Working on migrate DERP tests to scenarios

This commit simplifies the goreleaser configuration and then adds nfpm
support which allows us to build .deb and .rpm for each of the ARCH we
support.

The deb and rpm packages adds systemd services and users, creates
directories etc and should in general give the user a working
environment. We should be able to remove a lot of the complicated,
PEBCAK inducing documentation after this.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

.github/workflows/build.yml

@@ -8,9 +8,14 @@ on:
     branches:
       - main
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions: write-all
 
     steps:
       - uses: actions/checkout@v3
@@ -32,10 +37,34 @@ jobs:
         if: steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run build
+        id: build
         if: steps.changed-files.outputs.any_changed == 'true'
-        run: nix build
+        run: |
+          nix build |& tee build-result
+          BUILD_STATUS="${PIPESTATUS[0]}"
 
-      - uses: actions/upload-artifact@v2
+          OLD_HASH=$(cat build-result | grep specified: | awk -F ':' '{print $2}' | sed 's/ //g')
+          NEW_HASH=$(cat build-result | grep got: | awk -F ':' '{print $2}' | sed 's/ //g')
+
+          echo "OLD_HASH=$OLD_HASH" >> $GITHUB_OUTPUT
+          echo "NEW_HASH=$NEW_HASH" >> $GITHUB_OUTPUT
+
+          exit $BUILD_STATUS
+
+      - name: Nix gosum diverging
+        uses: actions/github-script@v6
+        if: failure() && steps.build.outcome == 'failure'
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.rest.pulls.createReviewComment({
+              pull_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: 'Nix build failed with wrong gosum, please update "vendorSha256" (${{ steps.build.outputs.OLD_HASH }}) for the "headscale" package in flake.nix with the new SHA: ${{ steps.build.outputs.NEW_HASH }}'
+            })
+
+      - uses: actions/upload-artifact@v3
         if: steps.changed-files.outputs.any_changed == 'true'
         with:
           name: headscale-linux

.github/workflows/lint.yml

@@ -3,6 +3,10 @@ name: Lint
 
 on: [push, pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   golangci-lint:
     runs-on: ubuntu-latest
@@ -26,7 +30,7 @@ jobs:
         if: steps.changed-files.outputs.any_changed == 'true'
         uses: golangci/golangci-lint-action@v2
         with:
-          version: v1.49.0
+          version: v1.51.2
 
           # Only block PRs on new problems.
           # If this is not enabled, we will end up having PRs
@@ -59,7 +63,7 @@ jobs:
 
       - name: Prettify code
         if: steps.changed-files.outputs.any_changed == 'true'
-        uses: creyD/prettier_action@v4.0
+        uses: creyD/prettier_action@v4.3
         with:
           prettier_options: >-
             --check **/*.{ts,js,md,yaml,yml,sass,css,scss,html}

.github/workflows/release-docker.yml

@@ -0,0 +1,138 @@
+---
+name: Release Docker
+
+on:
+  push:
+    tags:
+      - "*" # triggers only if push new tag version
+  workflow_dispatch:
+
+jobs:
+  docker-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Set up QEMU for multiple platforms
+        uses: docker/setup-qemu-action@master
+        with:
+          platforms: arm64,amd64
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
+            ghcr.io/${{ github.repository_owner }}/headscale
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+            type=raw,value=develop
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GHCR
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          context: .
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+          build-args: |
+            VERSION=${{ steps.meta.outputs.version }}
+      - name: Prepare cache for next build
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+
+  docker-debug-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Set up QEMU for multiple platforms
+        uses: docker/setup-qemu-action@master
+        with:
+          platforms: arm64,amd64
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache-debug
+          key: ${{ runner.os }}-buildx-debug-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-debug-
+      - name: Docker meta
+        id: meta-debug
+        uses: docker/metadata-action@v3
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
+            ghcr.io/${{ github.repository_owner }}/headscale
+          flavor: |
+            suffix=-debug,onlatest=true
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+            type=raw,value=develop
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GHCR
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          context: .
+          file: Dockerfile.debug
+          tags: ${{ steps.meta-debug.outputs.tags }}
+          labels: ${{ steps.meta-debug.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=local,src=/tmp/.buildx-cache-debug
+          cache-to: type=local,dest=/tmp/.buildx-cache-debug-new
+          build-args: |
+            VERSION=${{ steps.meta-debug.outputs.version }}
+      - name: Prepare cache for next build
+        run: |
+          rm -rf /tmp/.buildx-cache-debug
+          mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug

.github/workflows/release.yml

@@ -22,132 +22,3 @@ jobs:
         run: nix develop --command -- goreleaser release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  docker-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha
-            type=raw,value=develop
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new
-          build-args: |
-            VERSION=${{ steps.meta.outputs.version }}
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
-
-  docker-debug-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache-debug
-          key: ${{ runner.os }}-buildx-debug-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-debug-
-      - name: Docker meta
-        id: meta-debug
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          flavor: |
-            suffix=-debug,onlatest=true
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha
-            type=raw,value=develop
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          file: Dockerfile.debug
-          tags: ${{ steps.meta-debug.outputs.tags }}
-          labels: ${{ steps.meta-debug.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache-debug
-          cache-to: type=local,dest=/tmp/.buildx-cache-debug-new
-          build-args: |
-            VERSION=${{ steps.meta-debug.outputs.version }}
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache-debug
-          mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug

.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml

@@ -1,11 +1,14 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
-name: Integration Test v2 - TestSSHOneNamespaceAllToAll
+name: Integration Test v2 - TestACLAllowStarDst
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,10 +41,17 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
                   -failfast \
                   -timeout 120m \
                   -parallel 1 \
-                  -run "^TestSSHOneNamespaceAllToAll$"
+                  -run "^TestACLAllowStarDst$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml

@@ -0,0 +1,57 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestACLAllowUser80Dst
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestACLAllowUser80Dst$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml

@@ -0,0 +1,57 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestACLAllowUserDst
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestACLAllowUserDst$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml

@@ -0,0 +1,57 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestACLDenyAllPort80
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestACLDenyAllPort80$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml

@@ -0,0 +1,57 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestACLHostsInNetMapTable
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestACLHostsInNetMapTable$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestAuthKeyLogoutAndRelogin
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestAuthKeyLogoutAndRelogin$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestAuthWebFlowAuthenticationPingAll
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestAuthWebFlowAuthenticationPingAll$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestAuthWebFlowLogoutAndRelogin
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestAuthWebFlowLogoutAndRelogin$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestCreateTailscale.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestCreateTailscale
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestCreateTailscale$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestEnablingRoutes.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestEnablingRoutes
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestEnablingRoutes$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestEphemeral.yaml

@@ -1,11 +1,14 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
-name: Integration Test v2 - TestNamespaceCommand
+name: Integration Test v2 - TestEphemeral
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,10 +41,17 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
                   -failfast \
                   -timeout 120m \
                   -parallel 1 \
-                  -run "^TestNamespaceCommand$"
+                  -run "^TestEphemeral$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestExpireNode.yaml

@@ -1,11 +1,14 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
-name: Integration Test v2 - TestOIDCExpireNodes
+name: Integration Test v2 - TestExpireNode
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,10 +41,17 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
                   -failfast \
                   -timeout 120m \
                   -parallel 1 \
-                  -run "^TestOIDCExpireNodes$"
+                  -run "^TestExpireNode$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestHeadscale.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestHeadscale
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestHeadscale$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestOIDCAuthenticationPingAll
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestOIDCAuthenticationPingAll$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml

@@ -0,0 +1,57 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestOIDCExpireNodesBasedOnTokenExpiry
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestOIDCExpireNodesBasedOnTokenExpiry$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestPingAllByHostname.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestPingAllByHostname
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestPingAllByHostname$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestPingAllByIP.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestPingAllByIP
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestPingAllByIP$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestPreAuthKeyCommand
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestPreAuthKeyCommand$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestPreAuthKeyCommandReusableEphemeral
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestPreAuthKeyCommandReusableEphemeral$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestPreAuthKeyCommandWithoutExpiry
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestPreAuthKeyCommandWithoutExpiry$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestResolveMagicDNS
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestResolveMagicDNS$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestSSHIsBlockedInACL
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestSSHIsBlockedInACL$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml

@@ -0,0 +1,57 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestSSHMultipleUsersAllToAll
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestSSHMultipleUsersAllToAll$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestSSHNoSSHConfigured
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestSSHNoSSHConfigured$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml

@@ -0,0 +1,57 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestSSHOneUserAllToAll
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestSSHOneUserAllToAll$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestSSNamespaceOnlyIsolation.yaml

@@ -1,47 +0,0 @@
-
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestSSNamespaceOnlyIsolation
-
-on: [pull_request]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              golang:1 \
-                go test ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestSSNamespaceOnlyIsolation$"

.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml

@@ -0,0 +1,57 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestSSUserOnlyIsolation
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestSSUserOnlyIsolation$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestTaildrop.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestTaildrop
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestTaildrop$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml

@@ -1,4 +1,3 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
@@ -6,6 +5,10 @@ name: Integration Test v2 - TestTailscaleNodesJoiningHeadcale
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,6 +41,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -45,3 +49,9 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^TestTailscaleNodesJoiningHeadcale$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test-integration-v2-TestUserCommand.yaml

@@ -1,11 +1,14 @@
-
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
-name: Integration Test v2 - TestSSHMultipleNamespacesAllToAll
+name: Integration Test v2 - TestUserCommand
 
 on: [pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -26,8 +29,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -38,10 +41,17 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
                   -failfast \
                   -timeout 120m \
                   -parallel 1 \
-                  -run "^TestSSHMultipleNamespacesAllToAll$"
+                  -run "^TestUserCommand$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"

.github/workflows/test.yml

@@ -2,6 +2,10 @@ name: Tests
 
 on: [push, pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest

.gitignore

@@ -14,6 +14,7 @@
 # Dependency directories (remove the comment below to include it)
 # vendor/
 
+dist/
 /headscale
 config.json
 config.yaml
@@ -26,7 +27,8 @@ derp.yaml
 # Exclude Jetbrains Editors
 .idea
 
-test_output/ 
+test_output/
+control_logs/
 
 # Nix build output
 result

.golangci.yaml

@@ -29,6 +29,14 @@ linters:
     - execinquery
     - exhaustruct
     - nolintlint
+    - musttag # causes issues with imported libs
+
+    # deprecated
+    - structcheck # replaced by unused
+    - ifshort # deprecated by the owner
+    - varcheck # replaced by unused
+    - nosnakecase # replaced by revive
+    - deadcode # replaced by unused
 
     # We should strive to enable these:
     - wrapcheck

.goreleaser.yml

@@ -1,21 +1,27 @@
 ---
 before:
   hooks:
-    - go mod tidy -compat=1.19
+    - go mod tidy -compat=1.20
 
 release:
   prerelease: auto
 
 builds:
-  - id: darwin-amd64
+  - id: headscale
     main: ./cmd/headscale/headscale.go
     mod_timestamp: "{{ .CommitTimestamp }}"
     env:
       - CGO_ENABLED=0
-    goos:
-      - darwin
-    goarch:
-      - amd64
+    targets:
+      - darwin_amd64
+      - darwin_arm64
+      - freebsd_amd64
+      - linux_386
+      - linux_amd64
+      - linux_arm64
+      - linux_arm_5
+      - linux_arm_6
+      - linux_arm_7
     flags:
       - -mod=readonly
     ldflags:
@@ -23,60 +29,59 @@ builds:
     tags:
       - ts2019
 
-  - id: darwin-arm64
-    main: ./cmd/headscale/headscale.go
-    mod_timestamp: "{{ .CommitTimestamp }}"
-    env:
-      - CGO_ENABLED=0
-    goos:
-      - darwin
-    goarch:
-      - arm64
-    flags:
-      - -mod=readonly
-    ldflags:
-      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
-    tags:
-      - ts2019
-
-  - id: linux-amd64
-    mod_timestamp: "{{ .CommitTimestamp }}"
-    env:
-      - CGO_ENABLED=0
-    goos:
-      - linux
-    goarch:
-      - amd64
-    main: ./cmd/headscale/headscale.go
-    ldflags:
-      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
-    tags:
-      - ts2019
-
-  - id: linux-arm64
-    mod_timestamp: "{{ .CommitTimestamp }}"
-    env:
-      - CGO_ENABLED=0
-    goos:
-      - linux
-    goarch:
-      - arm64
-    main: ./cmd/headscale/headscale.go
-    ldflags:
-      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
-    tags:
-      - ts2019
-
 archives:
   - id: golang-cross
     builds:
-      - darwin-amd64
-      - darwin-arm64
-      - linux-amd64
-      - linux-arm64
+      - darwin_amd64
+      - darwin_arm64
+      - freebsd_amd64
+      - linux_386
+      - linux_amd64
+      - linux_arm64
+      - linux_arm_5
+      - linux_arm_6
+      - linux_arm_7
     name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
     format: binary
 
+nfpms:
+  # Configure nFPM for .deb and .rpm releases
+  #
+  # See https://nfpm.goreleaser.com/configuration/
+  # and https://goreleaser.com/customization/nfpm/
+  #
+  # Useful tools for debugging .debs:
+  # List file contents: dpkg -c dist/headscale...deb
+  # Package metadata: dpkg --info dist/headscale....deb
+  #
+  - builds:
+      - headscale
+    package_name: headscale
+    priority: optional
+    vendor: headscale
+    maintainer: Kristoffer Dalby <kristoffer@dalby.cc>
+    homepage: https://github.com/juanfont/headscale
+    license: BSD
+    bindir: /usr/bin
+    formats:
+      - deb
+      - rpm
+    contents:
+      - src: ./config-example.yaml
+        dst: /etc/headscale/config.yaml
+        type: config|noreplace
+        file_info:
+          mode: 0644
+      - src: ./docs/packaging/headscale.systemd.service
+        dst: /etc/systemd/system/headscale.service
+      - dst: /var/lib/headscale
+        type: dir
+      - dst: /var/run/headscale
+        type: dir
+    scripts:
+      postinstall: ./docs/packaging/postinstall.sh
+      postremove: ./docs/packaging/postremove.sh
+
 checksum:
   name_template: "checksums.txt"
 snapshot:

CHANGELOG.md

@@ -1,13 +1,44 @@
 # CHANGELOG
 
-## 0.19.0 (2022-11-26)
+## 0.22.0 (2023-XX-XX)
+
+### Changes
+
+- Add `.deb` and `.rpm` packages to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
+- Add 32-bit Arm platforms to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
+- Fix longstanding bug that would prevent "\*" from working properly in ACLs (issue [#699](https://github.com/juanfont/headscale/issues/699)) [#1279](https://github.com/juanfont/headscale/pull/1279)
+- Target Go 1.20 and Tailscale 1.38 for Headscale [#1323](https://github.com/juanfont/headscale/pull/1323)
+
+## 0.21.0 (2023-03-20)
+
+### Changes
+
+- Adding "configtest" CLI command. [#1230](https://github.com/juanfont/headscale/pull/1230)
+- Add documentation on connecting with iOS to `/apple` [#1261](https://github.com/juanfont/headscale/pull/1261)
+- Update iOS compatibility and added documentation for iOS [#1264](https://github.com/juanfont/headscale/pull/1264)
+- Allow to delete routes [#1244](https://github.com/juanfont/headscale/pull/1244)
+
+## 0.20.0 (2023-02-03)
+
+### Changes
+
+- Fix wrong behaviour in exit nodes [#1159](https://github.com/juanfont/headscale/pull/1159)
+- Align behaviour of `dns_config.restricted_nameservers` to tailscale [#1162](https://github.com/juanfont/headscale/pull/1162)
+- Make OpenID Connect authenticated client expiry time configurable [#1191](https://github.com/juanfont/headscale/pull/1191)
+  - defaults to 180 days like Tailscale SaaS
+  - adds option to use the expiry time from the OpenID token for the node (see config-example.yaml)
+- Set ControlTime in Map info sent to nodes [#1195](https://github.com/juanfont/headscale/pull/1195)
+- Populate Tags field on Node updates sent [#1195](https://github.com/juanfont/headscale/pull/1195)
+
+## 0.19.0 (2023-01-29)
 
 ### BREAKING
 
 - Rename Namespace to User [#1144](https://github.com/juanfont/headscale/pull/1144)
   - **BACKUP your database before upgrading**
+- Command line flags previously taking `--namespace` or `-n` will now require `--user` or `-u`
 
-## 0.18.0 (2022-01-14)
+## 0.18.0 (2023-01-14)
 
 ### Changes
 

Dockerfile

@@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.19-bullseye AS build
+FROM docker.io/golang:1.20-bullseye AS build
 ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale

Dockerfile.debug

@@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.19-bullseye AS build
+FROM docker.io/golang:1.20-bullseye AS build
 ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
@@ -13,7 +13,7 @@ RUN CGO_ENABLED=0 GOOS=linux go install -tags ts2019 -ldflags="-s -w -X github.c
 RUN test -e /go/bin/headscale
 
 # Debug image
-FROM docker.io/golang:1.19.0-bullseye
+FROM docker.io/golang:1.20.0-bullseye
 
 COPY --from=build /go/bin/headscale /bin/headscale
 ENV TZ UTC

README.md

@@ -75,12 +75,26 @@ one of the maintainers.
 | macOS   | Yes (see `/apple` on your headscale for more information) |
 | Windows | Yes [docs](./docs/windows-client.md)                      |
 | Android | Yes [docs](./docs/android-client.md)                      |
-| iOS     | Not yet                                                   |
+| iOS     | Yes [docs](./docs/iOS-client.md)                          |
 
 ## Running headscale
 
 Please have a look at the documentation under [`docs/`](docs/).
 
+## Graphical Control Panels
+
+Headscale provides an API for complete management of your Tailnet.
+These are community projects not directly affiliated with the Headscale project.
+
+| Name            | Repository Link                                      | Description                                            | Status |
+| --------------- | ---------------------------------------------------- | ------------------------------------------------------ | ------ |
+| headscale-webui | [Github](https://github.com/ifargle/headscale-webui) | A simple Headscale web UI for small-scale deployments. | Alpha  |
+
+## Talks
+
+- Fosdem 2023 (video): [Headscale: How we are using integration testing to reimplement Tailscale](https://fosdem.org/2023/schedule/event/goheadscale/)
+  - presented by Juan Font Alonso and Kristoffer Dalby
+
 ## Disclaimer
 
 1. We have nothing to do with Tailscale, or Tailscale Inc.
@@ -211,6 +225,13 @@ make build
             <sub style="font-size:14px"><b>Nico</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/evenh>
+            <img src=https://avatars.githubusercontent.com/u/2701536?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Even Holthe/>
+            <br />
+            <sub style="font-size:14px"><b>Even Holthe</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/e-zk>
             <img src=https://avatars.githubusercontent.com/u/58356365?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=e-zk/>
@@ -239,6 +260,8 @@ make build
             <sub style="font-size:14px"><b>unreality</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ohdearaugustin>
             <img src=https://avatars.githubusercontent.com/u/14001491?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ohdearaugustin/>
@@ -246,8 +269,6 @@ make build
             <sub style="font-size:14px"><b>ohdearaugustin</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/mpldr>
             <img src=https://avatars.githubusercontent.com/u/33086936?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Moritz Poldrack/>
@@ -262,6 +283,13 @@ make build
             <sub style="font-size:14px"><b>GrigoriyMikhalkin</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/christian-heusel>
+            <img src=https://avatars.githubusercontent.com/u/26827864?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Christian Heusel/>
+            <br />
+            <sub style="font-size:14px"><b>Christian Heusel</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/mike-lloyd03>
             <img src=https://avatars.githubusercontent.com/u/49411532?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mike Lloyd/>
@@ -276,6 +304,8 @@ make build
             <sub style="font-size:14px"><b>Anton Schubert</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Niek>
             <img src=https://avatars.githubusercontent.com/u/213140?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Niek van der Maas/>
@@ -290,8 +320,6 @@ make build
             <sub style="font-size:14px"><b>Eugen Biegler</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/617a7a>
             <img src=https://avatars.githubusercontent.com/u/67651251?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Azz/>
@@ -299,13 +327,6 @@ make build
             <sub style="font-size:14px"><b>Azz</b></sub>
         </a>
     </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/evenh>
-            <img src=https://avatars.githubusercontent.com/u/2701536?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Even Holthe/>
-            <br />
-            <sub style="font-size:14px"><b>Even Holthe</b></sub>
-        </a>
-    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/qbit>
             <img src=https://avatars.githubusercontent.com/u/68368?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Aaron Bieber/>
@@ -327,6 +348,8 @@ make build
             <sub style="font-size:14px"><b>Laurent Marchaud</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/fdelucchijr>
             <img src=https://avatars.githubusercontent.com/u/69133647?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Fernando De Lucchi/>
@@ -334,8 +357,6 @@ make build
             <sub style="font-size:14px"><b>Fernando De Lucchi</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/OrvilleQ>
             <img src=https://avatars.githubusercontent.com/u/21377465?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Orville Q. Song/>
@@ -343,6 +364,13 @@ make build
             <sub style="font-size:14px"><b>Orville Q. Song</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/majst01>
+            <img src=https://avatars.githubusercontent.com/u/410110?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan Majer/>
+            <br />
+            <sub style="font-size:14px"><b>Stefan Majer</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/hdhoang>
             <img src=https://avatars.githubusercontent.com/u/12537?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=hdhoang/>
@@ -364,6 +392,8 @@ make build
             <sub style="font-size:14px"><b>Deon Thomas</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/madjam002>
             <img src=https://avatars.githubusercontent.com/u/679137?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jamie Greeff/>
@@ -378,8 +408,6 @@ make build
             <sub style="font-size:14px"><b>ChibangLW</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/mevansam>
             <img src=https://avatars.githubusercontent.com/u/403630?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mevan Samaratunga/>
@@ -408,13 +436,8 @@ make build
             <sub style="font-size:14px"><b>Samuel Lock</b></sub>
         </a>
     </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/majst01>
-            <img src=https://avatars.githubusercontent.com/u/410110?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan Majer/>
-            <br />
-            <sub style="font-size:14px"><b>Stefan Majer</b></sub>
-        </a>
-    </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/kevin1sMe>
             <img src=https://avatars.githubusercontent.com/u/6886076?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kevinlin/>
@@ -422,8 +445,13 @@ make build
             <sub style="font-size:14px"><b>kevinlin</b></sub>
         </a>
     </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/QZAiXH>
+            <img src=https://avatars.githubusercontent.com/u/23068780?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Snack/>
+            <br />
+            <sub style="font-size:14px"><b>Snack</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/artemklevtsov>
             <img src=https://avatars.githubusercontent.com/u/603798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Artem Klevtsov/>
@@ -438,6 +466,22 @@ make build
             <sub style="font-size:14px"><b>Casey Marshall</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/dbevacqua>
+            <img src=https://avatars.githubusercontent.com/u/6534306?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=dbevacqua/>
+            <br />
+            <sub style="font-size:14px"><b>dbevacqua</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/joshuataylor>
+            <img src=https://avatars.githubusercontent.com/u/225131?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Josh Taylor/>
+            <br />
+            <sub style="font-size:14px"><b>Josh Taylor</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/CNLHC>
             <img src=https://avatars.githubusercontent.com/u/21005146?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=LiuHanCheng/>
@@ -445,6 +489,13 @@ make build
             <sub style="font-size:14px"><b>LiuHanCheng</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/motiejus>
+            <img src=https://avatars.githubusercontent.com/u/107720?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Motiejus Jakštys/>
+            <br />
+            <sub style="font-size:14px"><b>Motiejus Jakštys</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/pvinis>
             <img src=https://avatars.githubusercontent.com/u/100233?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pavlos Vinieratos/>
@@ -466,8 +517,6 @@ make build
             <sub style="font-size:14px"><b>Steven Honson</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ratsclub>
             <img src=https://avatars.githubusercontent.com/u/25647735?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Victor Freire/>
@@ -475,6 +524,8 @@ make build
             <sub style="font-size:14px"><b>Victor Freire</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/lachy2849>
             <img src=https://avatars.githubusercontent.com/u/98844035?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=lachy2849/>
@@ -496,6 +547,13 @@ make build
             <sub style="font-size:14px"><b>Abraham Ingersoll</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/iFargle>
+            <img src=https://avatars.githubusercontent.com/u/124551390?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Albert Copeland/>
+            <br />
+            <sub style="font-size:14px"><b>Albert Copeland</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/puzpuzpuz>
             <img src=https://avatars.githubusercontent.com/u/37772591?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Andrei Pechkurov/>
@@ -503,6 +561,15 @@ make build
             <sub style="font-size:14px"><b>Andrei Pechkurov</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/theryecatcher>
+            <img src=https://avatars.githubusercontent.com/u/16442416?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anoop Sundaresh/>
+            <br />
+            <sub style="font-size:14px"><b>Anoop Sundaresh</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/apognu>
             <img src=https://avatars.githubusercontent.com/u/3017182?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Antoine POPINEAU/>
@@ -510,8 +577,6 @@ make build
             <sub style="font-size:14px"><b>Antoine POPINEAU</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/aofei>
             <img src=https://avatars.githubusercontent.com/u/5037285?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Aofei Sheng/>
@@ -533,6 +598,13 @@ make build
             <sub style="font-size:14px"><b>Arthur Woimbée</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/avirut>
+            <img src=https://avatars.githubusercontent.com/u/27095602?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Avirut Mehta/>
+            <br />
+            <sub style="font-size:14px"><b>Avirut Mehta</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/stensonb>
             <img src=https://avatars.githubusercontent.com/u/933389?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Bryan Stenson/>
@@ -540,6 +612,8 @@ make build
             <sub style="font-size:14px"><b>Bryan Stenson</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/yangchuansheng>
             <img src=https://avatars.githubusercontent.com/u/15308462?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt= Carson Yang/>
@@ -554,8 +628,13 @@ make build
             <sub style="font-size:14px"><b>kundel</b></sub>
         </a>
     </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/fatih-acar>
+            <img src=https://avatars.githubusercontent.com/u/15028881?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=fatih-acar/>
+            <br />
+            <sub style="font-size:14px"><b>fatih-acar</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/fkr>
             <img src=https://avatars.githubusercontent.com/u/51063?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Felix Kronlage-Dammers/>
@@ -577,6 +656,15 @@ make build
             <sub style="font-size:14px"><b>JJGadgets</b></sub>
         </a>
     </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/hrtkpf>
+            <img src=https://avatars.githubusercontent.com/u/42646788?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=hrtkpf/>
+            <br />
+            <sub style="font-size:14px"><b>hrtkpf</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/jimt>
             <img src=https://avatars.githubusercontent.com/u/180326?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jim Tittsler/>
@@ -584,6 +672,20 @@ make build
             <sub style="font-size:14px"><b>Jim Tittsler</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/jsiebens>
+            <img src=https://avatars.githubusercontent.com/u/499769?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Johan Siebens/>
+            <br />
+            <sub style="font-size:14px"><b>Johan Siebens</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/johnae>
+            <img src=https://avatars.githubusercontent.com/u/28332?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=John Axel Eriksson/>
+            <br />
+            <sub style="font-size:14px"><b>John Axel Eriksson</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ShadowJonathan>
             <img src=https://avatars.githubusercontent.com/u/22740616?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jonathan de Jong/>
@@ -591,6 +693,29 @@ make build
             <sub style="font-size:14px"><b>Jonathan de Jong</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/foxtrot>
+            <img src=https://avatars.githubusercontent.com/u/4153572?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Marc/>
+            <br />
+            <sub style="font-size:14px"><b>Marc</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/magf>
+            <img src=https://avatars.githubusercontent.com/u/11992737?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Maxim Gajdaj/>
+            <br />
+            <sub style="font-size:14px"><b>Maxim Gajdaj</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/mikejsavage>
+            <img src=https://avatars.githubusercontent.com/u/579299?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Michael Savage/>
+            <br />
+            <sub style="font-size:14px"><b>Michael Savage</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/piec>
             <img src=https://avatars.githubusercontent.com/u/781471?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pierre Carru/>
@@ -598,8 +723,6 @@ make build
             <sub style="font-size:14px"><b>Pierre Carru</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Donran>
             <img src=https://avatars.githubusercontent.com/u/4838348?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pontus N/>
@@ -621,6 +744,8 @@ make build
             <sub style="font-size:14px"><b>rcursaru</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/renovate-bot>
             <img src=https://avatars.githubusercontent.com/u/25180681?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mend Renovate/>
@@ -635,6 +760,13 @@ make build
             <sub style="font-size:14px"><b>Ryan Fowler</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/linsomniac>
+            <img src=https://avatars.githubusercontent.com/u/466380?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Sean Reifschneider/>
+            <br />
+            <sub style="font-size:14px"><b>Sean Reifschneider</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/shaananc>
             <img src=https://avatars.githubusercontent.com/u/2287839?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Shaanan Cohney/>
@@ -642,8 +774,6 @@ make build
             <sub style="font-size:14px"><b>Shaanan Cohney</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/stefanvanburen>
             <img src=https://avatars.githubusercontent.com/u/622527?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan VanBuren/>
@@ -658,6 +788,8 @@ make build
             <sub style="font-size:14px"><b>sophware</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/m-tanner-dev0>
             <img src=https://avatars.githubusercontent.com/u/97977342?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tanner/>
@@ -686,8 +818,6 @@ make build
             <sub style="font-size:14px"><b>Tianon Gravi</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/thetillhoff>
             <img src=https://avatars.githubusercontent.com/u/25052289?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Till Hoffmann/>
@@ -702,6 +832,8 @@ make build
             <sub style="font-size:14px"><b>Tjerk Woudsma</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/y0ngb1n>
             <img src=https://avatars.githubusercontent.com/u/25719408?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Yang Bin/>
@@ -718,9 +850,9 @@ make build
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/newellz2>
-            <img src=https://avatars.githubusercontent.com/u/52436542?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zachary N./>
+            <img src=https://avatars.githubusercontent.com/u/52436542?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zachary Newell/>
             <br />
-            <sub style="font-size:14px"><b>Zachary N.</b></sub>
+            <sub style="font-size:14px"><b>Zachary Newell</b></sub>
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -730,8 +862,6 @@ make build
             <sub style="font-size:14px"><b>Zakhar Bessarab</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/zhzy0077>
             <img src=https://avatars.githubusercontent.com/u/8717471?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zhiyuan Zheng/>
@@ -746,6 +876,15 @@ make build
             <sub style="font-size:14px"><b>Ziyuan Han</b></sub>
         </a>
     </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/caelansar>
+            <img src=https://avatars.githubusercontent.com/u/31852257?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=caelansar/>
+            <br />
+            <sub style="font-size:14px"><b>caelansar</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/derelm>
             <img src=https://avatars.githubusercontent.com/u/465155?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=derelm/>
@@ -753,6 +892,13 @@ make build
             <sub style="font-size:14px"><b>derelm</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/dnaq>
+            <img src=https://avatars.githubusercontent.com/u/1299717?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=dnaq/>
+            <br />
+            <sub style="font-size:14px"><b>dnaq</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/nning>
             <img src=https://avatars.githubusercontent.com/u/557430?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=henning mueller/>
@@ -767,6 +913,15 @@ make build
             <sub style="font-size:14px"><b>ignoramous</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/jimyag>
+            <img src=https://avatars.githubusercontent.com/u/69233189?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=jimyag/>
+            <br />
+            <sub style="font-size:14px"><b>jimyag</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/magichuihui>
             <img src=https://avatars.githubusercontent.com/u/10866198?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=suhelen/>
@@ -774,8 +929,6 @@ make build
             <sub style="font-size:14px"><b>suhelen</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/lion24>
             <img src=https://avatars.githubusercontent.com/u/1382102?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=sharkonet/>
@@ -783,6 +936,13 @@ make build
             <sub style="font-size:14px"><b>sharkonet</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/ma6174>
+            <img src=https://avatars.githubusercontent.com/u/1449133?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ma6174/>
+            <br />
+            <sub style="font-size:14px"><b>ma6174</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/manju-rn>
             <img src=https://avatars.githubusercontent.com/u/26291847?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=manju-rn/>
@@ -804,6 +964,8 @@ make build
             <sub style="font-size:14px"><b>phpmalik</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Wakeful-Cloud>
             <img src=https://avatars.githubusercontent.com/u/38930607?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Wakeful-Cloud/>
@@ -818,5 +980,12 @@ make build
             <sub style="font-size:14px"><b>zy</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/atorregrosa-smd>
+            <img src=https://avatars.githubusercontent.com/u/78434679?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Àlex Torregrosa/>
+            <br />
+            <sub style="font-size:14px"><b>Àlex Torregrosa</b></sub>
+        </a>
+    </td>
 </tr>
 </table>

acls.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/rs/zerolog/log"
 	"github.com/tailscale/hujson"
+	"go4.org/netipx"
 	"gopkg.in/yaml.v3"
 	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
@@ -133,6 +134,14 @@ func (h *Headscale) UpdateACLRules() error {
 	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
 	h.aclRules = rules
 
+	// Precompute a map of which sources can reach each destination, this is
+	// to provide quicker lookup when we calculate the peerlist for the map
+	// response to nodes.
+	aclPeerCacheMap := generateACLPeerCacheMap(rules)
+	h.aclPeerCacheMapRW.Lock()
+	h.aclPeerCacheMap = aclPeerCacheMap
+	h.aclPeerCacheMapRW.Unlock()
+
 	if featureEnableSSH() {
 		sshRules, err := h.generateSSHRules()
 		if err != nil {
@@ -150,7 +159,78 @@ func (h *Headscale) UpdateACLRules() error {
 	return nil
 }
 
-func generateACLRules(machines []Machine, aclPolicy ACLPolicy, stripEmaildomain bool) ([]tailcfg.FilterRule, error) {
+// generateACLPeerCacheMap takes a list of Tailscale filter rules and generates a map
+// of which Sources ("*" and IPs) can access destinations. This is to speed up the
+// process of generating MapResponses when deciding which Peers to inform nodes about.
+func generateACLPeerCacheMap(rules []tailcfg.FilterRule) map[string]map[string]struct{} {
+	aclCachePeerMap := make(map[string]map[string]struct{})
+	for _, rule := range rules {
+		for _, srcIP := range rule.SrcIPs {
+			for _, ip := range expandACLPeerAddr(srcIP) {
+				if data, ok := aclCachePeerMap[ip]; ok {
+					for _, dstPort := range rule.DstPorts {
+						for _, dstIP := range expandACLPeerAddr(dstPort.IP) {
+							data[dstIP] = struct{}{}
+						}
+					}
+				} else {
+					dstPortsMap := make(map[string]struct{}, len(rule.DstPorts))
+					for _, dstPort := range rule.DstPorts {
+						for _, dstIP := range expandACLPeerAddr(dstPort.IP) {
+							dstPortsMap[dstIP] = struct{}{}
+						}
+					}
+					aclCachePeerMap[ip] = dstPortsMap
+				}
+			}
+		}
+	}
+
+	log.Trace().Interface("ACL Cache Map", aclCachePeerMap).Msg("ACL Peer Cache Map generated")
+
+	return aclCachePeerMap
+}
+
+// expandACLPeerAddr takes a "tailcfg.FilterRule" "IP" and expands it into
+// something our cache logic can look up, which is "*" or single IP addresses.
+// This is probably quite inefficient, but it is a result of
+// "make it work, then make it fast", and a lot of the ACL stuff does not
+// work, but people have tried to make it fast.
+func expandACLPeerAddr(srcIP string) []string {
+	if ip, err := netip.ParseAddr(srcIP); err == nil {
+		return []string{ip.String()}
+	}
+
+	if cidr, err := netip.ParsePrefix(srcIP); err == nil {
+		addrs := []string{}
+
+		ipRange := netipx.RangeOfPrefix(cidr)
+
+		from := ipRange.From()
+		too := ipRange.To()
+
+		if from == too {
+			return []string{from.String()}
+		}
+
+		for from != too && from.Less(too) {
+			addrs = append(addrs, from.String())
+			from = from.Next()
+		}
+		addrs = append(addrs, too.String()) // Add the last IP address in the range
+
+		return addrs
+	}
+
+	// probably "*" or other string based "IP"
+	return []string{srcIP}
+}
+
+func generateACLRules(
+	machines []Machine,
+	aclPolicy ACLPolicy,
+	stripEmaildomain bool,
+) ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}
 
 	for index, acl := range aclPolicy.ACLs {
@@ -160,7 +240,7 @@ func generateACLRules(machines []Machine, aclPolicy ACLPolicy, stripEmaildomain
 
 		srcIPs := []string{}
 		for innerIndex, src := range acl.Sources {
-			srcs, err := generateACLPolicySrcIP(machines, aclPolicy, src, stripEmaildomain)
+			srcs, err := generateACLPolicySrc(machines, aclPolicy, src, stripEmaildomain)
 			if err != nil {
 				log.Error().
 					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)
@@ -311,7 +391,7 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
 	}, nil
 }
 
-func generateACLPolicySrcIP(
+func generateACLPolicySrc(
 	machines []Machine,
 	aclPolicy ACLPolicy,
 	src string,
@@ -427,6 +507,7 @@ func parseProtocol(protocol string) ([]int, bool, error) {
 // - a user
 // - a group
 // - a tag
+// - a host
 // and transform these in IPAddresses.
 func expandAlias(
 	machines []Machine,

acls_test.go

@@ -1041,7 +1041,7 @@ func Test_expandAlias(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name: "simple host",
+			name: "simple host by ip",
 			args: args{
 				alias:            "10.0.0.1",
 				machines:         []Machine{},
@@ -1051,6 +1051,21 @@ func Test_expandAlias(t *testing.T) {
 			want:    []string{"10.0.0.1"},
 			wantErr: false,
 		},
+		{
+			name: "simple host by hostname alias",
+			args: args{
+				alias:    "testy",
+				machines: []Machine{},
+				aclPolicy: ACLPolicy{
+					Hosts: Hosts{
+						"testy": netip.MustParsePrefix("10.0.0.132/32"),
+					},
+				},
+				stripEmailDomain: true,
+			},
+			want:    []string{"10.0.0.132/32"},
+			wantErr: false,
+		},
 		{
 			name: "simple CIDR",
 			args: args{
@@ -1541,3 +1556,138 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 		})
 	}
 }
+
+func Test_expandACLPeerAddr(t *testing.T) {
+	type args struct {
+		srcIP string
+	}
+	tests := []struct {
+		name string
+		args args
+		want []string
+	}{
+		{
+			name: "asterix",
+			args: args{
+				srcIP: "*",
+			},
+			want: []string{"*"},
+		},
+		{
+			name: "ip",
+			args: args{
+				srcIP: "10.0.0.1",
+			},
+			want: []string{"10.0.0.1"},
+		},
+		{
+			name: "ip/32",
+			args: args{
+				srcIP: "10.0.0.1/32",
+			},
+			want: []string{"10.0.0.1"},
+		},
+		{
+			name: "ip/30",
+			args: args{
+				srcIP: "10.0.0.1/30",
+			},
+			want: []string{
+				"10.0.0.0",
+				"10.0.0.1",
+				"10.0.0.2",
+				"10.0.0.3",
+			},
+		},
+		{
+			name: "ip/28",
+			args: args{
+				srcIP: "192.168.0.128/28",
+			},
+			want: []string{
+				"192.168.0.128", "192.168.0.129", "192.168.0.130",
+				"192.168.0.131", "192.168.0.132", "192.168.0.133",
+				"192.168.0.134", "192.168.0.135", "192.168.0.136",
+				"192.168.0.137", "192.168.0.138", "192.168.0.139",
+				"192.168.0.140", "192.168.0.141", "192.168.0.142",
+				"192.168.0.143",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := expandACLPeerAddr(tt.args.srcIP); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("expandACLPeerAddr() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_expandACLPeerAddrV6(t *testing.T) {
+	type args struct {
+		srcIP string
+	}
+	tests := []struct {
+		name string
+		args args
+		want []string
+	}{
+		{
+			name: "asterix",
+			args: args{
+				srcIP: "*",
+			},
+			want: []string{"*"},
+		},
+		{
+			name: "ipfull",
+			args: args{
+				srcIP: "fd7a:115c:a1e0:ab12:4943:cd96:624c:3166",
+			},
+			want: []string{"fd7a:115c:a1e0:ab12:4943:cd96:624c:3166"},
+		},
+		{
+			name: "ipzerocompression",
+			args: args{
+				srcIP: "fd7a:115c:a1e0:ab12:4943:cd96:624c::",
+			},
+			want: []string{"fd7a:115c:a1e0:ab12:4943:cd96:624c:0"},
+		},
+		{
+			name: "ip/128",
+			args: args{
+				srcIP: "fd7a:115c:a1e0:ab12:4943:cd96:624c:3166/128",
+			},
+			want: []string{"fd7a:115c:a1e0:ab12:4943:cd96:624c:3166"},
+		},
+		{
+			name: "ip/127",
+			args: args{
+				srcIP: "fd7a:115c:a1e0:ab12:4943:cd96:624c:0000/127",
+			},
+			want: []string{
+				"fd7a:115c:a1e0:ab12:4943:cd96:624c:0",
+				"fd7a:115c:a1e0:ab12:4943:cd96:624c:1",
+			},
+		},
+		{
+			name: "ip/126",
+			args: args{
+				srcIP: "fd7a:115c:a1e0:ab12:4943:cd96:624c:0000/126",
+			},
+			want: []string{
+				"fd7a:115c:a1e0:ab12:4943:cd96:624c:0",
+				"fd7a:115c:a1e0:ab12:4943:cd96:624c:1",
+				"fd7a:115c:a1e0:ab12:4943:cd96:624c:2",
+				"fd7a:115c:a1e0:ab12:4943:cd96:624c:3",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := expandACLPeerAddr(tt.args.srcIP); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("expandACLPeerAddr() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

api_common.go

@@ -1,6 +1,8 @@
 package headscale
 
 import (
+	"time"
+
 	"github.com/rs/zerolog/log"
 	"tailscale.com/tailcfg"
 )
@@ -55,16 +57,46 @@ func (h *Headscale) generateMapResponse(
 		peers,
 	)
 
+	now := time.Now()
+
 	resp := tailcfg.MapResponse{
-		KeepAlive:    false,
-		Node:         node,
-		Peers:        nodePeers,
-		DNSConfig:    dnsConfig,
-		Domain:       h.cfg.BaseDomain,
+		KeepAlive: false,
+		Node:      node,
+
+		// TODO: Only send if updated
+		DERPMap: h.DERPMap,
+
+		// TODO: Only send if updated
+		Peers: nodePeers,
+
+		// TODO(kradalby): Implement:
+		// https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L1351-L1374
+		// PeersChanged
+		// PeersRemoved
+		// PeersChangedPatch
+		// PeerSeenChange
+		// OnlineChange
+
+		// TODO: Only send if updated
+		DNSConfig: dnsConfig,
+
+		// TODO: Only send if updated
+		Domain: h.cfg.BaseDomain,
+
+		// Do not instruct clients to collect services, we do not
+		// support or do anything with them
+		CollectServices: "false",
+
+		// TODO: Only send if updated
 		PacketFilter: h.aclRules,
-		SSHPolicy:    h.sshPolicy,
-		DERPMap:      h.DERPMap,
+
 		UserProfiles: profiles,
+
+		// TODO: Only send if updated
+		SSHPolicy: h.sshPolicy,
+
+		ControlTime: &now,
+
 		Debug: &tailcfg.Debug{
 			DisableLogTail:      !h.cfg.LogTail.Enabled,
 			RandomizeClientPort: h.cfg.RandomizeClientPort,

app.go

@@ -84,9 +84,11 @@ type Headscale struct {
 	DERPMap    *tailcfg.DERPMap
 	DERPServer *DERPServer
 
-	aclPolicy *ACLPolicy
-	aclRules  []tailcfg.FilterRule
-	sshPolicy *tailcfg.SSHPolicy
+	aclPolicy         *ACLPolicy
+	aclRules          []tailcfg.FilterRule
+	aclPeerCacheMapRW sync.RWMutex
+	aclPeerCacheMap   map[string]map[string]struct{}
+	sshPolicy         *tailcfg.SSHPolicy
 
 	lastStateChange *xsync.MapOf[string, time.Time]
 
@@ -521,7 +523,7 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
 	apiRouter.Use(h.httpAuthenticationMiddleware)
 	apiRouter.PathPrefix("/v1/").HandlerFunc(grpcMux.ServeHTTP)
 
-	router.PathPrefix("/").HandlerFunc(stdoutHandler)
+	router.PathPrefix("/").HandlerFunc(notFoundHandler)
 
 	return router
 }
@@ -957,7 +959,7 @@ func (h *Headscale) getLastStateChange(users ...User) time.Time {
 	}
 }
 
-func stdoutHandler(
+func notFoundHandler(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
@@ -969,6 +971,7 @@ func stdoutHandler(
 		Interface("url", req.URL).
 		Bytes("body", body).
 		Msg("Request did not match")
+	writer.WriteHeader(http.StatusNotFound)
 }
 
 func readOrCreatePrivateKey(path string) (*key.MachinePrivate, error) {

cmd/gh-action-integration-generator/main.go

@@ -7,19 +7,29 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"strings"
 	"text/template"
 )
 
 var (
+	githubWorkflowPath  = "../../.github/workflows/"
 	jobFileNameTemplate = `test-integration-v2-%s.yaml`
-	jobTemplate         = template.Must(template.New("jobTemplate").Parse(`
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+	jobTemplate         = template.Must(
+		template.New("jobTemplate").
+			Parse(`# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/
 
 name: Integration Test v2 - {{.Name}}
 
 on: [pull_request]
 
+concurrency:
+  group: {{ "${{ github.workflow }}-$${{ github.head_ref || github.run_id }}" }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -40,8 +50,8 @@ jobs:
             integration_test/
             config-example.yaml
 
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v18
+        if: {{ "${{ env.ACT }}" }} || steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run general integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
@@ -52,6 +62,7 @@ jobs:
               --name headscale-test-suite \
               --volume $PWD:$PWD -w $PWD/integration \
               --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
               golang:1 \
                 go test ./... \
                   -tags ts2019 \
@@ -59,43 +70,81 @@ jobs:
                   -timeout 120m \
                   -parallel 1 \
                   -run "^{{.Name}}$"
-`))
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+`),
+	)
 )
 
 const workflowFilePerm = 0o600
 
+func removeTests() {
+	glob := fmt.Sprintf(jobFileNameTemplate, "*")
+
+	files, err := filepath.Glob(filepath.Join(githubWorkflowPath, glob))
+	if err != nil {
+		log.Fatalf("failed to find test files")
+	}
+
+	for _, file := range files {
+		err := os.Remove(file)
+		if err != nil {
+			log.Printf("failed to remove: %s", err)
+		}
+	}
+}
+
+func findTests() []string {
+	rgBin, err := exec.LookPath("rg")
+	if err != nil {
+		log.Fatalf("failed to find rg (ripgrep) binary")
+	}
+
+	args := []string{
+		"--regexp", "func (Test.+)\\(.*",
+		"../../integration/",
+		"--replace", "$1",
+		"--sort", "path",
+		"--no-line-number",
+		"--no-filename",
+		"--no-heading",
+	}
+
+	log.Printf("executing: %s %s", rgBin, strings.Join(args, " "))
+
+	ripgrep := exec.Command(
+		rgBin,
+		args...,
+	)
+
+	result, err := ripgrep.CombinedOutput()
+	if err != nil {
+		log.Printf("out: %s", result)
+		log.Fatalf("failed to run ripgrep: %s", err)
+	}
+
+	tests := strings.Split(string(result), "\n")
+	tests = tests[:len(tests)-1]
+
+	return tests
+}
+
 func main() {
 	type testConfig struct {
 		Name string
 	}
 
-	// TODO(kradalby): automatic fetch tests at runtime
-	tests := []string{
-		"TestAuthKeyLogoutAndRelogin",
-		"TestAuthWebFlowAuthenticationPingAll",
-		"TestAuthWebFlowLogoutAndRelogin",
-		"TestCreateTailscale",
-		"TestEnablingRoutes",
-		"TestHeadscale",
-		"TestUserCommand",
-		"TestOIDCAuthenticationPingAll",
-		"TestOIDCExpireNodes",
-		"TestPingAllByHostname",
-		"TestPingAllByIP",
-		"TestPreAuthKeyCommand",
-		"TestPreAuthKeyCommandReusableEphemeral",
-		"TestPreAuthKeyCommandWithoutExpiry",
-		"TestResolveMagicDNS",
-		"TestSSHIsBlockedInACL",
-		"TestSSHMultipleUsersAllToAll",
-		"TestSSHNoSSHConfigured",
-		"TestSSHOneUserAllToAll",
-		"TestSSUserOnlyIsolation",
-		"TestTaildrop",
-		"TestTailscaleNodesJoiningHeadcale",
-	}
+	tests := findTests()
+
+	removeTests()
 
 	for _, test := range tests {
+		log.Printf("generating workflow for %s", test)
+
 		var content bytes.Buffer
 
 		if err := jobTemplate.Execute(&content, testConfig{
@@ -104,9 +153,9 @@ func main() {
 			log.Fatalf("failed to render template: %s", err)
 		}
 
-		path := "../../.github/workflows/" + fmt.Sprintf(jobFileNameTemplate, test)
+		testPath := path.Join(githubWorkflowPath, fmt.Sprintf(jobFileNameTemplate, test))
 
-		err := os.WriteFile(path, content.Bytes(), workflowFilePerm)
+		err := os.WriteFile(testPath, content.Bytes(), workflowFilePerm)
 		if err != nil {
 			log.Fatalf("failed to write github job: %s", err)
 		}

cmd/headscale/cli/configtest.go

@@ -0,0 +1,22 @@
+package cli
+
+import (
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	rootCmd.AddCommand(configTestCmd)
+}
+
+var configTestCmd = &cobra.Command{
+	Use:   "configtest",
+	Short: "Test the configuration.",
+	Long:  "Run a test of the configuration and exit.",
+	Run: func(cmd *cobra.Command, args []string) {
+		_, err := getHeadscaleApp()
+		if err != nil {
+			log.Fatal().Caller().Err(err).Msg("Error initializing")
+		}
+	},
+}

cmd/headscale/cli/debug.go

@@ -27,7 +27,13 @@ func init() {
 	if err != nil {
 		log.Fatal().Err(err).Msg("")
 	}
-	createNodeCmd.Flags().StringP("user", "n", "", "User")
+	createNodeCmd.Flags().StringP("user", "u", "", "User")
+
+	createNodeCmd.Flags().StringP("namespace", "n", "", "User")
+	createNodeNamespaceFlag := createNodeCmd.Flags().Lookup("namespace")
+	createNodeNamespaceFlag.Deprecated = deprecateNamespaceMessage
+	createNodeNamespaceFlag.Hidden = true
+
 	err = createNodeCmd.MarkFlagRequired("user")
 	if err != nil {
 		log.Fatal().Err(err).Msg("")

cmd/headscale/cli/nodes.go

@@ -19,11 +19,23 @@ import (
 
 func init() {
 	rootCmd.AddCommand(nodeCmd)
-	listNodesCmd.Flags().StringP("user", "n", "", "Filter by user")
+	listNodesCmd.Flags().StringP("user", "u", "", "Filter by user")
 	listNodesCmd.Flags().BoolP("tags", "t", false, "Show tags")
+
+	listNodesCmd.Flags().StringP("namespace", "n", "", "User")
+	listNodesNamespaceFlag := listNodesCmd.Flags().Lookup("namespace")
+	listNodesNamespaceFlag.Deprecated = deprecateNamespaceMessage
+	listNodesNamespaceFlag.Hidden = true
+
 	nodeCmd.AddCommand(listNodesCmd)
 
-	registerNodeCmd.Flags().StringP("user", "n", "", "User")
+	registerNodeCmd.Flags().StringP("user", "u", "", "User")
+
+	registerNodeCmd.Flags().StringP("namespace", "n", "", "User")
+	registerNodeNamespaceFlag := registerNodeCmd.Flags().Lookup("namespace")
+	registerNodeNamespaceFlag.Deprecated = deprecateNamespaceMessage
+	registerNodeNamespaceFlag.Hidden = true
+
 	err := registerNodeCmd.MarkFlagRequired("user")
 	if err != nil {
 		log.Fatalf(err.Error())
@@ -63,7 +75,12 @@ func init() {
 		log.Fatalf(err.Error())
 	}
 
-	moveNodeCmd.Flags().StringP("user", "n", "", "New user")
+	moveNodeCmd.Flags().StringP("user", "u", "", "New user")
+
+	moveNodeCmd.Flags().StringP("namespace", "n", "", "User")
+	moveNodeNamespaceFlag := moveNodeCmd.Flags().Lookup("namespace")
+	moveNodeNamespaceFlag.Deprecated = deprecateNamespaceMessage
+	moveNodeNamespaceFlag.Hidden = true
 
 	err = moveNodeCmd.MarkFlagRequired("user")
 	if err != nil {

cmd/headscale/cli/preauthkeys.go

@@ -20,7 +20,13 @@ const (
 
 func init() {
 	rootCmd.AddCommand(preauthkeysCmd)
-	preauthkeysCmd.PersistentFlags().StringP("user", "n", "", "User")
+	preauthkeysCmd.PersistentFlags().StringP("user", "u", "", "User")
+
+	preauthkeysCmd.PersistentFlags().StringP("namespace", "n", "", "User")
+	pakNamespaceFlag := preauthkeysCmd.PersistentFlags().Lookup("namespace")
+	pakNamespaceFlag.Deprecated = deprecateNamespaceMessage
+	pakNamespaceFlag.Hidden = true
+
 	err := preauthkeysCmd.MarkPersistentFlagRequired("user")
 	if err != nil {
 		log.Fatal().Err(err).Msg("")

cmd/headscale/cli/root.go

@@ -12,10 +12,15 @@ import (
 	"github.com/tcnksm/go-latest"
 )
 
+const (
+	deprecateNamespaceMessage = "use --user"
+)
+
 var cfgFile string = ""
 
 func init() {
-	if len(os.Args) > 1 && (os.Args[1] == "version" || os.Args[1] == "mockoidc" || os.Args[1] == "completion") {
+	if len(os.Args) > 1 &&
+		(os.Args[1] == "version" || os.Args[1] == "mockoidc" || os.Args[1] == "completion") {
 		return
 	}
 

cmd/headscale/cli/routes.go

@@ -3,8 +3,10 @@ package cli
 import (
 	"fmt"
 	"log"
+	"net/netip"
 	"strconv"
 
+	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
@@ -33,6 +35,13 @@ func init() {
 		log.Fatalf(err.Error())
 	}
 	routesCmd.AddCommand(disableRouteCmd)
+
+	deleteRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
+	err = deleteRouteCmd.MarkFlagRequired("route")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+	routesCmd.AddCommand(deleteRouteCmd)
 }
 
 var routesCmd = &cobra.Command{
@@ -198,7 +207,50 @@ var disableRouteCmd = &cobra.Command{
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Cannot enable route %d: %s", routeID, status.Convert(err).Message()),
+				fmt.Sprintf("Cannot disable route %d: %s", routeID, status.Convert(err).Message()),
+				output,
+			)
+
+			return
+		}
+
+		if output != "" {
+			SuccessOutput(response, "", output)
+
+			return
+		}
+	},
+}
+
+var deleteRouteCmd = &cobra.Command{
+	Use:   "delete",
+	Short: "Delete a given route",
+	Long:  `This command will delete a given route.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		routeID, err := cmd.Flags().GetUint64("route")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting machine id from flag: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		response, err := client.DeleteRoute(ctx, &v1.DeleteRouteRequest{
+			RouteId: routeID,
+		})
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot delete route %d: %s", routeID, status.Convert(err).Message()),
 				output,
 			)
 
@@ -218,6 +270,19 @@ func routesToPtables(routes []*v1.Route) pterm.TableData {
 	tableData := pterm.TableData{{"ID", "Machine", "Prefix", "Advertised", "Enabled", "Primary"}}
 
 	for _, route := range routes {
+		var isPrimaryStr string
+		prefix, err := netip.ParsePrefix(route.Prefix)
+		if err != nil {
+			log.Printf("Error parsing prefix %s: %s", route.Prefix, err)
+
+			continue
+		}
+		if prefix == headscale.ExitRouteV4 || prefix == headscale.ExitRouteV6 {
+			isPrimaryStr = "-"
+		} else {
+			isPrimaryStr = strconv.FormatBool(route.IsPrimary)
+		}
+
 		tableData = append(tableData,
 			[]string{
 				strconv.FormatUint(route.Id, Base10),
@@ -225,7 +290,7 @@ func routesToPtables(routes []*v1.Route) pterm.TableData {
 				route.Prefix,
 				strconv.FormatBool(route.Advertised),
 				strconv.FormatBool(route.Enabled),
-				strconv.FormatBool(route.IsPrimary),
+				isPrimaryStr,
 			})
 	}
 

cmd/headscale/cli/users.go

@@ -27,7 +27,7 @@ const (
 var userCmd = &cobra.Command{
 	Use:     "users",
 	Short:   "Manage the users of Headscale",
-	Aliases: []string{"user", "namespace", "ns"},
+	Aliases: []string{"user", "namespace", "namespaces", "ns"},
 }
 
 var createUserCmd = &cobra.Command{

cmd/headscale/cli/utils.go

@@ -14,7 +14,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 const (

cmd/headscale/headscale_test.go

@@ -58,7 +58,7 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
 	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
 	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
-	c.Assert(viper.GetString("db_path"), check.Equals, "./db.sqlite")
+	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
@@ -101,7 +101,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
 	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
 	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
-	c.Assert(viper.GetString("db_path"), check.Equals, "./db.sqlite")
+	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")

config-example.yaml

@@ -44,9 +44,7 @@ grpc_allow_insecure: false
 # and Tailscale clients.
 # The private key file will be autogenerated if it's missing.
 #
-# For production:
-# /var/lib/headscale/private.key
-private_key_path: ./private.key
+private_key_path: /var/lib/headscale/private.key
 
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
@@ -55,10 +53,7 @@ noise:
   # traffic between headscale and Tailscale clients when
   # using the new Noise-based protocol. It must be different
   # from the legacy private key.
-  #
-  # For production:
-  # private_key_path: /var/lib/headscale/noise_private.key
-  private_key_path: ./noise_private.key
+  private_key_path: /var/lib/headscale/noise_private.key
 
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
@@ -137,8 +132,7 @@ node_update_check_interval: 10s
 db_type: sqlite3
 
 # For production:
-# db_path: /var/lib/headscale/db.sqlite
-db_path: ./db.sqlite
+db_path: /var/lib/headscale/db.sqlite
 
 # # Postgres config
 # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
@@ -172,8 +166,7 @@ tls_letsencrypt_hostname: ""
 # Path to store certificates and metadata needed by
 # letsencrypt
 # For production:
-# tls_letsencrypt_cache_dir: /var/lib/headscale/cache
-tls_letsencrypt_cache_dir: ./cache
+tls_letsencrypt_cache_dir: /var/lib/headscale/cache
 
 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
@@ -263,8 +256,7 @@ dns_config:
 
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
-# unix_socket: /var/run/headscale.sock
-unix_socket: ./headscale.sock
+unix_socket: /var/run/headscale/headscale.sock
 unix_socket_permission: "0770"
 #
 # headscale supports experimental OpenID connect support,
@@ -282,27 +274,38 @@ unix_socket_permission: "0770"
 #   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
 #   # client_secret and client_secret_path are mutually exclusive.
 #
-#   Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-#   parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+#   # The amount of time from a node is authenticated with OpenID until it
+#   # expires and needs to reauthenticate.
+#   # Setting the value to "0" will mean no expiry.
+#   expiry: 180d
+#
+#   # Use the expiry from the token received from OpenID when the user logged
+#   # in, this will typically lead to frequent need to reauthenticate and should
+#   # only been enabled if you know what you are doing.
+#   # Note: enabling this will cause `oidc.expiry` to be ignored.
+#   use_expiry_from_token: false
+#
+#   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+#   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
 #
 #   scope: ["openid", "profile", "email", "custom"]
 #   extra_params:
 #     domain_hint: example.com
 #
-#   List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
-#   authentication request will be rejected.
+#   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+#   # authentication request will be rejected.
 #
 #   allowed_domains:
 #     - example.com
-# Groups from keycloak have a leading '/'
+#   # Note: Groups from keycloak have a leading '/'
 #   allowed_groups:
 #     - /headscale
 #   allowed_users:
 #     - alice@example.com
 #
-#   If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-#   This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
-#   If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
+#   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+#   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
+#   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
 #   user: `first-name.last-name.example.com`
 #
 #   strip_email_domain: true

config.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/prometheus/common/model"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/viper"
@@ -25,9 +26,14 @@ const (
 
 	JSONLogFormat = "json"
 	TextLogFormat = "text"
+
+	defaultOIDCExpiryTime               = 180 * 24 * time.Hour // 180 Days
+	maxDuration           time.Duration = 1<<63 - 1
 )
 
-var errOidcMutuallyExclusive = errors.New("oidc_client_secret and oidc_client_secret_path are mutually exclusive")
+var errOidcMutuallyExclusive = errors.New(
+	"oidc_client_secret and oidc_client_secret_path are mutually exclusive",
+)
 
 // Config contains the initial Headscale configuration.
 type Config struct {
@@ -101,6 +107,8 @@ type OIDCConfig struct {
 	AllowedUsers               []string
 	AllowedGroups              []string
 	StripEmaildomain           bool
+	Expiry                     time.Duration
+	UseExpiryFromToken         bool
 }
 
 type DERPConfig struct {
@@ -180,6 +188,8 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"})
 	viper.SetDefault("oidc.strip_email_domain", true)
 	viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
+	viper.SetDefault("oidc.expiry", "180d")
+	viper.SetDefault("oidc.use_expiry_from_token", false)
 
 	viper.SetDefault("logtail.enabled", false)
 	viper.SetDefault("randomize_client_port", false)
@@ -411,34 +421,32 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 		}
 
 		if viper.IsSet("dns_config.restricted_nameservers") {
-			if len(dnsConfig.Resolvers) > 0 {
-				dnsConfig.Routes = make(map[string][]*dnstype.Resolver)
-				restrictedDNS := viper.GetStringMapStringSlice(
-					"dns_config.restricted_nameservers",
+			dnsConfig.Routes = make(map[string][]*dnstype.Resolver)
+			domains := []string{}
+			restrictedDNS := viper.GetStringMapStringSlice(
+				"dns_config.restricted_nameservers",
+			)
+			for domain, restrictedNameservers := range restrictedDNS {
+				restrictedResolvers := make(
+					[]*dnstype.Resolver,
+					len(restrictedNameservers),
 				)
-				for domain, restrictedNameservers := range restrictedDNS {
-					restrictedResolvers := make(
-						[]*dnstype.Resolver,
-						len(restrictedNameservers),
-					)
-					for index, nameserverStr := range restrictedNameservers {
-						nameserver, err := netip.ParseAddr(nameserverStr)
-						if err != nil {
-							log.Error().
-								Str("func", "getDNSConfig").
-								Err(err).
-								Msgf("Could not parse restricted nameserver IP: %s", nameserverStr)
-						}
-						restrictedResolvers[index] = &dnstype.Resolver{
-							Addr: nameserver.String(),
-						}
+				for index, nameserverStr := range restrictedNameservers {
+					nameserver, err := netip.ParseAddr(nameserverStr)
+					if err != nil {
+						log.Error().
+							Str("func", "getDNSConfig").
+							Err(err).
+							Msgf("Could not parse restricted nameserver IP: %s", nameserverStr)
+					}
+					restrictedResolvers[index] = &dnstype.Resolver{
+						Addr: nameserver.String(),
 					}
-					dnsConfig.Routes[domain] = restrictedResolvers
 				}
-			} else {
-				log.Warn().
-					Msg("Warning: dns_config.restricted_nameservers is set, but no nameservers are configured. Ignoring restricted_nameservers.")
+				dnsConfig.Routes[domain] = restrictedResolvers
+				domains = append(domains, domain)
 			}
+			dnsConfig.Domains = domains
 		}
 
 		if viper.IsSet("dns_config.domains") {
@@ -603,6 +611,22 @@ func GetHeadscaleConfig() (*Config, error) {
 			AllowedUsers:     viper.GetStringSlice("oidc.allowed_users"),
 			AllowedGroups:    viper.GetStringSlice("oidc.allowed_groups"),
 			StripEmaildomain: viper.GetBool("oidc.strip_email_domain"),
+			Expiry: func() time.Duration {
+				// if set to 0, we assume no expiry
+				if value := viper.GetString("oidc.expiry"); value == "0" {
+					return maxDuration
+				} else {
+					expiry, err := model.ParseDuration(value)
+					if err != nil {
+						log.Warn().Msg("failed to parse oidc.expiry, defaulting back to 180 days")
+
+						return defaultOIDCExpiryTime
+					}
+
+					return time.Duration(expiry)
+				}
+			}(),
+			UseExpiryFromToken: viper.GetBool("oidc.use_expiry_from_token"),
 		},
 
 		LogTail:             logConfig,

db.go

@@ -48,6 +48,9 @@ func (h *Headscale) initDB() error {
 		return err
 	}
 
+	_ = db.Migrator().RenameColumn(&Machine{}, "namespace_id", "user_id")
+	_ = db.Migrator().RenameColumn(&PreAuthKey{}, "namespace_id", "user_id")
+
 	_ = db.Migrator().RenameColumn(&Machine{}, "ip_address", "ip_addresses")
 	_ = db.Migrator().RenameColumn(&Machine{}, "name", "hostname")
 

derp.go

@@ -10,7 +10,7 @@ import (
 	"time"
 
 	"github.com/rs/zerolog/log"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 	"tailscale.com/tailcfg"
 )
 

derp_server.go

@@ -157,14 +157,14 @@ func (h *Headscale) DERPHandler(
 
 	if !fastStart {
 		pubKey := h.privateKey.Public()
-		pubKeyStr := pubKey.UntypedHexString() //nolint
+		pubKeyStr, _ := pubKey.MarshalText() //nolint
 		fmt.Fprintf(conn, "HTTP/1.1 101 Switching Protocols\r\n"+
 			"Upgrade: DERP\r\n"+
 			"Connection: Upgrade\r\n"+
 			"Derp-Version: %v\r\n"+
 			"Derp-Public-Key: %s\r\n\r\n",
 			derp.ProtocolVersion,
-			pubKeyStr)
+			string(pubKeyStr))
 	}
 
 	h.DERPServer.tailscaleDERP.Accept(req.Context(), netConn, conn, netConn.RemoteAddr().String())

docs/acls.md

@@ -42,6 +42,8 @@ a server they can register, the check of the tags is done on headscale server
 and only valid tags are applied. A tag is valid if the user that is
 registering it is allowed to do it.
 
+To use ACLs in headscale, you must edit your config.yaml file. In there you will find a `acl_policy_path: ""` parameter. This will need to point to your ACL file. More info on how these policies are written can be found [here](https://tailscale.com/kb/1018/acls/).
+
 Here are the ACL's to implement the same permissions as above:
 
 ```json

docs/exit-node.md

@@ -0,0 +1,47 @@
+# Exit Nodes
+
+## On the node
+
+Register the node and make it advertise itself as an exit node:
+
+```console
+$ sudo tailscale up --login-server https://my-server.com --advertise-exit-node
+```
+
+If the node is already registered, it can advertise exit capabilities like this:
+
+```console
+$ sudo tailscale set --advertise-exit-node
+```
+
+## On the control server
+
+```console
+$ # list nodes
+$ headscale routes list
+ID | Machine | Prefix    | Advertised | Enabled | Primary
+1  |         | 0.0.0.0/0 | false      | false   | -
+2  |         | ::/0      | false      | false   | -
+3  | phobos  | 0.0.0.0/0 | true       | false   | -
+4  | phobos  | ::/0      | true       | false   | -
+$ # enable routes for phobos
+$ headscale routes enable -r 3
+$ headscale routes enable -r 4
+$ # Check node list again. The routes are now enabled.
+$ headscale routes list
+ID | Machine | Prefix    | Advertised | Enabled | Primary
+1  |         | 0.0.0.0/0 | false      | false   | -
+2  |         | ::/0      | false      | false   | -
+3  | phobos  | 0.0.0.0/0 | true       | true    | -
+4  | phobos  | ::/0      | true       | true    | -
+```
+
+## On the client
+
+The exit node can now be used with:
+
+```console
+$ sudo tailscale set --exit-node phobos
+```
+
+Check the official [Tailscale documentation](https://tailscale.com/kb/1103/exit-nodes/?q=exit#step-3-use-the-exit-node) for how to do it on your device.

docs/iOS-client.md

@@ -0,0 +1,25 @@
+# Connecting an iOS client
+
+## Goal
+
+This documentation has the goal of showing how a user can use the official iOS [Tailscale](https://tailscale.com) client with `headscale`.
+
+## Installation
+
+Install the official Tailscale iOS client from the [App Store](https://apps.apple.com/app/tailscale/id1470499037).
+
+Ensure that the installed version is at least 1.38.1, as that is the first release to support alternate control servers.
+
+## Configuring the headscale URL
+
+Ensure that the tailscale app is logged out before proceeding.
+
+Go to iOS settings, scroll down past game center and tv provider to the tailscale app and select it. The headscale URL can be entered into the _"ALTERNATE COORDINATION SERVER URL"_ box.
+
+> **Note**
+>
+> If the app was previously logged into tailscale, toggle on the _Reset Keychain_ switch.
+
+Restart the app by closing it from the iOS app switcher, open the app and select the regular _Sign in_ option (non-SSO), and it should open up to the headscale authentication page.
+
+Enter your credentials and log in. Headscale should now be working on your iOS device.

docs/logo/headscale3-dots.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2" viewBox="0 0 1280 640"><circle cx="141.023" cy="338.36" r="117.472" style="fill:#f8b5cb" transform="matrix(.997276 0 0 1.00556 10.0024 -14.823)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 -3.15847 0)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 -3.15847 115.914)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 148.43 115.914)"/><circle cx="352.014" cy="268.302" r="33.095" style="fill:#a2a2a2" transform="matrix(1.01749 0 0 1 148.851 0)"/><circle cx="805.557" cy="336.915" r="118.199" style="fill:#8d8d8d" transform="matrix(.99196 0 0 1 3.36978 -10.2458)"/><circle cx="805.557" cy="336.915" r="118.199" style="fill:#8d8d8d" transform="matrix(.99196 0 0 1 255.633 -10.2458)"/><path d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z" style="fill:#303030"/><path d="M680.282 124.808h-68.093v390.325h68.081v-28.23H640V153.228h40.282v-28.42Z" style="fill:#303030" transform="matrix(-1 0 0 1 1857.19 0)"/></svg>

docs/oidc.md

@@ -139,3 +139,34 @@ oidc:
     # Optional: Force the Azure AD account picker
     prompt: select_account
 ```
+
+## Google OAuth Example
+
+In order to integrate Headscale with Google, you'll need to have a [Google Cloud Console](https://console.cloud.google.com) account.
+
+Google OAuth has a [verification process](https://support.google.com/cloud/answer/9110914?hl=en) if you need to have users authenticate who are outside of your domain. If you only need to authenticate users from your domain name (ie `@example.com`), you don't need to go through the verification process.
+
+However if you don't have a domain, or need to add users outside of your domain, you can manually add emails via Google Console.
+
+### Steps
+
+1. Go to [Google Console](https://console.cloud.google.com) and login or create an account if you don't have one.
+2. Create a project (if you don't already have one).
+3. On the left hand menu, go to `APIs and services` -> `Credentials`
+4. Click `Create Credentials` -> `OAuth client ID`
+5. Under `Application Type`, choose `Web Application`
+6. For `Name`, enter whatever you like
+7. Under `Authorised redirect URIs`, use `https://example.com/oidc/callback`, replacing example.com with your Headscale URL.
+8. Click `Save` at the bottom of the form
+9. Take note of the `Client ID` and `Client secret`, you can also download it for reference if you need it.
+10. Edit your headscale config, under `oidc`, filling in your `client_id` and `client_secret`:
+
+```yaml
+oidc:
+  issuer: "https://accounts.google.com"
+  client_id: ""
+  client_secret: ""
+  scope: ["openid", "profile", "email"]
+```
+
+You can also use `allowed_domains` and `allowed_users` to restrict the users who can authenticate.

docs/packaging/README.md

@@ -0,0 +1,5 @@
+# Packaging
+
+We use [nFPM](https://nfpm.goreleaser.com/) for making `.deb`, `.rpm` and `.apk`.
+
+This folder contains files we need to package with these releases.

docs/packaging/headscale.systemd.service

@@ -0,0 +1,52 @@
+[Unit]
+After=syslog.target
+After=network.target
+Description=headscale coordination server for Tailscale
+X-Restart-Triggers=/etc/headscale/config.yaml
+
+[Service]
+Type=simple
+User=headscale
+Group=headscale
+ExecStart=/usr/bin/headscale serve
+Restart=always
+RestartSec=5
+
+WorkingDirectory=/var/lib/headscale
+ReadWritePaths=/var/lib/headscale /var/run
+
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
+CapabilityBoundingSet=CAP_CHOWN
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHome=yes
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectory=headscale
+RuntimeDirectoryMode=0750
+StateDirectory=headscale
+StateDirectoryMode=0750
+SystemCallArchitectures=native
+SystemCallFilter=@chown
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target

docs/packaging/postinstall.sh

@@ -0,0 +1,85 @@
+#!/bin/sh
+# Determine OS platform
+# shellcheck source=/dev/null
+. /etc/os-release
+
+HEADSCALE_EXE="/usr/bin/headscale"
+BSD_HIER=""
+HEADSCALE_RUN_DIR="/var/run/headscale"
+HEADSCALE_USER="headscale"
+HEADSCALE_GROUP="headscale"
+
+ensure_sudo() {
+	if [ "$(id -u)" = "0" ]; then
+		echo "Sudo permissions detected"
+	else
+		echo "No sudo permission detected, please run as sudo"
+		exit 1
+	fi
+}
+
+ensure_headscale_path() {
+	if [ ! -f "$HEADSCALE_EXE" ]; then
+		echo "headscale not in default path, exiting..."
+		exit 1
+	fi
+
+	printf "Found headscale %s\n" "$HEADSCALE_EXE"
+}
+
+create_headscale_user() {
+	printf "PostInstall: Adding headscale user %s\n" "$HEADSCALE_USER"
+	useradd -s /bin/sh -c "headscale default user" headscale
+}
+
+create_headscale_group() {
+	if command -V systemctl >/dev/null 2>&1; then
+		printf "PostInstall: Adding headscale group %s\n" "$HEADSCALE_GROUP"
+		groupadd "$HEADSCALE_GROUP"
+
+		printf "PostInstall: Adding headscale user %s to group %s\n" "$HEADSCALE_USER" "$HEADSCALE_GROUP"
+		usermod -a -G "$HEADSCALE_GROUP" "$HEADSCALE_USER"
+	fi
+
+	if [ "$ID" = "alpine" ]; then
+		printf "PostInstall: Adding headscale group %s\n" "$HEADSCALE_GROUP"
+		addgroup "$HEADSCALE_GROUP"
+
+		printf "PostInstall: Adding headscale user %s to group %s\n" "$HEADSCALE_USER" "$HEADSCALE_GROUP"
+		addgroup "$HEADSCALE_USER" "$HEADSCALE_GROUP"
+	fi
+}
+
+create_run_dir() {
+	printf "PostInstall: Creating headscale run directory \n"
+	mkdir -p "$HEADSCALE_RUN_DIR"
+
+	printf "PostInstall: Modifying group ownership of headscale run directory \n"
+	chown "$HEADSCALE_USER":"$HEADSCALE_GROUP" "$HEADSCALE_RUN_DIR"
+}
+
+summary() {
+	echo "----------------------------------------------------------------------"
+	echo " headscale package has been successfully installed."
+	echo ""
+	echo " Please follow the next steps to start the software:"
+	echo ""
+	echo "    sudo systemctl start headscale"
+	echo ""
+	echo " Configuration settings can be adjusted here:"
+	echo "    ${BSD_HIER}/etc/headscale/config.yaml"
+	echo ""
+	echo "----------------------------------------------------------------------"
+}
+
+#
+# Main body of the script
+#
+{
+	ensure_sudo
+	ensure_headscale_path
+	create_headscale_user
+	create_headscale_group
+	create_run_dir
+	summary
+}

docs/packaging/postremove.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+# Determine OS platform
+# shellcheck source=/dev/null
+. /etc/os-release
+
+if command -V systemctl >/dev/null 2>&1; then
+	echo "Stop and disable headscale service"
+	systemctl stop headscale >/dev/null 2>&1 || true
+	systemctl disable headscale >/dev/null 2>&1 || true
+	echo "Running daemon-reload"
+	systemctl daemon-reload || true
+fi
+
+echo "Removing run directory"
+rm -rf "/var/run/headscale.sock"

docs/reverse-proxy.md

@@ -112,3 +112,20 @@ The following Caddyfile is all that is necessary to use Caddy as a reverse proxy
 Caddy v2 will [automatically](https://caddyserver.com/docs/automatic-https) provision a certficate for your domain/subdomain, force HTTPS, and proxy websockets - no further configuration is necessary.
 
 For a slightly more complex configuration which utilizes Docker containers to manage Caddy, Headscale, and Headscale-UI, [Guru Computing's guide](https://blog.gurucomputing.com.au/smart-vpns-with-headscale/) is an excellent reference.
+
+## Apache
+
+The following minimal Apache config will proxy traffic to the Headscale instance on `<IP:PORT>`. Note that `upgrade=any` is required as a parameter for `ProxyPass` so that WebSockets traffic whose `Upgrade` header value is not equal to `WebSocket` (i. e. Tailscale Control Protocol) is forwarded correctly. See the [Apache docs](https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html) for more information on this.
+
+```
+<VirtualHost *:443>
+	ServerName <YOUR_SERVER_NAME>
+
+	ProxyPreserveHost On
+	ProxyPass / http://<IP:PORT>/ upgrade=any
+
+	SSLEngine On
+	SSLCertificateFile <PATH_TO_CERT>
+	SSLCertificateKeyFile <PATH_CERT_KEY>
+</VirtualHost>
+```

docs/running-headscale-linux.md

@@ -138,6 +138,7 @@ NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectSystem=strict
 ProtectHome=yes
+WorkingDirectory=/var/lib/headscale
 ReadWritePaths=/var/lib/headscale /var/run/headscale
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 RuntimeDirectory=headscale

docs/running-headscale-openbsd.md

@@ -10,17 +10,14 @@ describing how to make `headscale` run properly in a server environment.
 
 1. Install from ports (Not Recommend)
 
-   As of OpenBSD 7.1, there's a headscale in ports collection, however, it's severely outdated(v0.12.4).
+   As of OpenBSD 7.2, there's a headscale in ports collection, however, it's severely outdated(v0.12.4).
    You can install it via `pkg_add headscale`.
 
-2. Install from source on OpenBSD 7.1
+2. Install from source on OpenBSD 7.2
 
 ```shell
 # Install prerequistes
-# 1. go v1.19+: headscale newer than 0.17 needs go 1.19+ to compile
-# 2. gmake: Makefile in the headscale repo is written in GNU make syntax
-pkg_add -D snap go
-pkg_add gmake
+pkg_add go
 
 git clone https://github.com/juanfont/headscale.git
 
@@ -33,7 +30,7 @@ latestTag=$(git describe --tags `git rev-list --tags --max-count=1`)
 
 git checkout $latestTag
 
-gmake build
+go build -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$latestTag" github.com/juanfont/headscale
 
 # make it executable
 chmod a+x headscale
@@ -46,7 +43,7 @@ cp headscale /usr/local/sbin
 
 ```shell
 # Install prerequistes
-# 1. go v1.19+: headscale newer than 0.17 needs go 1.19+ to compile
+# 1. go v1.20+: headscale newer than 0.21 needs go 1.20+ to compile
 # 2. gmake: Makefile in the headscale repo is written in GNU make syntax
 
 git clone https://github.com/juanfont/headscale.git

docs/windows-client.md

@@ -11,8 +11,17 @@ To make the Windows client behave as expected and to run well with `headscale`,
 - `HKLM:\SOFTWARE\Tailscale IPN\UnattendedMode` must be set to `always` as a `string` type, to allow Tailscale to run properly in the background
 - `HKLM:\SOFTWARE\Tailscale IPN\LoginURL` must be set to `<YOUR HEADSCALE URL>` as a `string` type, to ensure Tailscale contacts the correct control server.
 
+You can set these using the Windows Registry Editor:
+
 ![windows-registry](./images/windows-registry.png)
 
+Or via the following Powershell commands (right click Powershell icon and select "Run as administrator"):
+
+```
+New-ItemProperty -Path 'HKLM:\Software\Tailscale IPN' -Name UnattendedMode -PropertyType String -Value always
+New-ItemProperty -Path 'HKLM:\Software\Tailscale IPN' -Name LoginURL -PropertyType String -Value https://YOUR-HEADSCALE-URL
+```
+
 The Tailscale Windows client has been observed to reset its configuration on logout/reboot and these two keys [resolves that issue](https://github.com/tailscale/tailscale/issues/2798).
 
 For a guide on how to edit registry keys, [check out Computer Hope](https://www.computerhope.com/issues/ch001348.htm).

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "flake-utils": {
       "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "lastModified": 1680776469,
+        "narHash": "sha256-3CXUDK/3q/kieWtdsYpDOBJw3Gw4Af6x+2EiSnIkNQw=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "411e8764155aa9354dbcd6d5faaeb97e9e3dce24",
         "type": "github"
       },
       "original": {
@@ -17,16 +17,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1670064435,
-        "narHash": "sha256-+ELoY30UN+Pl3Yn7RWRPabykwebsVK/kYE9JsIsUMxQ=",
+        "lastModified": 1680789907,
+        "narHash": "sha256-0AOMkabjbOauxspnqfzqgLKhB2gSh3sLkz1p/jIckcs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "61a8a98e6d557e6dd7ed0cdb54c3a3e3bbc5e25c",
+        "rev": "9de84cd029054adc54fdc6442e121fbc5ac33baf",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,161 +2,168 @@
   description = "headscale - Open Source Tailscale Control server";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     flake-utils.url = "github:numtide/flake-utils";
   };
 
-  outputs = {
-    self,
-    nixpkgs,
-    flake-utils,
-    ...
-  }: let
-    headscaleVersion =
-      if (self ? shortRev)
-      then self.shortRev
-      else "dev";
-  in
+  outputs =
+    { self
+    , nixpkgs
+    , flake-utils
+    , ...
+    }:
+    let
+      headscaleVersion =
+        if (self ? shortRev)
+        then self.shortRev
+        else "dev";
+    in
     {
-      overlay = _: prev: let
-        pkgs = nixpkgs.legacyPackages.${prev.system};
-      in rec {
-        headscale = pkgs.buildGo119Module rec {
-          pname = "headscale";
-          version = headscaleVersion;
-          src = pkgs.lib.cleanSource self;
+      overlay = _: prev:
+        let
+          pkgs = nixpkgs.legacyPackages.${prev.system};
+        in
+        rec {
+          headscale = pkgs.buildGo120Module rec {
+            pname = "headscale";
+            version = headscaleVersion;
+            src = pkgs.lib.cleanSource self;
 
-          tags = ["ts2019"];
+            tags = [ "ts2019" ];
 
-          # Only run unit tests when testing a build
-          checkFlags = ["-short"];
+            # Only run unit tests when testing a build
+            checkFlags = [ "-short" ];
 
-          # When updating go.mod or go.sum, a new sha will need to be calculated,
-          # update this if you have a mismatch after doing a change to thos files.
-          vendorSha256 = "sha256-SuKT+b8g6xEK15ry2IAmpS/vwDG+zJqK9nfsWpHNXuU=";
+            # When updating go.mod or go.sum, a new sha will need to be calculated,
+            # update this if you have a mismatch after doing a change to thos files.
+            vendorSha256 = "sha256-+JxS4Q6rTpdBwms2nkVDY/Kluv2qu2T0BaOIjfeX85M=";
 
-          ldflags = ["-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}"];
-        };
-
-        golines = pkgs.buildGoModule rec {
-          pname = "golines";
-          version = "0.11.0";
-
-          src = pkgs.fetchFromGitHub {
-            owner = "segmentio";
-            repo = "golines";
-            rev = "v${version}";
-            sha256 = "sha256-2K9KAg8iSubiTbujyFGN3yggrL+EDyeUCs9OOta/19A=";
+            ldflags = [ "-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}" ];
           };
 
-          vendorSha256 = "sha256-rxYuzn4ezAxaeDhxd8qdOzt+CKYIh03A9zKNdzILq18=";
+          golines = pkgs.buildGoModule rec {
+            pname = "golines";
+            version = "0.11.0";
 
-          nativeBuildInputs = [pkgs.installShellFiles];
-        };
+            src = pkgs.fetchFromGitHub {
+              owner = "segmentio";
+              repo = "golines";
+              rev = "v${version}";
+              sha256 = "sha256-2K9KAg8iSubiTbujyFGN3yggrL+EDyeUCs9OOta/19A=";
+            };
 
-        golangci-lint = prev.golangci-lint.override {
-          # Override https://github.com/NixOS/nixpkgs/pull/166801 which changed this
-          # to buildGo118Module because it does not build on Darwin.
-          inherit (prev) buildGoModule;
-        };
+            vendorSha256 = "sha256-rxYuzn4ezAxaeDhxd8qdOzt+CKYIh03A9zKNdzILq18=";
 
-        protoc-gen-grpc-gateway = pkgs.buildGoModule rec {
-          pname = "grpc-gateway";
-          version = "2.14.0";
-
-          src = pkgs.fetchFromGitHub {
-            owner = "grpc-ecosystem";
-            repo = "grpc-gateway";
-            rev = "v${version}";
-            sha256 = "sha256-lnNdsDCpeSHtl2lC1IhUw11t3cnGF+37qSM7HDvKLls=";
+            nativeBuildInputs = [ pkgs.installShellFiles ];
           };
 
-          vendorSha256 = "sha256-dGdnDuRbwg8fU7uB5GaHEWa/zI3w06onqjturvooJQA=";
+          golangci-lint = prev.golangci-lint.override {
+            # Override https://github.com/NixOS/nixpkgs/pull/166801 which changed this
+            # to buildGo118Module because it does not build on Darwin.
+            inherit (prev) buildGoModule;
+          };
 
-          nativeBuildInputs = [pkgs.installShellFiles];
+          protoc-gen-grpc-gateway = pkgs.buildGoModule rec {
+            pname = "grpc-gateway";
+            version = "2.14.0";
 
-          subPackages = ["protoc-gen-grpc-gateway" "protoc-gen-openapiv2"];
+            src = pkgs.fetchFromGitHub {
+              owner = "grpc-ecosystem";
+              repo = "grpc-gateway";
+              rev = "v${version}";
+              sha256 = "sha256-lnNdsDCpeSHtl2lC1IhUw11t3cnGF+37qSM7HDvKLls=";
+            };
+
+            vendorSha256 = "sha256-dGdnDuRbwg8fU7uB5GaHEWa/zI3w06onqjturvooJQA=";
+
+            nativeBuildInputs = [ pkgs.installShellFiles ];
+
+            subPackages = [ "protoc-gen-grpc-gateway" "protoc-gen-openapiv2" ];
+          };
         };
-      };
     }
     // flake-utils.lib.eachDefaultSystem
-    (system: let
-      pkgs = import nixpkgs {
-        overlays = [self.overlay];
-        inherit system;
-      };
-      buildDeps = with pkgs; [git go_1_19 gnumake];
-      devDeps = with pkgs;
-        buildDeps
-        ++ [
-          golangci-lint
-          golines
-          nodePackages.prettier
-          goreleaser
+      (system:
+      let
+        pkgs = import nixpkgs {
+          overlays = [ self.overlay ];
+          inherit system;
+        };
+        buildDeps = with pkgs; [ git go_1_20 gnumake ];
+        devDeps = with pkgs;
+          buildDeps
+          ++ [
+            golangci-lint
+            golines
+            nodePackages.prettier
+            goreleaser
+            nfpm
+            gotestsum
 
-          # Protobuf dependencies
-          protobuf
-          protoc-gen-go
-          protoc-gen-go-grpc
-          protoc-gen-grpc-gateway
-          buf
-          clang-tools # clang-format
-        ];
+            # Protobuf dependencies
+            protobuf
+            protoc-gen-go
+            protoc-gen-go-grpc
+            protoc-gen-grpc-gateway
+            buf
+            clang-tools # clang-format
+          ];
 
-      # Add entry to build a docker image with headscale
-      # caveat: only works on Linux
-      #
-      # Usage:
-      # nix build .#headscale-docker
-      # docker load < result
-      headscale-docker = pkgs.dockerTools.buildLayeredImage {
-        name = "headscale";
-        tag = headscaleVersion;
-        contents = [pkgs.headscale];
-        config.Entrypoint = [(pkgs.headscale + "/bin/headscale")];
-      };
-    in rec {
-      # `nix develop`
-      devShell = pkgs.mkShell {
-        buildInputs = devDeps;
+        # Add entry to build a docker image with headscale
+        # caveat: only works on Linux
+        #
+        # Usage:
+        # nix build .#headscale-docker
+        # docker load < result
+        headscale-docker = pkgs.dockerTools.buildLayeredImage {
+          name = "headscale";
+          tag = headscaleVersion;
+          contents = [ pkgs.headscale ];
+          config.Entrypoint = [ (pkgs.headscale + "/bin/headscale") ];
+        };
+      in
+      rec {
+        # `nix develop`
+        devShell = pkgs.mkShell {
+          buildInputs = devDeps;
 
-        shellHook = ''
-          export GOFLAGS=-tags="ts2019"
-        '';
-      };
-
-      # `nix build`
-      packages = with pkgs; {
-        inherit headscale;
-        inherit headscale-docker;
-      };
-      defaultPackage = pkgs.headscale;
-
-      # `nix run`
-      apps.headscale = flake-utils.lib.mkApp {
-        drv = packages.headscale;
-      };
-      apps.default = apps.headscale;
-
-      checks = {
-        format =
-          pkgs.runCommand "check-format"
-          {
-            buildInputs = with pkgs; [
-              gnumake
-              nixpkgs-fmt
-              golangci-lint
-              nodePackages.prettier
-              golines
-              clang-tools
-            ];
-          } ''
-            ${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt ${./.}
-            ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
-            ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
-            ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
-            ${pkgs.clang-tools}/bin/clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i ${./.}
+          shellHook = ''
+            export GOFLAGS=-tags="ts2019"
           '';
-      };
-    });
+        };
+
+        # `nix build`
+        packages = with pkgs; {
+          inherit headscale;
+          inherit headscale-docker;
+        };
+        defaultPackage = pkgs.headscale;
+
+        # `nix run`
+        apps.headscale = flake-utils.lib.mkApp {
+          drv = packages.headscale;
+        };
+        apps.default = apps.headscale;
+
+        checks = {
+          format =
+            pkgs.runCommand "check-format"
+              {
+                buildInputs = with pkgs; [
+                  gnumake
+                  nixpkgs-fmt
+                  golangci-lint
+                  nodePackages.prettier
+                  golines
+                  clang-tools
+                ];
+              } ''
+              ${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt ${./.}
+              ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
+              ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
+              ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
+              ${pkgs.clang-tools}/bin/clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i ${./.}
+            '';
+        };
+      });
 }

gen/go/headscale/v1/apikey.pb.go

@@ -7,12 +7,11 @@
 package v1
 
 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
 )
 
 const (
@@ -423,19 +422,17 @@ func file_headscale_v1_apikey_proto_rawDescGZIP() []byte {
 	return file_headscale_v1_apikey_proto_rawDescData
 }
 
-var (
-	file_headscale_v1_apikey_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
-	file_headscale_v1_apikey_proto_goTypes  = []interface{}{
-		(*ApiKey)(nil),                // 0: headscale.v1.ApiKey
-		(*CreateApiKeyRequest)(nil),   // 1: headscale.v1.CreateApiKeyRequest
-		(*CreateApiKeyResponse)(nil),  // 2: headscale.v1.CreateApiKeyResponse
-		(*ExpireApiKeyRequest)(nil),   // 3: headscale.v1.ExpireApiKeyRequest
-		(*ExpireApiKeyResponse)(nil),  // 4: headscale.v1.ExpireApiKeyResponse
-		(*ListApiKeysRequest)(nil),    // 5: headscale.v1.ListApiKeysRequest
-		(*ListApiKeysResponse)(nil),   // 6: headscale.v1.ListApiKeysResponse
-		(*timestamppb.Timestamp)(nil), // 7: google.protobuf.Timestamp
-	}
-)
+var file_headscale_v1_apikey_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_headscale_v1_apikey_proto_goTypes = []interface{}{
+	(*ApiKey)(nil),                // 0: headscale.v1.ApiKey
+	(*CreateApiKeyRequest)(nil),   // 1: headscale.v1.CreateApiKeyRequest
+	(*CreateApiKeyResponse)(nil),  // 2: headscale.v1.CreateApiKeyResponse
+	(*ExpireApiKeyRequest)(nil),   // 3: headscale.v1.ExpireApiKeyRequest
+	(*ExpireApiKeyResponse)(nil),  // 4: headscale.v1.ExpireApiKeyResponse
+	(*ListApiKeysRequest)(nil),    // 5: headscale.v1.ListApiKeysRequest
+	(*ListApiKeysResponse)(nil),   // 6: headscale.v1.ListApiKeysResponse
+	(*timestamppb.Timestamp)(nil), // 7: google.protobuf.Timestamp
+}
 var file_headscale_v1_apikey_proto_depIdxs = []int32{
 	7, // 0: headscale.v1.ApiKey.expiration:type_name -> google.protobuf.Timestamp
 	7, // 1: headscale.v1.ApiKey.created_at:type_name -> google.protobuf.Timestamp

gen/go/headscale/v1/device.pb.go

@@ -7,12 +7,11 @@
 package v1
 
 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
 )
 
 const (
@@ -925,24 +924,22 @@ func file_headscale_v1_device_proto_rawDescGZIP() []byte {
 	return file_headscale_v1_device_proto_rawDescData
 }
 
-var (
-	file_headscale_v1_device_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
-	file_headscale_v1_device_proto_goTypes  = []interface{}{
-		(*Latency)(nil),                    // 0: headscale.v1.Latency
-		(*ClientSupports)(nil),             // 1: headscale.v1.ClientSupports
-		(*ClientConnectivity)(nil),         // 2: headscale.v1.ClientConnectivity
-		(*GetDeviceRequest)(nil),           // 3: headscale.v1.GetDeviceRequest
-		(*GetDeviceResponse)(nil),          // 4: headscale.v1.GetDeviceResponse
-		(*DeleteDeviceRequest)(nil),        // 5: headscale.v1.DeleteDeviceRequest
-		(*DeleteDeviceResponse)(nil),       // 6: headscale.v1.DeleteDeviceResponse
-		(*GetDeviceRoutesRequest)(nil),     // 7: headscale.v1.GetDeviceRoutesRequest
-		(*GetDeviceRoutesResponse)(nil),    // 8: headscale.v1.GetDeviceRoutesResponse
-		(*EnableDeviceRoutesRequest)(nil),  // 9: headscale.v1.EnableDeviceRoutesRequest
-		(*EnableDeviceRoutesResponse)(nil), // 10: headscale.v1.EnableDeviceRoutesResponse
-		nil,                                // 11: headscale.v1.ClientConnectivity.LatencyEntry
-		(*timestamppb.Timestamp)(nil),      // 12: google.protobuf.Timestamp
-	}
-)
+var file_headscale_v1_device_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
+var file_headscale_v1_device_proto_goTypes = []interface{}{
+	(*Latency)(nil),                    // 0: headscale.v1.Latency
+	(*ClientSupports)(nil),             // 1: headscale.v1.ClientSupports
+	(*ClientConnectivity)(nil),         // 2: headscale.v1.ClientConnectivity
+	(*GetDeviceRequest)(nil),           // 3: headscale.v1.GetDeviceRequest
+	(*GetDeviceResponse)(nil),          // 4: headscale.v1.GetDeviceResponse
+	(*DeleteDeviceRequest)(nil),        // 5: headscale.v1.DeleteDeviceRequest
+	(*DeleteDeviceResponse)(nil),       // 6: headscale.v1.DeleteDeviceResponse
+	(*GetDeviceRoutesRequest)(nil),     // 7: headscale.v1.GetDeviceRoutesRequest
+	(*GetDeviceRoutesResponse)(nil),    // 8: headscale.v1.GetDeviceRoutesResponse
+	(*EnableDeviceRoutesRequest)(nil),  // 9: headscale.v1.EnableDeviceRoutesRequest
+	(*EnableDeviceRoutesResponse)(nil), // 10: headscale.v1.EnableDeviceRoutesResponse
+	nil,                                // 11: headscale.v1.ClientConnectivity.LatencyEntry
+	(*timestamppb.Timestamp)(nil),      // 12: google.protobuf.Timestamp
+}
 var file_headscale_v1_device_proto_depIdxs = []int32{
 	11, // 0: headscale.v1.ClientConnectivity.latency:type_name -> headscale.v1.ClientConnectivity.LatencyEntry
 	1,  // 1: headscale.v1.ClientConnectivity.client_supports:type_name -> headscale.v1.ClientSupports

gen/go/headscale/v1/headscale.pb.go

@@ -7,11 +7,10 @@
 package v1
 
 import (
-	reflect "reflect"
-
 	_ "google.golang.org/genproto/googleapis/api/annotations"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
 )
 
 const (
@@ -37,7 +36,7 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75,
 	0x74, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x68, 0x65, 0x61, 0x64, 0x73,
 	0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x32, 0x96, 0x17, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
+	0x72, 0x6f, 0x74, 0x6f, 0x32, 0x8d, 0x18, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
 	0x6c, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x63, 0x0a, 0x07, 0x47, 0x65, 0x74,
 	0x55, 0x73, 0x65, 0x72, 0x12, 0x1c, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
 	0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x55, 0x73, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65,
@@ -201,31 +200,39 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02,
 	0x25, 0x12, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
 	0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f,
-	0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x70, 0x0a, 0x0c, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65,
-	0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
-	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b,
-	0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41,
-	0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x19, 0x82,
-	0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76,
-	0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x12, 0x77, 0x0a, 0x0c, 0x45, 0x78, 0x70, 0x69,
-	0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70,
-	0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65,
-	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72,
-	0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x3a, 0x01, 0x2a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69,
-	0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72,
-	0x65, 0x12, 0x6a, 0x0a, 0x0b, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73,
-	0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
-	0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x10, 0x12, 0x0e, 0x2f,
-	0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x42, 0x29, 0x5a,
-	0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e,
-	0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67,
-	0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x75, 0x0a, 0x0b, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65,
+	0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
+	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
+	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x75,
+	0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x21, 0x82, 0xd3, 0xe4, 0x93,
+	0x02, 0x1b, 0x2a, 0x19, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74,
+	0x65, 0x73, 0x2f, 0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x70, 0x0a,
+	0x0c, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e,
+	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65,
+	0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x19, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, 0x2a, 0x22,
+	0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x12,
+	0x77, 0x0a, 0x0c, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12,
+	0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45,
+	0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x3a, 0x01,
+	0x2a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65,
+	0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x6a, 0x0a, 0x0b, 0x4c, 0x69, 0x73, 0x74,
+	0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
+	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65,
+	0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64,
+	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69,
+	0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16, 0x82, 0xd3,
+	0xe4, 0x93, 0x02, 0x10, 0x12, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70,
+	0x69, 0x6b, 0x65, 0x79, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
+	0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64,
+	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var file_headscale_v1_headscale_proto_goTypes = []interface{}{
@@ -250,35 +257,36 @@ var file_headscale_v1_headscale_proto_goTypes = []interface{}{
 	(*EnableRouteRequest)(nil),         // 18: headscale.v1.EnableRouteRequest
 	(*DisableRouteRequest)(nil),        // 19: headscale.v1.DisableRouteRequest
 	(*GetMachineRoutesRequest)(nil),    // 20: headscale.v1.GetMachineRoutesRequest
-	(*CreateApiKeyRequest)(nil),        // 21: headscale.v1.CreateApiKeyRequest
-	(*ExpireApiKeyRequest)(nil),        // 22: headscale.v1.ExpireApiKeyRequest
-	(*ListApiKeysRequest)(nil),         // 23: headscale.v1.ListApiKeysRequest
-	(*GetUserResponse)(nil),            // 24: headscale.v1.GetUserResponse
-	(*CreateUserResponse)(nil),         // 25: headscale.v1.CreateUserResponse
-	(*RenameUserResponse)(nil),         // 26: headscale.v1.RenameUserResponse
-	(*DeleteUserResponse)(nil),         // 27: headscale.v1.DeleteUserResponse
-	(*ListUsersResponse)(nil),          // 28: headscale.v1.ListUsersResponse
-	(*CreatePreAuthKeyResponse)(nil),   // 29: headscale.v1.CreatePreAuthKeyResponse
-	(*ExpirePreAuthKeyResponse)(nil),   // 30: headscale.v1.ExpirePreAuthKeyResponse
-	(*ListPreAuthKeysResponse)(nil),    // 31: headscale.v1.ListPreAuthKeysResponse
-	(*DebugCreateMachineResponse)(nil), // 32: headscale.v1.DebugCreateMachineResponse
-	(*GetMachineResponse)(nil),         // 33: headscale.v1.GetMachineResponse
-	(*SetTagsResponse)(nil),            // 34: headscale.v1.SetTagsResponse
-	(*RegisterMachineResponse)(nil),    // 35: headscale.v1.RegisterMachineResponse
-	(*DeleteMachineResponse)(nil),      // 36: headscale.v1.DeleteMachineResponse
-	(*ExpireMachineResponse)(nil),      // 37: headscale.v1.ExpireMachineResponse
-	(*RenameMachineResponse)(nil),      // 38: headscale.v1.RenameMachineResponse
-	(*ListMachinesResponse)(nil),       // 39: headscale.v1.ListMachinesResponse
-	(*MoveMachineResponse)(nil),        // 40: headscale.v1.MoveMachineResponse
-	(*GetRoutesResponse)(nil),          // 41: headscale.v1.GetRoutesResponse
-	(*EnableRouteResponse)(nil),        // 42: headscale.v1.EnableRouteResponse
-	(*DisableRouteResponse)(nil),       // 43: headscale.v1.DisableRouteResponse
-	(*GetMachineRoutesResponse)(nil),   // 44: headscale.v1.GetMachineRoutesResponse
-	(*CreateApiKeyResponse)(nil),       // 45: headscale.v1.CreateApiKeyResponse
-	(*ExpireApiKeyResponse)(nil),       // 46: headscale.v1.ExpireApiKeyResponse
-	(*ListApiKeysResponse)(nil),        // 47: headscale.v1.ListApiKeysResponse
+	(*DeleteRouteRequest)(nil),         // 21: headscale.v1.DeleteRouteRequest
+	(*CreateApiKeyRequest)(nil),        // 22: headscale.v1.CreateApiKeyRequest
+	(*ExpireApiKeyRequest)(nil),        // 23: headscale.v1.ExpireApiKeyRequest
+	(*ListApiKeysRequest)(nil),         // 24: headscale.v1.ListApiKeysRequest
+	(*GetUserResponse)(nil),            // 25: headscale.v1.GetUserResponse
+	(*CreateUserResponse)(nil),         // 26: headscale.v1.CreateUserResponse
+	(*RenameUserResponse)(nil),         // 27: headscale.v1.RenameUserResponse
+	(*DeleteUserResponse)(nil),         // 28: headscale.v1.DeleteUserResponse
+	(*ListUsersResponse)(nil),          // 29: headscale.v1.ListUsersResponse
+	(*CreatePreAuthKeyResponse)(nil),   // 30: headscale.v1.CreatePreAuthKeyResponse
+	(*ExpirePreAuthKeyResponse)(nil),   // 31: headscale.v1.ExpirePreAuthKeyResponse
+	(*ListPreAuthKeysResponse)(nil),    // 32: headscale.v1.ListPreAuthKeysResponse
+	(*DebugCreateMachineResponse)(nil), // 33: headscale.v1.DebugCreateMachineResponse
+	(*GetMachineResponse)(nil),         // 34: headscale.v1.GetMachineResponse
+	(*SetTagsResponse)(nil),            // 35: headscale.v1.SetTagsResponse
+	(*RegisterMachineResponse)(nil),    // 36: headscale.v1.RegisterMachineResponse
+	(*DeleteMachineResponse)(nil),      // 37: headscale.v1.DeleteMachineResponse
+	(*ExpireMachineResponse)(nil),      // 38: headscale.v1.ExpireMachineResponse
+	(*RenameMachineResponse)(nil),      // 39: headscale.v1.RenameMachineResponse
+	(*ListMachinesResponse)(nil),       // 40: headscale.v1.ListMachinesResponse
+	(*MoveMachineResponse)(nil),        // 41: headscale.v1.MoveMachineResponse
+	(*GetRoutesResponse)(nil),          // 42: headscale.v1.GetRoutesResponse
+	(*EnableRouteResponse)(nil),        // 43: headscale.v1.EnableRouteResponse
+	(*DisableRouteResponse)(nil),       // 44: headscale.v1.DisableRouteResponse
+	(*GetMachineRoutesResponse)(nil),   // 45: headscale.v1.GetMachineRoutesResponse
+	(*DeleteRouteResponse)(nil),        // 46: headscale.v1.DeleteRouteResponse
+	(*CreateApiKeyResponse)(nil),       // 47: headscale.v1.CreateApiKeyResponse
+	(*ExpireApiKeyResponse)(nil),       // 48: headscale.v1.ExpireApiKeyResponse
+	(*ListApiKeysResponse)(nil),        // 49: headscale.v1.ListApiKeysResponse
 }
-
 var file_headscale_v1_headscale_proto_depIdxs = []int32{
 	0,  // 0: headscale.v1.HeadscaleService.GetUser:input_type -> headscale.v1.GetUserRequest
 	1,  // 1: headscale.v1.HeadscaleService.CreateUser:input_type -> headscale.v1.CreateUserRequest
@@ -301,35 +309,37 @@ var file_headscale_v1_headscale_proto_depIdxs = []int32{
 	18, // 18: headscale.v1.HeadscaleService.EnableRoute:input_type -> headscale.v1.EnableRouteRequest
 	19, // 19: headscale.v1.HeadscaleService.DisableRoute:input_type -> headscale.v1.DisableRouteRequest
 	20, // 20: headscale.v1.HeadscaleService.GetMachineRoutes:input_type -> headscale.v1.GetMachineRoutesRequest
-	21, // 21: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
-	22, // 22: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
-	23, // 23: headscale.v1.HeadscaleService.ListApiKeys:input_type -> headscale.v1.ListApiKeysRequest
-	24, // 24: headscale.v1.HeadscaleService.GetUser:output_type -> headscale.v1.GetUserResponse
-	25, // 25: headscale.v1.HeadscaleService.CreateUser:output_type -> headscale.v1.CreateUserResponse
-	26, // 26: headscale.v1.HeadscaleService.RenameUser:output_type -> headscale.v1.RenameUserResponse
-	27, // 27: headscale.v1.HeadscaleService.DeleteUser:output_type -> headscale.v1.DeleteUserResponse
-	28, // 28: headscale.v1.HeadscaleService.ListUsers:output_type -> headscale.v1.ListUsersResponse
-	29, // 29: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
-	30, // 30: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
-	31, // 31: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
-	32, // 32: headscale.v1.HeadscaleService.DebugCreateMachine:output_type -> headscale.v1.DebugCreateMachineResponse
-	33, // 33: headscale.v1.HeadscaleService.GetMachine:output_type -> headscale.v1.GetMachineResponse
-	34, // 34: headscale.v1.HeadscaleService.SetTags:output_type -> headscale.v1.SetTagsResponse
-	35, // 35: headscale.v1.HeadscaleService.RegisterMachine:output_type -> headscale.v1.RegisterMachineResponse
-	36, // 36: headscale.v1.HeadscaleService.DeleteMachine:output_type -> headscale.v1.DeleteMachineResponse
-	37, // 37: headscale.v1.HeadscaleService.ExpireMachine:output_type -> headscale.v1.ExpireMachineResponse
-	38, // 38: headscale.v1.HeadscaleService.RenameMachine:output_type -> headscale.v1.RenameMachineResponse
-	39, // 39: headscale.v1.HeadscaleService.ListMachines:output_type -> headscale.v1.ListMachinesResponse
-	40, // 40: headscale.v1.HeadscaleService.MoveMachine:output_type -> headscale.v1.MoveMachineResponse
-	41, // 41: headscale.v1.HeadscaleService.GetRoutes:output_type -> headscale.v1.GetRoutesResponse
-	42, // 42: headscale.v1.HeadscaleService.EnableRoute:output_type -> headscale.v1.EnableRouteResponse
-	43, // 43: headscale.v1.HeadscaleService.DisableRoute:output_type -> headscale.v1.DisableRouteResponse
-	44, // 44: headscale.v1.HeadscaleService.GetMachineRoutes:output_type -> headscale.v1.GetMachineRoutesResponse
-	45, // 45: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
-	46, // 46: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
-	47, // 47: headscale.v1.HeadscaleService.ListApiKeys:output_type -> headscale.v1.ListApiKeysResponse
-	24, // [24:48] is the sub-list for method output_type
-	0,  // [0:24] is the sub-list for method input_type
+	21, // 21: headscale.v1.HeadscaleService.DeleteRoute:input_type -> headscale.v1.DeleteRouteRequest
+	22, // 22: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
+	23, // 23: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
+	24, // 24: headscale.v1.HeadscaleService.ListApiKeys:input_type -> headscale.v1.ListApiKeysRequest
+	25, // 25: headscale.v1.HeadscaleService.GetUser:output_type -> headscale.v1.GetUserResponse
+	26, // 26: headscale.v1.HeadscaleService.CreateUser:output_type -> headscale.v1.CreateUserResponse
+	27, // 27: headscale.v1.HeadscaleService.RenameUser:output_type -> headscale.v1.RenameUserResponse
+	28, // 28: headscale.v1.HeadscaleService.DeleteUser:output_type -> headscale.v1.DeleteUserResponse
+	29, // 29: headscale.v1.HeadscaleService.ListUsers:output_type -> headscale.v1.ListUsersResponse
+	30, // 30: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
+	31, // 31: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
+	32, // 32: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
+	33, // 33: headscale.v1.HeadscaleService.DebugCreateMachine:output_type -> headscale.v1.DebugCreateMachineResponse
+	34, // 34: headscale.v1.HeadscaleService.GetMachine:output_type -> headscale.v1.GetMachineResponse
+	35, // 35: headscale.v1.HeadscaleService.SetTags:output_type -> headscale.v1.SetTagsResponse
+	36, // 36: headscale.v1.HeadscaleService.RegisterMachine:output_type -> headscale.v1.RegisterMachineResponse
+	37, // 37: headscale.v1.HeadscaleService.DeleteMachine:output_type -> headscale.v1.DeleteMachineResponse
+	38, // 38: headscale.v1.HeadscaleService.ExpireMachine:output_type -> headscale.v1.ExpireMachineResponse
+	39, // 39: headscale.v1.HeadscaleService.RenameMachine:output_type -> headscale.v1.RenameMachineResponse
+	40, // 40: headscale.v1.HeadscaleService.ListMachines:output_type -> headscale.v1.ListMachinesResponse
+	41, // 41: headscale.v1.HeadscaleService.MoveMachine:output_type -> headscale.v1.MoveMachineResponse
+	42, // 42: headscale.v1.HeadscaleService.GetRoutes:output_type -> headscale.v1.GetRoutesResponse
+	43, // 43: headscale.v1.HeadscaleService.EnableRoute:output_type -> headscale.v1.EnableRouteResponse
+	44, // 44: headscale.v1.HeadscaleService.DisableRoute:output_type -> headscale.v1.DisableRouteResponse
+	45, // 45: headscale.v1.HeadscaleService.GetMachineRoutes:output_type -> headscale.v1.GetMachineRoutesResponse
+	46, // 46: headscale.v1.HeadscaleService.DeleteRoute:output_type -> headscale.v1.DeleteRouteResponse
+	47, // 47: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
+	48, // 48: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
+	49, // 49: headscale.v1.HeadscaleService.ListApiKeys:output_type -> headscale.v1.ListApiKeysResponse
+	25, // [25:50] is the sub-list for method output_type
+	0,  // [0:25] is the sub-list for method input_type
 	0,  // [0:0] is the sub-list for extension type_name
 	0,  // [0:0] is the sub-list for extension extendee
 	0,  // [0:0] is the sub-list for field type_name

gen/go/headscale/v1/headscale.pb.gw.go

@@ -25,14 +25,11 @@ import (
 
 // Suppress "imported and not used" errors
 var _ codes.Code
-
-var (
-	_ io.Reader
-	_ status.Status
-	_ = runtime.String
-	_ = utilities.NewDoubleArray
-	_ = metadata.Join
-)
+var _ io.Reader
+var _ status.Status
+var _ = runtime.String
+var _ = utilities.NewDoubleArray
+var _ = metadata.Join
 
 func request_HeadscaleService_GetUser_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq GetUserRequest
@@ -57,6 +54,7 @@ func request_HeadscaleService_GetUser_0(ctx context.Context, marshaler runtime.M
 
 	msg, err := client.GetUser(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_GetUser_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -82,6 +80,7 @@ func local_request_HeadscaleService_GetUser_0(ctx context.Context, marshaler run
 
 	msg, err := server.GetUser(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_CreateUser_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -98,6 +97,7 @@ func request_HeadscaleService_CreateUser_0(ctx context.Context, marshaler runtim
 
 	msg, err := client.CreateUser(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_CreateUser_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -114,6 +114,7 @@ func local_request_HeadscaleService_CreateUser_0(ctx context.Context, marshaler
 
 	msg, err := server.CreateUser(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_RenameUser_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -149,6 +150,7 @@ func request_HeadscaleService_RenameUser_0(ctx context.Context, marshaler runtim
 
 	msg, err := client.RenameUser(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_RenameUser_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -184,6 +186,7 @@ func local_request_HeadscaleService_RenameUser_0(ctx context.Context, marshaler
 
 	msg, err := server.RenameUser(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_DeleteUser_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -209,6 +212,7 @@ func request_HeadscaleService_DeleteUser_0(ctx context.Context, marshaler runtim
 
 	msg, err := client.DeleteUser(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_DeleteUser_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -234,6 +238,7 @@ func local_request_HeadscaleService_DeleteUser_0(ctx context.Context, marshaler
 
 	msg, err := server.DeleteUser(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_ListUsers_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -242,6 +247,7 @@ func request_HeadscaleService_ListUsers_0(ctx context.Context, marshaler runtime
 
 	msg, err := client.ListUsers(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_ListUsers_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -250,6 +256,7 @@ func local_request_HeadscaleService_ListUsers_0(ctx context.Context, marshaler r
 
 	msg, err := server.ListUsers(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_CreatePreAuthKey_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -266,6 +273,7 @@ func request_HeadscaleService_CreatePreAuthKey_0(ctx context.Context, marshaler
 
 	msg, err := client.CreatePreAuthKey(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_CreatePreAuthKey_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -282,6 +290,7 @@ func local_request_HeadscaleService_CreatePreAuthKey_0(ctx context.Context, mars
 
 	msg, err := server.CreatePreAuthKey(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_ExpirePreAuthKey_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -298,6 +307,7 @@ func request_HeadscaleService_ExpirePreAuthKey_0(ctx context.Context, marshaler
 
 	msg, err := client.ExpirePreAuthKey(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_ExpirePreAuthKey_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -314,9 +324,12 @@ func local_request_HeadscaleService_ExpirePreAuthKey_0(ctx context.Context, mars
 
 	msg, err := server.ExpirePreAuthKey(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
-var filter_HeadscaleService_ListPreAuthKeys_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+var (
+	filter_HeadscaleService_ListPreAuthKeys_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+)
 
 func request_HeadscaleService_ListPreAuthKeys_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq ListPreAuthKeysRequest
@@ -331,6 +344,7 @@ func request_HeadscaleService_ListPreAuthKeys_0(ctx context.Context, marshaler r
 
 	msg, err := client.ListPreAuthKeys(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_ListPreAuthKeys_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -346,6 +360,7 @@ func local_request_HeadscaleService_ListPreAuthKeys_0(ctx context.Context, marsh
 
 	msg, err := server.ListPreAuthKeys(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_DebugCreateMachine_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -362,6 +377,7 @@ func request_HeadscaleService_DebugCreateMachine_0(ctx context.Context, marshale
 
 	msg, err := client.DebugCreateMachine(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_DebugCreateMachine_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -378,6 +394,7 @@ func local_request_HeadscaleService_DebugCreateMachine_0(ctx context.Context, ma
 
 	msg, err := server.DebugCreateMachine(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_GetMachine_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -403,6 +420,7 @@ func request_HeadscaleService_GetMachine_0(ctx context.Context, marshaler runtim
 
 	msg, err := client.GetMachine(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_GetMachine_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -428,6 +446,7 @@ func local_request_HeadscaleService_GetMachine_0(ctx context.Context, marshaler
 
 	msg, err := server.GetMachine(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_SetTags_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -461,6 +480,7 @@ func request_HeadscaleService_SetTags_0(ctx context.Context, marshaler runtime.M
 
 	msg, err := client.SetTags(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_SetTags_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -494,9 +514,12 @@ func local_request_HeadscaleService_SetTags_0(ctx context.Context, marshaler run
 
 	msg, err := server.SetTags(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
-var filter_HeadscaleService_RegisterMachine_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+var (
+	filter_HeadscaleService_RegisterMachine_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+)
 
 func request_HeadscaleService_RegisterMachine_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq RegisterMachineRequest
@@ -511,6 +534,7 @@ func request_HeadscaleService_RegisterMachine_0(ctx context.Context, marshaler r
 
 	msg, err := client.RegisterMachine(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_RegisterMachine_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -526,6 +550,7 @@ func local_request_HeadscaleService_RegisterMachine_0(ctx context.Context, marsh
 
 	msg, err := server.RegisterMachine(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_DeleteMachine_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -551,6 +576,7 @@ func request_HeadscaleService_DeleteMachine_0(ctx context.Context, marshaler run
 
 	msg, err := client.DeleteMachine(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_DeleteMachine_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -576,6 +602,7 @@ func local_request_HeadscaleService_DeleteMachine_0(ctx context.Context, marshal
 
 	msg, err := server.DeleteMachine(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_ExpireMachine_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -601,6 +628,7 @@ func request_HeadscaleService_ExpireMachine_0(ctx context.Context, marshaler run
 
 	msg, err := client.ExpireMachine(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_ExpireMachine_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -626,6 +654,7 @@ func local_request_HeadscaleService_ExpireMachine_0(ctx context.Context, marshal
 
 	msg, err := server.ExpireMachine(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_RenameMachine_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -661,6 +690,7 @@ func request_HeadscaleService_RenameMachine_0(ctx context.Context, marshaler run
 
 	msg, err := client.RenameMachine(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_RenameMachine_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -696,9 +726,12 @@ func local_request_HeadscaleService_RenameMachine_0(ctx context.Context, marshal
 
 	msg, err := server.RenameMachine(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
-var filter_HeadscaleService_ListMachines_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+var (
+	filter_HeadscaleService_ListMachines_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+)
 
 func request_HeadscaleService_ListMachines_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq ListMachinesRequest
@@ -713,6 +746,7 @@ func request_HeadscaleService_ListMachines_0(ctx context.Context, marshaler runt
 
 	msg, err := client.ListMachines(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_ListMachines_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -728,9 +762,12 @@ func local_request_HeadscaleService_ListMachines_0(ctx context.Context, marshale
 
 	msg, err := server.ListMachines(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
-var filter_HeadscaleService_MoveMachine_0 = &utilities.DoubleArray{Encoding: map[string]int{"machine_id": 0}, Base: []int{1, 1, 0}, Check: []int{0, 1, 2}}
+var (
+	filter_HeadscaleService_MoveMachine_0 = &utilities.DoubleArray{Encoding: map[string]int{"machine_id": 0}, Base: []int{1, 1, 0}, Check: []int{0, 1, 2}}
+)
 
 func request_HeadscaleService_MoveMachine_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq MoveMachineRequest
@@ -762,6 +799,7 @@ func request_HeadscaleService_MoveMachine_0(ctx context.Context, marshaler runti
 
 	msg, err := client.MoveMachine(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_MoveMachine_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -794,6 +832,7 @@ func local_request_HeadscaleService_MoveMachine_0(ctx context.Context, marshaler
 
 	msg, err := server.MoveMachine(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_GetRoutes_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -802,6 +841,7 @@ func request_HeadscaleService_GetRoutes_0(ctx context.Context, marshaler runtime
 
 	msg, err := client.GetRoutes(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_GetRoutes_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -810,6 +850,7 @@ func local_request_HeadscaleService_GetRoutes_0(ctx context.Context, marshaler r
 
 	msg, err := server.GetRoutes(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_EnableRoute_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -835,6 +876,7 @@ func request_HeadscaleService_EnableRoute_0(ctx context.Context, marshaler runti
 
 	msg, err := client.EnableRoute(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_EnableRoute_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -860,6 +902,7 @@ func local_request_HeadscaleService_EnableRoute_0(ctx context.Context, marshaler
 
 	msg, err := server.EnableRoute(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_DisableRoute_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -885,6 +928,7 @@ func request_HeadscaleService_DisableRoute_0(ctx context.Context, marshaler runt
 
 	msg, err := client.DisableRoute(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_DisableRoute_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -910,6 +954,7 @@ func local_request_HeadscaleService_DisableRoute_0(ctx context.Context, marshale
 
 	msg, err := server.DisableRoute(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_GetMachineRoutes_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -935,6 +980,7 @@ func request_HeadscaleService_GetMachineRoutes_0(ctx context.Context, marshaler
 
 	msg, err := client.GetMachineRoutes(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_GetMachineRoutes_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -960,6 +1006,59 @@ func local_request_HeadscaleService_GetMachineRoutes_0(ctx context.Context, mars
 
 	msg, err := server.GetMachineRoutes(ctx, &protoReq)
 	return msg, metadata, err
+
+}
+
+func request_HeadscaleService_DeleteRoute_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq DeleteRouteRequest
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["route_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "route_id")
+	}
+
+	protoReq.RouteId, err = runtime.Uint64(val)
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "route_id", err)
+	}
+
+	msg, err := client.DeleteRoute(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_HeadscaleService_DeleteRoute_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq DeleteRouteRequest
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["route_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "route_id")
+	}
+
+	protoReq.RouteId, err = runtime.Uint64(val)
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "route_id", err)
+	}
+
+	msg, err := server.DeleteRoute(ctx, &protoReq)
+	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_CreateApiKey_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -976,6 +1075,7 @@ func request_HeadscaleService_CreateApiKey_0(ctx context.Context, marshaler runt
 
 	msg, err := client.CreateApiKey(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_CreateApiKey_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -992,6 +1092,7 @@ func local_request_HeadscaleService_CreateApiKey_0(ctx context.Context, marshale
 
 	msg, err := server.CreateApiKey(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_ExpireApiKey_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -1008,6 +1109,7 @@ func request_HeadscaleService_ExpireApiKey_0(ctx context.Context, marshaler runt
 
 	msg, err := client.ExpireApiKey(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_ExpireApiKey_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -1024,6 +1126,7 @@ func local_request_HeadscaleService_ExpireApiKey_0(ctx context.Context, marshale
 
 	msg, err := server.ExpireApiKey(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 func request_HeadscaleService_ListApiKeys_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -1032,6 +1135,7 @@ func request_HeadscaleService_ListApiKeys_0(ctx context.Context, marshaler runti
 
 	msg, err := client.ListApiKeys(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
 	return msg, metadata, err
+
 }
 
 func local_request_HeadscaleService_ListApiKeys_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
@@ -1040,6 +1144,7 @@ func local_request_HeadscaleService_ListApiKeys_0(ctx context.Context, marshaler
 
 	msg, err := server.ListApiKeys(ctx, &protoReq)
 	return msg, metadata, err
+
 }
 
 // RegisterHeadscaleServiceHandlerServer registers the http handlers for service HeadscaleService to "mux".
@@ -1047,6 +1152,7 @@ func local_request_HeadscaleService_ListApiKeys_0(ctx context.Context, marshaler
 // StreamingRPC :currently unsupported pending https://github.com/grpc/grpc-go/issues/906.
 // Note that using this registration option will cause many gRPC library features to stop working. Consider using RegisterHeadscaleServiceHandlerFromEndpoint instead.
 func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.ServeMux, server HeadscaleServiceServer) error {
+
 	mux.Handle("GET", pattern_HeadscaleService_GetUser_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1069,6 +1175,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_GetUser_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_CreateUser_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1093,6 +1200,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_CreateUser_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_RenameUser_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1117,6 +1225,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_RenameUser_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("DELETE", pattern_HeadscaleService_DeleteUser_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1141,6 +1250,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_DeleteUser_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_ListUsers_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1165,6 +1275,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ListUsers_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_CreatePreAuthKey_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1189,6 +1300,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_CreatePreAuthKey_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_ExpirePreAuthKey_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1213,6 +1325,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ExpirePreAuthKey_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_ListPreAuthKeys_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1237,6 +1350,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ListPreAuthKeys_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_DebugCreateMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1261,6 +1375,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_DebugCreateMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_GetMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1285,6 +1400,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_GetMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_SetTags_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1309,6 +1425,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_SetTags_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_RegisterMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1333,6 +1450,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_RegisterMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("DELETE", pattern_HeadscaleService_DeleteMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1357,6 +1475,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_DeleteMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_ExpireMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1381,6 +1500,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ExpireMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_RenameMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1405,6 +1525,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_RenameMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_ListMachines_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1429,6 +1550,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ListMachines_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_MoveMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1453,6 +1575,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_MoveMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_GetRoutes_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1477,6 +1600,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_GetRoutes_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_EnableRoute_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1501,6 +1625,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_EnableRoute_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_DisableRoute_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1525,6 +1650,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_DisableRoute_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_GetMachineRoutes_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1549,6 +1675,32 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_GetMachineRoutes_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("DELETE", pattern_HeadscaleService_DeleteRoute_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		var err error
+		var annotatedContext context.Context
+		annotatedContext, err = runtime.AnnotateIncomingContext(ctx, mux, req, "/headscale.v1.HeadscaleService/DeleteRoute", runtime.WithHTTPPathPattern("/api/v1/routes/{route_id}"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_HeadscaleService_DeleteRoute_0(annotatedContext, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_HeadscaleService_DeleteRoute_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_CreateApiKey_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1573,6 +1725,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_CreateApiKey_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_ExpireApiKey_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1597,6 +1750,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ExpireApiKey_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_ListApiKeys_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1621,6 +1775,7 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ListApiKeys_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	return nil
@@ -1663,6 +1818,7 @@ func RegisterHeadscaleServiceHandler(ctx context.Context, mux *runtime.ServeMux,
 // doesn't go through the normal gRPC flow (creating a gRPC client etc.) then it will be up to the passed in
 // "HeadscaleServiceClient" to call the correct interceptors.
 func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.ServeMux, client HeadscaleServiceClient) error {
+
 	mux.Handle("GET", pattern_HeadscaleService_GetUser_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1682,6 +1838,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_GetUser_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_CreateUser_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1703,6 +1860,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_CreateUser_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_RenameUser_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1724,6 +1882,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_RenameUser_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("DELETE", pattern_HeadscaleService_DeleteUser_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1745,6 +1904,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_DeleteUser_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_ListUsers_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1766,6 +1926,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ListUsers_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_CreatePreAuthKey_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1787,6 +1948,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_CreatePreAuthKey_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_ExpirePreAuthKey_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1808,6 +1970,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ExpirePreAuthKey_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_ListPreAuthKeys_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1829,6 +1992,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ListPreAuthKeys_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_DebugCreateMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1850,6 +2014,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_DebugCreateMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_GetMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1871,6 +2036,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_GetMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_SetTags_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1892,6 +2058,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_SetTags_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_RegisterMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1913,6 +2080,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_RegisterMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("DELETE", pattern_HeadscaleService_DeleteMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1934,6 +2102,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_DeleteMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_ExpireMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1955,6 +2124,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ExpireMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_RenameMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1976,6 +2146,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_RenameMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_ListMachines_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -1997,6 +2168,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ListMachines_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_MoveMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -2018,6 +2190,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_MoveMachine_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_GetRoutes_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -2039,6 +2212,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_GetRoutes_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_EnableRoute_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -2060,6 +2234,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_EnableRoute_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_DisableRoute_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -2081,6 +2256,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_DisableRoute_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_GetMachineRoutes_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -2102,6 +2278,29 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_GetMachineRoutes_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("DELETE", pattern_HeadscaleService_DeleteRoute_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		var err error
+		var annotatedContext context.Context
+		annotatedContext, err = runtime.AnnotateContext(ctx, mux, req, "/headscale.v1.HeadscaleService/DeleteRoute", runtime.WithHTTPPathPattern("/api/v1/routes/{route_id}"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_HeadscaleService_DeleteRoute_0(annotatedContext, inboundMarshaler, client, req, pathParams)
+		annotatedContext = runtime.NewServerMetadataContext(annotatedContext, md)
+		if err != nil {
+			runtime.HTTPError(annotatedContext, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_HeadscaleService_DeleteRoute_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_CreateApiKey_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -2123,6 +2322,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_CreateApiKey_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("POST", pattern_HeadscaleService_ExpireApiKey_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -2144,6 +2344,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ExpireApiKey_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	mux.Handle("GET", pattern_HeadscaleService_ListApiKeys_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
@@ -2165,6 +2366,7 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 		}
 
 		forward_HeadscaleService_ListApiKeys_0(annotatedContext, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
 	})
 
 	return nil
@@ -2213,6 +2415,8 @@ var (
 
 	pattern_HeadscaleService_GetMachineRoutes_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "machine", "machine_id", "routes"}, ""))
 
+	pattern_HeadscaleService_DeleteRoute_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "routes", "route_id"}, ""))
+
 	pattern_HeadscaleService_CreateApiKey_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "apikey"}, ""))
 
 	pattern_HeadscaleService_ExpireApiKey_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"api", "v1", "apikey", "expire"}, ""))
@@ -2263,6 +2467,8 @@ var (
 
 	forward_HeadscaleService_GetMachineRoutes_0 = runtime.ForwardResponseMessage
 
+	forward_HeadscaleService_DeleteRoute_0 = runtime.ForwardResponseMessage
+
 	forward_HeadscaleService_CreateApiKey_0 = runtime.ForwardResponseMessage
 
 	forward_HeadscaleService_ExpireApiKey_0 = runtime.ForwardResponseMessage

gen/go/headscale/v1/headscale_grpc.pb.go

@@ -8,7 +8,6 @@ package v1
 
 import (
 	context "context"
-
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
@@ -48,6 +47,7 @@ type HeadscaleServiceClient interface {
 	EnableRoute(ctx context.Context, in *EnableRouteRequest, opts ...grpc.CallOption) (*EnableRouteResponse, error)
 	DisableRoute(ctx context.Context, in *DisableRouteRequest, opts ...grpc.CallOption) (*DisableRouteResponse, error)
 	GetMachineRoutes(ctx context.Context, in *GetMachineRoutesRequest, opts ...grpc.CallOption) (*GetMachineRoutesResponse, error)
+	DeleteRoute(ctx context.Context, in *DeleteRouteRequest, opts ...grpc.CallOption) (*DeleteRouteResponse, error)
 	// --- ApiKeys start ---
 	CreateApiKey(ctx context.Context, in *CreateApiKeyRequest, opts ...grpc.CallOption) (*CreateApiKeyResponse, error)
 	ExpireApiKey(ctx context.Context, in *ExpireApiKeyRequest, opts ...grpc.CallOption) (*ExpireApiKeyResponse, error)
@@ -251,6 +251,15 @@ func (c *headscaleServiceClient) GetMachineRoutes(ctx context.Context, in *GetMa
 	return out, nil
 }
 
+func (c *headscaleServiceClient) DeleteRoute(ctx context.Context, in *DeleteRouteRequest, opts ...grpc.CallOption) (*DeleteRouteResponse, error) {
+	out := new(DeleteRouteResponse)
+	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/DeleteRoute", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *headscaleServiceClient) CreateApiKey(ctx context.Context, in *CreateApiKeyRequest, opts ...grpc.CallOption) (*CreateApiKeyResponse, error) {
 	out := new(CreateApiKeyResponse)
 	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/CreateApiKey", in, out, opts...)
@@ -307,6 +316,7 @@ type HeadscaleServiceServer interface {
 	EnableRoute(context.Context, *EnableRouteRequest) (*EnableRouteResponse, error)
 	DisableRoute(context.Context, *DisableRouteRequest) (*DisableRouteResponse, error)
 	GetMachineRoutes(context.Context, *GetMachineRoutesRequest) (*GetMachineRoutesResponse, error)
+	DeleteRoute(context.Context, *DeleteRouteRequest) (*DeleteRouteResponse, error)
 	// --- ApiKeys start ---
 	CreateApiKey(context.Context, *CreateApiKeyRequest) (*CreateApiKeyResponse, error)
 	ExpireApiKey(context.Context, *ExpireApiKeyRequest) (*ExpireApiKeyResponse, error)
@@ -315,100 +325,81 @@ type HeadscaleServiceServer interface {
 }
 
 // UnimplementedHeadscaleServiceServer must be embedded to have forward compatible implementations.
-type UnimplementedHeadscaleServiceServer struct{}
+type UnimplementedHeadscaleServiceServer struct {
+}
 
 func (UnimplementedHeadscaleServiceServer) GetUser(context.Context, *GetUserRequest) (*GetUserResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetUser not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) CreateUser(context.Context, *CreateUserRequest) (*CreateUserResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method CreateUser not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) RenameUser(context.Context, *RenameUserRequest) (*RenameUserResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method RenameUser not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) DeleteUser(context.Context, *DeleteUserRequest) (*DeleteUserResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method DeleteUser not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) ListUsers(context.Context, *ListUsersRequest) (*ListUsersResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListUsers not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) CreatePreAuthKey(context.Context, *CreatePreAuthKeyRequest) (*CreatePreAuthKeyResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method CreatePreAuthKey not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) ExpirePreAuthKey(context.Context, *ExpirePreAuthKeyRequest) (*ExpirePreAuthKeyResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ExpirePreAuthKey not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) ListPreAuthKeys(context.Context, *ListPreAuthKeysRequest) (*ListPreAuthKeysResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListPreAuthKeys not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) DebugCreateMachine(context.Context, *DebugCreateMachineRequest) (*DebugCreateMachineResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method DebugCreateMachine not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) GetMachine(context.Context, *GetMachineRequest) (*GetMachineResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetMachine not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) SetTags(context.Context, *SetTagsRequest) (*SetTagsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SetTags not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) RegisterMachine(context.Context, *RegisterMachineRequest) (*RegisterMachineResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method RegisterMachine not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) DeleteMachine(context.Context, *DeleteMachineRequest) (*DeleteMachineResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method DeleteMachine not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) ExpireMachine(context.Context, *ExpireMachineRequest) (*ExpireMachineResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ExpireMachine not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) RenameMachine(context.Context, *RenameMachineRequest) (*RenameMachineResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method RenameMachine not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) ListMachines(context.Context, *ListMachinesRequest) (*ListMachinesResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListMachines not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) MoveMachine(context.Context, *MoveMachineRequest) (*MoveMachineResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method MoveMachine not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) GetRoutes(context.Context, *GetRoutesRequest) (*GetRoutesResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetRoutes not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) EnableRoute(context.Context, *EnableRouteRequest) (*EnableRouteResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method EnableRoute not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) DisableRoute(context.Context, *DisableRouteRequest) (*DisableRouteResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method DisableRoute not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) GetMachineRoutes(context.Context, *GetMachineRoutesRequest) (*GetMachineRoutesResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetMachineRoutes not implemented")
 }
-
+func (UnimplementedHeadscaleServiceServer) DeleteRoute(context.Context, *DeleteRouteRequest) (*DeleteRouteResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteRoute not implemented")
+}
 func (UnimplementedHeadscaleServiceServer) CreateApiKey(context.Context, *CreateApiKeyRequest) (*CreateApiKeyResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method CreateApiKey not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) ExpireApiKey(context.Context, *ExpireApiKeyRequest) (*ExpireApiKeyResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ExpireApiKey not implemented")
 }
-
 func (UnimplementedHeadscaleServiceServer) ListApiKeys(context.Context, *ListApiKeysRequest) (*ListApiKeysResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListApiKeys not implemented")
 }
@@ -803,6 +794,24 @@ func _HeadscaleService_GetMachineRoutes_Handler(srv interface{}, ctx context.Con
 	return interceptor(ctx, in, info, handler)
 }
 
+func _HeadscaleService_DeleteRoute_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DeleteRouteRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(HeadscaleServiceServer).DeleteRoute(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/headscale.v1.HeadscaleService/DeleteRoute",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(HeadscaleServiceServer).DeleteRoute(ctx, req.(*DeleteRouteRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _HeadscaleService_CreateApiKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(CreateApiKeyRequest)
 	if err := dec(in); err != nil {
@@ -948,6 +957,10 @@ var HeadscaleService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetMachineRoutes",
 			Handler:    _HeadscaleService_GetMachineRoutes_Handler,
 		},
+		{
+			MethodName: "DeleteRoute",
+			Handler:    _HeadscaleService_DeleteRoute_Handler,
+		},
 		{
 			MethodName: "CreateApiKey",
 			Handler:    _HeadscaleService_CreateApiKey_Handler,

gen/go/headscale/v1/machine.pb.go

@@ -7,12 +7,11 @@
 package v1
 
 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
 )
 
 const (
@@ -1310,35 +1309,33 @@ func file_headscale_v1_machine_proto_rawDescGZIP() []byte {
 	return file_headscale_v1_machine_proto_rawDescData
 }
 
-var (
-	file_headscale_v1_machine_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-	file_headscale_v1_machine_proto_msgTypes  = make([]protoimpl.MessageInfo, 19)
-	file_headscale_v1_machine_proto_goTypes   = []interface{}{
-		(RegisterMethod)(0),                // 0: headscale.v1.RegisterMethod
-		(*Machine)(nil),                    // 1: headscale.v1.Machine
-		(*RegisterMachineRequest)(nil),     // 2: headscale.v1.RegisterMachineRequest
-		(*RegisterMachineResponse)(nil),    // 3: headscale.v1.RegisterMachineResponse
-		(*GetMachineRequest)(nil),          // 4: headscale.v1.GetMachineRequest
-		(*GetMachineResponse)(nil),         // 5: headscale.v1.GetMachineResponse
-		(*SetTagsRequest)(nil),             // 6: headscale.v1.SetTagsRequest
-		(*SetTagsResponse)(nil),            // 7: headscale.v1.SetTagsResponse
-		(*DeleteMachineRequest)(nil),       // 8: headscale.v1.DeleteMachineRequest
-		(*DeleteMachineResponse)(nil),      // 9: headscale.v1.DeleteMachineResponse
-		(*ExpireMachineRequest)(nil),       // 10: headscale.v1.ExpireMachineRequest
-		(*ExpireMachineResponse)(nil),      // 11: headscale.v1.ExpireMachineResponse
-		(*RenameMachineRequest)(nil),       // 12: headscale.v1.RenameMachineRequest
-		(*RenameMachineResponse)(nil),      // 13: headscale.v1.RenameMachineResponse
-		(*ListMachinesRequest)(nil),        // 14: headscale.v1.ListMachinesRequest
-		(*ListMachinesResponse)(nil),       // 15: headscale.v1.ListMachinesResponse
-		(*MoveMachineRequest)(nil),         // 16: headscale.v1.MoveMachineRequest
-		(*MoveMachineResponse)(nil),        // 17: headscale.v1.MoveMachineResponse
-		(*DebugCreateMachineRequest)(nil),  // 18: headscale.v1.DebugCreateMachineRequest
-		(*DebugCreateMachineResponse)(nil), // 19: headscale.v1.DebugCreateMachineResponse
-		(*User)(nil),                       // 20: headscale.v1.User
-		(*timestamppb.Timestamp)(nil),      // 21: google.protobuf.Timestamp
-		(*PreAuthKey)(nil),                 // 22: headscale.v1.PreAuthKey
-	}
-)
+var file_headscale_v1_machine_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_headscale_v1_machine_proto_msgTypes = make([]protoimpl.MessageInfo, 19)
+var file_headscale_v1_machine_proto_goTypes = []interface{}{
+	(RegisterMethod)(0),                // 0: headscale.v1.RegisterMethod
+	(*Machine)(nil),                    // 1: headscale.v1.Machine
+	(*RegisterMachineRequest)(nil),     // 2: headscale.v1.RegisterMachineRequest
+	(*RegisterMachineResponse)(nil),    // 3: headscale.v1.RegisterMachineResponse
+	(*GetMachineRequest)(nil),          // 4: headscale.v1.GetMachineRequest
+	(*GetMachineResponse)(nil),         // 5: headscale.v1.GetMachineResponse
+	(*SetTagsRequest)(nil),             // 6: headscale.v1.SetTagsRequest
+	(*SetTagsResponse)(nil),            // 7: headscale.v1.SetTagsResponse
+	(*DeleteMachineRequest)(nil),       // 8: headscale.v1.DeleteMachineRequest
+	(*DeleteMachineResponse)(nil),      // 9: headscale.v1.DeleteMachineResponse
+	(*ExpireMachineRequest)(nil),       // 10: headscale.v1.ExpireMachineRequest
+	(*ExpireMachineResponse)(nil),      // 11: headscale.v1.ExpireMachineResponse
+	(*RenameMachineRequest)(nil),       // 12: headscale.v1.RenameMachineRequest
+	(*RenameMachineResponse)(nil),      // 13: headscale.v1.RenameMachineResponse
+	(*ListMachinesRequest)(nil),        // 14: headscale.v1.ListMachinesRequest
+	(*ListMachinesResponse)(nil),       // 15: headscale.v1.ListMachinesResponse
+	(*MoveMachineRequest)(nil),         // 16: headscale.v1.MoveMachineRequest
+	(*MoveMachineResponse)(nil),        // 17: headscale.v1.MoveMachineResponse
+	(*DebugCreateMachineRequest)(nil),  // 18: headscale.v1.DebugCreateMachineRequest
+	(*DebugCreateMachineResponse)(nil), // 19: headscale.v1.DebugCreateMachineResponse
+	(*User)(nil),                       // 20: headscale.v1.User
+	(*timestamppb.Timestamp)(nil),      // 21: google.protobuf.Timestamp
+	(*PreAuthKey)(nil),                 // 22: headscale.v1.PreAuthKey
+}
 var file_headscale_v1_machine_proto_depIdxs = []int32{
 	20, // 0: headscale.v1.Machine.user:type_name -> headscale.v1.User
 	21, // 1: headscale.v1.Machine.last_seen:type_name -> google.protobuf.Timestamp

gen/go/headscale/v1/preauthkey.pb.go

@@ -7,12 +7,11 @@
 package v1
 
 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
 )
 
 const (
@@ -522,19 +521,17 @@ func file_headscale_v1_preauthkey_proto_rawDescGZIP() []byte {
 	return file_headscale_v1_preauthkey_proto_rawDescData
 }
 
-var (
-	file_headscale_v1_preauthkey_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
-	file_headscale_v1_preauthkey_proto_goTypes  = []interface{}{
-		(*PreAuthKey)(nil),               // 0: headscale.v1.PreAuthKey
-		(*CreatePreAuthKeyRequest)(nil),  // 1: headscale.v1.CreatePreAuthKeyRequest
-		(*CreatePreAuthKeyResponse)(nil), // 2: headscale.v1.CreatePreAuthKeyResponse
-		(*ExpirePreAuthKeyRequest)(nil),  // 3: headscale.v1.ExpirePreAuthKeyRequest
-		(*ExpirePreAuthKeyResponse)(nil), // 4: headscale.v1.ExpirePreAuthKeyResponse
-		(*ListPreAuthKeysRequest)(nil),   // 5: headscale.v1.ListPreAuthKeysRequest
-		(*ListPreAuthKeysResponse)(nil),  // 6: headscale.v1.ListPreAuthKeysResponse
-		(*timestamppb.Timestamp)(nil),    // 7: google.protobuf.Timestamp
-	}
-)
+var file_headscale_v1_preauthkey_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_headscale_v1_preauthkey_proto_goTypes = []interface{}{
+	(*PreAuthKey)(nil),               // 0: headscale.v1.PreAuthKey
+	(*CreatePreAuthKeyRequest)(nil),  // 1: headscale.v1.CreatePreAuthKeyRequest
+	(*CreatePreAuthKeyResponse)(nil), // 2: headscale.v1.CreatePreAuthKeyResponse
+	(*ExpirePreAuthKeyRequest)(nil),  // 3: headscale.v1.ExpirePreAuthKeyRequest
+	(*ExpirePreAuthKeyResponse)(nil), // 4: headscale.v1.ExpirePreAuthKeyResponse
+	(*ListPreAuthKeysRequest)(nil),   // 5: headscale.v1.ListPreAuthKeysRequest
+	(*ListPreAuthKeysResponse)(nil),  // 6: headscale.v1.ListPreAuthKeysResponse
+	(*timestamppb.Timestamp)(nil),    // 7: google.protobuf.Timestamp
+}
 var file_headscale_v1_preauthkey_proto_depIdxs = []int32{
 	7, // 0: headscale.v1.PreAuthKey.expiration:type_name -> google.protobuf.Timestamp
 	7, // 1: headscale.v1.PreAuthKey.created_at:type_name -> google.protobuf.Timestamp

gen/go/headscale/v1/routes.pb.go

@@ -7,12 +7,11 @@
 package v1
 
 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
 )
 
 const (
@@ -482,6 +481,91 @@ func (x *GetMachineRoutesResponse) GetRoutes() []*Route {
 	return nil
 }
 
+type DeleteRouteRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	RouteId uint64 `protobuf:"varint,1,opt,name=route_id,json=routeId,proto3" json:"route_id,omitempty"`
+}
+
+func (x *DeleteRouteRequest) Reset() {
+	*x = DeleteRouteRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headscale_v1_routes_proto_msgTypes[9]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DeleteRouteRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DeleteRouteRequest) ProtoMessage() {}
+
+func (x *DeleteRouteRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_routes_proto_msgTypes[9]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DeleteRouteRequest.ProtoReflect.Descriptor instead.
+func (*DeleteRouteRequest) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{9}
+}
+
+func (x *DeleteRouteRequest) GetRouteId() uint64 {
+	if x != nil {
+		return x.RouteId
+	}
+	return 0
+}
+
+type DeleteRouteResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *DeleteRouteResponse) Reset() {
+	*x = DeleteRouteResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headscale_v1_routes_proto_msgTypes[10]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DeleteRouteResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DeleteRouteResponse) ProtoMessage() {}
+
+func (x *DeleteRouteResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_routes_proto_msgTypes[10]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DeleteRouteResponse.ProtoReflect.Descriptor instead.
+func (*DeleteRouteResponse) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{10}
+}
+
 var File_headscale_v1_routes_proto protoreflect.FileDescriptor
 
 var file_headscale_v1_routes_proto_rawDesc = []byte{
@@ -536,11 +620,15 @@ var file_headscale_v1_routes_proto_rawDesc = []byte{
 	0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
 	0x65, 0x12, 0x2b, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28,
 	0x0b, 0x32, 0x13, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
-	0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x42, 0x29,
-	0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61,
-	0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f,
-	0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x33,
+	0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x2f,
+	0x0a, 0x12, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x49, 0x64, 0x22,
+	0x15, 0x0a, 0x13, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
+	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76,
+	0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -555,27 +643,27 @@ func file_headscale_v1_routes_proto_rawDescGZIP() []byte {
 	return file_headscale_v1_routes_proto_rawDescData
 }
 
-var (
-	file_headscale_v1_routes_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
-	file_headscale_v1_routes_proto_goTypes  = []interface{}{
-		(*Route)(nil),                    // 0: headscale.v1.Route
-		(*GetRoutesRequest)(nil),         // 1: headscale.v1.GetRoutesRequest
-		(*GetRoutesResponse)(nil),        // 2: headscale.v1.GetRoutesResponse
-		(*EnableRouteRequest)(nil),       // 3: headscale.v1.EnableRouteRequest
-		(*EnableRouteResponse)(nil),      // 4: headscale.v1.EnableRouteResponse
-		(*DisableRouteRequest)(nil),      // 5: headscale.v1.DisableRouteRequest
-		(*DisableRouteResponse)(nil),     // 6: headscale.v1.DisableRouteResponse
-		(*GetMachineRoutesRequest)(nil),  // 7: headscale.v1.GetMachineRoutesRequest
-		(*GetMachineRoutesResponse)(nil), // 8: headscale.v1.GetMachineRoutesResponse
-		(*Machine)(nil),                  // 9: headscale.v1.Machine
-		(*timestamppb.Timestamp)(nil),    // 10: google.protobuf.Timestamp
-	}
-)
+var file_headscale_v1_routes_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
+var file_headscale_v1_routes_proto_goTypes = []interface{}{
+	(*Route)(nil),                    // 0: headscale.v1.Route
+	(*GetRoutesRequest)(nil),         // 1: headscale.v1.GetRoutesRequest
+	(*GetRoutesResponse)(nil),        // 2: headscale.v1.GetRoutesResponse
+	(*EnableRouteRequest)(nil),       // 3: headscale.v1.EnableRouteRequest
+	(*EnableRouteResponse)(nil),      // 4: headscale.v1.EnableRouteResponse
+	(*DisableRouteRequest)(nil),      // 5: headscale.v1.DisableRouteRequest
+	(*DisableRouteResponse)(nil),     // 6: headscale.v1.DisableRouteResponse
+	(*GetMachineRoutesRequest)(nil),  // 7: headscale.v1.GetMachineRoutesRequest
+	(*GetMachineRoutesResponse)(nil), // 8: headscale.v1.GetMachineRoutesResponse
+	(*DeleteRouteRequest)(nil),       // 9: headscale.v1.DeleteRouteRequest
+	(*DeleteRouteResponse)(nil),      // 10: headscale.v1.DeleteRouteResponse
+	(*Machine)(nil),                  // 11: headscale.v1.Machine
+	(*timestamppb.Timestamp)(nil),    // 12: google.protobuf.Timestamp
+}
 var file_headscale_v1_routes_proto_depIdxs = []int32{
-	9,  // 0: headscale.v1.Route.machine:type_name -> headscale.v1.Machine
-	10, // 1: headscale.v1.Route.created_at:type_name -> google.protobuf.Timestamp
-	10, // 2: headscale.v1.Route.updated_at:type_name -> google.protobuf.Timestamp
-	10, // 3: headscale.v1.Route.deleted_at:type_name -> google.protobuf.Timestamp
+	11, // 0: headscale.v1.Route.machine:type_name -> headscale.v1.Machine
+	12, // 1: headscale.v1.Route.created_at:type_name -> google.protobuf.Timestamp
+	12, // 2: headscale.v1.Route.updated_at:type_name -> google.protobuf.Timestamp
+	12, // 3: headscale.v1.Route.deleted_at:type_name -> google.protobuf.Timestamp
 	0,  // 4: headscale.v1.GetRoutesResponse.routes:type_name -> headscale.v1.Route
 	0,  // 5: headscale.v1.GetMachineRoutesResponse.routes:type_name -> headscale.v1.Route
 	6,  // [6:6] is the sub-list for method output_type
@@ -700,6 +788,30 @@ func file_headscale_v1_routes_proto_init() {
 				return nil
 			}
 		}
+		file_headscale_v1_routes_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DeleteRouteRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_headscale_v1_routes_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DeleteRouteResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@@ -707,7 +819,7 @@ func file_headscale_v1_routes_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_headscale_v1_routes_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   9,
+			NumMessages:   11,
 			NumExtensions: 0,
 			NumServices:   0,
 		},

gen/go/headscale/v1/user.pb.go

@@ -7,12 +7,11 @@
 package v1
 
 import (
-	reflect "reflect"
-	sync "sync"
-
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
 )
 
 const (
@@ -607,23 +606,21 @@ func file_headscale_v1_user_proto_rawDescGZIP() []byte {
 	return file_headscale_v1_user_proto_rawDescData
 }
 
-var (
-	file_headscale_v1_user_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
-	file_headscale_v1_user_proto_goTypes  = []interface{}{
-		(*User)(nil),                  // 0: headscale.v1.User
-		(*GetUserRequest)(nil),        // 1: headscale.v1.GetUserRequest
-		(*GetUserResponse)(nil),       // 2: headscale.v1.GetUserResponse
-		(*CreateUserRequest)(nil),     // 3: headscale.v1.CreateUserRequest
-		(*CreateUserResponse)(nil),    // 4: headscale.v1.CreateUserResponse
-		(*RenameUserRequest)(nil),     // 5: headscale.v1.RenameUserRequest
-		(*RenameUserResponse)(nil),    // 6: headscale.v1.RenameUserResponse
-		(*DeleteUserRequest)(nil),     // 7: headscale.v1.DeleteUserRequest
-		(*DeleteUserResponse)(nil),    // 8: headscale.v1.DeleteUserResponse
-		(*ListUsersRequest)(nil),      // 9: headscale.v1.ListUsersRequest
-		(*ListUsersResponse)(nil),     // 10: headscale.v1.ListUsersResponse
-		(*timestamppb.Timestamp)(nil), // 11: google.protobuf.Timestamp
-	}
-)
+var file_headscale_v1_user_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
+var file_headscale_v1_user_proto_goTypes = []interface{}{
+	(*User)(nil),                  // 0: headscale.v1.User
+	(*GetUserRequest)(nil),        // 1: headscale.v1.GetUserRequest
+	(*GetUserResponse)(nil),       // 2: headscale.v1.GetUserResponse
+	(*CreateUserRequest)(nil),     // 3: headscale.v1.CreateUserRequest
+	(*CreateUserResponse)(nil),    // 4: headscale.v1.CreateUserResponse
+	(*RenameUserRequest)(nil),     // 5: headscale.v1.RenameUserRequest
+	(*RenameUserResponse)(nil),    // 6: headscale.v1.RenameUserResponse
+	(*DeleteUserRequest)(nil),     // 7: headscale.v1.DeleteUserRequest
+	(*DeleteUserResponse)(nil),    // 8: headscale.v1.DeleteUserResponse
+	(*ListUsersRequest)(nil),      // 9: headscale.v1.ListUsersRequest
+	(*ListUsersResponse)(nil),     // 10: headscale.v1.ListUsersResponse
+	(*timestamppb.Timestamp)(nil), // 11: google.protobuf.Timestamp
+}
 var file_headscale_v1_user_proto_depIdxs = []int32{
 	11, // 0: headscale.v1.User.created_at:type_name -> google.protobuf.Timestamp
 	0,  // 1: headscale.v1.GetUserResponse.user:type_name -> headscale.v1.User

gen/openapiv2/headscale/v1/headscale.swagger.json

@@ -559,6 +559,37 @@
         ]
       }
     },
+    "/api/v1/routes/{routeId}": {
+      "delete": {
+        "operationId": "HeadscaleService_DeleteRoute",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1DeleteRouteResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/rpcStatus"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "routeId",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "format": "uint64"
+          }
+        ],
+        "tags": [
+          "HeadscaleService"
+        ]
+      }
+    },
     "/api/v1/routes/{routeId}/disable": {
       "post": {
         "operationId": "HeadscaleService_DisableRoute",
@@ -917,6 +948,9 @@
     "v1DeleteMachineResponse": {
       "type": "object"
     },
+    "v1DeleteRouteResponse": {
+      "type": "object"
+    },
     "v1DeleteUserResponse": {
       "type": "object"
     },

go.mod

@@ -1,55 +1,56 @@
 module github.com/juanfont/headscale
 
-go 1.19
+go 1.20
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.6
 	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
 	github.com/cenkalti/backoff/v4 v4.2.0
-	github.com/coreos/go-oidc/v3 v3.4.0
-	github.com/deckarep/golang-set/v2 v2.1.0
+	github.com/coreos/go-oidc/v3 v3.5.0
+	github.com/davecgh/go-spew v1.1.1
+	github.com/deckarep/golang-set/v2 v2.3.0
 	github.com/efekarakus/termcolor v1.0.1
-	github.com/glebarez/sqlite v1.5.0
-	github.com/gofrs/uuid v4.3.1+incompatible
+	github.com/glebarez/sqlite v1.7.0
+	github.com/gofrs/uuid/v5 v5.0.0
 	github.com/gorilla/mux v1.8.0
-	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.14.0
-	github.com/klauspost/compress v1.15.12
+	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2
+	github.com/klauspost/compress v1.16.4
 	github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282
 	github.com/ory/dockertest/v3 v3.9.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
 	github.com/prometheus/client_golang v1.14.0
-	github.com/prometheus/common v0.37.0
-	github.com/pterm/pterm v0.12.50
+	github.com/prometheus/common v0.42.0
+	github.com/pterm/pterm v0.12.58
 	github.com/puzpuzpuz/xsync/v2 v2.4.0
-	github.com/rs/zerolog v1.28.0
-	github.com/spf13/cobra v1.6.1
-	github.com/spf13/viper v1.14.0
-	github.com/stretchr/testify v1.8.1
-	github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f
+	github.com/rs/zerolog v1.29.0
+	github.com/samber/lo v1.38.1
+	github.com/spf13/cobra v1.7.0
+	github.com/spf13/viper v1.15.0
+	github.com/stretchr/testify v1.8.2
+	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
-	go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab
-	golang.org/x/crypto v0.3.0
-	golang.org/x/net v0.2.0
-	golang.org/x/oauth2 v0.2.0
+	go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35
+	golang.org/x/crypto v0.7.0
+	golang.org/x/net v0.9.0
+	golang.org/x/oauth2 v0.7.0
 	golang.org/x/sync v0.1.0
-	google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd
-	google.golang.org/grpc v1.51.0
-	google.golang.org/protobuf v1.28.1
+	google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd
+	google.golang.org/grpc v1.54.0
+	google.golang.org/protobuf v1.30.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
-	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
-	gorm.io/driver/postgres v1.4.5
-	gorm.io/gorm v1.24.2
-	tailscale.com v1.34.0
+	gorm.io/driver/postgres v1.4.8
+	gorm.io/gorm v1.24.6
+	tailscale.com v1.38.4
 )
 
 require (
 	atomicgo.dev/cursor v0.1.1 // indirect
-	atomicgo.dev/keyboard v0.2.8 // indirect
+	atomicgo.dev/keyboard v0.2.9 // indirect
 	filippo.io/edwards25519 v1.0.0 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
 	github.com/akutz/memconn v0.1.0 // indirect
@@ -58,94 +59,91 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/containerd/console v1.0.3 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v20.10.21+incompatible // indirect
-	github.com/docker/docker v20.10.21+incompatible // indirect
+	github.com/docker/cli v23.0.1+incompatible // indirect
+	github.com/docker/docker v23.0.1+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
-	github.com/glebarez/go-sqlite v1.19.5 // indirect
+	github.com/glebarez/go-sqlite v1.20.3 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-github v17.0.0+incompatible // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/gookit/color v1.5.2 // indirect
+	github.com/gookit/color v1.5.3 // indirect
 	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hdevalence/ed25519consensus v0.1.0 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.13.0 // indirect
-	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.3.1 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
-	github.com/jackc/pgtype v1.13.0 // indirect
-	github.com/jackc/pgx/v4 v4.17.2 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgx/v5 v5.3.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
-	github.com/josharian/native v1.0.0 // indirect
-	github.com/jsimonetti/rtnetlink v1.3.0 // indirect
+	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect
+	github.com/jsimonetti/rtnetlink v1.3.1 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
-	github.com/kr/pretty v0.3.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
+	github.com/lib/pq v1.10.7 // indirect
 	github.com/lithammer/fuzzysearch v1.1.5 // indirect
-	github.com/magiconair/properties v1.8.6 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/mdlayher/netlink v1.7.0 // indirect
+	github.com/mdlayher/netlink v1.7.1 // indirect
 	github.com/mdlayher/socket v0.4.0 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/moby/term v0.0.0-20221128092401-c43b287e0e0f // indirect
+	github.com/moby/term v0.0.0-20221205130635-1aeaba878587 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
 	github.com/opencontainers/runc v1.1.4 // indirect
-	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
-	github.com/remyoudompheng/bigfft v0.0.0-20220927061507-ef77025ab5aa // indirect
-	github.com/rivo/uniseg v0.4.3 // indirect
-	github.com/rogpeppe/go-internal v1.8.1-0.20211023094830-115ce09fd6b4 // indirect
+	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/spf13/afero v1.9.3 // indirect
+	github.com/spf13/afero v1.9.4 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/subosito/gotenv v1.4.1 // indirect
+	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
-	golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 // indirect
-	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/sys v0.3.0 // indirect
-	golang.org/x/term v0.2.0 // indirect
-	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
+	golang.org/x/mod v0.8.0 // indirect
+	golang.org/x/sys v0.7.0 // indirect
+	golang.org/x/term v0.7.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.3.0 // indirect
+	golang.org/x/tools v0.6.0 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-	modernc.org/libc v1.21.5 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	modernc.org/libc v1.22.2 // indirect
 	modernc.org/mathutil v1.5.0 // indirect
 	modernc.org/memory v1.5.0 // indirect
-	modernc.org/sqlite v1.20.0 // indirect
+	modernc.org/sqlite v1.20.3 // indirect
 	nhooyr.io/websocket v1.8.7 // indirect
 )

grpcv1.go

@@ -422,6 +422,18 @@ func (api headscaleV1APIServer) GetMachineRoutes(
 	}, nil
 }
 
+func (api headscaleV1APIServer) DeleteRoute(
+	ctx context.Context,
+	request *v1.DeleteRouteRequest,
+) (*v1.DeleteRouteResponse, error) {
+	err := api.h.DeleteRoute(request.GetRouteId())
+	if err != nil {
+		return nil, err
+	}
+
+	return &v1.DeleteRouteResponse{}, nil
+}
+
 func (api headscaleV1APIServer) CreateApiKey(
 	ctx context.Context,
 	request *v1.CreateApiKeyRequest,

integration/README.md

@@ -9,8 +9,17 @@ Headscale's test framework and the current set of scenarios are defined in this
 
 Tests are located in files ending with `_test.go` and the framework are located in the rest.
 
+## Running integration tests locally
+
+The easiest way to run tests locally is to use `[act](INSERT LINK)`, a local GitHub Actions runner:
+
+```
+act pull_request -W .github/workflows/test-integration-v2-TestPingAllByIP.yaml
+```
+
+Alternatively, the `docker run` command in each GitHub workflow file can be used.
+
 ## Running integration tests on GitHub Actions
 
-Each test currently runs as a separate workflows in GitHub actions, to add new test, add
-the new test to the list in `../cmd/gh-action-integration-generator/main.go` and run
+Each test currently runs as a separate workflows in GitHub actions, to add new test, run
 `go generate` inside `../cmd/gh-action-integration-generator/` and commit the result.

integration/acl_test.go

@@ -0,0 +1,653 @@
+package integration
+
+import (
+	"fmt"
+	"net/netip"
+	"strings"
+	"testing"
+
+	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/stretchr/testify/assert"
+)
+
+const numberOfTestClients = 2
+
+func aclScenario(t *testing.T, policy headscale.ACLPolicy) *Scenario {
+	t.Helper()
+	scenario, err := NewScenario()
+	assert.NoError(t, err)
+
+	spec := map[string]int{
+		"user1": numberOfTestClients,
+		"user2": numberOfTestClients,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{
+			tsic.WithDockerEntrypoint([]string{
+				"/bin/bash",
+				"-c",
+				"/bin/sleep 3 ; update-ca-certificates ; python3 -m http.server 80 & tailscaled --tun=tsdev",
+			}),
+			tsic.WithDockerWorkdir("/"),
+		},
+		hsic.WithACLPolicy(&policy),
+		hsic.WithTestName("acl"),
+	)
+	assert.NoError(t, err)
+
+	// allClients, err := scenario.ListTailscaleClients()
+	// assert.NoError(t, err)
+
+	err = scenario.WaitForTailscaleSync()
+	assert.NoError(t, err)
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	assert.NoError(t, err)
+
+	return scenario
+}
+
+// This tests a different ACL mechanism, if a host _cannot_ connect
+// to another node at all based on ACL, it should just not be part
+// of the NetMap sent to the host. This is slightly different than
+// the other tests as we can just check if the hosts are present
+// or not.
+func TestACLHostsInNetMapTable(t *testing.T) {
+	IntegrationSkip(t)
+
+	// NOTE: All want cases currently checks the
+	// total count of expected peers, this would
+	// typically be the client count of the users
+	// they can access minus one (them self).
+	tests := map[string]struct {
+		users  map[string]int
+		policy headscale.ACLPolicy
+		want   map[string]int
+	}{
+		// Test that when we have no ACL, each client netmap has
+		// the amount of peers of the total amount of clients
+		"base-acls": {
+			users: map[string]int{
+				"user1": 2,
+				"user2": 2,
+			},
+			policy: headscale.ACLPolicy{
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+			}, want: map[string]int{
+				"user1": 3, // ns1 + ns2
+				"user2": 3, // ns2 + ns1
+			},
+		},
+		// Test that when we have two users, which cannot see
+		// eachother, each node has only the number of pairs from
+		// their own user.
+		"two-isolated-users": {
+			users: map[string]int{
+				"user1": 2,
+				"user2": 2,
+			},
+			policy: headscale.ACLPolicy{
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"user1"},
+						Destinations: []string{"user1:*"},
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"user2"},
+						Destinations: []string{"user2:*"},
+					},
+				},
+			}, want: map[string]int{
+				"user1": 1,
+				"user2": 1,
+			},
+		},
+		// Test that when we have two users, with ACLs and they
+		// are restricted to a single port, nodes are still present
+		// in the netmap.
+		"two-restricted-present-in-netmap": {
+			users: map[string]int{
+				"user1": 2,
+				"user2": 2,
+			},
+			policy: headscale.ACLPolicy{
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"user1"},
+						Destinations: []string{"user1:22"},
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"user2"},
+						Destinations: []string{"user2:22"},
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"user1"},
+						Destinations: []string{"user2:22"},
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"user2"},
+						Destinations: []string{"user1:22"},
+					},
+				},
+			}, want: map[string]int{
+				"user1": 3,
+				"user2": 3,
+			},
+		},
+		// Test that when we have two users, that are isolated,
+		// but one can see the others, we have the appropriate number
+		// of peers. This will still result in all the peers as we
+		// need them present on the other side for the "return path".
+		"two-ns-one-isolated": {
+			users: map[string]int{
+				"user1": 2,
+				"user2": 2,
+			},
+			policy: headscale.ACLPolicy{
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"user1"},
+						Destinations: []string{"user1:*"},
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"user2"},
+						Destinations: []string{"user2:*"},
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"user1"},
+						Destinations: []string{"user2:*"},
+					},
+				},
+			}, want: map[string]int{
+				"user1": 3, // ns1 + ns2
+				"user2": 3, // ns1 + ns2 (return path)
+			},
+		},
+	}
+
+	for name, testCase := range tests {
+		t.Run(name, func(t *testing.T) {
+			scenario, err := NewScenario()
+			assert.NoError(t, err)
+
+			spec := testCase.users
+
+			err = scenario.CreateHeadscaleEnv(spec,
+				[]tsic.Option{},
+				hsic.WithACLPolicy(&testCase.policy),
+				// hsic.WithTestName(fmt.Sprintf("aclinnetmap%s", name)),
+			)
+			assert.NoError(t, err)
+
+			allClients, err := scenario.ListTailscaleClients()
+			assert.NoError(t, err)
+
+			err = scenario.WaitForTailscaleSync()
+			assert.NoError(t, err)
+
+			// allHostnames, err := scenario.ListTailscaleClientsFQDNs()
+			// assert.NoError(t, err)
+
+			for _, client := range allClients {
+				status, err := client.Status()
+				assert.NoError(t, err)
+
+				user := status.User[status.Self.UserID].LoginName
+
+				assert.Equal(t, (testCase.want[user]), len(status.Peer))
+			}
+
+			err = scenario.Shutdown()
+			assert.NoError(t, err)
+		})
+	}
+}
+
+// Test to confirm that we can use user:80 from one user
+// This should make the node appear in the peer list, but
+// disallow ping.
+// This ACL will not allow user1 access its own machines.
+// Reported: https://github.com/juanfont/headscale/issues/699
+func TestACLAllowUser80Dst(t *testing.T) {
+	IntegrationSkip(t)
+
+	scenario := aclScenario(t,
+		headscale.ACLPolicy{
+			ACLs: []headscale.ACL{
+				{
+					Action:       "accept",
+					Sources:      []string{"user1"},
+					Destinations: []string{"user2:80"},
+				},
+			},
+		},
+	)
+
+	user1Clients, err := scenario.ListTailscaleClients("user1")
+	assert.NoError(t, err)
+
+	user2Clients, err := scenario.ListTailscaleClients("user2")
+	assert.NoError(t, err)
+
+	// Test that user1 can visit all user2
+	for _, client := range user1Clients {
+		for _, peer := range user2Clients {
+			fqdn, err := peer.FQDN()
+			assert.NoError(t, err)
+
+			url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
+			t.Logf("url from %s to %s", client.Hostname(), url)
+
+			result, err := client.Curl(url)
+			assert.Len(t, result, 13)
+			assert.NoError(t, err)
+		}
+	}
+
+	// Test that user2 _cannot_ visit user1
+	for _, client := range user2Clients {
+		for _, peer := range user1Clients {
+			fqdn, err := peer.FQDN()
+			assert.NoError(t, err)
+
+			url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
+			t.Logf("url from %s to %s", client.Hostname(), url)
+
+			result, err := client.Curl(url)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+		}
+	}
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}
+
+func TestACLDenyAllPort80(t *testing.T) {
+	IntegrationSkip(t)
+
+	scenario := aclScenario(t,
+		headscale.ACLPolicy{
+			Groups: map[string][]string{
+				"group:integration-acl-test": {"user1", "user2"},
+			},
+			ACLs: []headscale.ACL{
+				{
+					Action:       "accept",
+					Sources:      []string{"group:integration-acl-test"},
+					Destinations: []string{"*:22"},
+				},
+			},
+		},
+	)
+
+	allClients, err := scenario.ListTailscaleClients()
+	assert.NoError(t, err)
+
+	allHostnames, err := scenario.ListTailscaleClientsFQDNs()
+	assert.NoError(t, err)
+
+	for _, client := range allClients {
+		for _, hostname := range allHostnames {
+			// We will always be allowed to check _self_ so shortcircuit
+			// the test here.
+			if strings.Contains(hostname, client.Hostname()) {
+				continue
+			}
+
+			url := fmt.Sprintf("http://%s/etc/hostname", hostname)
+			t.Logf("url from %s to %s", client.Hostname(), url)
+
+			result, err := client.Curl(url)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+		}
+	}
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}
+
+// Test to confirm that we can use user:* from one user.
+// This ACL will not allow user1 access its own machines.
+// Reported: https://github.com/juanfont/headscale/issues/699
+func TestACLAllowUserDst(t *testing.T) {
+	IntegrationSkip(t)
+
+	scenario := aclScenario(t,
+		headscale.ACLPolicy{
+			ACLs: []headscale.ACL{
+				{
+					Action:       "accept",
+					Sources:      []string{"user1"},
+					Destinations: []string{"user2:*"},
+				},
+			},
+		},
+	)
+
+	user1Clients, err := scenario.ListTailscaleClients("user1")
+	assert.NoError(t, err)
+
+	user2Clients, err := scenario.ListTailscaleClients("user2")
+	assert.NoError(t, err)
+
+	// Test that user1 can visit all user2
+	for _, client := range user1Clients {
+		for _, peer := range user2Clients {
+			fqdn, err := peer.FQDN()
+			assert.NoError(t, err)
+
+			url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
+			t.Logf("url from %s to %s", client.Hostname(), url)
+
+			result, err := client.Curl(url)
+			assert.Len(t, result, 13)
+			assert.NoError(t, err)
+		}
+	}
+
+	// Test that user2 _cannot_ visit user1
+	for _, client := range user2Clients {
+		for _, peer := range user1Clients {
+			fqdn, err := peer.FQDN()
+			assert.NoError(t, err)
+
+			url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
+			t.Logf("url from %s to %s", client.Hostname(), url)
+
+			result, err := client.Curl(url)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+		}
+	}
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}
+
+// Test to confirm that we can use *:* from one user
+// Reported: https://github.com/juanfont/headscale/issues/699
+func TestACLAllowStarDst(t *testing.T) {
+	IntegrationSkip(t)
+
+	scenario := aclScenario(t,
+		headscale.ACLPolicy{
+			ACLs: []headscale.ACL{
+				{
+					Action:       "accept",
+					Sources:      []string{"user1"},
+					Destinations: []string{"*:*"},
+				},
+			},
+		},
+	)
+
+	user1Clients, err := scenario.ListTailscaleClients("user1")
+	assert.NoError(t, err)
+
+	user2Clients, err := scenario.ListTailscaleClients("user2")
+	assert.NoError(t, err)
+
+	// Test that user1 can visit all user2
+	for _, client := range user1Clients {
+		for _, peer := range user2Clients {
+			fqdn, err := peer.FQDN()
+			assert.NoError(t, err)
+
+			url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
+			t.Logf("url from %s to %s", client.Hostname(), url)
+
+			result, err := client.Curl(url)
+			assert.Len(t, result, 13)
+			assert.NoError(t, err)
+		}
+	}
+
+	// Test that user2 _cannot_ visit user1
+	for _, client := range user2Clients {
+		for _, peer := range user1Clients {
+			fqdn, err := peer.FQDN()
+			assert.NoError(t, err)
+
+			url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
+			t.Logf("url from %s to %s", client.Hostname(), url)
+
+			result, err := client.Curl(url)
+			assert.Empty(t, result)
+			assert.Error(t, err)
+		}
+	}
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}
+
+// This test aims to cover cases where individual hosts are allowed and denied
+// access based on their assigned hostname
+// https://github.com/juanfont/headscale/issues/941
+
+//	ACL = [{
+//			"DstPorts": [{
+//				"Bits": null,
+//				"IP": "100.64.0.3/32",
+//				"Ports": {
+//					"First": 0,
+//					"Last": 65535
+//				}
+//			}],
+//			"SrcIPs": ["*"]
+//		}, {
+//
+//			"DstPorts": [{
+//				"Bits": null,
+//				"IP": "100.64.0.2/32",
+//				"Ports": {
+//					"First": 0,
+//					"Last": 65535
+//				}
+//			}],
+//			"SrcIPs": ["100.64.0.1/32"]
+//		}]
+//
+//	ACL Cache Map= {
+//		"*": {
+//			"100.64.0.3/32": {}
+//		},
+//		"100.64.0.1/32": {
+//			"100.64.0.2/32": {}
+//		}
+//	}
+func TestACLNamedHostsCanReach(t *testing.T) {
+	IntegrationSkip(t)
+
+	scenario := aclScenario(t,
+		headscale.ACLPolicy{
+			Hosts: headscale.Hosts{
+				"test1": netip.MustParsePrefix("100.64.0.1/32"),
+				"test2": netip.MustParsePrefix("100.64.0.2/32"),
+				"test3": netip.MustParsePrefix("100.64.0.3/32"),
+			},
+			ACLs: []headscale.ACL{
+				// Everyone can curl test3
+				{
+					Action:       "accept",
+					Sources:      []string{"*"},
+					Destinations: []string{"test3:*"},
+				},
+				// test1 can curl test2
+				{
+					Action:       "accept",
+					Sources:      []string{"test1"},
+					Destinations: []string{"test2:*"},
+				},
+			},
+		},
+	)
+
+	// Since user/users dont matter here, we basically expect that some clients
+	// will be assigned these ips and that we can pick them up for our own use.
+	test1ip := netip.MustParseAddr("100.64.0.1")
+	test1, err := scenario.FindTailscaleClientByIP(test1ip)
+	assert.NoError(t, err)
+
+	test1fqdn, err := test1.FQDN()
+	assert.NoError(t, err)
+	test1ipURL := fmt.Sprintf("http://%s/etc/hostname", test1ip.String())
+	test1fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test1fqdn)
+
+	test2ip := netip.MustParseAddr("100.64.0.2")
+	test2, err := scenario.FindTailscaleClientByIP(test2ip)
+	assert.NoError(t, err)
+
+	test2fqdn, err := test2.FQDN()
+	assert.NoError(t, err)
+	test2ipURL := fmt.Sprintf("http://%s/etc/hostname", test2ip.String())
+	test2fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test2fqdn)
+
+	test3ip := netip.MustParseAddr("100.64.0.3")
+	test3, err := scenario.FindTailscaleClientByIP(test3ip)
+	assert.NoError(t, err)
+
+	test3fqdn, err := test3.FQDN()
+	assert.NoError(t, err)
+	test3ipURL := fmt.Sprintf("http://%s/etc/hostname", test3ip.String())
+	test3fqdnURL := fmt.Sprintf("http://%s/etc/hostname", test3fqdn)
+
+	// test1 can query test3
+	result, err := test1.Curl(test3ipURL)
+	assert.Len(t, result, 13)
+	assert.NoError(t, err)
+
+	result, err = test1.Curl(test3fqdnURL)
+	assert.Len(t, result, 13)
+	assert.NoError(t, err)
+
+	// test2 can query test3
+	result, err = test2.Curl(test3ipURL)
+	assert.Len(t, result, 13)
+	assert.NoError(t, err)
+
+	result, err = test2.Curl(test3fqdnURL)
+	assert.Len(t, result, 13)
+	assert.NoError(t, err)
+
+	// test3 cannot query test1
+	result, err = test3.Curl(test1ipURL)
+	assert.Empty(t, result)
+	assert.Error(t, err)
+
+	result, err = test3.Curl(test1fqdnURL)
+	assert.Empty(t, result)
+	assert.Error(t, err)
+
+	// test3 cannot query test2
+	result, err = test3.Curl(test2ipURL)
+	assert.Empty(t, result)
+	assert.Error(t, err)
+
+	result, err = test3.Curl(test2fqdnURL)
+	assert.Empty(t, result)
+	assert.Error(t, err)
+
+	// test1 can query test2
+	result, err = test1.Curl(test2ipURL)
+	assert.Len(t, result, 13)
+	assert.NoError(t, err)
+
+	result, err = test1.Curl(test2fqdnURL)
+	assert.Len(t, result, 13)
+	assert.NoError(t, err)
+
+	// test2 cannot query test1
+	result, err = test2.Curl(test1ipURL)
+	assert.Empty(t, result)
+	assert.Error(t, err)
+
+	result, err = test2.Curl(test1fqdnURL)
+	assert.Empty(t, result)
+	assert.Error(t, err)
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}
+
+// TestACLNamedHostsCanReachBySubnet is the same as
+// TestACLNamedHostsCanReach, but it tests if we expand a
+// full CIDR correctly. All routes should work.
+func TestACLNamedHostsCanReachBySubnet(t *testing.T) {
+	IntegrationSkip(t)
+
+	scenario := aclScenario(t,
+		headscale.ACLPolicy{
+			Hosts: headscale.Hosts{
+				"all": netip.MustParsePrefix("100.64.0.0/24"),
+			},
+			ACLs: []headscale.ACL{
+				// Everyone can curl test3
+				{
+					Action:       "accept",
+					Sources:      []string{"*"},
+					Destinations: []string{"all:*"},
+				},
+			},
+		},
+	)
+
+	user1Clients, err := scenario.ListTailscaleClients("user1")
+	assert.NoError(t, err)
+
+	user2Clients, err := scenario.ListTailscaleClients("user2")
+	assert.NoError(t, err)
+
+	// Test that user1 can visit all user2
+	for _, client := range user1Clients {
+		for _, peer := range user2Clients {
+			fqdn, err := peer.FQDN()
+			assert.NoError(t, err)
+
+			url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
+			t.Logf("url from %s to %s", client.Hostname(), url)
+
+			result, err := client.Curl(url)
+			assert.Len(t, result, 13)
+			assert.NoError(t, err)
+		}
+	}
+
+	// Test that user2 can visit all user1
+	for _, client := range user2Clients {
+		for _, peer := range user1Clients {
+			fqdn, err := peer.FQDN()
+			assert.NoError(t, err)
+
+			url := fmt.Sprintf("http://%s/etc/hostname", fqdn)
+			t.Logf("url from %s to %s", client.Hostname(), url)
+
+			result, err := client.Curl(url)
+			assert.Len(t, result, 13)
+			assert.NoError(t, err)
+		}
+	}
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}

integration/auth_oidc_test.go

@@ -19,6 +19,7 @@ import (
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
+	"github.com/samber/lo"
 )
 
 const (
@@ -91,7 +92,11 @@ func TestOIDCAuthenticationPingAll(t *testing.T) {
 		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
 	}
 
-	success := pingAll(t, allClients, allIps)
+	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
+		return x.String()
+	})
+
+	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 
 	err = scenario.Shutdown()
@@ -100,7 +105,7 @@ func TestOIDCAuthenticationPingAll(t *testing.T) {
 	}
 }
 
-func TestOIDCExpireNodes(t *testing.T) {
+func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()
 
@@ -125,10 +130,11 @@ func TestOIDCExpireNodes(t *testing.T) {
 	}
 
 	oidcMap := map[string]string{
-		"HEADSCALE_OIDC_ISSUER":             oidcConfig.Issuer,
-		"HEADSCALE_OIDC_CLIENT_ID":          oidcConfig.ClientID,
-		"HEADSCALE_OIDC_CLIENT_SECRET":      oidcConfig.ClientSecret,
-		"HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN": fmt.Sprintf("%t", oidcConfig.StripEmaildomain),
+		"HEADSCALE_OIDC_ISSUER":                oidcConfig.Issuer,
+		"HEADSCALE_OIDC_CLIENT_ID":             oidcConfig.ClientID,
+		"HEADSCALE_OIDC_CLIENT_SECRET":         oidcConfig.ClientSecret,
+		"HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN":    fmt.Sprintf("%t", oidcConfig.StripEmaildomain),
+		"HEADSCALE_OIDC_USE_EXPIRY_FROM_TOKEN": "1",
 	}
 
 	err = scenario.CreateHeadscaleEnv(
@@ -156,7 +162,11 @@ func TestOIDCExpireNodes(t *testing.T) {
 		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
 	}
 
-	success := pingAll(t, allClients, allIps)
+	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
+		return x.String()
+	})
+
+	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d (before expiry)", success, len(allClients)*len(allIps))
 
 	// await all nodes being logged out after OIDC token expiry
@@ -278,7 +288,10 @@ func (s *AuthOIDCScenario) runMockOIDC(accessTTL time.Duration) (*headscale.OIDC
 	log.Printf("headscale mock oidc is ready for tests at %s", hostEndpoint)
 
 	return &headscale.OIDCConfig{
-		Issuer:                     fmt.Sprintf("http://%s/oidc", net.JoinHostPort(s.mockOIDC.GetIPInNetwork(s.network), strconv.Itoa(port))),
+		Issuer: fmt.Sprintf(
+			"http://%s/oidc",
+			net.JoinHostPort(s.mockOIDC.GetIPInNetwork(s.network), strconv.Itoa(port)),
+		),
 		ClientID:                   "superclient",
 		ClientSecret:               "supersecret",
 		StripEmaildomain:           true,
@@ -355,24 +368,6 @@ func (s *AuthOIDCScenario) runTailscaleUp(
 	return fmt.Errorf("failed to up tailscale node: %w", errNoUserAvailable)
 }
 
-func pingAll(t *testing.T, clients []TailscaleClient, ips []netip.Addr) int {
-	t.Helper()
-	success := 0
-
-	for _, client := range clients {
-		for _, ip := range ips {
-			err := client.Ping(ip.String())
-			if err != nil {
-				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
-			} else {
-				success++
-			}
-		}
-	}
-
-	return success
-}
-
 func (s *AuthOIDCScenario) Shutdown() error {
 	err := s.pool.Purge(s.mockOIDC)
 	if err != nil {

integration/auth_web_flow_test.go

@@ -13,6 +13,7 @@ import (
 	"testing"
 
 	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/samber/lo"
 )
 
 var errParseAuthPage = errors.New("failed to parse auth page")
@@ -59,18 +60,11 @@ func TestAuthWebFlowAuthenticationPingAll(t *testing.T) {
 		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
 	}
 
-	success := 0
-	for _, client := range allClients {
-		for _, ip := range allIps {
-			err := client.Ping(ip.String())
-			if err != nil {
-				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
-			} else {
-				success++
-			}
-		}
-	}
+	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
+		return x.String()
+	})
 
+	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 
 	err = scenario.Shutdown()
@@ -117,18 +111,11 @@ func TestAuthWebFlowLogoutAndRelogin(t *testing.T) {
 		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
 	}
 
-	success := 0
-	for _, client := range allClients {
-		for _, ip := range allIps {
-			err := client.Ping(ip.String())
-			if err != nil {
-				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
-			} else {
-				success++
-			}
-		}
-	}
+	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
+		return x.String()
+	})
 
+	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 
 	clientIPs := make(map[TailscaleClient][]netip.Addr)
@@ -175,18 +162,11 @@ func TestAuthWebFlowLogoutAndRelogin(t *testing.T) {
 		t.Errorf("failed to get clients: %s", err)
 	}
 
-	success = 0
-	for _, client := range allClients {
-		for _, ip := range allIps {
-			err := client.Ping(ip.String())
-			if err != nil {
-				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
-			} else {
-				success++
-			}
-		}
-	}
+	allAddrs = lo.Map(allIps, func(x netip.Addr, index int) string {
+		return x.String()
+	})
 
+	success = pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 
 	for _, client := range allClients {
@@ -211,7 +191,12 @@ func TestAuthWebFlowLogoutAndRelogin(t *testing.T) {
 			}
 
 			if !found {
-				t.Errorf("IPs changed for client %s. Used to be %v now %v", client.Hostname(), clientIPs[client], ips)
+				t.Errorf(
+					"IPs changed for client %s. Used to be %v now %v",
+					client.Hostname(),
+					clientIPs[client],
+					ips,
+				)
 			}
 		}
 	}
@@ -335,7 +320,7 @@ func (s *AuthWebFlowScenario) runHeadscaleRegister(userStr string, loginURL *url
 
 	if headscale, err := s.Headscale(); err == nil {
 		_, err = headscale.Execute(
-			[]string{"headscale", "-n", userStr, "nodes", "register", "--key", key},
+			[]string{"headscale", "nodes", "register", "--user", userStr, "--key", key},
 		)
 		if err != nil {
 			log.Printf("failed to register node: %s", err)

integration/cli_test.go

@@ -99,7 +99,7 @@ func TestUserCommand(t *testing.T) {
 
 	assert.Equal(
 		t,
-		[]string{"user1", "newname"},
+		[]string{"newname", "user1"},
 		result,
 	)
 

integration/control.go

@@ -6,6 +6,7 @@ import (
 
 type ControlServer interface {
 	Shutdown() error
+	SaveLog(string) error
 	Execute(command []string) (string, error)
 	GetHealthEndpoint() string
 	GetEndpoint() string

integration/derp_server_test.go

@@ -0,0 +1,221 @@
+package integration
+
+import (
+	"fmt"
+	"log"
+	"net/netip"
+	"testing"
+
+	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/ory/dockertest/v3"
+	"github.com/samber/lo"
+)
+
+type DERPServerScenario struct {
+	*Scenario
+
+	tsicNetworks map[string]*dockertest.Network
+}
+
+func TestDERPServerScenario(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	baseScenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	scenario := DERPServerScenario{
+		Scenario:     baseScenario,
+		tsicNetworks: map[string]*dockertest.Network{},
+	}
+
+	spec := map[string]int{
+		"user1": len(TailscaleVersions),
+	}
+
+	headscaleConfig := hsic.DefaultConfigEnv()
+	// headscaleConfig["HEADSCALE_DERP_URLS"] = ""
+	// headscaleConfig["HEADSCALE_DERP_SERVER_ENABLED"] = "true"
+	// headscaleConfig["HEADSCALE_DERP_SERVER_REGION_ID"] = "999"
+	// headscaleConfig["HEADSCALE_DERP_SERVER_REGION_CODE"] = "headscale"
+	// headscaleConfig["HEADSCALE_DERP_SERVER_REGION_NAME"] = "Headscale Embedded DERP"
+	// headscaleConfig["HEADSCALE_DERP_SERVER_STUN_LISTEN_ADDR"] = "0.0.0.0:3478"
+
+	err = scenario.CreateHeadscaleEnv(
+		spec,
+		hsic.WithHostnameAsServerURL(),
+		hsic.WithTestName("derpserver"),
+		hsic.WithConfigEnv(headscaleConfig),
+		hsic.WithExtraPorts([]string{"3478/udp"}),
+		hsic.WithTLS(),
+	)
+
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	allIps, err := scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
+		return x.String()
+	})
+
+	success := pingAllHelper(t, allClients, allAddrs)
+	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func (s *DERPServerScenario) CreateHeadscaleEnv(
+	users map[string]int,
+	opts ...hsic.Option,
+) error {
+	hs, err := s.Headscale(opts...)
+	if err != nil {
+		return err
+	}
+
+	err = hs.WaitForReady()
+	if err != nil {
+		return err
+	}
+
+	hash, err := headscale.GenerateRandomStringDNSSafe(scenarioHashLength)
+	if err != nil {
+		return err
+	}
+
+	for userName, clientCount := range users {
+		log.Printf("creating user %s with %d clients", userName, clientCount)
+		err = s.CreateUser(userName)
+		if err != nil {
+			return err
+		}
+
+		err = s.CreateTailscaleIsolatedNodesInUser(hash, userName, "all", clientCount)
+		if err != nil {
+			return err
+		}
+
+		key, err := s.CreatePreAuthKey(userName, true, false)
+		if err != nil {
+			return err
+		}
+
+		err = s.RunTailscaleUp(userName, hs.GetEndpoint(), key.GetKey())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *DERPServerScenario) CreateTailscaleIsolatedNodesInUser(
+	hash string,
+	userStr string,
+	requestedVersion string,
+	count int,
+	opts ...tsic.Option,
+) error {
+	if user, ok := s.users[userStr]; ok {
+		for i := 0; i < count; i++ {
+			networkName := fmt.Sprintf("tsnet-%s-%s-%d",
+				hash,
+				userStr,
+				i,
+			)
+			network, err := dockertestutil.GetFirstOrCreateNetwork(
+				s.pool,
+				networkName,
+			)
+			if err != nil {
+				return fmt.Errorf("failed to create or get %s network: %w", networkName, err)
+			}
+
+			log.Printf("created network %s", networkName)
+
+			s.tsicNetworks[networkName] = network
+
+			version := requestedVersion
+			if requestedVersion == "all" {
+				version = TailscaleVersions[i%len(TailscaleVersions)]
+			}
+
+			headscale, err := s.Headscale()
+			if err != nil {
+				return fmt.Errorf("failed to create tailscale node: %w", err)
+			}
+
+			cert := headscale.GetCert()
+			hostname := headscale.GetHostname()
+
+			user.createWaitGroup.Add(1)
+
+			opts = append(opts,
+				tsic.WithHeadscaleTLS(cert),
+				tsic.WithHeadscaleName(hostname),
+			)
+
+			go func() {
+				defer user.createWaitGroup.Done()
+
+				// TODO(kradalby): error handle this
+				tsClient, err := tsic.New(
+					s.pool,
+					version,
+					network,
+					opts...,
+				)
+				if err != nil {
+					// return fmt.Errorf("failed to add tailscale node: %w", err)
+					log.Printf("failed to create tailscale node: %s", err)
+				}
+
+				err = tsClient.WaitForReady()
+				if err != nil {
+					// return fmt.Errorf("failed to add tailscale node: %w", err)
+					log.Printf("failed to wait for tailscaled: %s", err)
+				}
+
+				user.Clients[tsClient.Hostname()] = tsClient
+			}()
+		}
+		user.createWaitGroup.Wait()
+
+	}
+
+	return fmt.Errorf("failed to add tailscale node: %w", errNoUserAvailable)
+}
+
+func (s *DERPServerScenario) Shutdown() error {
+	for _, network := range s.tsicNetworks {
+		err := s.pool.RemoveNetwork(network)
+		if err != nil {
+			return err
+		}
+	}
+
+	return s.Scenario.Shutdown()
+}

integration/dockertestutil/logs.go

@@ -0,0 +1,68 @@
+package dockertestutil
+
+import (
+	"bytes"
+	"context"
+	"log"
+	"os"
+	"path"
+
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+)
+
+const filePerm = 0o644
+
+func SaveLog(
+	pool *dockertest.Pool,
+	resource *dockertest.Resource,
+	basePath string,
+) error {
+	err := os.MkdirAll(basePath, os.ModePerm)
+	if err != nil {
+		return err
+	}
+
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+
+	err = pool.Client.Logs(
+		docker.LogsOptions{
+			Context:      context.TODO(),
+			Container:    resource.Container.ID,
+			OutputStream: &stdout,
+			ErrorStream:  &stderr,
+			Tail:         "all",
+			RawTerminal:  false,
+			Stdout:       true,
+			Stderr:       true,
+			Follow:       false,
+			Timestamps:   false,
+		},
+	)
+	if err != nil {
+		return err
+	}
+
+	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
+
+	err = os.WriteFile(
+		path.Join(basePath, resource.Container.Name+".stdout.log"),
+		stdout.Bytes(),
+		filePerm,
+	)
+	if err != nil {
+		return err
+	}
+
+	err = os.WriteFile(
+		path.Join(basePath, resource.Container.Name+".stderr.log"),
+		stderr.Bytes(),
+		filePerm,
+	)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

integration/general_test.go

@@ -1,15 +1,19 @@
 package integration
 
 import (
+	"encoding/json"
 	"fmt"
 	"net/netip"
 	"strings"
 	"testing"
 	"time"
 
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/rs/zerolog/log"
+	"github.com/samber/lo"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestPingAllByIP(t *testing.T) {
@@ -46,19 +50,11 @@ func TestPingAllByIP(t *testing.T) {
 		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
 	}
 
-	success := 0
-
-	for _, client := range allClients {
-		for _, ip := range allIps {
-			err := client.Ping(ip.String())
-			if err != nil {
-				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
-			} else {
-				success++
-			}
-		}
-	}
+	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
+		return x.String()
+	})
 
+	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 
 	err = scenario.Shutdown()
@@ -148,18 +144,11 @@ func TestAuthKeyLogoutAndRelogin(t *testing.T) {
 		t.Errorf("failed to get clients: %s", err)
 	}
 
-	success := 0
-	for _, client := range allClients {
-		for _, ip := range allIps {
-			err := client.Ping(ip.String())
-			if err != nil {
-				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
-			} else {
-				success++
-			}
-		}
-	}
+	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
+		return x.String()
+	})
 
+	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 
 	for _, client := range allClients {
@@ -184,7 +173,12 @@ func TestAuthKeyLogoutAndRelogin(t *testing.T) {
 			}
 
 			if !found {
-				t.Errorf("IPs changed for client %s. Used to be %v now %v", client.Hostname(), clientIPs[client], ips)
+				t.Errorf(
+					"IPs changed for client %s. Used to be %v now %v",
+					client.Hostname(),
+					clientIPs[client],
+					ips,
+				)
 			}
 		}
 	}
@@ -253,18 +247,11 @@ func TestEphemeral(t *testing.T) {
 		t.Errorf("failed to get clients: %s", err)
 	}
 
-	success := 0
-	for _, client := range allClients {
-		for _, ip := range allIps {
-			err := client.Ping(ip.String())
-			if err != nil {
-				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
-			} else {
-				success++
-			}
-		}
-	}
+	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
+		return x.String()
+	})
 
+	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 
 	for _, client := range allClients {
@@ -335,18 +322,7 @@ func TestPingAllByHostname(t *testing.T) {
 		t.Errorf("failed to get FQDNs: %s", err)
 	}
 
-	success := 0
-
-	for _, client := range allClients {
-		for _, hostname := range allHostnames {
-			err := client.Ping(hostname)
-			if err != nil {
-				t.Errorf("failed to ping %s from %s: %s", hostname, client.Hostname(), err)
-			} else {
-				success++
-			}
-		}
-	}
+	success := pingAllHelper(t, allClients, allHostnames)
 
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allClients))
 
@@ -582,3 +558,93 @@ func TestResolveMagicDNS(t *testing.T) {
 		t.Errorf("failed to tear down scenario: %s", err)
 	}
 }
+
+func TestExpireNode(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"user1": len(TailscaleVersions),
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("expirenode"))
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	allIps, err := scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
+		return x.String()
+	})
+
+	success := pingAllHelper(t, allClients, allAddrs)
+	t.Logf("before expire: %d successful pings out of %d", success, len(allClients)*len(allIps))
+
+	for _, client := range allClients {
+		status, err := client.Status()
+		assert.NoError(t, err)
+
+		// Assert that we have the original count - self
+		assert.Len(t, status.Peers(), len(TailscaleVersions)-1)
+	}
+
+	headscale, err := scenario.Headscale()
+	assert.NoError(t, err)
+
+	// TODO(kradalby): This is Headscale specific and would not play nicely
+	// with other implementations of the ControlServer interface
+	result, err := headscale.Execute([]string{
+		"headscale", "nodes", "expire", "--identifier", "0", "--output", "json",
+	})
+	assert.NoError(t, err)
+
+	var machine v1.Machine
+	err = json.Unmarshal([]byte(result), &machine)
+	assert.NoError(t, err)
+
+	time.Sleep(30 * time.Second)
+
+	// Verify that the expired not is no longer present in the Peer list
+	// of connected nodes.
+	for _, client := range allClients {
+		status, err := client.Status()
+		assert.NoError(t, err)
+
+		for _, peerKey := range status.Peers() {
+			peerStatus := status.Peer[peerKey]
+
+			peerPublicKey := strings.TrimPrefix(peerStatus.PublicKey.String(), "nodekey:")
+
+			assert.NotEqual(t, machine.NodeKey, peerPublicKey)
+		}
+
+		if client.Hostname() != machine.Name {
+			// Assert that we have the original count - self - expired node
+			assert.Len(t, status.Peers(), len(TailscaleVersions)-2)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}

integration/hsic/hsic.go

@@ -41,6 +41,8 @@ type fileInContainer struct {
 	contents []byte
 }
 
+// HeadscaleInContainer is an implementation of ControlServer which
+// sets up a Headscale instance inside a container.
 type HeadscaleInContainer struct {
 	hostname string
 
@@ -50,6 +52,7 @@ type HeadscaleInContainer struct {
 
 	// optional config
 	port             int
+	extraPorts       []string
 	aclPolicy        *headscale.ACLPolicy
 	env              map[string]string
 	tlsCert          []byte
@@ -57,8 +60,12 @@ type HeadscaleInContainer struct {
 	filesInContainer []fileInContainer
 }
 
+// Option represent optional settings that can be given to a
+// Headscale instance.
 type Option = func(c *HeadscaleInContainer)
 
+// WithACLPolicy adds a headscale.ACLPolicy policy to the
+// HeadscaleInContainer instance.
 func WithACLPolicy(acl *headscale.ACLPolicy) Option {
 	return func(hsic *HeadscaleInContainer) {
 		// TODO(kradalby): Move somewhere appropriate
@@ -68,6 +75,7 @@ func WithACLPolicy(acl *headscale.ACLPolicy) Option {
 	}
 }
 
+// WithTLS creates certificates and enables HTTPS.
 func WithTLS() Option {
 	return func(hsic *HeadscaleInContainer) {
 		cert, key, err := createCertificate()
@@ -84,6 +92,8 @@ func WithTLS() Option {
 	}
 }
 
+// WithConfigEnv takes a map of environment variables that
+// can be used to override Headscale configuration.
 func WithConfigEnv(configEnv map[string]string) Option {
 	return func(hsic *HeadscaleInContainer) {
 		for key, value := range configEnv {
@@ -92,12 +102,22 @@ func WithConfigEnv(configEnv map[string]string) Option {
 	}
 }
 
+// WithPort sets the port on where to run Headscale.
 func WithPort(port int) Option {
 	return func(hsic *HeadscaleInContainer) {
 		hsic.port = port
 	}
 }
 
+// WithExtraPorts exposes additional ports on the container (e.g. 3478/udp for STUN)
+func WithExtraPorts(ports []string) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hsic.extraPorts = ports
+	}
+}
+
+// WithTestName sets a name for the test, this will be reflected
+// in the Docker container name.
 func WithTestName(testName string) Option {
 	return func(hsic *HeadscaleInContainer) {
 		hash, _ := headscale.GenerateRandomStringDNSSafe(hsicHashLength)
@@ -107,6 +127,8 @@ func WithTestName(testName string) Option {
 	}
 }
 
+// WithHostnameAsServerURL sets the Headscale ServerURL based on
+// the Hostname.
 func WithHostnameAsServerURL() Option {
 	return func(hsic *HeadscaleInContainer) {
 		hsic.env["HEADSCALE_SERVER_URL"] = fmt.Sprintf("http://%s",
@@ -116,6 +138,7 @@ func WithHostnameAsServerURL() Option {
 	}
 }
 
+// WithFileInContainer adds a file to the container at the given path.
 func WithFileInContainer(path string, contents []byte) Option {
 	return func(hsic *HeadscaleInContainer) {
 		hsic.filesInContainer = append(hsic.filesInContainer,
@@ -126,6 +149,7 @@ func WithFileInContainer(path string, contents []byte) Option {
 	}
 }
 
+// New returns a new HeadscaleInContainer instance.
 func New(
 	pool *dockertest.Pool,
 	network *dockertest.Network,
@@ -171,7 +195,7 @@ func New(
 
 	runOptions := &dockertest.RunOptions{
 		Name:         hsic.hostname,
-		ExposedPorts: []string{portProto},
+		ExposedPorts: append([]string{portProto}, hsic.extraPorts...),
 		Networks:     []*dockertest.Network{network},
 		// Cmd:          []string{"headscale", "serve"},
 		// TODO(kradalby): Get rid of this hack, we currently need to give us some
@@ -244,10 +268,19 @@ func (t *HeadscaleInContainer) hasTLS() bool {
 	return len(t.tlsCert) != 0 && len(t.tlsKey) != 0
 }
 
+// Shutdown stops and cleans up the Headscale container.
 func (t *HeadscaleInContainer) Shutdown() error {
 	return t.pool.Purge(t.container)
 }
 
+// SaveLog saves the current stdout log of the container to a path
+// on the host system.
+func (t *HeadscaleInContainer) SaveLog(path string) error {
+	return dockertestutil.SaveLog(t.pool, t.container, path)
+}
+
+// Execute runs a command inside the Headscale container and returns the
+// result of stdout as a string.
 func (t *HeadscaleInContainer) Execute(
 	command []string,
 ) (string, error) {
@@ -269,18 +302,23 @@ func (t *HeadscaleInContainer) Execute(
 	return stdout, nil
 }
 
+// GetIP returns the docker container IP as a string.
 func (t *HeadscaleInContainer) GetIP() string {
 	return t.container.GetIPInNetwork(t.network)
 }
 
+// GetPort returns the docker container port as a string.
 func (t *HeadscaleInContainer) GetPort() string {
 	return fmt.Sprintf("%d", t.port)
 }
 
+// GetHealthEndpoint returns a health endpoint for the HeadscaleInContainer
+// instance.
 func (t *HeadscaleInContainer) GetHealthEndpoint() string {
 	return fmt.Sprintf("%s/health", t.GetEndpoint())
 }
 
+// GetEndpoint returns the Headscale endpoint for the HeadscaleInContainer.
 func (t *HeadscaleInContainer) GetEndpoint() string {
 	hostEndpoint := fmt.Sprintf("%s:%d",
 		t.GetIP(),
@@ -293,14 +331,18 @@ func (t *HeadscaleInContainer) GetEndpoint() string {
 	return fmt.Sprintf("http://%s", hostEndpoint)
 }
 
+// GetCert returns the public certificate of the HeadscaleInContainer.
 func (t *HeadscaleInContainer) GetCert() []byte {
 	return t.tlsCert
 }
 
+// GetHostname returns the hostname of the HeadscaleInContainer.
 func (t *HeadscaleInContainer) GetHostname() string {
 	return t.hostname
 }
 
+// WaitForReady blocks until the Headscale instance is ready to
+// serve clients.
 func (t *HeadscaleInContainer) WaitForReady() error {
 	url := t.GetHealthEndpoint()
 
@@ -328,6 +370,7 @@ func (t *HeadscaleInContainer) WaitForReady() error {
 	})
 }
 
+// CreateUser adds a new user to the Headscale instance.
 func (t *HeadscaleInContainer) CreateUser(
 	user string,
 ) error {
@@ -345,6 +388,8 @@ func (t *HeadscaleInContainer) CreateUser(
 	return nil
 }
 
+// CreateAuthKey creates a new "authorisation key" for a User that can be used
+// to authorise a TailscaleClient with the Headscale instance.
 func (t *HeadscaleInContainer) CreateAuthKey(
 	user string,
 	reusable bool,
@@ -388,6 +433,8 @@ func (t *HeadscaleInContainer) CreateAuthKey(
 	return &preAuthKey, nil
 }
 
+// ListMachinesInUser list the TailscaleClients (Machine, Headscale internal representation)
+// associated with a user.
 func (t *HeadscaleInContainer) ListMachinesInUser(
 	user string,
 ) ([]*v1.Machine, error) {
@@ -411,6 +458,7 @@ func (t *HeadscaleInContainer) ListMachinesInUser(
 	return nodes, nil
 }
 
+// WriteFile save file inside the Headscale container.
 func (t *HeadscaleInContainer) WriteFile(path string, data []byte) error {
 	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
 }