ func GetPreAuthKey(tx *gorm.DB, user string, key string) (*types.PreAuthKey, err
 // does not exist.
 func DestroyPreAuthKey(tx *gorm.DB, pak types.PreAuthKey) error {
 	return tx.Transaction(func(db *gorm.DB) error {
-		if result := db.Unscoped().Where(types.PreAuthKeyACLTag{PreAuthKeyID: pak.ID}).Delete(&types.PreAuthKeyACLTag{}); result.Error != nil {
-			return result.Error
-		}
-
 		if result := db.Unscoped().Delete(pak); result.Error != nil {
 			return result.Error
 		}
@@ -182,7 +169,7 @@ func (hsdb *HSDatabase) ValidatePreAuthKey(k string) (*types.PreAuthKey, error)
 // If returns no error and a PreAuthKey, it can be used.
 func ValidatePreAuthKey(tx *gorm.DB, k string) (*types.PreAuthKey, error) {
 	pak := types.PreAuthKey{}
-	if result := tx.Preload("User").Preload("ACLTags").First(&pak, "key = ?", k); errors.Is(
+	if result := tx.Preload("User").First(&pak, "key = ?", k); errors.Is(
 		result.Error,
 		gorm.ErrRecordNotFound,
 	) {
--- a/hscontrol/db/preauth_keys_test.go
+++ b/hscontrol/db/preauth_keys_test.go
@@ -1,6 +1,7 @@
 package db

 import (
+	"sort"
 	"time"

 	"github.com/juanfont/headscale/hscontrol/types"
@@ -10,14 +11,14 @@ import (
 )

 func (*Suite) TestCreatePreAuthKey(c *check.C) {
-	_, err := db.CreatePreAuthKey("bogus", true, false, nil, nil)
-
+	// ID does not exist
+	_, err := db.CreatePreAuthKey(12345, true, false, nil, nil)
 	c.Assert(err, check.NotNil)

-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	key, err := db.CreatePreAuthKey(user.Name, true, false, nil, nil)
+	key, err := db.CreatePreAuthKey(types.UserID(user.ID), true, false, nil, nil)
 	c.Assert(err, check.IsNil)

 	// Did we get a valid key?
@@ -25,25 +26,26 @@ func (*Suite) TestCreatePreAuthKey(c *check.C) {
 	c.Assert(len(key.Key), check.Equals, 48)

 	// Make sure the User association is populated
-	c.Assert(key.User.Name, check.Equals, user.Name)
+	c.Assert(key.User.ID, check.Equals, user.ID)

-	_, err = db.ListPreAuthKeys("bogus")
+	// ID does not exist
+	_, err = db.ListPreAuthKeys(1000000)
 	c.Assert(err, check.NotNil)

-	keys, err := db.ListPreAuthKeys(user.Name)
+	keys, err := db.ListPreAuthKeys(types.UserID(user.ID))
 	c.Assert(err, check.IsNil)
 	c.Assert(len(keys), check.Equals, 1)

 	// Make sure the User association is populated
-	c.Assert((keys)[0].User.Name, check.Equals, user.Name)
+	c.Assert((keys)[0].User.ID, check.Equals, user.ID)
 }

 func (*Suite) TestExpiredPreAuthKey(c *check.C) {
-	user, err := db.CreateUser("test2")
+	user, err := db.CreateUser(types.User{Name: "test2"})
 	c.Assert(err, check.IsNil)

 	now := time.Now().Add(-5 * time.Second)
-	pak, err := db.CreatePreAuthKey(user.Name, true, false, &now, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), true, false, &now, nil)
 	c.Assert(err, check.IsNil)

 	key, err := db.ValidatePreAuthKey(pak.Key)
@@ -58,10 +60,10 @@ func (*Suite) TestPreAuthKeyDoesNotExist(c *check.C) {
 }

 func (*Suite) TestValidateKeyOk(c *check.C) {
-	user, err := db.CreateUser("test3")
+	user, err := db.CreateUser(types.User{Name: "test3"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, true, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), true, false, nil, nil)
 	c.Assert(err, check.IsNil)

 	key, err := db.ValidatePreAuthKey(pak.Key)
@@ -70,10 +72,10 @@ func (*Suite) TestValidateKeyOk(c *check.C) {
 }

 func (*Suite) TestAlreadyUsedKey(c *check.C) {
-	user, err := db.CreateUser("test4")
+	user, err := db.CreateUser(types.User{Name: "test4"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

 	node := types.Node{
@@ -92,10 +94,10 @@ func (*Suite) TestAlreadyUsedKey(c *check.C) {
 }

 func (*Suite) TestReusableBeingUsedKey(c *check.C) {
-	user, err := db.CreateUser("test5")
+	user, err := db.CreateUser(types.User{Name: "test5"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, true, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), true, false, nil, nil)
 	c.Assert(err, check.IsNil)

 	node := types.Node{
@@ -114,10 +116,10 @@ func (*Suite) TestReusableBeingUsedKey(c *check.C) {
 }

 func (*Suite) TestNotReusableNotBeingUsedKey(c *check.C) {
-	user, err := db.CreateUser("test6")
+	user, err := db.CreateUser(types.User{Name: "test6"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

 	key, err := db.ValidatePreAuthKey(pak.Key)
@@ -126,10 +128,10 @@ func (*Suite) TestNotReusableNotBeingUsedKey(c *check.C) {
 }

 func (*Suite) TestExpirePreauthKey(c *check.C) {
-	user, err := db.CreateUser("test3")
+	user, err := db.CreateUser(types.User{Name: "test3"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, true, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), true, false, nil, nil)
 	c.Assert(err, check.IsNil)
 	c.Assert(pak.Expiration, check.IsNil)

@@ -143,10 +145,10 @@ func (*Suite) TestExpirePreauthKey(c *check.C) {
 }

 func (*Suite) TestNotReusableMarkedAsUsed(c *check.C) {
-	user, err := db.CreateUser("test6")
+	user, err := db.CreateUser(types.User{Name: "test6"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 	pak.Used = true
 	db.DB.Save(&pak)
@@ -156,18 +158,20 @@ func (*Suite) TestNotReusableMarkedAsUsed(c *check.C) {
 }

 func (*Suite) TestPreAuthKeyACLTags(c *check.C) {
-	user, err := db.CreateUser("test8")
+	user, err := db.CreateUser(types.User{Name: "test8"})
 	c.Assert(err, check.IsNil)

-	_, err = db.CreatePreAuthKey(user.Name, false, false, nil, []string{"badtag"})
+	_, err = db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, []string{"badtag"})
 	c.Assert(err, check.NotNil) // Confirm that malformed tags are rejected

 	tags := []string{"tag:test1", "tag:test2"}
 	tagsWithDuplicate := []string{"tag:test1", "tag:test2", "tag:test2"}
-	_, err = db.CreatePreAuthKey(user.Name, false, false, nil, tagsWithDuplicate)
+	_, err = db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, tagsWithDuplicate)
 	c.Assert(err, check.IsNil)

-	listedPaks, err := db.ListPreAuthKeys("test8")
+	listedPaks, err := db.ListPreAuthKeys(types.UserID(user.ID))
 	c.Assert(err, check.IsNil)
-	c.Assert(listedPaks[0].Proto().GetAclTags(), check.DeepEquals, tags)
+	gotTags := listedPaks[0].Proto().GetAclTags()
+	sort.Sort(sort.StringSlice(gotTags))
+	c.Assert(gotTags, check.DeepEquals, tags)
 }
--- a/hscontrol/db/routes.go
+++ b/hscontrol/db/routes.go
@@ -11,6 +11,7 @@ import (
 	"github.com/puzpuzpuz/xsync/v3"
 	"github.com/rs/zerolog/log"
 	"gorm.io/gorm"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/util/set"
 )

@@ -48,7 +49,7 @@ func getRoutesByPrefix(tx *gorm.DB, pref netip.Prefix) (types.Routes, error) {
 	err := tx.
 		Preload("Node").
 		Preload("Node.User").
-		Where("prefix = ?", types.IPPrefix(pref)).
+		Where("prefix = ?", pref.String()).
 		Find(&routes).Error
 	if err != nil {
 		return nil, err
@@ -116,13 +117,13 @@ func EnableRoute(tx *gorm.DB, id uint64) (*types.StateUpdate, error) {
 	if route.IsExitRoute() {
 		return enableRoutes(
 			tx,
-			&route.Node,
-			types.ExitRouteV4.String(),
-			types.ExitRouteV6.String(),
+			route.Node,
+			tsaddr.AllIPv4(),
+			tsaddr.AllIPv6(),
 		)
 	}

-	return enableRoutes(tx, &route.Node, netip.Prefix(route.Prefix).String())
+	return enableRoutes(tx, route.Node, netip.Prefix(route.Prefix))
 }

 func DisableRoute(tx *gorm.DB,
@@ -153,7 +154,7 @@ func DisableRoute(tx *gorm.DB,
 			return nil, err
 		}
 	} else {
-		routes, err = GetNodeRoutes(tx, &node)
+		routes, err = GetNodeRoutes(tx, node)
 		if err != nil {
 			return nil, err
 		}
@@ -200,24 +201,26 @@ func DeleteRoute(
 		return nil, err
 	}

+	if route.Node == nil {
+		// If the route is not assigned to a node, just delete it,
+		// there are no updates to be sent as no nodes are
+		// dependent on it
+		if err := tx.Unscoped().Delete(&route).Error; err != nil {
+			return nil, err
+		}
+		return nil, nil
+	}
+
 	var routes types.Routes
 	node := route.Node

 	// Tailscale requires both IPv4 and IPv6 exit routes to
 	// be enabled at the same time, as per
 	// https://github.com/juanfont/headscale/issues/804#issuecomment-1399314002
+	// This means that if we delete a route which is an exit route, delete both.
 	var update []types.NodeID
-	if !route.IsExitRoute() {
-		update, err = failoverRouteTx(tx, isLikelyConnected, route)
-		if err != nil {
-			return nil, nil
-		}
-
-		if err := tx.Unscoped().Delete(&route).Error; err != nil {
-			return nil, err
-		}
-	} else {
-		routes, err = GetNodeRoutes(tx, &node)
+	if route.IsExitRoute() {
+		routes, err = GetNodeRoutes(tx, node)
 		if err != nil {
 			return nil, err
 		}
@@ -232,13 +235,22 @@ func DeleteRoute(
 		if err := tx.Unscoped().Delete(&routesToDelete).Error; err != nil {
 			return nil, err
 		}
+	} else {
+		update, err = failoverRouteTx(tx, isLikelyConnected, route)
+		if err != nil {
+			return nil, nil
+		}
+
+		if err := tx.Unscoped().Delete(&route).Error; err != nil {
+			return nil, err
+		}
 	}

 	// If update is empty, it means that one was not created
 	// by failover (as a failover was not necessary), create
 	// one and return to the caller.
 	if routes == nil {
-		routes, err = GetNodeRoutes(tx, &node)
+		routes, err = GetNodeRoutes(tx, node)
 		if err != nil {
 			return nil, err
 		}
@@ -285,7 +297,7 @@ func isUniquePrefix(tx *gorm.DB, route types.Route) bool {
 	var count int64
 	tx.Model(&types.Route{}).
 		Where("prefix = ? AND node_id != ? AND advertised = ? AND enabled = ?",
-			route.Prefix,
+			route.Prefix.String(),
 			route.NodeID,
 			true, true).Count(&count)

@@ -296,7 +308,7 @@ func getPrimaryRoute(tx *gorm.DB, prefix netip.Prefix) (*types.Route, error) {
 	var route types.Route
 	err := tx.
 		Preload("Node").
-		Where("prefix = ? AND advertised = ? AND enabled = ? AND is_primary = ?", types.IPPrefix(prefix), true, true, true).
+		Where("prefix = ? AND advertised = ? AND enabled = ? AND is_primary = ?", prefix.String(), true, true, true).
 		First(&route).Error
 	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
 		return nil, err
@@ -391,7 +403,7 @@ func SaveNodeRoutes(tx *gorm.DB, node *types.Node) (bool, error) {
 		if !exists {
 			route := types.Route{
 				NodeID:     node.ID.Uint64(),
-				Prefix:     types.IPPrefix(prefix),
+				Prefix:     prefix,
 				Advertised: true,
 				Enabled:    false,
 			}
@@ -405,10 +417,10 @@ func SaveNodeRoutes(tx *gorm.DB, node *types.Node) (bool, error) {
 	return sendUpdate, nil
 }

-// FailoverNodeRoutesIfNeccessary takes a node and checks if the node's route
+// FailoverNodeRoutesIfNecessary takes a node and checks if the node's route
 // need to be failed over to another host.
 // If needed, the failover will be attempted.
-func FailoverNodeRoutesIfNeccessary(
+func FailoverNodeRoutesIfNecessary(
 	tx *gorm.DB,
 	isLikelyConnected *xsync.MapOf[types.NodeID, bool],
 	node *types.Node,
@@ -461,7 +473,7 @@ nodeRouteLoop:
 		return &types.StateUpdate{
 			Type:        types.StatePeerChanged,
 			ChangeNodes: chng,
-			Message:     "called from db.FailoverNodeRoutesIfNeccessary",
+			Message:     "called from db.FailoverNodeRoutesIfNecessary",
 		}, nil
 	}

@@ -597,18 +609,18 @@ func failoverRoute(
 }

 func (hsdb *HSDatabase) EnableAutoApprovedRoutes(
-	aclPolicy *policy.ACLPolicy,
+	polMan policy.PolicyManager,
 	node *types.Node,
 ) error {
 	return hsdb.Write(func(tx *gorm.DB) error {
-		return EnableAutoApprovedRoutes(tx, aclPolicy, node)
+		return EnableAutoApprovedRoutes(tx, polMan, node)
 	})
 }

 // EnableAutoApprovedRoutes enables any routes advertised by a node that match the ACL autoApprovers policy.
 func EnableAutoApprovedRoutes(
 	tx *gorm.DB,
-	aclPolicy *policy.ACLPolicy,
+	polMan policy.PolicyManager,
 	node *types.Node,
 ) error {
 	if node.IPv4 == nil && node.IPv6 == nil {
@@ -629,26 +641,21 @@ func EnableAutoApprovedRoutes(
 			continue
 		}

-		routeApprovers, err := aclPolicy.AutoApprovers.GetRouteApprovers(
-			netip.Prefix(advertisedRoute.Prefix),
-		)
-		if err != nil {
-			return fmt.Errorf("failed to resolve autoApprovers for route(%d) for node(%s %d): %w", advertisedRoute.ID, node.Hostname, node.ID, err)
-		}
+		routeApprovers := polMan.ApproversForRoute(netip.Prefix(advertisedRoute.Prefix))

 		log.Trace().
 			Str("node", node.Hostname).
-			Str("user", node.User.Name).
+			Uint("user.id", node.User.ID).
 			Strs("routeApprovers", routeApprovers).
 			Str("prefix", netip.Prefix(advertisedRoute.Prefix).String()).
 			Msg("looking up route for autoapproving")

 		for _, approvedAlias := range routeApprovers {
-			if approvedAlias == node.User.Name {
+			if approvedAlias == node.User.Username() {
 				approvedRoutes = append(approvedRoutes, advertisedRoute)
 			} else {
 				// TODO(kradalby): figure out how to get this to depend on less stuff
-				approvedIps, err := aclPolicy.ExpandAlias(types.Nodes{node}, approvedAlias)
+				approvedIps, err := polMan.ExpandAlias(approvedAlias)
 				if err != nil {
 					return fmt.Errorf("expanding alias %q for autoApprovers: %w", approvedAlias, err)
 				}
--- a/hscontrol/db/routes_test.go
+++ b/hscontrol/db/routes_test.go
@@ -27,14 +27,18 @@ var smap = func(m map[types.NodeID]bool) *xsync.MapOf[types.NodeID, bool] {
 	return s
 }

+var mp = func(p string) netip.Prefix {
+	return netip.MustParsePrefix(p)
+}
+
 func (s *Suite) TestGetRoutes(c *check.C) {
-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	_, err = db.getNode("test", "test_get_route_node")
+	_, err = db.getNode(types.UserID(user.ID), "test_get_route_node")
 	c.Assert(err, check.NotNil)

 	route, err := netip.ParsePrefix("10.0.0.0/24")
@@ -64,21 +68,21 @@ func (s *Suite) TestGetRoutes(c *check.C) {
 	c.Assert(len(advertisedRoutes), check.Equals, 1)

 	// TODO(kradalby): check state update
-	_, err = db.enableRoutes(&node, "192.168.0.0/24")
+	_, err = db.enableRoutes(&node, mp("192.168.0.0/24"))
 	c.Assert(err, check.NotNil)

-	_, err = db.enableRoutes(&node, "10.0.0.0/24")
+	_, err = db.enableRoutes(&node, mp("10.0.0.0/24"))
 	c.Assert(err, check.IsNil)
 }

 func (s *Suite) TestGetEnableRoutes(c *check.C) {
-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	_, err = db.getNode("test", "test_enable_route_node")
+	_, err = db.getNode(types.UserID(user.ID), "test_enable_route_node")
 	c.Assert(err, check.NotNil)

 	route, err := netip.ParsePrefix(
@@ -119,10 +123,10 @@ func (s *Suite) TestGetEnableRoutes(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(len(noEnabledRoutes), check.Equals, 0)

-	_, err = db.enableRoutes(&node, "192.168.0.0/24")
+	_, err = db.enableRoutes(&node, mp("192.168.0.0/24"))
 	c.Assert(err, check.NotNil)

-	_, err = db.enableRoutes(&node, "10.0.0.0/24")
+	_, err = db.enableRoutes(&node, mp("10.0.0.0/24"))
 	c.Assert(err, check.IsNil)

 	enabledRoutes, err := db.GetEnabledRoutes(&node)
@@ -130,14 +134,14 @@ func (s *Suite) TestGetEnableRoutes(c *check.C) {
 	c.Assert(len(enabledRoutes), check.Equals, 1)

 	// Adding it twice will just let it pass through
-	_, err = db.enableRoutes(&node, "10.0.0.0/24")
+	_, err = db.enableRoutes(&node, mp("10.0.0.0/24"))
 	c.Assert(err, check.IsNil)

 	enableRoutesAfterDoubleApply, err := db.GetEnabledRoutes(&node)
 	c.Assert(err, check.IsNil)
 	c.Assert(len(enableRoutesAfterDoubleApply), check.Equals, 1)

-	_, err = db.enableRoutes(&node, "150.0.10.0/25")
+	_, err = db.enableRoutes(&node, mp("150.0.10.0/25"))
 	c.Assert(err, check.IsNil)

 	enabledRoutesWithAdditionalRoute, err := db.GetEnabledRoutes(&node)
@@ -146,13 +150,13 @@ func (s *Suite) TestGetEnableRoutes(c *check.C) {
 }

 func (s *Suite) TestIsUniquePrefix(c *check.C) {
-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	_, err = db.getNode("test", "test_enable_route_node")
+	_, err = db.getNode(types.UserID(user.ID), "test_enable_route_node")
 	c.Assert(err, check.NotNil)

 	route, err := netip.ParsePrefix(
@@ -183,10 +187,10 @@ func (s *Suite) TestIsUniquePrefix(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(sendUpdate, check.Equals, false)

-	_, err = db.enableRoutes(&node1, route.String())
+	_, err = db.enableRoutes(&node1, route)
 	c.Assert(err, check.IsNil)

-	_, err = db.enableRoutes(&node1, route2.String())
+	_, err = db.enableRoutes(&node1, route2)
 	c.Assert(err, check.IsNil)

 	hostInfo2 := tailcfg.Hostinfo{
@@ -206,7 +210,7 @@ func (s *Suite) TestIsUniquePrefix(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(sendUpdate, check.Equals, false)

-	_, err = db.enableRoutes(&node2, route2.String())
+	_, err = db.enableRoutes(&node2, route2)
 	c.Assert(err, check.IsNil)

 	enabledRoutes1, err := db.GetEnabledRoutes(&node1)
@@ -227,13 +231,13 @@ func (s *Suite) TestIsUniquePrefix(c *check.C) {
 }

 func (s *Suite) TestDeleteRoutes(c *check.C) {
-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	_, err = db.getNode("test", "test_enable_route_node")
+	_, err = db.getNode(types.UserID(user.ID), "test_enable_route_node")
 	c.Assert(err, check.NotNil)

 	prefix, err := netip.ParsePrefix(
@@ -267,10 +271,10 @@ func (s *Suite) TestDeleteRoutes(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(sendUpdate, check.Equals, false)

-	_, err = db.enableRoutes(&node1, prefix.String())
+	_, err = db.enableRoutes(&node1, prefix)
 	c.Assert(err, check.IsNil)

-	_, err = db.enableRoutes(&node1, prefix2.String())
+	_, err = db.enableRoutes(&node1, prefix2)
 	c.Assert(err, check.IsNil)

 	routes, err := db.GetNodeRoutes(&node1)
@@ -286,30 +290,25 @@ func (s *Suite) TestDeleteRoutes(c *check.C) {
 }

 var (
-	ipp    = func(s string) types.IPPrefix { return types.IPPrefix(netip.MustParsePrefix(s)) }
-	mkNode = func(nid types.NodeID) types.Node {
-		return types.Node{ID: nid}
+	ipp = func(s string) netip.Prefix { return netip.MustParsePrefix(s) }
+	np  = func(nid types.NodeID) *types.Node {
+		return &types.Node{ID: nid}
 	}
 )

-var np = func(nid types.NodeID) *types.Node {
-	no := mkNode(nid)
-	return &no
-}
-
-var r = func(id uint, nid types.NodeID, prefix types.IPPrefix, enabled, primary bool) types.Route {
+var r = func(id uint, nid types.NodeID, prefix netip.Prefix, enabled, primary bool) types.Route {
 	return types.Route{
 		Model: gorm.Model{
 			ID: id,
 		},
-		Node:      mkNode(nid),
+		Node:      np(nid),
 		Prefix:    prefix,
 		Enabled:   enabled,
 		IsPrimary: primary,
 	}
 }

-var rp = func(id uint, nid types.NodeID, prefix types.IPPrefix, enabled, primary bool) *types.Route {
+var rp = func(id uint, nid types.NodeID, prefix netip.Prefix, enabled, primary bool) *types.Route {
 	ro := r(id, nid, prefix, enabled, primary)
 	return &ro
 }
@@ -332,6 +331,7 @@ func dbForTest(t *testing.T, testName string) *HSDatabase {
 			},
 		},
 		"",
+		emptyCache(),
 	)
 	if err != nil {
 		t.Fatalf("setting up database: %s", err)
@@ -342,7 +342,7 @@ func dbForTest(t *testing.T, testName string) *HSDatabase {
 	return db
 }

-func TestFailoverNodeRoutesIfNeccessary(t *testing.T) {
+func TestFailoverNodeRoutesIfNecessary(t *testing.T) {
 	su := func(nids ...types.NodeID) *types.StateUpdate {
 		return &types.StateUpdate{
 			ChangeNodes: nids,
@@ -648,7 +648,7 @@ func TestFailoverNodeRoutesIfNeccessary(t *testing.T) {
 				want := tt.want[step]

 				got, err := Write(db.DB, func(tx *gorm.DB) (*types.StateUpdate, error) {
-					return FailoverNodeRoutesIfNeccessary(tx, smap(isConnected), node)
+					return FailoverNodeRoutesIfNecessary(tx, smap(isConnected), node)
 				})

 				if (err != nil) != tt.wantErr {
@@ -688,7 +688,7 @@ func TestFailoverRouteTx(t *testing.T) {
 					ID: 1,
 				},
 				Prefix:    ipp("10.0.0.0/24"),
-				Node:      types.Node{},
+				Node:      &types.Node{},
 				IsPrimary: false,
 			},
 			routes:  types.Routes{},
@@ -702,7 +702,7 @@ func TestFailoverRouteTx(t *testing.T) {
 					ID: 1,
 				},
 				Prefix:    ipp("0.0.0.0/0"),
-				Node:      types.Node{},
+				Node:      &types.Node{},
 				IsPrimary: true,
 			},
 			routes:  types.Routes{},
@@ -716,7 +716,7 @@ func TestFailoverRouteTx(t *testing.T) {
 					ID: 1,
 				},
 				Prefix: ipp("10.0.0.0/24"),
-				Node: types.Node{
+				Node: &types.Node{
 					ID: 1,
 				},
 				IsPrimary: true,
@@ -727,7 +727,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 1,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 1,
 					},
 					IsPrimary: true,
@@ -743,7 +743,7 @@ func TestFailoverRouteTx(t *testing.T) {
 					ID: 1,
 				},
 				Prefix: ipp("10.0.0.0/24"),
-				Node: types.Node{
+				Node: &types.Node{
 					ID: 1,
 				},
 				IsPrimary: true,
@@ -755,7 +755,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 1,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 1,
 					},
 					IsPrimary: true,
@@ -766,7 +766,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 2,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 2,
 					},
 					IsPrimary: false,
@@ -790,7 +790,7 @@ func TestFailoverRouteTx(t *testing.T) {
 					ID: 1,
 				},
 				Prefix: ipp("10.0.0.0/24"),
-				Node: types.Node{
+				Node: &types.Node{
 					ID: 1,
 				},
 				IsPrimary: false,
@@ -802,7 +802,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 1,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 1,
 					},
 					IsPrimary: true,
@@ -813,7 +813,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 2,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 2,
 					},
 					IsPrimary: false,
@@ -830,7 +830,7 @@ func TestFailoverRouteTx(t *testing.T) {
 					ID: 2,
 				},
 				Prefix: ipp("10.0.0.0/24"),
-				Node: types.Node{
+				Node: &types.Node{
 					ID: 2,
 				},
 				IsPrimary: true,
@@ -842,7 +842,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 1,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 1,
 					},
 					IsPrimary: false,
@@ -853,7 +853,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 2,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 2,
 					},
 					IsPrimary: true,
@@ -864,7 +864,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 3,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 3,
 					},
 					IsPrimary: false,
@@ -888,7 +888,7 @@ func TestFailoverRouteTx(t *testing.T) {
 					ID: 1,
 				},
 				Prefix: ipp("10.0.0.0/24"),
-				Node: types.Node{
+				Node: &types.Node{
 					ID: 1,
 				},
 				IsPrimary: true,
@@ -900,7 +900,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 1,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 1,
 					},
 					IsPrimary: true,
@@ -912,7 +912,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 2,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 4,
 					},
 					IsPrimary: false,
@@ -933,7 +933,7 @@ func TestFailoverRouteTx(t *testing.T) {
 					ID: 1,
 				},
 				Prefix: ipp("10.0.0.0/24"),
-				Node: types.Node{
+				Node: &types.Node{
 					ID: 1,
 				},
 				IsPrimary: true,
@@ -945,7 +945,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 1,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 1,
 					},
 					IsPrimary: true,
@@ -957,7 +957,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 2,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 4,
 					},
 					IsPrimary: false,
@@ -968,7 +968,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 3,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 2,
 					},
 					IsPrimary: true,
@@ -993,7 +993,7 @@ func TestFailoverRouteTx(t *testing.T) {
 					ID: 1,
 				},
 				Prefix: ipp("10.0.0.0/24"),
-				Node: types.Node{
+				Node: &types.Node{
 					ID: 1,
 				},
 				IsPrimary: true,
@@ -1005,7 +1005,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 1,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 1,
 					},
 					IsPrimary: true,
@@ -1017,7 +1017,7 @@ func TestFailoverRouteTx(t *testing.T) {
 						ID: 2,
 					},
 					Prefix: ipp("10.0.0.0/24"),
-					Node: types.Node{
+					Node: &types.Node{
 						ID: 2,
 					},
 					IsPrimary: false,
@@ -1065,12 +1065,12 @@ func TestFailoverRouteTx(t *testing.T) {
 }

 func TestFailoverRoute(t *testing.T) {
-	r := func(id uint, nid types.NodeID, prefix types.IPPrefix, enabled, primary bool) types.Route {
+	r := func(id uint, nid types.NodeID, prefix netip.Prefix, enabled, primary bool) types.Route {
 		return types.Route{
 			Model: gorm.Model{
 				ID: id,
 			},
-			Node: types.Node{
+			Node: &types.Node{
 				ID: nid,
 			},
 			Prefix:    prefix,
@@ -1078,7 +1078,7 @@ func TestFailoverRoute(t *testing.T) {
 			IsPrimary: primary,
 		}
 	}
-	rp := func(id uint, nid types.NodeID, prefix types.IPPrefix, enabled, primary bool) *types.Route {
+	rp := func(id uint, nid types.NodeID, prefix netip.Prefix, enabled, primary bool) *types.Route {
 		ro := r(id, nid, prefix, enabled, primary)
 		return &ro
 	}
@@ -1201,13 +1201,6 @@ func TestFailoverRoute(t *testing.T) {
 		},
 	}

-	cmps := append(
-		util.Comparers,
-		cmp.Comparer(func(x, y types.IPPrefix) bool {
-			return netip.Prefix(x) == netip.Prefix(y)
-		}),
-	)
-
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			gotf := failoverRoute(smap(tt.isConnected), &tt.failingRoute, tt.routes)
@@ -1231,7 +1224,7 @@ func TestFailoverRoute(t *testing.T) {
 					"old": gotf.old,
 				}

-				if diff := cmp.Diff(want, got, cmps...); diff != "" {
+				if diff := cmp.Diff(want, got, util.Comparers...); diff != "" {
 					t.Fatalf("failoverRoute unexpected result (-want +got):\n%s", diff)
 				}
 			}
--- a/hscontrol/db/suite_test.go
+++ b/hscontrol/db/suite_test.go
@@ -1,12 +1,17 @@
 package db

 import (
+	"context"
 	"log"
+	"net/url"
 	"os"
+	"strconv"
+	"strings"
 	"testing"

 	"github.com/juanfont/headscale/hscontrol/types"
 	"gopkg.in/check.v1"
+	"zombiezen.com/go/postgrestest"
 )

 func Test(t *testing.T) {
@@ -36,13 +41,15 @@ func (s *Suite) ResetDB(c *check.C) {
 	// }

 	var err error
-	db, err = newTestDB()
+	db, err = newSQLiteTestDB()
 	if err != nil {
 		c.Fatal(err)
 	}
 }

-func newTestDB() (*HSDatabase, error) {
+// TODO(kradalby): make this a t.Helper when we dont depend
+// on check test framework.
+func newSQLiteTestDB() (*HSDatabase, error) {
 	var err error
 	tmpDir, err = os.MkdirTemp("", "headscale-db-test-*")
 	if err != nil {
@@ -53,12 +60,13 @@ func newTestDB() (*HSDatabase, error) {

 	db, err = NewHeadscaleDatabase(
 		types.DatabaseConfig{
-			Type: "sqlite3",
+			Type: types.DatabaseSqlite,
 			Sqlite: types.SqliteConfig{
 				Path: tmpDir + "/headscale_test.db",
 			},
 		},
 		"",
+		emptyCache(),
 	)
 	if err != nil {
 		return nil, err
@@ -66,3 +74,53 @@ func newTestDB() (*HSDatabase, error) {

 	return db, nil
 }
+
+func newPostgresTestDB(t *testing.T) *HSDatabase {
+	t.Helper()
+
+	var err error
+	tmpDir, err = os.MkdirTemp("", "headscale-db-test-*")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	log.Printf("database path: %s", tmpDir+"/headscale_test.db")
+
+	ctx := context.Background()
+	srv, err := postgrestest.Start(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(srv.Cleanup)
+
+	u, err := srv.CreateDatabase(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("created local postgres: %s", u)
+	pu, _ := url.Parse(u)
+
+	pass, _ := pu.User.Password()
+	port, _ := strconv.Atoi(pu.Port())
+
+	db, err = NewHeadscaleDatabase(
+		types.DatabaseConfig{
+			Type: types.DatabasePostgres,
+			Postgres: types.PostgresConfig{
+				Host: pu.Hostname(),
+				User: pu.User.Username(),
+				Name: strings.TrimLeft(pu.Path, "/"),
+				Pass: pass,
+				Port: port,
+				Ssl:  "disable",
+			},
+		},
+		"",
+		emptyCache(),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return db
+}
--- a/hscontrol/db/testdata/0-23-0-to-0-24-0-no-more-special-types.sqlite
+++ b/hscontrol/db/testdata/0-23-0-to-0-24-0-no-more-special-types.sqlite
--- a/hscontrol/db/testdata/0-23-0-to-0-24-0-preauthkey-tags-table.sqlite
+++ b/hscontrol/db/testdata/0-23-0-to-0-24-0-preauthkey-tags-table.sqlite
--- a/hscontrol/db/text_serialiser.go
+++ b/hscontrol/db/text_serialiser.go
@@ -0,0 +1,99 @@
+package db
+
+import (
+	"context"
+	"encoding"
+	"fmt"
+	"reflect"
+
+	"gorm.io/gorm/schema"
+)
+
+// Got from https://github.com/xdg-go/strum/blob/main/types.go
+var textUnmarshalerType = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem()
+
+func isTextUnmarshaler(rv reflect.Value) bool {
+	return rv.Type().Implements(textUnmarshalerType)
+}
+
+func maybeInstantiatePtr(rv reflect.Value) {
+	if rv.Kind() == reflect.Ptr && rv.IsNil() {
+		np := reflect.New(rv.Type().Elem())
+		rv.Set(np)
+	}
+}
+
+func decodingError(name string, err error) error {
+	return fmt.Errorf("error decoding to %s: %w", name, err)
+}
+
+// TextSerialiser implements the Serialiser interface for fields that
+// have a type that implements encoding.TextUnmarshaler.
+type TextSerialiser struct{}
+
+func (TextSerialiser) Scan(ctx context.Context, field *schema.Field, dst reflect.Value, dbValue interface{}) (err error) {
+	fieldValue := reflect.New(field.FieldType)
+
+	// If the field is a pointer, we need to dereference it to get the actual type
+	// so we do not end with a second pointer.
+	if fieldValue.Elem().Kind() == reflect.Ptr {
+		fieldValue = fieldValue.Elem()
+	}
+
+	if dbValue != nil {
+		var bytes []byte
+		switch v := dbValue.(type) {
+		case []byte:
+			bytes = v
+		case string:
+			bytes = []byte(v)
+		default:
+			return fmt.Errorf("failed to unmarshal text value: %#v", dbValue)
+		}
+
+		if isTextUnmarshaler(fieldValue) {
+			maybeInstantiatePtr(fieldValue)
+			f := fieldValue.MethodByName("UnmarshalText")
+			args := []reflect.Value{reflect.ValueOf(bytes)}
+			ret := f.Call(args)
+			if !ret[0].IsNil() {
+				return decodingError(field.Name, ret[0].Interface().(error))
+			}
+
+			// If the underlying field is to a pointer type, we need to
+			// assign the value as a pointer to it.
+			// If it is not a pointer, we need to assign the value to the
+			// field.
+			dstField := field.ReflectValueOf(ctx, dst)
+			if dstField.Kind() == reflect.Ptr {
+				dstField.Set(fieldValue)
+			} else {
+				dstField.Set(fieldValue.Elem())
+			}
+			return nil
+		} else {
+			return fmt.Errorf("unsupported type: %T", fieldValue.Interface())
+		}
+	}
+
+	return
+}
+
+func (TextSerialiser) Value(ctx context.Context, field *schema.Field, dst reflect.Value, fieldValue interface{}) (interface{}, error) {
+	switch v := fieldValue.(type) {
+	case encoding.TextMarshaler:
+		// If the value is nil, we return nil, however, go nil values are not
+		// always comparable, particularly when reflection is involved:
+		// https://dev.to/arxeiss/in-go-nil-is-not-equal-to-nil-sometimes-jn8
+		if v == nil || (reflect.ValueOf(v).Kind() == reflect.Ptr && reflect.ValueOf(v).IsNil()) {
+			return nil, nil
+		}
+		b, err := v.MarshalText()
+		if err != nil {
+			return nil, err
+		}
+		return string(b), nil
+	default:
+		return nil, fmt.Errorf("only encoding.TextMarshaler is supported, got %t", v)
+	}
+}
--- a/hscontrol/db/users.go
+++ b/hscontrol/db/users.go
@@ -15,24 +15,19 @@ var (
 	ErrUserStillHasNodes = errors.New("user not empty: node(s) found")
 )

-func (hsdb *HSDatabase) CreateUser(name string) (*types.User, error) {
+func (hsdb *HSDatabase) CreateUser(user types.User) (*types.User, error) {
 	return Write(hsdb.DB, func(tx *gorm.DB) (*types.User, error) {
-		return CreateUser(tx, name)
+		return CreateUser(tx, user)
 	})
 }

 // CreateUser creates a new User. Returns error if could not be created
 // or another user already exists.
-func CreateUser(tx *gorm.DB, name string) (*types.User, error) {
-	err := util.CheckForFQDNRules(name)
+func CreateUser(tx *gorm.DB, user types.User) (*types.User, error) {
+	err := util.CheckForFQDNRules(user.Name)
 	if err != nil {
 		return nil, err
 	}
-	user := types.User{}
-	if err := tx.Where("name = ?", name).First(&user).Error; err == nil {
-		return nil, ErrUserExists
-	}
-	user.Name = name
 	if err := tx.Create(&user).Error; err != nil {
 		return nil, fmt.Errorf("creating user: %w", err)
 	}
@@ -40,21 +35,21 @@ func CreateUser(tx *gorm.DB, name string) (*types.User, error) {
 	return &user, nil
 }

-func (hsdb *HSDatabase) DestroyUser(name string) error {
+func (hsdb *HSDatabase) DestroyUser(uid types.UserID) error {
 	return hsdb.Write(func(tx *gorm.DB) error {
-		return DestroyUser(tx, name)
+		return DestroyUser(tx, uid)
 	})
 }

 // DestroyUser destroys a User. Returns error if the User does
 // not exist or if there are nodes associated with it.
-func DestroyUser(tx *gorm.DB, name string) error {
-	user, err := GetUser(tx, name)
+func DestroyUser(tx *gorm.DB, uid types.UserID) error {
+	user, err := GetUserByID(tx, uid)
 	if err != nil {
-		return ErrUserNotFound
+		return err
 	}

-	nodes, err := ListNodesByUser(tx, name)
+	nodes, err := ListNodesByUser(tx, uid)
 	if err != nil {
 		return err
 	}
@@ -62,7 +57,7 @@ func DestroyUser(tx *gorm.DB, name string) error {
 		return ErrUserStillHasNodes
 	}

-	keys, err := ListPreAuthKeys(tx, name)
+	keys, err := ListPreAuthKeysByUser(tx, uid)
 	if err != nil {
 		return err
 	}
@@ -80,17 +75,17 @@ func DestroyUser(tx *gorm.DB, name string) error {
 	return nil
 }

-func (hsdb *HSDatabase) RenameUser(oldName, newName string) error {
+func (hsdb *HSDatabase) RenameUser(uid types.UserID, newName string) error {
 	return hsdb.Write(func(tx *gorm.DB) error {
-		return RenameUser(tx, oldName, newName)
+		return RenameUser(tx, uid, newName)
 	})
 }

 // RenameUser renames a User. Returns error if the User does
 // not exist or if another User exists with the new name.
-func RenameUser(tx *gorm.DB, oldName, newName string) error {
+func RenameUser(tx *gorm.DB, uid types.UserID, newName string) error {
 	var err error
-	oldUser, err := GetUser(tx, oldName)
+	oldUser, err := GetUserByID(tx, uid)
 	if err != nil {
 		return err
 	}
@@ -98,32 +93,25 @@ func RenameUser(tx *gorm.DB, oldName, newName string) error {
 	if err != nil {
 		return err
 	}
-	_, err = GetUser(tx, newName)
-	if err == nil {
-		return ErrUserExists
-	}
-	if !errors.Is(err, ErrUserNotFound) {
-		return err
-	}

 	oldUser.Name = newName

-	if result := tx.Save(&oldUser); result.Error != nil {
-		return result.Error
+	if err := tx.Save(&oldUser).Error; err != nil {
+		return err
 	}

 	return nil
 }

-func (hsdb *HSDatabase) GetUser(name string) (*types.User, error) {
+func (hsdb *HSDatabase) GetUserByID(uid types.UserID) (*types.User, error) {
 	return Read(hsdb.DB, func(rx *gorm.DB) (*types.User, error) {
-		return GetUser(rx, name)
+		return GetUserByID(rx, uid)
 	})
 }

-func GetUser(tx *gorm.DB, name string) (*types.User, error) {
+func GetUserByID(tx *gorm.DB, uid types.UserID) (*types.User, error) {
 	user := types.User{}
-	if result := tx.First(&user, "name = ?", name); errors.Is(
+	if result := tx.First(&user, "id = ?", uid); errors.Is(
 		result.Error,
 		gorm.ErrRecordNotFound,
 	) {
@@ -133,54 +121,87 @@ func GetUser(tx *gorm.DB, name string) (*types.User, error) {
 	return &user, nil
 }

-func (hsdb *HSDatabase) ListUsers() ([]types.User, error) {
+func (hsdb *HSDatabase) GetUserByOIDCIdentifier(id string) (*types.User, error) {
+	return Read(hsdb.DB, func(rx *gorm.DB) (*types.User, error) {
+		return GetUserByOIDCIdentifier(rx, id)
+	})
+}
+
+func GetUserByOIDCIdentifier(tx *gorm.DB, id string) (*types.User, error) {
+	user := types.User{}
+	if result := tx.First(&user, "provider_identifier = ?", id); errors.Is(
+		result.Error,
+		gorm.ErrRecordNotFound,
+	) {
+		return nil, ErrUserNotFound
+	}
+
+	return &user, nil
+}
+
+func (hsdb *HSDatabase) ListUsers(where ...*types.User) ([]types.User, error) {
 	return Read(hsdb.DB, func(rx *gorm.DB) ([]types.User, error) {
-		return ListUsers(rx)
+		return ListUsers(rx, where...)
 	})
 }

 // ListUsers gets all the existing users.
-func ListUsers(tx *gorm.DB) ([]types.User, error) {
+func ListUsers(tx *gorm.DB, where ...*types.User) ([]types.User, error) {
+	if len(where) > 1 {
+		return nil, fmt.Errorf("expect 0 or 1 where User structs, got %d", len(where))
+	}
+
+	var user *types.User
+	if len(where) == 1 {
+		user = where[0]
+	}
+
 	users := []types.User{}
-	if err := tx.Find(&users).Error; err != nil {
+	if err := tx.Where(user).Find(&users).Error; err != nil {
 		return nil, err
 	}

 	return users, nil
 }

-// ListNodesByUser gets all the nodes in a given user.
-func ListNodesByUser(tx *gorm.DB, name string) (types.Nodes, error) {
-	err := util.CheckForFQDNRules(name)
-	if err != nil {
-		return nil, err
-	}
-	user, err := GetUser(tx, name)
+// GetUserByName returns a user if the provided username is
+// unique, and otherwise an error.
+func (hsdb *HSDatabase) GetUserByName(name string) (*types.User, error) {
+	users, err := hsdb.ListUsers(&types.User{Name: name})
 	if err != nil {
 		return nil, err
 	}

+	if len(users) == 0 {
+		return nil, ErrUserNotFound
+	}
+
+	if len(users) != 1 {
+		return nil, fmt.Errorf("expected exactly one user, found %d", len(users))
+	}
+
+	return &users[0], nil
+}
+
+// ListNodesByUser gets all the nodes in a given user.
+func ListNodesByUser(tx *gorm.DB, uid types.UserID) (types.Nodes, error) {
 	nodes := types.Nodes{}
-	if err := tx.Preload("AuthKey").Preload("AuthKey.User").Preload("User").Where(&types.Node{UserID: user.ID}).Find(&nodes).Error; err != nil {
+	if err := tx.Preload("AuthKey").Preload("AuthKey.User").Preload("User").Where(&types.Node{UserID: uint(uid)}).Find(&nodes).Error; err != nil {
 		return nil, err
 	}

 	return nodes, nil
 }

-func (hsdb *HSDatabase) AssignNodeToUser(node *types.Node, username string) error {
+func (hsdb *HSDatabase) AssignNodeToUser(node *types.Node, uid types.UserID) error {
 	return hsdb.Write(func(tx *gorm.DB) error {
-		return AssignNodeToUser(tx, node, username)
+		return AssignNodeToUser(tx, node, uid)
 	})
 }

 // AssignNodeToUser assigns a Node to a user.
-func AssignNodeToUser(tx *gorm.DB, node *types.Node, username string) error {
-	err := util.CheckForFQDNRules(username)
-	if err != nil {
-		return err
-	}
-	user, err := GetUser(tx, username)
+func AssignNodeToUser(tx *gorm.DB, node *types.Node, uid types.UserID) error {
+	user, err := GetUserByID(tx, uid)
 	if err != nil {
 		return err
 	}
--- a/hscontrol/db/users_test.go
+++ b/hscontrol/db/users_test.go
@@ -1,6 +1,8 @@
 package db

 import (
+	"strings"
+
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
 	"gopkg.in/check.v1"
@@ -9,7 +11,7 @@ import (
 )

 func (s *Suite) TestCreateAndDestroyUser(c *check.C) {
-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)
 	c.Assert(user.Name, check.Equals, "test")

@@ -17,34 +19,34 @@ func (s *Suite) TestCreateAndDestroyUser(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(len(users), check.Equals, 1)

-	err = db.DestroyUser("test")
+	err = db.DestroyUser(types.UserID(user.ID))
 	c.Assert(err, check.IsNil)

-	_, err = db.GetUser("test")
+	_, err = db.GetUserByID(types.UserID(user.ID))
 	c.Assert(err, check.NotNil)
 }

 func (s *Suite) TestDestroyUserErrors(c *check.C) {
-	err := db.DestroyUser("test")
+	err := db.DestroyUser(9998)
 	c.Assert(err, check.Equals, ErrUserNotFound)

-	user, err := db.CreateUser("test")
+	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

-	err = db.DestroyUser("test")
+	err = db.DestroyUser(types.UserID(user.ID))
 	c.Assert(err, check.IsNil)

 	result := db.DB.Preload("User").First(&pak, "key = ?", pak.Key)
 	// destroying a user also deletes all associated preauthkeys
 	c.Assert(result.Error, check.Equals, gorm.ErrRecordNotFound)

-	user, err = db.CreateUser("test")
+	user, err = db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

-	pak, err = db.CreatePreAuthKey(user.Name, false, false, nil, nil)
+	pak, err = db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

 	node := types.Node{
@@ -57,12 +59,12 @@ func (s *Suite) TestDestroyUserErrors(c *check.C) {
 	trx := db.DB.Save(&node)
 	c.Assert(trx.Error, check.IsNil)

-	err = db.DestroyUser("test")
+	err = db.DestroyUser(types.UserID(user.ID))
 	c.Assert(err, check.Equals, ErrUserStillHasNodes)
 }

 func (s *Suite) TestRenameUser(c *check.C) {
-	userTest, err := db.CreateUser("test")
+	userTest, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)
 	c.Assert(userTest.Name, check.Equals, "test")

@@ -70,34 +72,39 @@ func (s *Suite) TestRenameUser(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(len(users), check.Equals, 1)

-	err = db.RenameUser("test", "test-renamed")
+	err = db.RenameUser(types.UserID(userTest.ID), "test-renamed")
 	c.Assert(err, check.IsNil)

-	_, err = db.GetUser("test")
-	c.Assert(err, check.Equals, ErrUserNotFound)
+	users, err = db.ListUsers(&types.User{Name: "test"})
+	c.Assert(err, check.Equals, nil)
+	c.Assert(len(users), check.Equals, 0)

-	_, err = db.GetUser("test-renamed")
+	users, err = db.ListUsers(&types.User{Name: "test-renamed"})
 	c.Assert(err, check.IsNil)
+	c.Assert(len(users), check.Equals, 1)

-	err = db.RenameUser("test-does-not-exit", "test")
+	err = db.RenameUser(99988, "test")
 	c.Assert(err, check.Equals, ErrUserNotFound)

-	userTest2, err := db.CreateUser("test2")
+	userTest2, err := db.CreateUser(types.User{Name: "test2"})
 	c.Assert(err, check.IsNil)
 	c.Assert(userTest2.Name, check.Equals, "test2")

-	err = db.RenameUser("test2", "test-renamed")
-	c.Assert(err, check.Equals, ErrUserExists)
+	want := "UNIQUE constraint failed"
+	err = db.RenameUser(types.UserID(userTest2.ID), "test-renamed")
+	if err == nil || !strings.Contains(err.Error(), want) {
+		c.Fatalf("expected failure with unique constraint, want: %q got: %q", want, err)
+	}
 }

 func (s *Suite) TestSetMachineUser(c *check.C) {
-	oldUser, err := db.CreateUser("old")
+	oldUser, err := db.CreateUser(types.User{Name: "old"})
 	c.Assert(err, check.IsNil)

-	newUser, err := db.CreateUser("new")
+	newUser, err := db.CreateUser(types.User{Name: "new"})
 	c.Assert(err, check.IsNil)

-	pak, err := db.CreatePreAuthKey(oldUser.Name, false, false, nil, nil)
+	pak, err := db.CreatePreAuthKey(types.UserID(oldUser.ID), false, false, nil, nil)
 	c.Assert(err, check.IsNil)

 	node := types.Node{
@@ -111,15 +118,15 @@ func (s *Suite) TestSetMachineUser(c *check.C) {
 	c.Assert(trx.Error, check.IsNil)
 	c.Assert(node.UserID, check.Equals, oldUser.ID)

-	err = db.AssignNodeToUser(&node, newUser.Name)
+	err = db.AssignNodeToUser(&node, types.UserID(newUser.ID))
 	c.Assert(err, check.IsNil)
 	c.Assert(node.UserID, check.Equals, newUser.ID)
 	c.Assert(node.User.Name, check.Equals, newUser.Name)

-	err = db.AssignNodeToUser(&node, "non-existing-user")
+	err = db.AssignNodeToUser(&node, 9584849)
 	c.Assert(err, check.Equals, ErrUserNotFound)

-	err = db.AssignNodeToUser(&node, newUser.Name)
+	err = db.AssignNodeToUser(&node, types.UserID(newUser.ID))
 	c.Assert(err, check.IsNil)
 	c.Assert(node.UserID, check.Equals, newUser.ID)
 	c.Assert(node.User.Name, check.Equals, newUser.Name)
--- a/hscontrol/derp/derp.go
+++ b/hscontrol/derp/derp.go
@@ -82,6 +82,9 @@ func mergeDERPMaps(derpMaps []*tailcfg.DERPMap) *tailcfg.DERPMap {

 func GetDERPMap(cfg types.DERPConfig) *tailcfg.DERPMap {
 	var derpMaps []*tailcfg.DERPMap
+	if cfg.DERPMap != nil {
+		derpMaps = append(derpMaps, cfg.DERPMap)
+	}

 	for _, path := range cfg.Paths {
 		log.Debug().
--- a/Show More
+++ b/Show More