tsnet: add support for Services

This change allows tsnet nodes to act as Service hosts by adding a new
function, tsnet.Server.ListenService. Invoking this function will
advertise the node as a host for the Service and create a listener to
receive traffic for the Service.

Fixes #17697
Fixes tailscale/corp#27200
Signed-off-by: Harry Harpham <harry@tailscale.com>

.github/CONTRIBUTING.md

@@ -0,0 +1,17 @@
+PRs welcome! But please file bugs first and explain the problem or
+motivation. For new or changed functionality, strike up a discussion
+and get agreement on the design/solution before spending too much time writing
+code.
+
+Commit messages should [reference
+bugs](https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls).
+
+We require [Developer Certificate of
+Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin) (DCO)
+`Signed-off-by` lines in commits. (`git commit -s`)
+
+Please squash your code review edits & force push. Multiple commits in
+a PR are fine, but only if they're each logically separate and all tests pass
+at each stage. No fixup commits.
+
+See [commit-messages.md](docs/commit-messages.md) (or skim `git log`) for our commit message style.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -12,7 +12,6 @@ body:
     attributes:
       label: What is the issue?
       description: What happened? What did you expect to happen?
-      placeholder: oh no
     validations:
       required: true
   - type: textarea
@@ -61,6 +60,13 @@ body:
       placeholder: e.g., 1.14.4
     validations:
       required: false
+  - type: textarea
+    id: other-software
+    attributes:
+      label: Other software
+      description: What [other software](https://github.com/tailscale/tailscale/wiki/OtherSoftwareInterop) (networking, security, etc) are you running?
+    validations:
+      required: false
   - type: input
     id: bug-report
     attributes:

.github/actions/go-cache/action.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+#
+# This script sets up cigocacher, but should never fail the build if unsuccessful.
+# It expects to run on a GitHub-hosted runner, and connects to cigocached over a
+# private Azure network that is configured at the runner group level in GitHub.
+#
+# Usage: ./action.sh
+# Inputs:
+#   URL: The cigocached server URL.
+#   HOST: The cigocached server host to dial.
+# Outputs:
+#   success: Whether cigocacher was set up successfully.
+
+set -euo pipefail
+
+if [ -z "${GITHUB_ACTIONS:-}" ]; then
+    echo "This script is intended to run within GitHub Actions"
+    exit 1
+fi
+
+if [ -z "${URL:-}" ]; then
+    echo "No cigocached URL is set, skipping cigocacher setup"
+    exit 0
+fi
+
+GOPATH=$(command -v go || true)
+if [ -z "${GOPATH}" ]; then
+  if [ ! -f "tool/go" ]; then
+    echo "Go not available, unable to proceed"
+    exit 1
+  fi
+  GOPATH="./tool/go"
+fi
+
+BIN_PATH="${RUNNER_TEMP:-/tmp}/cigocacher$(${GOPATH} env GOEXE)"
+if [ -d "cmd/cigocacher" ]; then
+  echo "cmd/cigocacher found locally, building from local source"
+  "${GOPATH}" build -o "${BIN_PATH}" ./cmd/cigocacher
+else
+  echo "cmd/cigocacher not found locally, fetching from tailscale.com/cmd/cigocacher"
+  "${GOPATH}" build -o "${BIN_PATH}" tailscale.com/cmd/cigocacher
+fi
+
+CIGOCACHER_TOKEN="$("${BIN_PATH}" --auth --cigocached-url "${URL}" --cigocached-host "${HOST}" )"
+if [ -z "${CIGOCACHER_TOKEN:-}" ]; then
+    echo "Failed to fetch cigocacher token, skipping cigocacher setup"
+    exit 0
+fi
+
+echo "Fetched cigocacher token successfully"
+echo "::add-mask::${CIGOCACHER_TOKEN}"
+
+echo "GOCACHEPROG=${BIN_PATH} --cache-dir ${CACHE_DIR} --cigocached-url ${URL} --cigocached-host ${HOST} --token ${CIGOCACHER_TOKEN}" >> "${GITHUB_ENV}"
+echo "success=true" >> "${GITHUB_OUTPUT}"

.github/actions/go-cache/action.yml

@@ -0,0 +1,35 @@
+name: go-cache
+description: Set up build to use cigocacher
+
+inputs:
+  cigocached-url:
+    description: URL of the cigocached server
+    required: true
+  cigocached-host:
+    description: Host to dial for the cigocached server
+    required: true
+  checkout-path:
+    description: Path to cloned repository
+    required: true
+  cache-dir:
+    description: Directory to use for caching
+    required: true
+
+outputs:
+  success:
+    description: Whether cigocacher was set up successfully
+    value: ${{ steps.setup.outputs.success }}
+
+runs:
+  using: composite
+  steps:
+    - name: Setup cigocacher
+      id: setup
+      shell: bash
+      env:
+        URL: ${{ inputs.cigocached-url }}
+        HOST: ${{ inputs.cigocached-host }}
+        CACHE_DIR: ${{ inputs.cache-dir }}
+      working-directory: ${{ inputs.checkout-path }}
+      # https://github.com/orgs/community/discussions/25910
+      run: $GITHUB_ACTION_PATH/action.sh

.github/workflows/checklocks.yml

@@ -0,0 +1,34 @@
+name: checklocks
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - '**/*.go'
+      - '.github/workflows/checklocks.yml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  checklocks:
+    runs-on: [ ubuntu-latest ]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Build checklocks
+        run: ./tool/go build -o /tmp/checklocks gvisor.dev/gvisor/tools/checklocks/cmd/checklocks
+
+      - name: Run checklocks vet
+        # TODO(#12625): add more packages as we add annotations
+        run: |-
+          ./tool/go vet -vettool=/tmp/checklocks \
+            ./envknob           \
+            ./ipn/store/mem     \
+            ./net/stun/stuntest \
+            ./net/wsconn        \
+            ./proxymap

.github/workflows/cifuzz.yml

@@ -1,31 +0,0 @@
-name: CIFuzz
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  Fuzzing:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Build Fuzzers
-      id: build
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'tailscale'
-        dry-run: false
-        language: go
-    - name: Run Fuzzers
-      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'tailscale'
-        fuzz-seconds: 300
-        dry-run: false
-        language: go
-    - name: Upload Crash
-      uses: actions/upload-artifact@v3
-      if: failure() && steps.build.outcome == 'success'
-      with:
-        name: artifacts
-        path: ./out/artifacts

.github/workflows/cigocacher.yml

@@ -0,0 +1,73 @@
+name: Build cigocacher
+
+on:
+  # Released on-demand. The commit will be used as part of the tag, so generally
+  # prefer to release from main where the commit is stable in linear history.
+  workflow_dispatch:
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        GOOS: ["linux", "darwin", "windows"]
+        GOARCH: ["amd64", "arm64"]
+    runs-on: ubuntu-24.04
+    env:
+      GOOS: "${{ matrix.GOOS }}"
+      GOARCH: "${{ matrix.GOARCH }}"
+      CGO_ENABLED: "0"
+    steps:
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - name: Build
+      run: |
+        OUT="cigocacher$(./tool/go env GOEXE)"
+        ./tool/go build -o "${OUT}" ./cmd/cigocacher/
+        tar -zcf cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}.tar.gz "${OUT}"
+
+    - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      with:
+        name: cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}
+        path: cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}.tar.gz
+
+  release:
+    runs-on: ubuntu-24.04
+    needs: build
+    permissions:
+      contents: write
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          pattern: 'cigocacher-*'
+          merge-multiple: true
+      # This step is a simplified version of actions/create-release and
+      # actions/upload-release-asset, which are archived and unmaintained.
+      - name: Create release
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+
+            const { data: release } = await github.rest.repos.createRelease({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              tag_name: `cmd/cigocacher/${{ github.sha }}`,
+              name: `cigocacher-${{ github.sha }}`,
+              draft: false,
+              prerelease: true,
+              target_commitish: `${{ github.sha }}`
+            });
+
+            const files = fs.readdirSync('.').filter(f => f.endsWith('.tar.gz'));
+            
+            for (const file of files) {
+              await github.rest.repos.uploadReleaseAsset({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                release_id: release.id,
+                name: file,
+                data: fs.readFileSync(file)
+              });
+              console.log(`Uploaded ${file}`);
+            }

.github/workflows/codeql-analysis.yml

@@ -17,11 +17,13 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ main ]
+  merge_group:
+    branches: [ main ]
   schedule:
     - cron: '31 14 * * 5'
 
 concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
@@ -43,11 +45,17 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+    # Install a more recent Go that understands modern go.mod content.
+    - name: Install Go
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      with:
+        go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +66,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +80,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.5

.github/workflows/cross-android.yml

@@ -1,55 +0,0 @@
-name: Android-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Android smoke build
-      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
-      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
-      # some Android breakages early.
-      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
-      env:
-        GOOS: android
-        GOARCH: arm64
-      run: go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'

.github/workflows/cross-darwin.yml

@@ -1,63 +0,0 @@
-name: Darwin-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: macOS build cmd
-      env:
-        GOOS: darwin
-        GOARCH: amd64
-      run: go build ./cmd/...
-
-    - name: macOS build tests
-      env:
-        GOOS: darwin
-        GOARCH: amd64
-      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
-
-    - name: iOS build most
-      env:
-        GOOS: ios
-        GOARCH: arm64
-      run: go install ./ipn/... ./wgengine/ ./types/... ./control/controlclient
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'

.github/workflows/cross-freebsd.yml

@@ -1,57 +0,0 @@
-name: FreeBSD-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: FreeBSD build cmd
-      env:
-        GOOS: freebsd
-        GOARCH: amd64
-      run: go build ./cmd/...
-
-    - name: FreeBSD build tests
-      env:
-        GOOS: freebsd
-        GOARCH: amd64
-      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'

.github/workflows/cross-loong64.yml

@@ -1,57 +0,0 @@
-name: Loongnix-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Loongnix build cmd
-      env:
-        GOOS: linux
-        GOARCH: loong64
-      run: go build ./cmd/...
-
-    - name: Loongnix build tests
-      env:
-        GOOS: linux
-        GOARCH: loong64
-      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'

.github/workflows/cross-openbsd.yml

@@ -1,57 +0,0 @@
-name: OpenBSD-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: OpenBSD build cmd
-      env:
-        GOOS: openbsd
-        GOARCH: amd64
-      run: go build ./cmd/...
-
-    - name: OpenBSD build tests
-      env:
-        GOOS: openbsd
-        GOARCH: amd64
-      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'

.github/workflows/cross-wasm.yml

@@ -1,58 +0,0 @@
-name: Wasm-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Wasm client build
-      env:
-        GOOS: js
-        GOARCH: wasm
-      run: go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
-
-    - name: tsconnect static build
-      # Use our custom Go toolchain, we set build tags (to control binary size)
-      # that depend on it.
-      run: |
-        ./tool/go run ./cmd/tsconnect --fast-compression build
-        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'

.github/workflows/cross-windows.yml

@@ -1,57 +0,0 @@
-name: Windows-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Windows build cmd
-      env:
-        GOOS: windows
-        GOARCH: amd64
-      run: go build ./cmd/...
-
-    - name: Windows build tests
-      env:
-        GOOS: windows
-        GOARCH: amd64
-      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'

.github/workflows/depaware.yml

@@ -1,33 +0,0 @@
-name: depaware
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-
-    - name: depaware
-      run: go run github.com/tailscale/depaware --check
-        tailscale.com/cmd/tailscaled
-        tailscale.com/cmd/tailscale
-        tailscale.com/cmd/derper

.github/workflows/docker-base.yml

@@ -0,0 +1,29 @@
+name: "Validate Docker base image"
+on: 
+  workflow_dispatch:
+  pull_request:
+    paths:
+    - "Dockerfile.base"
+    - ".github/workflows/docker-base.yml"
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - name: "build and test"
+      run: |
+        set -e
+        IMG="test-base:$(head -c 8 /dev/urandom | xxd -p)"
+        docker build -t "$IMG" -f Dockerfile.base .
+
+        iptables_version=$(docker run --rm "$IMG" iptables --version)
+        if [[ "$iptables_version" != *"(legacy)"* ]]; then
+            echo "ERROR: Docker base image should contain legacy iptables; found ${iptables_version}"
+            exit 1
+        fi
+
+        ip6tables_version=$(docker run --rm "$IMG" ip6tables --version)
+        if [[ "$ip6tables_version" != *"(legacy)"* ]]; then
+            echo "ERROR: Docker base image should contain legacy ip6tables; found ${ip6tables_version}"
+            exit 1
+        fi

.github/workflows/docker-file-build.yml

@@ -0,0 +1,13 @@
+name: "Dockerfile build"
+on: 
+  push:
+    branches:
+    - main
+  pull_request:
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - name: "Build Docker image"
+      run: docker build .

.github/workflows/flakehub-publish-tagged.yml

@@ -0,0 +1,27 @@
+name: update-flakehub
+
+on:
+  push:
+    tags:
+      - "v[0-9]+.*[02468].[0-9]+"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "The existing tag to publish to FlakeHub"
+        type: "string"
+        required: true
+jobs:
+  flakehub-publish:
+    runs-on: "ubuntu-latest"
+    permissions:
+      id-token: "write"
+      contents: "read"
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
+      - uses: DeterminateSystems/nix-installer-action@786fff0690178f1234e4e1fe9b536e94f5433196 # v20
+      - uses: DeterminateSystems/flakehub-push@71f57208810a5d299fc6545350981de98fdbc860 # v6
+        with:
+          visibility: "public"
+          tag: "${{ inputs.tag }}"

.github/workflows/go-licenses.yml

@@ -1,64 +0,0 @@
-name: go-licenses
-
-on:
-  # run action when a change lands in the main branch which updates go.mod or
-  # our license template file. Also allow manual triggering.
-  push:
-    branches:
-      - main
-    paths:
-      - go.mod
-      - .github/licenses.tmpl
-      - .github/workflows/go-licenses.yml
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  tailscale:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
-      - name: Install go-licenses
-        run: |
-          go install github.com/google/go-licenses@v1.2.2-0.20220825154955-5eedde1c6584
-
-      - name: Run go-licenses
-        env:
-          # include all build tags to include platform-specific dependencies
-          GOFLAGS: "-tags=android,cgo,darwin,freebsd,ios,js,linux,openbsd,wasm,windows"
-        run: |
-          [ -d licenses ] || mkdir licenses
-          go-licenses report tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled > licenses/tailscale.md --template .github/licenses.tmpl
-
-      - name: Get access token
-        uses: tibdex/github-app-token@f717b5ecd4534d3c4df4ce9b5c1c2214f0f7cd06 # v1.6.0
-        id: generate-token
-        with:
-          app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
-          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
-
-      - name: Send pull request
-        uses: peter-evans/create-pull-request@ad43dccb4d726ca8514126628bec209b8354b6dd #v4.1.4
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          author: License Updater <noreply@tailscale.com>
-          committer: License Updater <noreply@tailscale.com>
-          branch: licenses/cli
-          commit-message: "licenses: update tailscale{,d} licenses"
-          title: "licenses: update tailscale{,d} licenses"
-          body: Triggered by ${{ github.repository }}@${{ github.sha }}
-          signoff: true
-          delete-branch: true
-          team-reviewers: opensource-license-reviewers

.github/workflows/go_generate.yml

@@ -1,42 +0,0 @@
-name: go generate
-
-on:
-  push:
-    branches:
-      - main
-      - "release-branch/*"
-  pull_request:
-    branches:
-      - "*"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
-      - name: check 'go generate' is clean
-        run: |
-          if [[ "${{github.ref}}" == release-branch/* ]]
-          then
-            pkgs=$(go list ./... | grep -v dnsfallback)
-          else
-            pkgs=$(go list ./... | grep -v dnsfallback)
-          fi
-          go generate $pkgs
-          echo
-          echo
-          git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)

.github/workflows/go_mod_tidy.yml

@@ -1,35 +0,0 @@
-name: go mod tidy
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - "*"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
-      - name: check 'go mod tidy' is clean
-        run: |
-          go mod tidy
-          echo
-          echo
-          git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)

.github/workflows/golangci-lint.yml

@@ -0,0 +1,47 @@
+name: golangci-lint
+on:
+  # For now, only lint pull requests, not the main branches.
+  pull_request:
+    paths:
+      - ".github/workflows/golangci-lint.yml"
+      - "**.go"
+      - "go.mod"
+      - "go.sum"
+  # TODO(andrew): enable for main branch after an initial waiting period.
+  #push:
+  #  branches:
+  #    - main
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+        with:
+          version: v2.4.0
+
+          # Show only new issues if it's a pull request.
+          only-new-issues: true
+
+          # Loading packages with a cold cache takes a while:
+          args: --timeout=10m
+          

.github/workflows/govulncheck.yml

@@ -0,0 +1,51 @@
+name: govulncheck
+
+on:
+  schedule:
+    - cron: "0 12 * * *" # 8am EST / 10am PST / 12pm UTC
+  workflow_dispatch: # allow manual trigger for testing
+  pull_request:
+    paths:
+      - ".github/workflows/govulncheck.yml"
+
+jobs:
+  source-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Install govulncheck
+        run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Scan source code for known vulnerabilities
+        run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...
+
+      - name: Post to slack
+        if: failure() && github.event_name == 'schedule'
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
+          payload: |
+            {
+              "channel": "C08FGKZCQTW",
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "Govulncheck failed in ${{ github.repository }}"
+                  },
+                  "accessory": {
+                    "type": "button",
+                    "text": {
+                      "type": "plain_text",
+                      "text": "View results"
+                    },
+                    "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+                  }
+                }
+              ]
+            }

.github/workflows/installer.yml

@@ -0,0 +1,143 @@
+name: test installer.sh
+
+on:
+  schedule:
+    - cron: '0 15 * * *' # 10am EST (UTC-4/5)
+  push:
+    branches:
+      - "main"
+    paths:
+      - scripts/installer.sh
+      - .github/workflows/installer.yml
+  pull_request:
+    paths:
+      - scripts/installer.sh
+      - .github/workflows/installer.yml
+
+jobs:
+  test:
+    strategy:
+      # Don't abort the entire matrix if one element fails.
+      fail-fast: false
+      # Don't start all of these at once, which could saturate Github workers.
+      max-parallel: 4
+      matrix:
+        image:
+          # This is a list of Docker images against which we test our installer.
+          # If you find that some of these no longer exist, please feel free
+          # to remove them from the list.
+          # When adding new images, please only use official ones.
+          - "debian:oldstable-slim"
+          - "debian:stable-slim"
+          - "debian:testing-slim"
+          - "debian:sid-slim"
+          - "ubuntu:20.04"
+          - "ubuntu:22.04"
+          - "ubuntu:24.04"
+          - "elementary/docker:stable"
+          - "elementary/docker:unstable"
+          - "parrotsec/core:latest"
+          - "kalilinux/kali-rolling"
+          - "kalilinux/kali-dev"
+          - "oraclelinux:9"
+          - "oraclelinux:8"
+          - "fedora:latest"
+          - "rockylinux:8.7"
+          - "rockylinux:9"
+          - "amazonlinux:latest"
+          - "opensuse/leap:latest"
+          - "opensuse/tumbleweed:latest"
+          - "archlinux:latest"
+          - "alpine:3.21"
+          - "alpine:latest"
+          - "alpine:edge"
+        deps:
+          # Run all images installing curl as a dependency.
+          - curl
+        include:
+          # Check a few images with wget rather than curl.
+          - { image: "debian:oldstable-slim", deps: "wget" }
+          - { image: "debian:sid-slim", deps: "wget" }
+          - { image: "debian:stable-slim", deps: "curl" }
+          - { image: "ubuntu:24.04", deps: "curl" }
+          - { image: "fedora:latest", deps: "curl" }
+          # Test TAILSCALE_VERSION pinning on a subset of distros.
+          # Skip Alpine as community repos don't reliably keep old versions.
+          - { image: "debian:stable-slim", deps: "curl", version: "1.80.0" }
+          - { image: "ubuntu:24.04", deps: "curl", version: "1.80.0" }
+          - { image: "fedora:latest", deps: "curl", version: "1.80.0" }
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ matrix.image }}
+      options: --user root
+    steps:
+    - name: install dependencies (pacman)
+      # Refresh the package databases to ensure that the tailscale package is
+      # defined.
+      run: pacman -Sy
+      if: contains(matrix.image, 'archlinux')
+    - name: install dependencies (yum)
+      # tar and gzip are needed by the actions/checkout below.
+      run: yum install -y --allowerasing tar gzip ${{ matrix.deps }}
+      if: |
+        contains(matrix.image, 'centos') ||
+        contains(matrix.image, 'oraclelinux') ||
+        contains(matrix.image, 'fedora') ||
+        contains(matrix.image, 'amazonlinux')
+    - name: install dependencies (zypper)
+      # tar and gzip are needed by the actions/checkout below.
+      run: zypper --non-interactive install tar gzip ${{ matrix.deps }}
+      if: contains(matrix.image, 'opensuse')
+    - name: install dependencies (apt-get)
+      run: |
+        apt-get update
+        apt-get install -y ${{ matrix.deps }}
+      if: |
+        contains(matrix.image, 'debian') ||
+        contains(matrix.image, 'ubuntu') ||
+        contains(matrix.image, 'elementary') ||
+        contains(matrix.image, 'parrotsec') ||
+        contains(matrix.image, 'kalilinux')
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - name: run installer
+      run: scripts/installer.sh
+      env:
+        TAILSCALE_VERSION: ${{ matrix.version }}
+      # Package installation can fail in docker because systemd is not running
+      # as PID 1, so ignore errors at this step. The real check is the
+      # `tailscale --version` command below.
+      continue-on-error: true
+    - name: check tailscale version
+      run: |
+        tailscale --version
+        if [ -n "${{ matrix.version }}" ]; then
+          tailscale --version | grep -q "^${{ matrix.version }}" || { echo "Version mismatch!"; exit 1; }
+        fi
+  notify-slack:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Notify Slack of failure on scheduled runs
+        if: failure() && github.event_name == 'schedule'
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+        with:
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          payload: |
+            {
+              "attachments": [{
+                "title": "Tailscale installer test failed",
+                "title_link": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}",
+                "text": "One or more OSes in the test matrix failed. See the run for details.",
+                "fields": [
+                  {
+                    "title": "Ref",
+                    "value": "${{ github.ref_name }}",
+                    "short": true
+                  }
+                ],
+                "footer": "${{ github.workflow }} on schedule",
+                "color": "danger"
+              }]
+            }

.github/workflows/kubemanifests.yaml

@@ -0,0 +1,31 @@
+name: "Kubernetes manifests"
+on:
+  pull_request:
+   paths: 
+   - 'cmd/k8s-operator/**'
+   - 'k8s-operator/**'
+   - '.github/workflows/kubemanifests.yaml'
+
+# Cancel workflow run if there is a newer push to the same PR for which it is
+# running
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  testchart:
+    runs-on: [ ubuntu-latest ]
+    steps:
+    - name: Check out code
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - name: Build and lint Helm chart
+      run: |
+        eval `./tool/go run ./cmd/mkversion`
+        ./tool/helm package --app-version="${VERSION_SHORT}" --version=${VERSION_SHORT} './cmd/k8s-operator/deploy/chart'
+        ./tool/helm lint "tailscale-operator-${VERSION_SHORT}.tgz"
+    - name: Verify that static manifests are up to date
+      run: |
+        make kube-generate-all
+        echo
+        echo
+        git diff --name-only --exit-code || (echo "Generated files for Tailscale Kubernetes operator are out of date. Please run 'make kube-generate-all' and commit the diff."; exit 1)

.github/workflows/license.yml

@@ -1,45 +0,0 @@
-name: license
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-
-    - name: Run license checker
-      run: ./scripts/check_license_headers.sh .
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'

.github/workflows/linux-race.yml

@@ -1,67 +0,0 @@
-name: Linux race
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Basic build
-      run: go build ./cmd/...
-
-    - name: Run tests and benchmarks with -race flag on linux
-      run: go test -race -bench=. -benchtime=1x ./...
-
-    - name: Check that no tracked files in the repo have been modified
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-
-    - name: Check that no files have been added to the repo
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-

.github/workflows/linux.yml

@@ -1,77 +0,0 @@
-name: Linux
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-22.04
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Basic build
-      run: go build ./cmd/...
-
-    - name: Build variants
-      run: |
-        go install --tags=ts_include_cli ./cmd/tailscaled
-        go install --tags=ts_omit_aws ./cmd/tailscaled
-
-    - name: Get QEMU
-      run: |
-        sudo apt-get -y update
-        sudo apt-get -y install qemu-user
-
-    - name: Run tests on linux
-      run: go test -bench=. -benchtime=1x ./...
-
-    - name: Check that no tracked files in the repo have been modified
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-
-    - name: Check that no files have been added to the repo
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-

.github/workflows/linux32.yml

@@ -1,67 +0,0 @@
-name: Linux 32-bit
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Basic build
-      run: GOARCH=386 go build ./cmd/...
-
-    - name: Run tests on linux
-      run: GOARCH=386 go test -bench=. -benchtime=1x ./...
-
-    - name: Check that no tracked files in the repo have been modified
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-
-    - name: Check that no files have been added to the repo
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-

.github/workflows/natlab-integrationtest.yml

@@ -0,0 +1,27 @@
+# Run some natlab integration tests.
+# See https://github.com/tailscale/tailscale/issues/13038
+name: "natlab-integrationtest"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    paths:
+      - "tstest/integration/nat/nat_test.go"
+jobs:
+  natlab-integrationtest:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Install qemu
+        run: |
+          sudo rm /var/lib/man-db/auto-update
+          sudo apt-get -y update
+          sudo apt-get -y remove man-db
+          sudo apt-get install -y qemu-system-x86 qemu-utils
+      - name: Run natlab integration tests
+        run: |
+          ./tool/go test -v -run=^TestEasyEasy$ -timeout=3m -count=1 ./tstest/integration/nat  --run-vm-tests

.github/workflows/pin-github-actions.yml

@@ -0,0 +1,29 @@
+# Pin images used in github actions to a hash instead of a version tag.
+name: pin-github-actions
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/**"
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  run:
+    name: pin-github-actions
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: pin
+        run: make pin-github-actions
+      - name: check for changed workflow files
+        run: git diff --no-ext-diff --exit-code .github/workflows || (echo "Some github actions versions need pinning, run make pin-github-actions."; exit 1)

.github/workflows/request-dataplane-review.yml

@@ -0,0 +1,32 @@
+name: request-dataplane-review
+
+on:
+  pull_request:
+    types: [ opened, synchronize, reopened, ready_for_review ]
+    paths:
+      - ".github/workflows/request-dataplane-review.yml"
+      - "**/*derp*"
+      - "**/derp*/**"
+      - "!**/depaware.txt"
+
+jobs:
+  request-dataplane-review:
+    if: github.event.pull_request.draft == false
+    name: Request Dataplane Review
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Get access token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: generate-token
+        with:
+          # Get token for app: https://github.com/apps/change-visibility-bot
+          app-id: ${{ secrets.VISIBILITY_BOT_APP_ID }}
+          private-key: ${{ secrets.VISIBILITY_BOT_APP_PRIVATE_KEY }}
+      - name: Add reviewers
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+          url: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr edit "$url" --add-reviewer tailscale/dataplane

.github/workflows/ssh-integrationtest.yml

@@ -0,0 +1,23 @@
+# Run the ssh integration tests with `make sshintegrationtest`.
+# These tests can also be running locally.
+name: "ssh-integrationtest"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    paths:
+      - "ssh/**"
+      - "tempfork/gliderlabs/ssh/**"
+      - ".github/workflows/ssh-integrationtest"
+jobs:
+  ssh-integrationtest:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Run SSH integration tests
+        run: |
+          make sshintegrationtest

.github/workflows/static-analysis.yml

@@ -1,113 +0,0 @@
-name: static-analysis
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  gofmt:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-    - name: Run gofmt (goimports)
-      run: go run golang.org/x/tools/cmd/goimports -d --format-only .
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
-  vet:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-    - name: Check out code
-      uses: actions/checkout@v3
-    - name: Run go vet
-      run: go vet ./...
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
-  staticcheck:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        goos: [linux, windows, darwin]
-        goarch: [amd64]
-        include:
-          - goos: windows
-            goarch: 386
-
-    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Install staticcheck
-      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
-
-    - name: Print staticcheck version
-      run: "staticcheck -version"
-
-    - name: "Run staticcheck (${{ matrix.goos }}/${{ matrix.goarch }})"
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'

.github/workflows/test.yml

@@ -0,0 +1,961 @@
+# This is our main "CI tests" workflow. It runs everything that should run on
+# both PRs and merged commits, and for the latter reports failures to slack.
+name: CI
+
+env:
+  # Our fuzz job, powered by OSS-Fuzz, fails periodically because we upgrade to
+  # new Go versions very eagerly. OSS-Fuzz is a little more conservative, and
+  # ends up being unable to compile our code.
+  #
+  # When this happens, we want to disable the fuzz target until OSS-Fuzz catches
+  # up. However, we also don't want to forget to turn it back on when OSS-Fuzz
+  # can once again build our code.
+  #
+  # This variable toggles the fuzz job between two modes:
+  #  - false: we expect fuzzing to be happy, and should report failure if it's not.
+  #  - true: we expect fuzzing is broken, and should report failure if it start working.
+  TS_FUZZ_CURRENTLY_BROKEN: false
+  # GOMODCACHE is the same definition on all OSes. Within the workspace, we use
+  # toplevel directories "src" (for the checked out source code), and "gomodcache"
+  # and other caches as siblings to follow.
+  GOMODCACHE: ${{ github.workspace }}/gomodcache
+
+on:
+  push:
+    branches:
+      - "main"
+      - "release-branch/*"
+  pull_request:
+    # all PRs on all branches
+  merge_group:
+    branches:
+      - "main"
+
+concurrency:
+  # For PRs, later CI runs preempt previous ones. e.g. a force push on a PR
+  # cancels running CI jobs and starts all new ones.
+  #
+  # For non-PR pushes, concurrency.group needs to be unique for every distinct
+  # CI run we want to have happen. Use run_id, which in practice means all
+  # non-PR CI runs will be allowed to run without preempting each other.
+  group: ${{ github.workflow }}-$${{ github.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  gomod-cache:
+    runs-on: ubuntu-24.04
+    outputs:
+      cache-key: ${{ steps.hash.outputs.key }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          path: src
+      - name: Compute cache key from go.{mod,sum}
+        id: hash
+        run: echo "key=gomod-cross3-${{ hashFiles('src/go.mod', 'src/go.sum') }}" >> $GITHUB_OUTPUT
+      # See if the cache entry already exists to avoid downloading it
+      # and doing the cache write again.
+      - id: check-cache
+        uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4
+        with:
+          path: gomodcache # relative to workspace; see env note at top of file
+          key: ${{ steps.hash.outputs.key }}
+          lookup-only: true
+          enableCrossOsArchive: true
+      - name: Download modules
+        if: steps.check-cache.outputs.cache-hit != 'true'
+        working-directory: src
+        run: go mod download
+      - name: Cache Go modules
+        if: steps.check-cache.outputs.cache-hit != 'true'
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        with:
+          path: gomodcache # relative to workspace; see env note at top of file
+          key: ${{ steps.hash.outputs.key }}
+          enableCrossOsArchive: true
+
+  race-root-integration:
+    runs-on: ubuntu-24.04
+    needs: gomod-cache
+    strategy:
+      fail-fast: false # don't abort the entire matrix if one element fails
+      matrix:
+        include:
+          - shard: '1/4'
+          - shard: '2/4'
+          - shard: '3/4'
+          - shard: '4/4'
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: build test wrapper
+      working-directory: src
+      run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
+    - name: integration tests as root
+      working-directory: src
+      run: PATH=$PWD/tool:$PATH /tmp/testwrapper -exec "sudo -E" -race ./tstest/integration/
+      env:
+        TS_TEST_SHARD: ${{ matrix.shard }}
+
+  test:
+    strategy:
+      fail-fast: false # don't abort the entire matrix if one element fails
+      matrix:
+        include:
+          - goarch: amd64
+          - goarch: amd64
+            buildflags: "-race"
+            shard: '1/3'
+          - goarch: amd64
+            buildflags: "-race"
+            shard: '2/3'
+          - goarch: amd64
+            buildflags: "-race"
+            shard: '3/3'
+          - goarch: "386" # thanks yaml
+    runs-on: ubuntu-24.04
+    needs: gomod-cache
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: Restore Cache
+      id: restore-cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        # Note: this is only restoring the build cache. Mod cache is shared amongst
+        # all jobs in the workflow.
+        path: |
+          ~/.cache/go-build
+          ~\AppData\Local\go-build
+        key: ${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-${{ matrix.shard }}-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-${{ matrix.shard }}-${{ hashFiles('**/go.sum') }}-${{ github.job }}-
+          ${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-${{ matrix.shard }}-${{ hashFiles('**/go.sum') }}-
+          ${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-${{ matrix.shard }}-
+          ${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-
+    - name: build all
+      if: matrix.buildflags == '' # skip on race builder
+      working-directory: src
+      run: ./tool/go build ${{matrix.buildflags}} ./...
+      env:
+        GOARCH: ${{ matrix.goarch }}
+    - name: build variant CLIs
+      if: matrix.buildflags == '' # skip on race builder
+      working-directory: src
+      run: |
+        ./build_dist.sh --extra-small ./cmd/tailscaled
+        ./build_dist.sh --box ./cmd/tailscaled
+        ./build_dist.sh --extra-small --box ./cmd/tailscaled
+        rm -f tailscaled
+      env:
+        GOARCH: ${{ matrix.goarch }}
+    - name: get qemu # for tstest/archtest
+      if: matrix.goarch == 'amd64' && matrix.buildflags == ''
+      run: |
+        sudo apt-get -y update
+        sudo apt-get -y install qemu-user
+    - name: build test wrapper
+      working-directory: src
+      run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
+    - name: test all
+      working-directory: src
+      run: NOBASHDEBUG=true NOPWSHDEBUG=true PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}}
+      env:
+        GOARCH: ${{ matrix.goarch }}
+        TS_TEST_SHARD: ${{ matrix.shard }}
+    - name: bench all
+      working-directory: src
+      run: ./tool/go test ${{matrix.buildflags}} -bench=. -benchtime=1x -run=^$ $(for x in $(git grep -l "^func Benchmark" | xargs dirname | sort | uniq); do echo "./$x"; done)
+      env:
+        GOARCH: ${{ matrix.goarch }}
+    - name: check that no tracked files changed
+      working-directory: src
+      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
+    - name: check that no new files were added
+      working-directory: src
+      run: |
+        # Note: The "error: pathspec..." you see below is normal!
+        # In the success case in which there are no new untracked files,
+        # git ls-files complains about the pathspec not matching anything.
+        # That's OK. It's not worth the effort to suppress. Please ignore it.
+        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
+        then
+          echo "Build/test created untracked files in the repo (file names above)."
+          exit 1
+        fi
+    - name: Tidy cache
+      working-directory: src
+      shell: bash
+      run: |
+        find $(go env GOCACHE) -type f -mmin +90 -delete
+    - name: Save Cache
+      # Save cache even on failure, but only on cache miss and main branch to avoid thrashing.
+      if: always() && steps.restore-cache.outputs.cache-hit != 'true' && github.ref == 'refs/heads/main'
+      uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        # Note: this is only saving the build cache. Mod cache is shared amongst
+        # all jobs in the workflow.
+        path: |
+          ~/.cache/go-build
+          ~\AppData\Local\go-build
+        key: ${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-${{ matrix.shard }}-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
+
+  windows:
+    permissions:
+      id-token: write # This is required for requesting the GitHub action identity JWT that can auth to cigocached
+      contents: read # This is required for actions/checkout
+    # ci-windows-github-1 is a 2022 GitHub-managed runner in our org with 8 cores
+    # and 32 GB of RAM. It is connected to a private Azure VNet that hosts cigocached.
+    # https://github.com/organizations/tailscale/settings/actions/github-hosted-runners/5
+    runs-on: ci-windows-github-1
+    needs: gomod-cache
+    name: Windows (${{ matrix.name || matrix.shard}})
+    strategy:
+      fail-fast: false # don't abort the entire matrix if one element fails
+      matrix:
+        include:
+          - key: "win-bench"
+            name: "benchmarks"
+          - key: "win-shard-1-2"
+            shard: "1/2"
+          - key: "win-shard-2-2"
+            shard: "2/2"
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: ${{ github.workspace }}/src
+
+    - name: Install Go
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      with:
+        go-version-file: ${{ github.workspace }}/src/go.mod
+        cache: false
+
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+
+    - name: Set up cigocacher
+      id: cigocacher-setup
+      uses: ./src/.github/actions/go-cache
+      with:
+        checkout-path: ${{ github.workspace }}/src
+        cache-dir: ${{ github.workspace }}/cigocacher
+        cigocached-url: ${{ vars.CIGOCACHED_AZURE_URL }}
+        cigocached-host: ${{ vars.CIGOCACHED_AZURE_HOST }}
+
+    - name: test
+      if: matrix.key != 'win-bench' # skip on bench builder
+      working-directory: src
+      run: go run ./cmd/testwrapper sharded:${{ matrix.shard }}
+
+    - name: bench all
+      if: matrix.key == 'win-bench'
+      working-directory: src
+      # Don't use -bench=. -benchtime=1x.
+      # Somewhere in the layers (powershell?)
+      # the equals signs cause great confusion.
+      run: go test ./... -bench . -benchtime 1x -run "^$"
+
+    - name: Print stats
+      shell: pwsh
+      if: steps.cigocacher-setup.outputs.success == 'true'
+      env:
+        GOCACHEPROG: ${{ env.GOCACHEPROG }}
+      run: |
+        Invoke-Expression "$env:GOCACHEPROG --stats" | jq .
+
+  win-tool-go:
+    runs-on: windows-latest
+    needs: gomod-cache
+    name: Windows (win-tool-go)
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: test-tool-go
+      working-directory: src
+      run: ./tool/go version
+
+  privileged:
+    needs: gomod-cache
+    runs-on: ubuntu-24.04
+    container:
+      image: golang:latest
+      options: --privileged
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: chown
+      working-directory: src
+      run: chown -R $(id -u):$(id -g) $PWD
+    - name: privileged tests
+      working-directory: src
+      run: ./tool/go test ./util/linuxfw ./derp/xdp
+
+  vm:
+    needs: gomod-cache
+    runs-on: ["self-hosted", "linux", "vm"]
+    # VM tests run with some privileges, don't let them run on 3p PRs.
+    if: github.repository == 'tailscale/tailscale'
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: Run VM tests
+      working-directory: src
+      run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2404
+      env:
+        HOME: "/var/lib/ghrunner/home"
+        TMPDIR: "/tmp"
+        XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
+
+  cross: # cross-compile checks, build only.
+    needs: gomod-cache
+    strategy:
+      fail-fast: false # don't abort the entire matrix if one element fails
+      matrix:
+        include:
+          # Note: linux/amd64 is not in this matrix, because that goos/goarch is
+          # tested more exhaustively in the 'test' job above.
+          - goos: linux
+            goarch: arm64
+          - goos: linux
+            goarch: "386" # thanks yaml
+          - goos: linux
+            goarch: loong64
+          - goos: linux
+            goarch: arm
+            goarm: "5"
+          - goos: linux
+            goarch: arm
+            goarm: "7"
+          # macOS
+          - goos: darwin
+            goarch: amd64
+          - goos: darwin
+            goarch: arm64
+          # Windows
+          - goos: windows
+            goarch: amd64
+          - goos: windows
+            goarch: arm64
+          # BSDs
+          - goos: freebsd
+            goarch: amd64
+          - goos: openbsd
+            goarch: amd64
+
+    runs-on: ubuntu-24.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: Restore Cache
+      id: restore-cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        # Note: this is only restoring the build cache. Mod cache is shared amongst
+        # all jobs in the workflow.
+        path: |
+          ~/.cache/go-build
+          ~\AppData\Local\go-build
+        key: ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-${{ matrix.goarm }}-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-${{ matrix.goarm }}-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-
+          ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-${{ matrix.goarm }}-go-${{ hashFiles('**/go.sum') }}-
+          ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-${{ matrix.goarm }}-go-
+    - name: build all
+      working-directory: src
+      run: ./tool/go build ./cmd/...
+      env:
+        GOOS: ${{ matrix.goos }}
+        GOARCH: ${{ matrix.goarch }}
+        GOARM: ${{ matrix.goarm }}
+        CGO_ENABLED: "0"
+    - name: build tests
+      working-directory: src
+      run: ./tool/go test -exec=true ./...
+      env:
+        GOOS: ${{ matrix.goos }}
+        GOARCH: ${{ matrix.goarch }}
+        CGO_ENABLED: "0"
+    - name: Tidy cache
+      working-directory: src
+      shell: bash
+      run: |
+        find $(go env GOCACHE) -type f -mmin +90 -delete
+    - name: Save Cache
+      # Save cache even on failure, but only on cache miss and main branch to avoid thrashing.
+      if: always() && steps.restore-cache.outputs.cache-hit != 'true' && github.ref == 'refs/heads/main'
+      uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        # Note: this is only saving the build cache. Mod cache is shared amongst
+        # all jobs in the workflow.
+        path: |
+          ~/.cache/go-build
+          ~\AppData\Local\go-build
+        key: ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-${{ matrix.goarm }}-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
+
+  ios: # similar to cross above, but iOS can't build most of the repo. So, just
+       # make it build a few smoke packages.
+    runs-on: ubuntu-24.04
+    needs: gomod-cache
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: build some
+      working-directory: src
+      run: ./tool/go build ./ipn/... ./ssh/tailssh ./wgengine/ ./types/... ./control/controlclient
+      env:
+        GOOS: ios
+        GOARCH: arm64
+
+  crossmin: # cross-compile for platforms where we only check cmd/tailscale{,d}
+    needs: gomod-cache
+    strategy:
+      fail-fast: false # don't abort the entire matrix if one element fails
+      matrix:
+        include:
+          # Plan9
+          - goos: plan9
+            goarch: amd64
+          # AIX
+          - goos: aix
+            goarch: ppc64
+          # Solaris
+          - goos: solaris
+            goarch: amd64
+          # illumos
+          - goos: illumos
+            goarch: amd64
+
+    runs-on: ubuntu-24.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: Restore Cache
+      id: restore-cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        # Note: this is only restoring the build cache. Mod cache is shared amongst
+        # all jobs in the workflow.
+        path: |
+          ~/.cache/go-build
+          ~\AppData\Local\go-build
+        key: ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-
+          ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-${{ hashFiles('**/go.sum') }}-
+          ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-
+    - name: build core
+      working-directory: src
+      run: ./tool/go build ./cmd/tailscale ./cmd/tailscaled
+      env:
+        GOOS: ${{ matrix.goos }}
+        GOARCH: ${{ matrix.goarch }}
+        GOARM: ${{ matrix.goarm }}
+        CGO_ENABLED: "0"
+    - name: Tidy cache
+      working-directory: src
+      shell: bash
+      run: |
+        find $(go env GOCACHE) -type f -mmin +90 -delete
+    - name: Save Cache
+      # Save cache even on failure, but only on cache miss and main branch to avoid thrashing.
+      if: always() && steps.restore-cache.outputs.cache-hit != 'true' && github.ref == 'refs/heads/main'
+      uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        # Note: this is only saving the build cache. Mod cache is shared amongst
+        # all jobs in the workflow.
+        path: |
+          ~/.cache/go-build
+          ~\AppData\Local\go-build
+        key: ${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
+
+  android:
+    # similar to cross above, but android fails to build a few pieces of the
+    # repo. We should fix those pieces, they're small, but as a stepping stone,
+    # only test the subset of android that our past smoke test checked.
+    runs-on: ubuntu-24.04
+    needs: gomod-cache
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
+      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
+      # some Android breakages early.
+      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: build some
+      working-directory: src
+      run: ./tool/go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/netmon ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version ./ssh/tailssh
+      env:
+        GOOS: android
+        GOARCH: arm64
+
+  wasm: # builds tsconnect, which is the only wasm build we support
+    runs-on: ubuntu-24.04
+    needs: gomod-cache
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: Restore Cache
+      id: restore-cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        # Note: this is only restoring the build cache. Mod cache is shared amongst
+        # all jobs in the workflow.
+        path: |
+          ~/.cache/go-build
+          ~\AppData\Local\go-build
+        key: ${{ runner.os }}-js-wasm-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ runner.os }}-js-wasm-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-
+          ${{ runner.os }}-js-wasm-go-${{ hashFiles('**/go.sum') }}-
+          ${{ runner.os }}-js-wasm-go-
+    - name: build tsconnect client
+      working-directory: src
+      run: ./tool/go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
+      env:
+        GOOS: js
+        GOARCH: wasm
+    - name: build tsconnect server
+      working-directory: src
+      # Note, no GOOS/GOARCH in env on this build step, we're running a build
+      # tool that handles the build itself.
+      run: |
+        ./tool/go run ./cmd/tsconnect --fast-compression build
+        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
+    - name: Tidy cache
+      working-directory: src
+      shell: bash
+      run: |
+        find $(go env GOCACHE) -type f -mmin +90 -delete
+    - name: Save Cache
+      # Save cache even on failure, but only on cache miss and main branch to avoid thrashing.
+      if: always() && steps.restore-cache.outputs.cache-hit != 'true' && github.ref == 'refs/heads/main'
+      uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        # Note: this is only saving the build cache. Mod cache is shared amongst
+        # all jobs in the workflow.
+        path: |
+          ~/.cache/go-build
+          ~\AppData\Local\go-build
+        key: ${{ runner.os }}-js-wasm-go-${{ hashFiles('**/go.sum') }}-${{ github.job }}-${{ github.run_id }}
+
+  tailscale_go: # Subset of tests that depend on our custom Go toolchain.
+    runs-on: ubuntu-24.04
+    needs: gomod-cache
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - name: Set GOMODCACHE env
+      run: echo "GOMODCACHE=$HOME/.cache/go-mod" >> $GITHUB_ENV
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: test tailscale_go
+      run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/...
+
+
+  fuzz:
+    # This target periodically breaks (see TS_FUZZ_CURRENTLY_BROKEN at the top
+    # of the file), so it's more complex than usual: the 'build fuzzers' step
+    # might fail, and depending on the value of 'TS_FUZZ_CURRENTLY_BROKEN', that
+    # might or might not be fine. The steps after the build figure out whether
+    # the success/failure is expected, and appropriately pass/fail the job
+    # overall accordingly.
+    #
+    # Practically, this means that all steps after 'build fuzzers' must have an
+    # explicit 'if' condition, because the default condition for steps is
+    # 'success()', meaning "only run this if no previous steps failed".
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-24.04
+    steps:
+    - name: build fuzzers
+      id: build
+      # As of 21 October 2025, this repo doesn't tag releases, so this commit
+      # hash is just the tip of master.
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@1242ccb5b6352601e73c00f189ac2ae397242264
+      # continue-on-error makes steps.build.conclusion be 'success' even if
+      # steps.build.outcome is 'failure'. This means this step does not
+      # contribute to the job's overall pass/fail evaluation.
+      continue-on-error: true
+      with:
+       oss-fuzz-project-name: 'tailscale'
+       dry-run: false
+       language: go
+    - name: report unexpectedly broken fuzz build
+      if: steps.build.outcome == 'failure' && env.TS_FUZZ_CURRENTLY_BROKEN != 'true'
+      run: |
+        echo "fuzzer build failed, see above for why"
+        echo "if the failure is due to OSS-Fuzz not being on the latest Go yet,"
+        echo "set TS_FUZZ_CURRENTLY_BROKEN=true in .github/workflows/test.yml"
+        echo "to temporarily disable fuzzing until OSS-Fuzz works again."
+        exit 1
+    - name: report unexpectedly working fuzz build
+      if: steps.build.outcome == 'success' && env.TS_FUZZ_CURRENTLY_BROKEN == 'true'
+      run: |
+        echo "fuzzer build succeeded, but we expect it to be broken"
+        echo "please set TS_FUZZ_CURRENTLY_BROKEN=false in .github/workflows/test.yml"
+        echo "to reenable fuzz testing"
+        exit 1
+    - name: run fuzzers
+      id: run
+      # Run the fuzzers whenever they're able to build, even if we're going to
+      # report a failure because TS_FUZZ_CURRENTLY_BROKEN is set to the wrong
+      # value.
+      if: steps.build.outcome == 'success'
+      # As of 21 October 2025, this repo doesn't tag releases, so this commit
+      # hash is just the tip of master.
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@1242ccb5b6352601e73c00f189ac2ae397242264
+      with:
+        oss-fuzz-project-name: 'tailscale'
+        fuzz-seconds: 150
+        dry-run: false
+        language: go
+    - name: Set artifacts_path in env (workaround for actions/upload-artifact#176)
+      if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
+      run: |
+        echo "artifacts_path=$(realpath .)" >> $GITHUB_ENV
+    - name: upload crash
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
+      with:
+        name: artifacts
+        path: ${{ env.artifacts_path }}/out/artifacts
+
+  depaware:
+    runs-on: ubuntu-24.04
+    needs: gomod-cache
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Set GOMODCACHE env
+      run: echo "GOMODCACHE=$HOME/.cache/go-mod" >> $GITHUB_ENV
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: check depaware
+      working-directory: src
+      run: make depaware
+
+  go_generate:
+    runs-on: ubuntu-24.04
+    needs: gomod-cache
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: check that 'go generate' is clean
+      working-directory: src
+      run: |
+        pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator|xdp')
+        ./tool/go generate $pkgs
+        git add -N . # ensure untracked files are noticed
+        echo
+        echo
+        git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)
+
+  go_mod_tidy:
+    runs-on: ubuntu-24.04
+    needs: gomod-cache
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: check that 'go mod tidy' is clean
+      working-directory: src
+      run: |
+        make tidy
+        echo
+        echo
+        git diff --name-only --exit-code || (echo "Please run 'make tidy'"; exit 1)
+
+  licenses:
+    runs-on: ubuntu-24.04
+    needs: gomod-cache
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: check licenses
+      working-directory: src
+      run: |
+        grep -q TestLicenseHeaders *.go || (echo "Expected a test named TestLicenseHeaders"; exit 1)
+        ./tool/go test -v -run=TestLicenseHeaders
+
+  staticcheck:
+    runs-on: ubuntu-24.04
+    needs: gomod-cache
+    name: staticcheck (${{ matrix.name }})
+    strategy:
+      fail-fast: false # don't abort the entire matrix if one element fails
+      matrix:
+        include:
+          - name: "macOS"
+            goos: "darwin"
+            goarch: "arm64"
+            flags: "--with-tags-all=darwin"
+          - name: "Windows"
+            goos: "windows"
+            goarch: "amd64"
+            flags: "--with-tags-all=windows"
+          - name: "Linux"
+            goos: "linux"
+            goarch: "amd64"
+            flags: "--with-tags-all=linux"
+          - name: "Portable (1/4)"
+            goos: "linux"
+            goarch: "amd64"
+            flags: "--without-tags-any=windows,darwin,linux --shard=1/4"
+          - name: "Portable (2/4)"
+            goos: "linux"
+            goarch: "amd64"
+            flags: "--without-tags-any=windows,darwin,linux --shard=2/4"
+          - name: "Portable (3/4)"
+            goos: "linux"
+            goarch: "amd64"
+            flags: "--without-tags-any=windows,darwin,linux --shard=3/4"
+          - name: "Portable (4/4)"
+            goos: "linux"
+            goarch: "amd64"
+            flags: "--without-tags-any=windows,darwin,linux --shard=4/4"
+
+    steps:
+    - name: checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        path: src
+    - name: Restore Go module cache
+      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: gomodcache
+        key: ${{ needs.gomod-cache.outputs.cache-key }}
+        enableCrossOsArchive: true
+    - name: run staticcheck (${{ matrix.name }})
+      working-directory: src
+      run: |
+        export GOROOT=$(./tool/go env GOROOT)
+        ./tool/go run -exec \
+          "env GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }}" \
+           honnef.co/go/tools/cmd/staticcheck -- \
+           $(./tool/go run ./tool/listpkgs --ignore-3p --goos=${{ matrix.goos }} --goarch=${{ matrix.goarch }} ${{ matrix.flags }} ./...)
+
+  notify_slack:
+    if: always()
+    # Any of these jobs failing causes a slack notification.
+    needs: 
+      - android
+      - test
+      - windows
+      - vm
+      - cross
+      - ios
+      - wasm
+      - tailscale_go
+      - fuzz
+      - depaware
+      - go_generate
+      - go_mod_tidy
+      - licenses
+      - staticcheck
+    runs-on: ubuntu-24.04
+    steps:
+    - name: notify  
+      # Only notify slack for merged commits, not PR failures.
+      #
+      # It may be tempting to move this condition into the job's 'if' block, but
+      # don't: Github only collapses the test list into "everything is OK" if
+      # all jobs succeeded. A skipped job results in the list staying expanded.
+      # By having the job always run, but skipping its only step as needed, we
+      # let the CI output collapse nicely in PRs.
+      if: failure() && github.event_name == 'push'
+      uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
+      with:
+        webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+        webhook-type: incoming-webhook
+        payload: |
+          {
+            "attachments": [{
+              "title": "Failure: ${{ github.workflow }}",
+              "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",         
+              "text": "${{ github.repository }}@${{ github.ref_name }}: <https://github.com/${{ github.repository }}/commit/${{ github.sha }}|${{ github.sha }}>",
+              "fields": [{ "value": ${{ toJson(github.event.head_commit.message) }}, "short": false }],
+              "footer": "${{ github.event.head_commit.committer.name }} at ${{ github.event.head_commit.timestamp }}",
+              "color": "danger"
+            }]
+          }
+
+  merge_blocker:
+    if: always()
+    runs-on: ubuntu-24.04
+    needs:
+      - android
+      - test
+      - windows
+      - vm
+      - cross
+      - ios
+      - wasm
+      - tailscale_go
+      - fuzz
+      - depaware
+      - go_generate
+      - go_mod_tidy
+      - licenses
+      - staticcheck
+    steps:
+    - name: Decide if change is okay to merge
+      if: github.event_name != 'push'
+      uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+      with:
+        jobs: ${{ toJSON(needs) }}
+
+   # This waits on all the jobs which must never fail. Branch protection rules
+   # enforce these. No flaky tests are allowed in these jobs. (We don't want flaky
+   # tests anywhere, really, but a flaky test here prevents merging.)
+  check_mergeability_strict:
+    if: always()
+    runs-on: ubuntu-24.04
+    needs:
+      - android
+      - cross
+      - crossmin
+      - ios
+      - tailscale_go
+      - depaware
+      - go_generate
+      - go_mod_tidy
+      - licenses
+      - staticcheck
+    steps:
+    - name: Decide if change is okay to merge
+      if: github.event_name != 'push'
+      uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+      with:
+        jobs: ${{ toJSON(needs) }}
+
+  check_mergeability:
+    if: always()
+    runs-on: ubuntu-24.04
+    needs:
+      - check_mergeability_strict
+      - test
+      - windows
+      - vm
+      - wasm
+      - fuzz
+      - race-root-integration
+      - privileged
+    steps:
+    - name: Decide if change is okay to merge
+      if: github.event_name != 'push'
+      uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+      with:
+        jobs: ${{ toJSON(needs) }}

.github/workflows/tsconnect-pkg-publish.yml

@@ -1,30 +0,0 @@
-name: "@tailscale/connect npm publish"
-
-on: workflow_dispatch
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Set up node
-        uses: actions/setup-node@v3
-        with:
-          node-version: "16.x"
-          registry-url: "https://registry.npmjs.org"
-
-      - name: Build package
-        # Build with build_dist.sh to ensure that version information is embedded.
-        # GOROOT is specified so that the Go/Wasm that is trigged by build-pk
-        # also picks up our custom Go toolchain.
-        run: |
-          ./build_dist.sh tailscale.com/cmd/tsconnect
-          GOROOT="${HOME}/.cache/tailscale-go" ./tsconnect build-pkg
-
-      - name: Publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.TSCONNECT_NPM_PUBLISH_AUTH_TOKEN }}
-        run: ./tool/yarn --cwd ./cmd/tsconnect/pkg publish --access public

.github/workflows/update-flake.yml

@@ -0,0 +1,49 @@
+name: update-flake
+
+on:
+  # run action when a change lands in the main branch which updates go.mod. Also
+  # allow manual triggering.
+  push:
+    branches:
+      - main
+    paths:
+      - go.mod
+      - .github/workflows/update-flake.yml
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  update-flake:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Run update-flakes
+        run: ./update-flake.sh
+
+      - name: Get access token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: generate-token
+        with:
+          # Get token for app: https://github.com/apps/tailscale-code-updater
+          app-id: ${{ secrets.CODE_UPDATER_APP_ID }}
+          private-key: ${{ secrets.CODE_UPDATER_APP_PRIVATE_KEY }}
+
+      - name: Send pull request
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 #v8.0.0
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          author: Flakes Updater <noreply+flakes-updater@tailscale.com>
+          committer: Flakes Updater <noreply+flakes-updater@tailscale.com>
+          branch: flakes
+          commit-message: "go.mod.sri: update SRI hash for go.mod changes"
+          title: "go.mod.sri: update SRI hash for go.mod changes"
+          body: Triggered by ${{ github.repository }}@${{ github.sha }}
+          signoff: true
+          delete-branch: true
+          reviewers: danderson

.github/workflows/update-webclient-prebuilt.yml

@@ -0,0 +1,50 @@
+name: update-webclient-prebuilt
+
+on:
+  # manually triggered
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  update-webclient-prebuilt:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Run go get
+        run: |
+          ./tool/go version # build gocross if needed using regular GOPROXY
+          GOPROXY=direct ./tool/go get github.com/tailscale/web-client-prebuilt
+          ./tool/go mod tidy
+
+      - name: Get access token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: generate-token
+        with:
+          # Get token for app: https://github.com/apps/tailscale-code-updater
+          app-id: ${{ secrets.CODE_UPDATER_APP_ID }}
+          private-key: ${{ secrets.CODE_UPDATER_APP_PRIVATE_KEY }}
+
+      - name: Send pull request
+        id: pull-request
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 #v8.0.0
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          author: OSS Updater <noreply+oss-updater@tailscale.com>
+          committer: OSS Updater <noreply+oss-updater@tailscale.com>
+          branch: actions/update-webclient-prebuilt
+          commit-message: "go.mod: update web-client-prebuilt module"
+          title: "go.mod: update web-client-prebuilt module"
+          body: Triggered by ${{ github.repository }}@${{ github.sha }}
+          signoff: true
+          delete-branch: true
+          reviewers: ${{ github.triggering_actor }}
+
+      - name: Summary
+        if: ${{ steps.pull-request.outputs.pull-request-number }}
+        run: echo "${{ steps.pull-request.outputs.pull-request-operation}} ${{ steps.pull-request.outputs.pull-request-url }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/vet.yml

@@ -0,0 +1,38 @@
+name: tailscale.com/cmd/vet
+
+env:
+  HOME: ${{ github.workspace }}
+  # GOMODCACHE is the same definition on all OSes. Within the workspace, we use
+  # toplevel directories "src" (for the checked out source code), and "gomodcache"
+  # and other caches as siblings to follow.
+  GOMODCACHE: ${{ github.workspace }}/gomodcache
+
+on:
+  push:
+    branches:
+      - main
+      - "release-branch/*"
+    paths:
+      - "**.go"
+  pull_request:
+    paths:
+      - "**.go"
+
+jobs:
+  vet:
+    runs-on: [ self-hosted, linux ]
+    timeout-minutes: 5
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          path: src
+
+      - name: Build 'go vet' tool
+        working-directory: src
+        run: ./tool/go build -o /tmp/vettool tailscale.com/cmd/vet
+
+      - name: Run 'go vet'
+        working-directory: src
+        run: ./tool/go vet -vettool=/tmp/vettool tailscale.com/...

.github/workflows/vm.yml

@@ -1,51 +0,0 @@
-name: VM
-
-on:
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  ubuntu2004-LTS-cloud-base:
-    runs-on: [ self-hosted, linux, vm ]
-
-    if: "(github.repository == 'tailscale/tailscale') && !contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-      - name: Set GOPATH
-        run: echo "GOPATH=$HOME/go" >> $GITHUB_ENV
-
-      - name: Checkout Code
-        uses: actions/checkout@v3
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
-      - name: Run VM tests
-        run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
-        env:
-          HOME: "/tmp"
-          TMPDIR: "/tmp"
-          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
-
-      - uses: k0kubun/action-slack@v2.0.0
-        with:
-          payload: |
-            {
-              "attachments": [{
-                "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                        "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                        "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-                "color": "danger"
-              }]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-        if: failure() && github.event_name == 'push'

.github/workflows/webclient.yml

@@ -0,0 +1,38 @@
+name: webclient
+on:
+  workflow_dispatch:
+  # For now, only run on requests, not the main branches.
+  pull_request:
+    paths:
+      - "client/web/**"
+      - ".github/workflows/webclient.yml"
+      - "!**.md"
+  # TODO(soniaappasamy): enable for main branch after an initial waiting period.
+  #push:
+  #  branches:
+  #    - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  webclient:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - name: Install deps
+        run: ./tool/yarn --cwd client/web
+      - name: Run lint
+        run: ./tool/yarn --cwd client/web run --silent lint
+      - name: Run test
+        run: ./tool/yarn --cwd client/web run --silent test
+      - name: Run formatter check
+        run: |
+          ./tool/yarn --cwd client/web run --silent format-check || ( \
+            echo "Run this command on your local device to fix the error:" && \
+            echo "" && \
+            echo "  ./tool/yarn --cwd client/web format" && \
+            echo "" && exit 1)

.github/workflows/windows.yml

@@ -1,67 +0,0 @@
-name: Windows
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: windows-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Install Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike some other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        # TODO(raggi): add a go version here.
-        key: ${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
-
-    - name: Test
-      # Don't use -bench=. -benchtime=1x.
-      # Somewhere in the layers (powershell?)
-      # the equals signs cause great confusion.
-      run: go test -bench . -benchtime 1x ./...
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-

.gitignore

@@ -9,6 +9,7 @@
 
 cmd/tailscale/tailscale
 cmd/tailscaled/tailscaled
+ssh/tailssh/testcontainers/tailscaled
 
 # Test binary, built with `go test -c`
 *.test
@@ -26,5 +27,28 @@ cmd/tailscaled/tailscaled
 # Ignore personal VS Code settings
 .vscode/
 
+# Support personal project-specific GOPATH
+.gopath/
+
+# Ignore nix build result path
+/result
+
 # Ignore direnv nix-shell environment cache
 .direnv/
+
+# Ignore web client node modules
+.vite/
+client/web/node_modules
+client/web/build/assets
+
+/gocross
+/dist
+
+# Ignore xcode userstate and workspace data
+*.xcuserstate
+*.xcworkspacedata
+/tstest/tailmac/bin
+/tstest/tailmac/build
+
+# Ignore personal IntelliJ settings
+.idea/

.golangci.yml

@@ -0,0 +1,110 @@
+version: "2"
+# Configuration for how we run golangci-lint
+# Timeout of 5m was the default in v1.
+run:
+  timeout: 5m
+linters:
+  # Don't enable any linters by default; just the ones that we explicitly
+  # enable in the list below.
+  default: none
+  enable:
+    - bidichk
+    - govet
+    - misspell
+    - revive
+  settings:
+    # Matches what we use in corp as of 2023-12-07
+    govet:
+      enable:
+        - asmdecl
+        - assign
+        - atomic
+        - bools
+        - buildtag
+        - cgocall
+        - copylocks
+        - deepequalerrors
+        - errorsas
+        - framepointer
+        - httpresponse
+        - ifaceassert
+        - loopclosure
+        - lostcancel
+        - nilfunc
+        - nilness
+        - printf
+        - reflectvaluecompare
+        - shift
+        - sigchanyzer
+        - sortslice
+        - stdmethods
+        - stringintconv
+        - structtag
+        - testinggoroutine
+        - tests
+        - unmarshal
+        - unreachable
+        - unsafeptr
+        - unusedresult
+      settings:
+        printf:
+          # List of print function names to check (in addition to default)
+          funcs:
+            - github.com/tailscale/tailscale/types/logger.Discard
+            # NOTE(andrew-d): this doesn't currently work because the printf
+            # analyzer doesn't support type declarations
+            #- github.com/tailscale/tailscale/types/logger.Logf
+    revive:
+      enable-all-rules: false
+      rules:
+        - name: atomic
+        - name: context-keys-type
+        - name: defer
+          arguments: [[
+              # Calling 'recover' at the time a defer is registered (i.e. "defer recover()") has no effect.
+              "immediate-recover",
+              # Calling 'recover' outside of a deferred function has no effect
+              "recover",
+              # Returning values from a deferred function has no effect
+              "return",
+          ]]
+        - name: duplicated-imports
+        - name: errorf
+        - name: string-of-int
+        - name: time-equal
+        - name: unconditional-recursion
+        - name: useless-break
+        - name: waitgroup-by-value
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      # These are forks of an upstream package and thus are exempt from stylistic
+      # changes that would make pulling in upstream changes harder.
+      - path: tempfork/.*\.go
+        text: File is not `gofmt`-ed with `-s` `-r 'interface{} -> any'`
+      - path: util/singleflight/.*\.go
+        text: File is not `gofmt`-ed with `-s` `-r 'interface{} -> any'`
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  settings:
+    gofmt:
+      rewrite-rules:
+        - pattern: interface{}
+          replacement: any
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

ALPINE.txt

@@ -1 +1 @@
-3.16
+3.22

CODEOWNERS

@@ -0,0 +1 @@
+/tailcfg/ @tailscale/control-protocol-owners

CODE_OF_CONDUCT.md

@@ -1,135 +1,103 @@
-# Contributor Covenant Code of Conduct
+# Tailscale Community Code of Conduct
 
 ## Our Pledge
 
-We as members, contributors, and leaders pledge to make participation
-in our community a harassment-free experience for everyone, regardless
-of age, body size, visible or invisible disability, ethnicity, sex
-characteristics, gender identity and expression, level of experience,
-education, socio-economic status, nationality, personal appearance,
-race, religion, or sexual identity and orientation.
-
-We pledge to act and interact in ways that contribute to an open,
-welcoming, diverse, inclusive, and healthy community.
+We are committed to creating an open, welcoming, diverse, inclusive, healthy and respectful community.
+Unacceptable, harmful and inappropriate behavior will not be tolerated.
 
 ## Our Standards
 
-Examples of behavior that contributes to a positive environment for
-our community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our
-  mistakes, and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the
-  overall community
-
-Examples of unacceptable behavior include:
+Examples of behavior that contributes to a positive environment for our community include:
 
-* The use of sexualized language or imagery, and sexual attention or
-  advances of any kind
-* Trolling, insulting or derogatory comments, and personal or
-  political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email
-  address, without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in
-  a professional setting
+- Demonstrating empathy and kindness toward other people.
+- Being respectful of differing opinions, viewpoints, and experiences.
+- Giving and gracefully accepting constructive feedback.
+- Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience.
+- Focusing on what is best not just for us as individuals, but for the overall community.
 
-## Enforcement Responsibilities
+Examples of unacceptable behavior include without limitation:
 
-Community leaders are responsible for clarifying and enforcing our
-standards of acceptable behavior and will take appropriate and fair
-corrective action in response to any behavior that they deem
-inappropriate, threatening, offensive, or harmful.
+- The use of language, imagery or emojis (collectively "content") that is racist, sexist, homophobic, transphobic, or otherwise harassing or discriminatory based on any protected characteristic.
+- The use of sexualized content and sexual attention or advances of any kind.
+- The use of violent, intimidating or bullying content.
+- Trolling, concern trolling, insulting or derogatory comments, and personal or political attacks.
+- Public or private harassment.
+- Publishing others' personal information, such as a photo, physical address, email address, online profile information, or other personal information, without their explicit permission or with the intent to bully or harass the other person.
+- Posting deep fake or other AI generated content about or involving another person without the explicit permission.
+- Spamming community channels and members, such as sending repeat messages, low-effort content, or automated messages.
+- Phishing or any similar activity.
+- Distributing or promoting malware.
+- The use of any coded or suggestive content to hide or provoke otherwise unacceptable behavior.
+- Other conduct which could reasonably be considered harmful, illegal, or inappropriate in a professional setting.
 
-Community leaders have the right and responsibility to remove, edit,
-or reject comments, commits, code, wiki edits, issues, and other
-contributions that are not aligned to this Code of Conduct, and will
-communicate reasons for moderation decisions when appropriate.
+Please also see the Tailscale Acceptable Use Policy, available at [tailscale.com/tailscale-aup](https://tailscale.com/tailscale-aup).
 
-## Scope
+## Reporting Incidents
 
-This Code of Conduct applies within all community spaces, and also
-applies when an individual is officially representing the community in
-public spaces. Examples of representing our community include using an
-official e-mail address, posting via an official social media account,
-or acting as an appointed representative at an online or offline
-event.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to Tailscale directly via <info@tailscale.com>, or to the community leaders or moderators via DM or similar.
+All complaints will be reviewed and investigated promptly and fairly.
+We will respect the privacy and safety of the reporter of any issues.
 
-## Enforcement
+Please note that this community is not moderated by staff 24/7, and we do not have, and do not undertake, any obligation to prescreen, monitor, edit, or remove any content or data, or to actively seek facts or circumstances indicating illegal activity.
+While we strive to keep the community safe and welcoming, moderation may not be immediate at all hours.
+If you encounter any issues, report them using the appropriate channels.
 
-Instances of abusive, harassing, or otherwise unacceptable behavior
-may be reported to the community leaders responsible for enforcement
-at [info@tailscale.com](mailto:info@tailscale.com). All complaints
-will be reviewed and investigated promptly and fairly.
+## Enforcement Guidelines
 
-All community leaders are obligated to respect the privacy and
-security of the reporter of any incident.
+Community leaders and moderators are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
 
-## Enforcement Guidelines
+Community leaders and moderators have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Community Code of Conduct.
+Tailscale retains full discretion to take action (or not) in response to a violation of these guidelines with or without notice or liability to you.
+We will interpret our policies and resolve disputes in favor of protecting users, customers, the public, our community and our company, as a whole.
 
-Community leaders will follow these Community Impact Guidelines in
-determining the consequences for any action they deem in violation of
-this Code of Conduct:
+Community leaders will follow these community enforcement guidelines in determining the consequences for any action they deem in violation of this Code of Conduct,
+and retain full discretion to apply the enforcement guidelines as necessary depending on the circumstances:
 
 ### 1. Correction
 
-**Community Impact**: Use of inappropriate language or other behavior
-deemed unprofessional or unwelcome in the community.
+Community Impact: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
 
-**Consequence**: A private, written warning from community leaders,
-providing clarity around the nature of the violation and an
-explanation of why the behavior was inappropriate. A public apology
-may be requested.
+Consequence: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate.
+A public apology may be requested.
 
 ### 2. Warning
 
-**Community Impact**: A violation through a single incident or series
-of actions.
+Community Impact: A violation through a single incident or series of actions.
 
-**Consequence**: A warning with consequences for continued
-behavior. No interaction with the people involved, including
-unsolicited interaction with those enforcing the Code of Conduct, for
-a specified period of time. This includes avoiding interactions in
-community spaces as well as external channels like social
-media. Violating these terms may lead to a temporary or permanent ban.
+Consequence: A warning with consequences for continued behavior.
+No interaction with the people involved, including unsolicited interaction with those enforcing this Community Code of Conduct, for a specified period of time.
+This includes avoiding interactions in community spaces as well as external channels like social media.
+Violating these terms may lead to a temporary or permanent ban.
 
 ### 3. Temporary Ban
 
-**Community Impact**: A serious violation of community standards,
-including sustained inappropriate behavior.
+Community Impact: A serious violation of community standards, including sustained inappropriate behavior.
 
-**Consequence**: A temporary ban from any sort of interaction or
-public communication with the community for a specified period of
-time. No public or private interaction with the people involved,
-including unsolicited interaction with those enforcing the Code of
-Conduct, is allowed during this period. Violating these terms may lead
-to a permanent ban.
+Consequence: A temporary ban from any sort of interaction or public communication with the community for a specified period of time.
+No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
 
 ### 4. Permanent Ban
 
-**Community Impact**: Demonstrating a pattern of violation of
-community standards, including sustained inappropriate behavior,
-harassment of an individual, or aggression toward or disparagement of
-classes of individuals.
+Community Impact: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
 
-**Consequence**: A permanent ban from any sort of public interaction
-within the community.
+Consequence: A permanent ban from any sort of public interaction within the community.
+
+## Acceptable Use Policy
+
+Violation of this Community Code of Conduct may also violate the Tailscale Acceptable Use Policy, which may result in suspension or termination of your Tailscale account.
+For more information, please see the Tailscale Acceptable Use Policy, available at [tailscale.com/tailscale-aup](https://tailscale.com/tailscale-aup).
+
+## Privacy
+
+Please see the Tailscale [Privacy Policy](https://tailscale.com/privacy-policy) for more information about how Tailscale collects, uses, discloses and protects information.
 
 ## Attribution
 
-This Code of Conduct is adapted from the [Contributor
-Covenant][homepage], version 2.0, available at
-https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0, available at <https://www.contributor-covenant.org/version/2/0/code_of_conduct.html>.
 
-Community Impact Guidelines were inspired by [Mozilla's code of
-conduct enforcement ladder](https://github.com/mozilla/diversity).
+Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
 
 [homepage]: https://www.contributor-covenant.org
 
-For answers to common questions about this code of conduct, see the
-FAQ at https://www.contributor-covenant.org/faq. Translations are
-available at https://www.contributor-covenant.org/translations.
-
+For answers to common questions about this code of conduct, see the FAQ at <https://www.contributor-covenant.org/faq>.
+Translations are available at <https://www.contributor-covenant.org/translations>.

Dockerfile

@@ -1,18 +1,22 @@
-# Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
 
-############################################################################
+# Note that this Dockerfile is currently NOT used to build any of the published
+# Tailscale container images and may have drifted from the image build mechanism
+# we use.
+# Tailscale images are currently built using https://github.com/tailscale/mkctr,
+# and the build script can be found in ./build_docker.sh.
 #
-# WARNING: Tailscale is not yet officially supported in container
-# environments, such as Docker and Kubernetes. Though it should work, we
-# don't regularly test it, and we know there are some feature limitations.
+# If you want to build local images for testing, you can use make.
 #
-# See current bugs tagged "containers":
-#    https://github.com/tailscale/tailscale/labels/containers
+# To build a Tailscale image and push to the local docker registry:
+#
+#   $ REPO=local/tailscale TAGS=v0.0.1 PLATFORM=local  make publishdevimage
+#
+# To build a Tailscale image and push to a remote docker registry:
+#
+#   $ REPO=<your-registry>/<your-repo>/tailscale TAGS=v0.0.1  make publishdevimage
 #
-############################################################################
-
 # This Dockerfile includes all the tailscale binaries.
 #
 # To build the Dockerfile:
@@ -32,7 +36,7 @@
 #     $ docker exec tailscaled tailscale status
 
 
-FROM golang:1.19-alpine AS build-env
+FROM golang:1.25-alpine AS build-env
 
 WORKDIR /go/src/tailscale
 
@@ -47,9 +51,8 @@ RUN go install \
     gvisor.dev/gvisor/pkg/tcpip/stack \
     golang.org/x/crypto/ssh \
     golang.org/x/crypto/acme \
-    nhooyr.io/websocket \
-    github.com/mdlayher/netlink \
-    golang.zx2c4.com/wireguard/device
+    github.com/coder/websocket \
+    github.com/mdlayher/netlink
 
 COPY . .
 
@@ -63,15 +66,22 @@ ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
 ARG TARGETARCH
 
 RUN GOARCH=$TARGETARCH go install -ldflags="\
-      -X tailscale.com/version.Long=$VERSION_LONG \
-      -X tailscale.com/version.Short=$VERSION_SHORT \
-      -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \
+      -X tailscale.com/version.longStamp=$VERSION_LONG \
+      -X tailscale.com/version.shortStamp=$VERSION_SHORT \
+      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
       -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot
 
-FROM alpine:3.16
+FROM alpine:3.22
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+# Alpine 3.19 replaced legacy iptables with nftables based implementation.
+# Tailscale is used on some hosts that don't support nftables, such as Synology
+# NAS, so link iptables back to legacy version. Hosts that don't require legacy
+# iptables should be able to use Tailscale in nftables mode.  See
+# https://github.com/tailscale/tailscale/issues/17854
+RUN rm /usr/sbin/iptables && ln -s /usr/sbin/iptables-legacy /usr/sbin/iptables
+RUN rm /usr/sbin/ip6tables && ln -s /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables
 
 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be
 # using build_docker.sh which sets an entrypoint for the image.
-RUN ln -s /usr/local/bin/containerboot /tailscale/run.sh
+RUN mkdir /tailscale && ln -s /usr/local/bin/containerboot /tailscale/run.sh

Dockerfile.base

@@ -1,6 +1,12 @@
-# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
 
-FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+FROM alpine:3.22
+RUN apk add --no-cache ca-certificates iptables iptables-legacy iproute2 ip6tables iputils
+# Alpine 3.19 replaced legacy iptables with nftables based implementation.
+# Tailscale is used on some hosts that don't support nftables, such as Synology
+# NAS, so link iptables back to legacy version. Hosts that don't require legacy
+# iptables should be able to use Tailscale in nftables mode.  See
+# https://github.com/tailscale/tailscale/issues/17854
+RUN rm /usr/sbin/iptables && ln -s /usr/sbin/iptables-legacy /usr/sbin/iptables
+RUN rm /usr/sbin/ip6tables && ln -s /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables

LICENSE

@@ -1,7 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2020 Tailscale & AUTHORS.
-All rights reserved.
+Copyright (c) 2020 Tailscale Inc & AUTHORS.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:

Makefile

@@ -1,75 +1,161 @@
 IMAGE_REPO ?= tailscale/tailscale
-SYNO_ARCH ?= "amd64"
+SYNO_ARCH ?= "x86_64"
 SYNO_DSM ?= "7"
+TAGS ?= "latest"
 
-usage:
-	echo "See Makefile"
+PLATFORM ?= "flyio" ## flyio==linux/amd64. Set to "" to build all platforms.
 
-vet:
+vet: ## Run go vet
 	./tool/go vet ./...
 
-tidy:
+tidy: ## Run go mod tidy and update nix flake hashes
 	./tool/go mod tidy
+	./update-flake.sh
 
-updatedeps:
-	./tool/go run github.com/tailscale/depaware --update \
+lint: ## Run golangci-lint
+	./tool/go run github.com/golangci/golangci-lint/cmd/golangci-lint run
+
+updatedeps: ## Update depaware deps
+	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
+	# it finds in its $$PATH is the right one.
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update --vendor --internal \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper
-
-depaware:
-	./tool/go run github.com/tailscale/depaware --check \
+		tailscale.com/cmd/derper \
+		tailscale.com/cmd/k8s-operator \
+		tailscale.com/cmd/stund \
+		tailscale.com/cmd/tsidp
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update --goos=linux,darwin,windows,android,ios --vendor --internal \
+		tailscale.com/tsnet
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update --file=depaware-minbox.txt --goos=linux --tags="$$(./tool/go run ./cmd/featuretags --min --add=cli)" --vendor --internal \
+		tailscale.com/cmd/tailscaled
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update --file=depaware-min.txt --goos=linux --tags="$$(./tool/go run ./cmd/featuretags --min)" --vendor --internal \
+		tailscale.com/cmd/tailscaled
+
+depaware: ## Run depaware checks
+	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
+	# it finds in its $$PATH is the right one.
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check --vendor --internal \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper
-
-buildwindows:
+		tailscale.com/cmd/derper \
+		tailscale.com/cmd/k8s-operator \
+		tailscale.com/cmd/stund \
+		tailscale.com/cmd/tsidp
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check --goos=linux,darwin,windows,android,ios --vendor --internal \
+		tailscale.com/tsnet
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check --file=depaware-minbox.txt --goos=linux --tags="$$(./tool/go run ./cmd/featuretags --min --add=cli)" --vendor --internal \
+		tailscale.com/cmd/tailscaled
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check --file=depaware-min.txt --goos=linux --tags="$$(./tool/go run ./cmd/featuretags --min)" --vendor --internal \
+		tailscale.com/cmd/tailscaled
+
+buildwindows: ## Build tailscale CLI for windows/amd64
 	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
 
-build386:
+build386: ## Build tailscale CLI for linux/386
 	GOOS=linux GOARCH=386 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
 
-buildlinuxarm:
+buildlinuxarm: ## Build tailscale CLI for linux/arm
 	GOOS=linux GOARCH=arm ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
 
-buildwasm:
+buildwasm: ## Build tailscale CLI for js/wasm
 	GOOS=js GOARCH=wasm ./tool/go install ./cmd/tsconnect/wasm ./cmd/tailscale/cli
 
-buildlinuxloong64:
+buildplan9:
+	GOOS=plan9 GOARCH=amd64 ./tool/go install ./cmd/tailscale ./cmd/tailscaled
+
+buildlinuxloong64: ## Build tailscale CLI for linux/loong64
 	GOOS=linux GOARCH=loong64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
 
-buildmultiarchimage:
+buildmultiarchimage: ## Build (and optionally push) multiarch docker image
 	./build_docker.sh
 
-check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm
+check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm ## Perform basic checks and compilation tests
+
+staticcheck: ## Run staticcheck.io checks
+	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go run ./tool/listpkgs --ignore-3p  ./...)
+
+kube-generate-all: kube-generate-deepcopy ## Refresh generated files for Tailscale Kubernetes Operator
+	./tool/go generate ./cmd/k8s-operator
 
-staticcheck:
-	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)
+# Tailscale operator watches Connector custom resources in a Kubernetes cluster
+# and caches them locally. Caching is done implicitly by controller-runtime
+# library (the middleware used by Tailscale operator to create kube control
+# loops). When a Connector resource is GET/LIST-ed from within our control loop,
+# the request goes through the cache. To ensure that cache contents don't get
+# modified by control loops, controller-runtime deep copies the requested
+# object. In order for this to work, Connector must implement deep copy
+# functionality so we autogenerate it here.
+# https://github.com/kubernetes-sigs/controller-runtime/blob/v0.16.3/pkg/cache/internal/cache_reader.go#L86-L89
+kube-generate-deepcopy: ## Refresh generated deepcopy functionality for Tailscale kube API types
+	./scripts/kube-deepcopy.sh
 
-spk:
-	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o tailscale.spk --source=. --goarch=${SYNO_ARCH} --dsm-version=${SYNO_DSM}
+spk: ## Build synology package for ${SYNO_ARCH} architecture and ${SYNO_DSM} DSM version
+	./tool/go run ./cmd/dist build synology/dsm${SYNO_DSM}/${SYNO_ARCH}
 
-spkall:
-	mkdir -p spks
-	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o spks --source=. --goarch=all --dsm-version=all
+spkall: ## Build synology packages for all architectures and DSM versions
+	./tool/go run ./cmd/dist build synology
 
-pushspk: spk
+pushspk: spk ## Push and install synology package on ${SYNO_HOST} host
 	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."
 	scp tailscale.spk root@${SYNO_HOST}:
 	ssh root@${SYNO_HOST} /usr/syno/bin/synopkg install tailscale.spk
 
-publishdevimage:
-	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS=latest REPOS=${REPO} PUSH=true TARGET=client ./build_docker.sh
-
-publishdevoperator:
-	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS=latest REPOS=${REPO} PUSH=true TARGET=operator ./build_docker.sh
+.PHONY: check-image-repo
+check-image-repo:
+	@if [ -z "$(REPO)" ]; then \
+		echo "REPO=... required; e.g. REPO=ghcr.io/$$USER/tailscale" >&2; \
+		exit 1; \
+	fi
+	@for repo in tailscale/tailscale ghcr.io/tailscale/tailscale \
+		tailscale/k8s-operator ghcr.io/tailscale/k8s-operator \
+		tailscale/k8s-nameserver ghcr.io/tailscale/k8s-nameserver \
+		tailscale/tsidp ghcr.io/tailscale/tsidp \
+		tailscale/k8s-proxy ghcr.io/tailscale/k8s-proxy; do \
+		if [ "$(REPO)" = "$$repo" ]; then \
+			echo "REPO=... must not be $$repo" >&2; \
+			exit 1; \
+		fi; \
+	done
+
+publishdevimage: check-image-repo ## Build and publish tailscale image to location specified by ${REPO}
+	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=client ./build_docker.sh
+
+publishdevoperator: check-image-repo ## Build and publish k8s-operator image to location specified by ${REPO}
+	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=k8s-operator ./build_docker.sh
+
+publishdevnameserver: check-image-repo ## Build and publish k8s-nameserver image to location specified by ${REPO}
+	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=k8s-nameserver ./build_docker.sh
+
+publishdevtsidp: check-image-repo ## Build and publish tsidp image to location specified by ${REPO}
+	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=tsidp ./build_docker.sh
+
+publishdevproxy: check-image-repo ## Build and publish k8s-proxy image to location specified by ${REPO}
+	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=k8s-proxy ./build_docker.sh
+
+.PHONY: sshintegrationtest
+sshintegrationtest: ## Run the SSH integration tests in various Docker containers
+	@GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \
+	GOOS=linux GOARCH=amd64 CGO_ENABLED=0 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \
+	echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \
+	echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \
+	echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \
+	echo "Testing on alpine:latest" && docker build --build-arg="BASE=alpine:latest" -t ssh-alpine-latest ssh/tailssh/testcontainers
+
+.PHONY: generate
+generate: ## Generate code
+	./tool/go generate ./...
+
+.PHONY: pin-github-actions
+pin-github-actions:
+	./tool/go tool github.com/stacklok/frizbee actions .github/workflows
+
+help: ## Show this help
+	@echo ""
+	@echo "Specify a command. The choices are:"
+	@echo ""
+	@grep -hE '^[0-9a-zA-Z_-]+:.*?## .*$$' ${MAKEFILE_LIST} | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[0;36m%-20s\033[m %s\n", $$1, $$2}'
+	@echo ""
+.PHONY: help
+
+.DEFAULT_GOAL := help

README.md

@@ -37,7 +37,7 @@ not open source.
 
 ## Building
 
-We always require the latest Go release, currently Go 1.19. (While we build
+We always require the latest Go release, currently Go 1.25. (While we build
 releases with our [Go fork](https://github.com/tailscale/go/), its use is not
 required.)
 
@@ -71,8 +71,7 @@ We require [Developer Certificate of
 Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)
 `Signed-off-by` lines in commits.
 
-See `git log` for our commit message style. It's basically the same as
-[Go's style](https://github.com/golang/go/wiki/CommitMessage).
+See [commit-messages.md](docs/commit-messages.md) (or skim `git log`) for our commit message style.
 
 ## About Us
 

VERSION.txt

@@ -1 +1 @@
-1.35.0
+1.95.0

appc/appconnector.go

@@ -0,0 +1,527 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package appc implements App Connectors.
+// An AppConnector provides DNS domain oriented routing of traffic. An App
+// Connector becomes a DNS server for a peer, authoritative for the set of
+// configured domains. DNS resolution of the target domain triggers dynamic
+// publication of routes to ensure that traffic to the domain is routed through
+// the App Connector.
+package appc
+
+import (
+	"context"
+	"fmt"
+	"maps"
+	"net/netip"
+	"slices"
+	"strings"
+	"time"
+
+	"tailscale.com/syncs"
+	"tailscale.com/types/appctype"
+	"tailscale.com/types/logger"
+	"tailscale.com/types/views"
+	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/dnsname"
+	"tailscale.com/util/eventbus"
+	"tailscale.com/util/execqueue"
+	"tailscale.com/util/slicesx"
+)
+
+// rateLogger responds to calls to update by adding a count for the current period and
+// calling the callback if any previous period has finished since update was last called
+type rateLogger struct {
+	interval    time.Duration
+	start       time.Time
+	periodStart time.Time
+	periodCount int64
+	now         func() time.Time
+	callback    func(int64, time.Time, int64)
+}
+
+func (rl *rateLogger) currentIntervalStart(now time.Time) time.Time {
+	millisSince := now.Sub(rl.start).Milliseconds() % rl.interval.Milliseconds()
+	return now.Add(-(time.Duration(millisSince)) * time.Millisecond)
+}
+
+func (rl *rateLogger) update(numRoutes int64) {
+	now := rl.now()
+	periodEnd := rl.periodStart.Add(rl.interval)
+	if periodEnd.Before(now) {
+		if rl.periodCount != 0 {
+			rl.callback(rl.periodCount, rl.periodStart, numRoutes)
+		}
+		rl.periodCount = 0
+		rl.periodStart = rl.currentIntervalStart(now)
+	}
+	rl.periodCount++
+}
+
+func newRateLogger(now func() time.Time, interval time.Duration, callback func(int64, time.Time, int64)) *rateLogger {
+	nowTime := now()
+	return &rateLogger{
+		callback:    callback,
+		now:         now,
+		interval:    interval,
+		start:       nowTime,
+		periodStart: nowTime,
+	}
+}
+
+// RouteAdvertiser is an interface that allows the AppConnector to advertise
+// newly discovered routes that need to be served through the AppConnector.
+type RouteAdvertiser interface {
+	// AdvertiseRoute adds one or more route advertisements skipping any that
+	// are already advertised.
+	AdvertiseRoute(...netip.Prefix) error
+
+	// UnadvertiseRoute removes any matching route advertisements.
+	UnadvertiseRoute(...netip.Prefix) error
+}
+
+var (
+	metricStoreRoutesRateBuckets = []int64{1, 2, 3, 4, 5, 10, 100, 1000}
+	metricStoreRoutesNBuckets    = []int64{1, 2, 3, 4, 5, 10, 100, 1000, 10000}
+	metricStoreRoutesRate        []*clientmetric.Metric
+	metricStoreRoutesN           []*clientmetric.Metric
+)
+
+func initMetricStoreRoutes() {
+	for _, n := range metricStoreRoutesRateBuckets {
+		metricStoreRoutesRate = append(metricStoreRoutesRate, clientmetric.NewCounter(fmt.Sprintf("appc_store_routes_rate_%d", n)))
+	}
+	metricStoreRoutesRate = append(metricStoreRoutesRate, clientmetric.NewCounter("appc_store_routes_rate_over"))
+	for _, n := range metricStoreRoutesNBuckets {
+		metricStoreRoutesN = append(metricStoreRoutesN, clientmetric.NewCounter(fmt.Sprintf("appc_store_routes_n_routes_%d", n)))
+	}
+	metricStoreRoutesN = append(metricStoreRoutesN, clientmetric.NewCounter("appc_store_routes_n_routes_over"))
+}
+
+func recordMetric(val int64, buckets []int64, metrics []*clientmetric.Metric) {
+	if len(buckets) < 1 {
+		return
+	}
+	// finds the first bucket where val <=, or len(buckets) if none match
+	// for bucket values of 1, 10, 100; 0-1 goes to [0], 2-10 goes to [1], 11-100 goes to [2], 101+ goes to [3]
+	bucket, _ := slices.BinarySearch(buckets, val)
+	metrics[bucket].Add(1)
+}
+
+func metricStoreRoutes(rate, nRoutes int64) {
+	if len(metricStoreRoutesRate) == 0 {
+		initMetricStoreRoutes()
+	}
+	recordMetric(rate, metricStoreRoutesRateBuckets, metricStoreRoutesRate)
+	recordMetric(nRoutes, metricStoreRoutesNBuckets, metricStoreRoutesN)
+}
+
+// AppConnector is an implementation of an AppConnector that performs
+// its function as a subsystem inside of a tailscale node. At the control plane
+// side App Connector routing is configured in terms of domains rather than IP
+// addresses.
+// The AppConnectors responsibility inside tailscaled is to apply the routing
+// and domain configuration as supplied in the map response.
+// DNS requests for configured domains are observed. If the domains resolve to
+// routes not yet served by the AppConnector the local node configuration is
+// updated to advertise the new route.
+type AppConnector struct {
+	// These fields are immutable after initialization.
+	logf            logger.Logf
+	eventBus        *eventbus.Bus
+	routeAdvertiser RouteAdvertiser
+	pubClient       *eventbus.Client
+	updatePub       *eventbus.Publisher[appctype.RouteUpdate]
+	storePub        *eventbus.Publisher[appctype.RouteInfo]
+
+	// hasStoredRoutes records whether the connector was initialized with
+	// persisted route information.
+	hasStoredRoutes bool
+
+	// mu guards the fields that follow
+	mu syncs.Mutex
+
+	// domains is a map of lower case domain names with no trailing dot, to an
+	// ordered list of resolved IP addresses.
+	domains map[string][]netip.Addr
+
+	// controlRoutes is the list of routes that were last supplied by control.
+	controlRoutes []netip.Prefix
+
+	// wildcards is the list of domain strings that match subdomains.
+	wildcards []string
+
+	// queue provides ordering for update operations
+	queue execqueue.ExecQueue
+
+	writeRateMinute *rateLogger
+	writeRateDay    *rateLogger
+}
+
+// Config carries the settings for an [AppConnector].
+type Config struct {
+	// Logf is the logger to which debug logs from the connector will be sent.
+	// It must be non-nil.
+	Logf logger.Logf
+
+	// EventBus receives events when the collection of routes maintained by the
+	// connector is updated. It must be non-nil.
+	EventBus *eventbus.Bus
+
+	// RouteAdvertiser allows the connector to update the set of advertised routes.
+	RouteAdvertiser RouteAdvertiser
+
+	// RouteInfo, if non-nil, use used as the initial set of routes for the
+	// connector.  If nil, the connector starts empty.
+	RouteInfo *appctype.RouteInfo
+
+	// HasStoredRoutes indicates that the connector should assume stored routes.
+	HasStoredRoutes bool
+}
+
+// NewAppConnector creates a new AppConnector.
+func NewAppConnector(c Config) *AppConnector {
+	switch {
+	case c.Logf == nil:
+		panic("missing logger")
+	case c.EventBus == nil:
+		panic("missing event bus")
+	}
+	ec := c.EventBus.Client("appc.AppConnector")
+
+	ac := &AppConnector{
+		logf:            logger.WithPrefix(c.Logf, "appc: "),
+		eventBus:        c.EventBus,
+		pubClient:       ec,
+		updatePub:       eventbus.Publish[appctype.RouteUpdate](ec),
+		storePub:        eventbus.Publish[appctype.RouteInfo](ec),
+		routeAdvertiser: c.RouteAdvertiser,
+		hasStoredRoutes: c.HasStoredRoutes,
+	}
+	if c.RouteInfo != nil {
+		ac.domains = c.RouteInfo.Domains
+		ac.wildcards = c.RouteInfo.Wildcards
+		ac.controlRoutes = c.RouteInfo.Control
+	}
+	ac.writeRateMinute = newRateLogger(time.Now, time.Minute, func(c int64, s time.Time, ln int64) {
+		ac.logf("routeInfo write rate: %d in minute starting at %v (%d routes)", c, s, ln)
+		metricStoreRoutes(c, ln)
+	})
+	ac.writeRateDay = newRateLogger(time.Now, 24*time.Hour, func(c int64, s time.Time, ln int64) {
+		ac.logf("routeInfo write rate: %d in 24 hours starting at %v (%d routes)", c, s, ln)
+	})
+	return ac
+}
+
+// ShouldStoreRoutes returns true if the appconnector was created with the controlknob on
+// and is storing its discovered routes persistently.
+func (e *AppConnector) ShouldStoreRoutes() bool { return e.hasStoredRoutes }
+
+// storeRoutesLocked takes the current state of the AppConnector and persists it
+func (e *AppConnector) storeRoutesLocked() {
+	if e.storePub.ShouldPublish() {
+		// log write rate and write size
+		numRoutes := int64(len(e.controlRoutes))
+		for _, rs := range e.domains {
+			numRoutes += int64(len(rs))
+		}
+		e.writeRateMinute.update(numRoutes)
+		e.writeRateDay.update(numRoutes)
+
+		e.storePub.Publish(appctype.RouteInfo{
+			// Clone here, as the subscriber will handle these outside our lock.
+			Control:   slices.Clone(e.controlRoutes),
+			Domains:   maps.Clone(e.domains),
+			Wildcards: slices.Clone(e.wildcards),
+		})
+	}
+}
+
+// ClearRoutes removes all route state from the AppConnector.
+func (e *AppConnector) ClearRoutes() error {
+	e.mu.Lock()
+	defer e.mu.Unlock()
+	e.controlRoutes = nil
+	e.domains = nil
+	e.wildcards = nil
+	e.storeRoutesLocked()
+	return nil
+}
+
+// UpdateDomainsAndRoutes starts an asynchronous update of the configuration
+// given the new domains and routes.
+func (e *AppConnector) UpdateDomainsAndRoutes(domains []string, routes []netip.Prefix) {
+	e.queue.Add(func() {
+		// Add the new routes first.
+		e.updateRoutes(routes)
+		e.updateDomains(domains)
+	})
+}
+
+// UpdateDomains asynchronously replaces the current set of configured domains
+// with the supplied set of domains. Domains must not contain a trailing dot,
+// and should be lower case. If the domain contains a leading '*' label it
+// matches all subdomains of a domain.
+func (e *AppConnector) UpdateDomains(domains []string) {
+	e.queue.Add(func() {
+		e.updateDomains(domains)
+	})
+}
+
+// Wait waits for the currently scheduled asynchronous configuration changes to
+// complete.
+func (e *AppConnector) Wait(ctx context.Context) {
+	e.queue.Wait(ctx)
+}
+
+// Close closes the connector and cleans up resources associated with it.
+// It is safe (and a noop) to call Close on nil.
+func (e *AppConnector) Close() {
+	if e == nil {
+		return
+	}
+	e.mu.Lock()
+	defer e.mu.Unlock()
+	e.queue.Shutdown() // TODO(creachadair): Should we wait for it too?
+	e.pubClient.Close()
+}
+
+func (e *AppConnector) updateDomains(domains []string) {
+	e.mu.Lock()
+	defer e.mu.Unlock()
+
+	var oldDomains map[string][]netip.Addr
+	oldDomains, e.domains = e.domains, make(map[string][]netip.Addr, len(domains))
+	e.wildcards = e.wildcards[:0]
+	for _, d := range domains {
+		d = strings.ToLower(d)
+		if len(d) == 0 {
+			continue
+		}
+		if strings.HasPrefix(d, "*.") {
+			e.wildcards = append(e.wildcards, d[2:])
+			continue
+		}
+		e.domains[d] = oldDomains[d]
+		delete(oldDomains, d)
+	}
+
+	// Ensure that still-live wildcards addresses are preserved as well.
+	for d, addrs := range oldDomains {
+		for _, wc := range e.wildcards {
+			if dnsname.HasSuffix(d, wc) {
+				e.domains[d] = addrs
+				delete(oldDomains, d)
+				break
+			}
+		}
+	}
+
+	// Everything left in oldDomains is a domain we're no longer tracking and we
+	// can unadvertise the routes.
+	if e.hasStoredRoutes {
+		toRemove := []netip.Prefix{}
+		for _, addrs := range oldDomains {
+			for _, a := range addrs {
+				toRemove = append(toRemove, netip.PrefixFrom(a, a.BitLen()))
+			}
+		}
+
+		if len(toRemove) != 0 {
+			if ra := e.routeAdvertiser; ra != nil {
+				e.queue.Add(func() {
+					if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
+						e.logf("failed to unadvertise routes on domain removal: %v: %v: %v", slicesx.MapKeys(oldDomains), toRemove, err)
+					}
+				})
+			}
+			e.updatePub.Publish(appctype.RouteUpdate{Unadvertise: toRemove})
+		}
+	}
+
+	e.logf("handling domains: %v and wildcards: %v", slicesx.MapKeys(e.domains), e.wildcards)
+}
+
+// updateRoutes merges the supplied routes into the currently configured routes. The routes supplied
+// by control for UpdateRoutes are supplemental to the routes discovered by DNS resolution, but are
+// also more often whole ranges. UpdateRoutes will remove any single address routes that are now
+// covered by new ranges.
+func (e *AppConnector) updateRoutes(routes []netip.Prefix) {
+	e.mu.Lock()
+	defer e.mu.Unlock()
+
+	// If there was no change since the last update, no work to do.
+	if slices.Equal(e.controlRoutes, routes) {
+		return
+	}
+
+	var toRemove []netip.Prefix
+
+	// If we know e.controlRoutes is a good representation of what should be in
+	// AdvertisedRoutes we can stop advertising routes that used to be in
+	// e.controlRoutes but are not in routes.
+	if e.hasStoredRoutes {
+		toRemove = routesWithout(e.controlRoutes, routes)
+	}
+
+nextRoute:
+	for _, r := range routes {
+		for _, addr := range e.domains {
+			for _, a := range addr {
+				if r.Contains(a) && netip.PrefixFrom(a, a.BitLen()) != r {
+					pfx := netip.PrefixFrom(a, a.BitLen())
+					toRemove = append(toRemove, pfx)
+					continue nextRoute
+				}
+			}
+		}
+	}
+
+	if e.routeAdvertiser != nil {
+		e.queue.Add(func() {
+			if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
+				e.logf("failed to advertise routes: %v: %v", routes, err)
+			}
+			if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
+				e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
+			}
+		})
+	}
+	e.updatePub.Publish(appctype.RouteUpdate{
+		Advertise:   routes,
+		Unadvertise: toRemove,
+	})
+
+	e.controlRoutes = routes
+	e.storeRoutesLocked()
+}
+
+// Domains returns the currently configured domain list.
+func (e *AppConnector) Domains() views.Slice[string] {
+	e.mu.Lock()
+	defer e.mu.Unlock()
+
+	return views.SliceOf(slicesx.MapKeys(e.domains))
+}
+
+// DomainRoutes returns a map of domains to resolved IP
+// addresses.
+func (e *AppConnector) DomainRoutes() map[string][]netip.Addr {
+	e.mu.Lock()
+	defer e.mu.Unlock()
+
+	drCopy := make(map[string][]netip.Addr)
+	for k, v := range e.domains {
+		drCopy[k] = append(drCopy[k], v...)
+	}
+
+	return drCopy
+}
+
+// starting from the given domain that resolved to an address, find it, or any
+// of the domains in the CNAME chain toward resolving it, that are routed
+// domains, returning the routed domain name and a bool indicating whether a
+// routed domain was found.
+// e.mu must be held.
+func (e *AppConnector) findRoutedDomainLocked(domain string, cnameChain map[string]string) (string, bool) {
+	var isRouted bool
+	for {
+		_, isRouted = e.domains[domain]
+		if isRouted {
+			break
+		}
+
+		// match wildcard domains
+		for _, wc := range e.wildcards {
+			if dnsname.HasSuffix(domain, wc) {
+				e.domains[domain] = nil
+				isRouted = true
+				break
+			}
+		}
+
+		next, ok := cnameChain[domain]
+		if !ok {
+			break
+		}
+		domain = next
+	}
+	return domain, isRouted
+}
+
+// isAddrKnownLocked returns true if the address is known to be associated with
+// the given domain. Known domain tables are updated for covered routes to speed
+// up future matches.
+// e.mu must be held.
+func (e *AppConnector) isAddrKnownLocked(domain string, addr netip.Addr) bool {
+	if e.hasDomainAddrLocked(domain, addr) {
+		return true
+	}
+	for _, route := range e.controlRoutes {
+		if route.Contains(addr) {
+			// record the new address associated with the domain for faster matching in subsequent
+			// requests and for diagnostic records.
+			e.addDomainAddrLocked(domain, addr)
+			return true
+		}
+	}
+	return false
+}
+
+// scheduleAdvertisement schedules an advertisement of the given address
+// associated with the given domain.
+func (e *AppConnector) scheduleAdvertisement(domain string, routes ...netip.Prefix) {
+	e.queue.Add(func() {
+		if e.routeAdvertiser != nil {
+			if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
+				e.logf("failed to advertise routes for %s: %v: %v", domain, routes, err)
+				return
+			}
+		}
+		e.updatePub.Publish(appctype.RouteUpdate{Advertise: routes})
+		e.mu.Lock()
+		defer e.mu.Unlock()
+
+		for _, route := range routes {
+			if !route.IsSingleIP() {
+				continue
+			}
+			addr := route.Addr()
+			if !e.hasDomainAddrLocked(domain, addr) {
+				e.addDomainAddrLocked(domain, addr)
+				e.logf("[v2] advertised route for %v: %v", domain, addr)
+			}
+		}
+		e.storeRoutesLocked()
+	})
+}
+
+// hasDomainAddrLocked returns true if the address has been observed in a
+// resolution of domain.
+func (e *AppConnector) hasDomainAddrLocked(domain string, addr netip.Addr) bool {
+	_, ok := slices.BinarySearchFunc(e.domains[domain], addr, compareAddr)
+	return ok
+}
+
+// addDomainAddrLocked adds the address to the list of addresses resolved for
+// domain and ensures the list remains sorted. Does not attempt to deduplicate.
+func (e *AppConnector) addDomainAddrLocked(domain string, addr netip.Addr) {
+	e.domains[domain] = append(e.domains[domain], addr)
+	slices.SortFunc(e.domains[domain], compareAddr)
+}
+
+func compareAddr(a, b netip.Addr) int {
+	return a.Compare(b)
+}
+
+// routesWithout returns a without b where a and b
+// are unsorted slices of netip.Prefix
+func routesWithout(a, b []netip.Prefix) []netip.Prefix {
+	m := make(map[netip.Prefix]bool, len(b))
+	for _, p := range b {
+		m[p] = true
+	}
+	return slicesx.Filter(make([]netip.Prefix, 0, len(a)), a, func(p netip.Prefix) bool {
+		return !m[p]
+	})
+}

appc/appconnector_test.go

@@ -0,0 +1,872 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package appc
+
+import (
+	stdcmp "cmp"
+	"fmt"
+	"net/netip"
+	"reflect"
+	"slices"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"golang.org/x/net/dns/dnsmessage"
+	"tailscale.com/appc/appctest"
+	"tailscale.com/tstest"
+	"tailscale.com/types/appctype"
+	"tailscale.com/util/clientmetric"
+	"tailscale.com/util/eventbus/eventbustest"
+	"tailscale.com/util/mak"
+	"tailscale.com/util/must"
+	"tailscale.com/util/slicesx"
+)
+
+func TestUpdateDomains(t *testing.T) {
+	ctx := t.Context()
+	bus := eventbustest.NewBus(t)
+	for _, shouldStore := range []bool{false, true} {
+		a := NewAppConnector(Config{
+			Logf:            t.Logf,
+			EventBus:        bus,
+			HasStoredRoutes: shouldStore,
+		})
+		t.Cleanup(a.Close)
+
+		a.UpdateDomains([]string{"example.com"})
+		a.Wait(ctx)
+		if got, want := a.Domains().AsSlice(), []string{"example.com"}; !slices.Equal(got, want) {
+			t.Errorf("got %v; want %v", got, want)
+		}
+
+		addr := netip.MustParseAddr("192.0.0.8")
+		a.domains["example.com"] = append(a.domains["example.com"], addr)
+		a.UpdateDomains([]string{"example.com"})
+		a.Wait(ctx)
+
+		if got, want := a.domains["example.com"], []netip.Addr{addr}; !slices.Equal(got, want) {
+			t.Errorf("got %v; want %v", got, want)
+		}
+
+		// domains are explicitly downcased on set.
+		a.UpdateDomains([]string{"UP.EXAMPLE.COM"})
+		a.Wait(ctx)
+		if got, want := slicesx.MapKeys(a.domains), []string{"up.example.com"}; !slices.Equal(got, want) {
+			t.Errorf("got %v; want %v", got, want)
+		}
+	}
+}
+
+func TestUpdateRoutes(t *testing.T) {
+	ctx := t.Context()
+	bus := eventbustest.NewBus(t)
+	for _, shouldStore := range []bool{false, true} {
+		w := eventbustest.NewWatcher(t, bus)
+		rc := &appctest.RouteCollector{}
+		a := NewAppConnector(Config{
+			Logf:            t.Logf,
+			EventBus:        bus,
+			RouteAdvertiser: rc,
+			HasStoredRoutes: shouldStore,
+		})
+		t.Cleanup(a.Close)
+
+		a.updateDomains([]string{"*.example.com"})
+
+		// This route should be collapsed into the range
+		if err := a.ObserveDNSResponse(dnsResponse("a.example.com.", "192.0.2.1")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
+		a.Wait(ctx)
+
+		if !slices.Equal(rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}) {
+			t.Fatalf("got %v, want %v", rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
+		}
+
+		// This route should not be collapsed or removed
+		if err := a.ObserveDNSResponse(dnsResponse("b.example.com.", "192.0.0.1")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
+		a.Wait(ctx)
+
+		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
+		a.updateRoutes(routes)
+		a.Wait(ctx)
+
+		slices.SortFunc(rc.Routes(), prefixCompare)
+		rc.SetRoutes(slices.Compact(rc.Routes()))
+		slices.SortFunc(routes, prefixCompare)
+
+		// Ensure that the non-matching /32 is preserved, even though it's in the domains table.
+		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
+			t.Errorf("added routes: got %v, want %v", rc.Routes(), routes)
+		}
+
+		// Ensure that the contained /32 is removed, replaced by the /24.
+		wantRemoved := []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}
+		if !slices.EqualFunc(rc.RemovedRoutes(), wantRemoved, prefixEqual) {
+			t.Fatalf("unexpected removed routes: %v", rc.RemovedRoutes())
+		}
+
+		if err := eventbustest.Expect(w,
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("192.0.2.1/32")}),
+			eventbustest.Type[appctype.RouteInfo](),
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("192.0.0.1/32")}),
+			eventbustest.Type[appctype.RouteInfo](),
+			eqUpdate(appctype.RouteUpdate{
+				Advertise:   prefixes("192.0.0.1/32", "192.0.2.0/24"),
+				Unadvertise: prefixes("192.0.2.1/32"),
+			}),
+			eventbustest.Type[appctype.RouteInfo](),
+		); err != nil {
+			t.Error(err)
+		}
+	}
+}
+
+func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
+	ctx := t.Context()
+	bus := eventbustest.NewBus(t)
+	for _, shouldStore := range []bool{false, true} {
+		w := eventbustest.NewWatcher(t, bus)
+		rc := &appctest.RouteCollector{}
+		a := NewAppConnector(Config{
+			Logf:            t.Logf,
+			EventBus:        bus,
+			RouteAdvertiser: rc,
+			HasStoredRoutes: shouldStore,
+		})
+		t.Cleanup(a.Close)
+
+		mak.Set(&a.domains, "example.com", []netip.Addr{netip.MustParseAddr("192.0.2.1")})
+		rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
+		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
+		a.updateRoutes(routes)
+		a.Wait(ctx)
+
+		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
+			t.Fatalf("got %v, want %v", rc.Routes(), routes)
+		}
+
+		if err := eventbustest.ExpectExactly(w,
+			eqUpdate(appctype.RouteUpdate{
+				Advertise:   prefixes("192.0.2.0/24"),
+				Unadvertise: prefixes("192.0.2.1/32"),
+			}),
+			eventbustest.Type[appctype.RouteInfo](),
+		); err != nil {
+			t.Error(err)
+		}
+	}
+}
+
+func TestDomainRoutes(t *testing.T) {
+	bus := eventbustest.NewBus(t)
+	for _, shouldStore := range []bool{false, true} {
+		w := eventbustest.NewWatcher(t, bus)
+		rc := &appctest.RouteCollector{}
+		a := NewAppConnector(Config{
+			Logf:            t.Logf,
+			EventBus:        bus,
+			RouteAdvertiser: rc,
+			HasStoredRoutes: shouldStore,
+		})
+		t.Cleanup(a.Close)
+		a.updateDomains([]string{"example.com"})
+		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
+		a.Wait(t.Context())
+
+		want := map[string][]netip.Addr{
+			"example.com": {netip.MustParseAddr("192.0.0.8")},
+		}
+
+		if got := a.DomainRoutes(); !reflect.DeepEqual(got, want) {
+			t.Fatalf("DomainRoutes: got %v, want %v", got, want)
+		}
+
+		if err := eventbustest.ExpectExactly(w,
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("192.0.0.8/32")}),
+			eventbustest.Type[appctype.RouteInfo](),
+		); err != nil {
+			t.Error(err)
+		}
+	}
+}
+
+func TestObserveDNSResponse(t *testing.T) {
+	ctx := t.Context()
+	bus := eventbustest.NewBus(t)
+	for _, shouldStore := range []bool{false, true} {
+		w := eventbustest.NewWatcher(t, bus)
+		rc := &appctest.RouteCollector{}
+		a := NewAppConnector(Config{
+			Logf:            t.Logf,
+			EventBus:        bus,
+			RouteAdvertiser: rc,
+			HasStoredRoutes: shouldStore,
+		})
+		t.Cleanup(a.Close)
+
+		// a has no domains configured, so it should not advertise any routes
+		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
+		if got, want := rc.Routes(), ([]netip.Prefix)(nil); !slices.Equal(got, want) {
+			t.Errorf("got %v; want %v", got, want)
+		}
+
+		wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
+
+		a.updateDomains([]string{"example.com"})
+		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
+		a.Wait(ctx)
+		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+			t.Errorf("got %v; want %v", got, want)
+		}
+
+		// a CNAME record chain should result in a route being added if the chain
+		// matches a routed domain.
+		a.updateDomains([]string{"www.example.com", "example.com"})
+		if err := a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.9", "www.example.com.", "chain.example.com.", "example.com.")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
+		a.Wait(ctx)
+		wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.9/32"))
+		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+			t.Errorf("got %v; want %v", got, want)
+		}
+
+		// a CNAME record chain should result in a route being added if the chain
+		// even if only found in the middle of the chain
+		if err := a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.10", "outside.example.org.", "www.example.com.", "example.org.")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
+		a.Wait(ctx)
+		wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.10/32"))
+		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+			t.Errorf("got %v; want %v", got, want)
+		}
+
+		wantRoutes = append(wantRoutes, netip.MustParsePrefix("2001:db8::1/128"))
+
+		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
+		a.Wait(ctx)
+		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+			t.Errorf("got %v; want %v", got, want)
+		}
+
+		// don't re-advertise routes that have already been advertised
+		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
+		a.Wait(ctx)
+		if !slices.Equal(rc.Routes(), wantRoutes) {
+			t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
+		}
+
+		// don't advertise addresses that are already in a control provided route
+		pfx := netip.MustParsePrefix("192.0.2.0/24")
+		a.updateRoutes([]netip.Prefix{pfx})
+		wantRoutes = append(wantRoutes, pfx)
+		if err := a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.2.1")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
+		a.Wait(ctx)
+		if !slices.Equal(rc.Routes(), wantRoutes) {
+			t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
+		}
+		if !slices.Contains(a.domains["example.com"], netip.MustParseAddr("192.0.2.1")) {
+			t.Errorf("missing %v from %v", "192.0.2.1", a.domains["exmaple.com"])
+		}
+
+		if err := eventbustest.ExpectExactly(w,
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("192.0.0.8/32")}), // from initial DNS response, via example.com
+			eventbustest.Type[appctype.RouteInfo](),
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("192.0.0.9/32")}), // from CNAME response
+			eventbustest.Type[appctype.RouteInfo](),
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("192.0.0.10/32")}), // from CNAME response, mid-chain
+			eventbustest.Type[appctype.RouteInfo](),
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("2001:db8::1/128")}), // v6 DNS response
+			eventbustest.Type[appctype.RouteInfo](),
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("192.0.2.0/24")}), // additional prefix
+			eventbustest.Type[appctype.RouteInfo](),
+			// N.B. no update for 192.0.2.1 as it is already covered
+		); err != nil {
+			t.Error(err)
+		}
+	}
+}
+
+func TestWildcardDomains(t *testing.T) {
+	ctx := t.Context()
+	bus := eventbustest.NewBus(t)
+	for _, shouldStore := range []bool{false, true} {
+		w := eventbustest.NewWatcher(t, bus)
+		rc := &appctest.RouteCollector{}
+		a := NewAppConnector(Config{
+			Logf:            t.Logf,
+			EventBus:        bus,
+			RouteAdvertiser: rc,
+			HasStoredRoutes: shouldStore,
+		})
+		t.Cleanup(a.Close)
+
+		a.updateDomains([]string{"*.example.com"})
+		if err := a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8")); err != nil {
+			t.Errorf("ObserveDNSResponse: %v", err)
+		}
+		a.Wait(ctx)
+		if got, want := rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
+			t.Errorf("routes: got %v; want %v", got, want)
+		}
+		if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
+			t.Errorf("wildcards: got %v; want %v", got, want)
+		}
+
+		a.updateDomains([]string{"*.example.com", "example.com"})
+		if _, ok := a.domains["foo.example.com"]; !ok {
+			t.Errorf("expected foo.example.com to be preserved in domains due to wildcard")
+		}
+		if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
+			t.Errorf("wildcards: got %v; want %v", got, want)
+		}
+
+		// There was an early regression where the wildcard domain was added repeatedly, this guards against that.
+		a.updateDomains([]string{"*.example.com", "example.com"})
+		if len(a.wildcards) != 1 {
+			t.Errorf("expected only one wildcard domain, got %v", a.wildcards)
+		}
+
+		if err := eventbustest.ExpectExactly(w,
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("192.0.0.8/32")}),
+			eventbustest.Type[appctype.RouteInfo](),
+		); err != nil {
+			t.Error(err)
+		}
+	}
+}
+
+// dnsResponse is a test helper that creates a DNS response buffer for the given domain and address
+func dnsResponse(domain, address string) []byte {
+	addr := netip.MustParseAddr(address)
+	b := dnsmessage.NewBuilder(nil, dnsmessage.Header{})
+	b.EnableCompression()
+	b.StartAnswers()
+	switch addr.BitLen() {
+	case 32:
+		b.AResource(
+			dnsmessage.ResourceHeader{
+				Name:  dnsmessage.MustNewName(domain),
+				Type:  dnsmessage.TypeA,
+				Class: dnsmessage.ClassINET,
+				TTL:   0,
+			},
+			dnsmessage.AResource{
+				A: addr.As4(),
+			},
+		)
+	case 128:
+		b.AAAAResource(
+			dnsmessage.ResourceHeader{
+				Name:  dnsmessage.MustNewName(domain),
+				Type:  dnsmessage.TypeAAAA,
+				Class: dnsmessage.ClassINET,
+				TTL:   0,
+			},
+			dnsmessage.AAAAResource{
+				AAAA: addr.As16(),
+			},
+		)
+	default:
+		panic("invalid address length")
+	}
+	return must.Get(b.Finish())
+}
+
+func dnsCNAMEResponse(address string, domains ...string) []byte {
+	addr := netip.MustParseAddr(address)
+	b := dnsmessage.NewBuilder(nil, dnsmessage.Header{})
+	b.EnableCompression()
+	b.StartAnswers()
+
+	if len(domains) >= 2 {
+		for i, domain := range domains[:len(domains)-1] {
+			b.CNAMEResource(
+				dnsmessage.ResourceHeader{
+					Name:  dnsmessage.MustNewName(domain),
+					Type:  dnsmessage.TypeCNAME,
+					Class: dnsmessage.ClassINET,
+					TTL:   0,
+				},
+				dnsmessage.CNAMEResource{
+					CNAME: dnsmessage.MustNewName(domains[i+1]),
+				},
+			)
+		}
+	}
+
+	domain := domains[len(domains)-1]
+
+	switch addr.BitLen() {
+	case 32:
+		b.AResource(
+			dnsmessage.ResourceHeader{
+				Name:  dnsmessage.MustNewName(domain),
+				Type:  dnsmessage.TypeA,
+				Class: dnsmessage.ClassINET,
+				TTL:   0,
+			},
+			dnsmessage.AResource{
+				A: addr.As4(),
+			},
+		)
+	case 128:
+		b.AAAAResource(
+			dnsmessage.ResourceHeader{
+				Name:  dnsmessage.MustNewName(domain),
+				Type:  dnsmessage.TypeAAAA,
+				Class: dnsmessage.ClassINET,
+				TTL:   0,
+			},
+			dnsmessage.AAAAResource{
+				AAAA: addr.As16(),
+			},
+		)
+	default:
+		panic("invalid address length")
+	}
+	return must.Get(b.Finish())
+}
+
+func prefixEqual(a, b netip.Prefix) bool {
+	return a == b
+}
+
+func prefixCompare(a, b netip.Prefix) int {
+	if a.Addr().Compare(b.Addr()) == 0 {
+		return a.Bits() - b.Bits()
+	}
+	return a.Addr().Compare(b.Addr())
+}
+
+func prefixes(in ...string) []netip.Prefix {
+	toRet := make([]netip.Prefix, len(in))
+	for i, s := range in {
+		toRet[i] = netip.MustParsePrefix(s)
+	}
+	return toRet
+}
+
+func TestUpdateRouteRouteRemoval(t *testing.T) {
+	ctx := t.Context()
+	bus := eventbustest.NewBus(t)
+	for _, shouldStore := range []bool{false, true} {
+		w := eventbustest.NewWatcher(t, bus)
+		rc := &appctest.RouteCollector{}
+
+		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
+			if !slices.Equal(routes, rc.Routes()) {
+				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
+			}
+			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
+				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
+			}
+		}
+
+		a := NewAppConnector(Config{
+			Logf:            t.Logf,
+			EventBus:        bus,
+			RouteAdvertiser: rc,
+			HasStoredRoutes: shouldStore,
+		})
+		t.Cleanup(a.Close)
+
+		// nothing has yet been advertised
+		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
+
+		a.UpdateDomainsAndRoutes([]string{}, prefixes("1.2.3.1/32", "1.2.3.2/32"))
+		a.Wait(ctx)
+		// the routes passed to UpdateDomainsAndRoutes have been advertised
+		assertRoutes("simple update", prefixes("1.2.3.1/32", "1.2.3.2/32"), []netip.Prefix{})
+
+		// one route the same, one different
+		a.UpdateDomainsAndRoutes([]string{}, prefixes("1.2.3.1/32", "1.2.3.3/32"))
+		a.Wait(ctx)
+		// old behavior: routes are not removed, resulting routes are both old and new
+		// (we have dupe 1.2.3.1 routes because the test RouteAdvertiser doesn't have the deduplication
+		// the real one does)
+		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.1/32", "1.2.3.3/32")
+		wantRemovedRoutes := []netip.Prefix{}
+		if shouldStore {
+			// new behavior: routes are removed, resulting routes are new only
+			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.1/32", "1.2.3.3/32")
+			wantRemovedRoutes = prefixes("1.2.3.2/32")
+		}
+		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
+
+		if err := eventbustest.Expect(w,
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("1.2.3.1/32", "1.2.3.2/32")}), // no duplicates here
+			eventbustest.Type[appctype.RouteInfo](),
+		); err != nil {
+			t.Error(err)
+		}
+	}
+}
+
+func TestUpdateDomainRouteRemoval(t *testing.T) {
+	ctx := t.Context()
+	bus := eventbustest.NewBus(t)
+	for _, shouldStore := range []bool{false, true} {
+		w := eventbustest.NewWatcher(t, bus)
+		rc := &appctest.RouteCollector{}
+
+		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
+			if !slices.Equal(routes, rc.Routes()) {
+				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
+			}
+			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
+				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
+			}
+		}
+
+		a := NewAppConnector(Config{
+			Logf:            t.Logf,
+			EventBus:        bus,
+			RouteAdvertiser: rc,
+			HasStoredRoutes: shouldStore,
+		})
+		t.Cleanup(a.Close)
+
+		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
+
+		a.UpdateDomainsAndRoutes([]string{"a.example.com", "b.example.com"}, []netip.Prefix{})
+		a.Wait(ctx)
+		// adding domains doesn't immediately cause any routes to be advertised
+		assertRoutes("update domains", []netip.Prefix{}, []netip.Prefix{})
+
+		for _, res := range [][]byte{
+			dnsResponse("a.example.com.", "1.2.3.1"),
+			dnsResponse("a.example.com.", "1.2.3.2"),
+			dnsResponse("b.example.com.", "1.2.3.3"),
+			dnsResponse("b.example.com.", "1.2.3.4"),
+		} {
+			if err := a.ObserveDNSResponse(res); err != nil {
+				t.Errorf("ObserveDNSResponse: %v", err)
+			}
+		}
+		a.Wait(ctx)
+		// observing dns responses causes routes to be advertised
+		assertRoutes("observed dns", prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32"), []netip.Prefix{})
+
+		a.UpdateDomainsAndRoutes([]string{"a.example.com"}, []netip.Prefix{})
+		a.Wait(ctx)
+		// old behavior, routes are not removed
+		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32")
+		wantRemovedRoutes := []netip.Prefix{}
+		if shouldStore {
+			// new behavior, routes are removed for b.example.com
+			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.2/32")
+			wantRemovedRoutes = prefixes("1.2.3.3/32", "1.2.3.4/32")
+		}
+		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
+
+		wantEvents := []any{
+			// Each DNS record observed triggers an update.
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("1.2.3.1/32")}),
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("1.2.3.2/32")}),
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("1.2.3.3/32")}),
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("1.2.3.4/32")}),
+		}
+		if shouldStore {
+			wantEvents = append(wantEvents, eqUpdate(appctype.RouteUpdate{
+				Unadvertise: prefixes("1.2.3.3/32", "1.2.3.4/32"),
+			}))
+		}
+		if err := eventbustest.Expect(w, wantEvents...); err != nil {
+			t.Error(err)
+		}
+	}
+}
+
+func TestUpdateWildcardRouteRemoval(t *testing.T) {
+	ctx := t.Context()
+	bus := eventbustest.NewBus(t)
+	for _, shouldStore := range []bool{false, true} {
+		w := eventbustest.NewWatcher(t, bus)
+		rc := &appctest.RouteCollector{}
+
+		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
+			if !slices.Equal(routes, rc.Routes()) {
+				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
+			}
+			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
+				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
+			}
+		}
+
+		a := NewAppConnector(Config{
+			Logf:            t.Logf,
+			EventBus:        bus,
+			RouteAdvertiser: rc,
+			HasStoredRoutes: shouldStore,
+		})
+		t.Cleanup(a.Close)
+
+		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
+
+		a.UpdateDomainsAndRoutes([]string{"a.example.com", "*.b.example.com"}, []netip.Prefix{})
+		a.Wait(ctx)
+		// adding domains doesn't immediately cause any routes to be advertised
+		assertRoutes("update domains", []netip.Prefix{}, []netip.Prefix{})
+
+		for _, res := range [][]byte{
+			dnsResponse("a.example.com.", "1.2.3.1"),
+			dnsResponse("a.example.com.", "1.2.3.2"),
+			dnsResponse("1.b.example.com.", "1.2.3.3"),
+			dnsResponse("2.b.example.com.", "1.2.3.4"),
+		} {
+			if err := a.ObserveDNSResponse(res); err != nil {
+				t.Errorf("ObserveDNSResponse: %v", err)
+			}
+		}
+		a.Wait(ctx)
+		// observing dns responses causes routes to be advertised
+		assertRoutes("observed dns", prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32"), []netip.Prefix{})
+
+		a.UpdateDomainsAndRoutes([]string{"a.example.com"}, []netip.Prefix{})
+		a.Wait(ctx)
+		// old behavior, routes are not removed
+		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32")
+		wantRemovedRoutes := []netip.Prefix{}
+		if shouldStore {
+			// new behavior, routes are removed for *.b.example.com
+			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.2/32")
+			wantRemovedRoutes = prefixes("1.2.3.3/32", "1.2.3.4/32")
+		}
+		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
+
+		wantEvents := []any{
+			// Each DNS record observed triggers an update.
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("1.2.3.1/32")}),
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("1.2.3.2/32")}),
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("1.2.3.3/32")}),
+			eqUpdate(appctype.RouteUpdate{Advertise: prefixes("1.2.3.4/32")}),
+		}
+		if shouldStore {
+			wantEvents = append(wantEvents, eqUpdate(appctype.RouteUpdate{
+				Unadvertise: prefixes("1.2.3.3/32", "1.2.3.4/32"),
+			}))
+		}
+		if err := eventbustest.Expect(w, wantEvents...); err != nil {
+			t.Error(err)
+		}
+	}
+}
+
+func TestRoutesWithout(t *testing.T) {
+	assert := func(msg string, got, want []netip.Prefix) {
+		if !slices.Equal(want, got) {
+			t.Errorf("%s: want %v, got %v", msg, want, got)
+		}
+	}
+
+	assert("empty routes", routesWithout([]netip.Prefix{}, []netip.Prefix{}), []netip.Prefix{})
+	assert("a empty", routesWithout([]netip.Prefix{}, prefixes("1.1.1.1/32", "1.1.1.2/32")), []netip.Prefix{})
+	assert("b empty", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), []netip.Prefix{}), prefixes("1.1.1.1/32", "1.1.1.2/32"))
+	assert("no overlap", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), prefixes("1.1.1.3/32", "1.1.1.4/32")), prefixes("1.1.1.1/32", "1.1.1.2/32"))
+	assert("a has fewer", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), prefixes("1.1.1.1/32", "1.1.1.2/32", "1.1.1.3/32", "1.1.1.4/32")), []netip.Prefix{})
+	assert("a has more", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32", "1.1.1.3/32", "1.1.1.4/32"), prefixes("1.1.1.1/32", "1.1.1.3/32")), prefixes("1.1.1.2/32", "1.1.1.4/32"))
+}
+
+func TestRateLogger(t *testing.T) {
+	clock := tstest.Clock{}
+	wasCalled := false
+	rl := newRateLogger(func() time.Time { return clock.Now() }, 1*time.Second, func(count int64, _ time.Time, _ int64) {
+		if count != 3 {
+			t.Fatalf("count for prev period: got %d, want 3", count)
+		}
+		wasCalled = true
+	})
+
+	for i := 0; i < 3; i++ {
+		clock.Advance(1 * time.Millisecond)
+		rl.update(0)
+		if wasCalled {
+			t.Fatalf("wasCalled: got true, want false")
+		}
+	}
+
+	clock.Advance(1 * time.Second)
+	rl.update(0)
+	if !wasCalled {
+		t.Fatalf("wasCalled: got false, want true")
+	}
+
+	wasCalled = false
+	rl = newRateLogger(func() time.Time { return clock.Now() }, 1*time.Hour, func(count int64, _ time.Time, _ int64) {
+		if count != 3 {
+			t.Fatalf("count for prev period: got %d, want 3", count)
+		}
+		wasCalled = true
+	})
+
+	for i := 0; i < 3; i++ {
+		clock.Advance(1 * time.Minute)
+		rl.update(0)
+		if wasCalled {
+			t.Fatalf("wasCalled: got true, want false")
+		}
+	}
+
+	clock.Advance(1 * time.Hour)
+	rl.update(0)
+	if !wasCalled {
+		t.Fatalf("wasCalled: got false, want true")
+	}
+}
+
+func TestRouteStoreMetrics(t *testing.T) {
+	metricStoreRoutes(1, 1)
+	metricStoreRoutes(1, 1)         // the 1 buckets value should be 2
+	metricStoreRoutes(5, 5)         // the 5 buckets value should be 1
+	metricStoreRoutes(6, 6)         // the 10 buckets value should be 1
+	metricStoreRoutes(10001, 10001) // the over buckets value should be 1
+	wanted := map[string]int64{
+		"appc_store_routes_n_routes_1":    2,
+		"appc_store_routes_rate_1":        2,
+		"appc_store_routes_n_routes_5":    1,
+		"appc_store_routes_rate_5":        1,
+		"appc_store_routes_n_routes_10":   1,
+		"appc_store_routes_rate_10":       1,
+		"appc_store_routes_n_routes_over": 1,
+		"appc_store_routes_rate_over":     1,
+	}
+	for _, x := range clientmetric.Metrics() {
+		if x.Value() != wanted[x.Name()] {
+			t.Errorf("%s: want: %d, got: %d", x.Name(), wanted[x.Name()], x.Value())
+		}
+	}
+}
+
+func TestMetricBucketsAreSorted(t *testing.T) {
+	if !slices.IsSorted(metricStoreRoutesRateBuckets) {
+		t.Errorf("metricStoreRoutesRateBuckets must be in order")
+	}
+	if !slices.IsSorted(metricStoreRoutesNBuckets) {
+		t.Errorf("metricStoreRoutesNBuckets must be in order")
+	}
+}
+
+// TestUpdateRoutesDeadlock is a regression test for a deadlock in
+// LocalBackend<->AppConnector interaction. When using real LocalBackend as the
+// routeAdvertiser, calls to Advertise/UnadvertiseRoutes can end up calling
+// back into AppConnector via authReconfig. If everything is called
+// synchronously, this results in a deadlock on AppConnector.mu.
+//
+// TODO(creachadair, 2025-09-18): Remove this along with the advertiser
+// interface once the LocalBackend is switched to use the event bus and the
+// tests have been updated not to need it.
+func TestUpdateRoutesDeadlock(t *testing.T) {
+	ctx := t.Context()
+	bus := eventbustest.NewBus(t)
+	w := eventbustest.NewWatcher(t, bus)
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(Config{
+		Logf:            t.Logf,
+		EventBus:        bus,
+		RouteAdvertiser: rc,
+		HasStoredRoutes: true,
+	})
+	t.Cleanup(a.Close)
+
+	advertiseCalled := new(atomic.Bool)
+	unadvertiseCalled := new(atomic.Bool)
+	rc.AdvertiseCallback = func() {
+		// Call something that requires a.mu to be held.
+		a.DomainRoutes()
+		advertiseCalled.Store(true)
+	}
+	rc.UnadvertiseCallback = func() {
+		// Call something that requires a.mu to be held.
+		a.DomainRoutes()
+		unadvertiseCalled.Store(true)
+	}
+
+	a.updateDomains([]string{"example.com"})
+	a.Wait(ctx)
+
+	// Trigger rc.AdveriseRoute.
+	a.updateRoutes(
+		[]netip.Prefix{
+			netip.MustParsePrefix("127.0.0.1/32"),
+			netip.MustParsePrefix("127.0.0.2/32"),
+		},
+	)
+	a.Wait(ctx)
+	// Trigger rc.UnadveriseRoute.
+	a.updateRoutes(
+		[]netip.Prefix{
+			netip.MustParsePrefix("127.0.0.1/32"),
+		},
+	)
+	a.Wait(ctx)
+
+	if !advertiseCalled.Load() {
+		t.Error("AdvertiseRoute was not called")
+	}
+	if !unadvertiseCalled.Load() {
+		t.Error("UnadvertiseRoute was not called")
+	}
+
+	if want := []netip.Prefix{netip.MustParsePrefix("127.0.0.1/32")}; !slices.Equal(slices.Compact(rc.Routes()), want) {
+		t.Fatalf("got %v, want %v", rc.Routes(), want)
+	}
+
+	if err := eventbustest.ExpectExactly(w,
+		eqUpdate(appctype.RouteUpdate{Advertise: prefixes("127.0.0.1/32", "127.0.0.2/32")}),
+		eventbustest.Type[appctype.RouteInfo](),
+		eqUpdate(appctype.RouteUpdate{Advertise: prefixes("127.0.0.1/32"), Unadvertise: prefixes("127.0.0.2/32")}),
+		eventbustest.Type[appctype.RouteInfo](),
+	); err != nil {
+		t.Error(err)
+	}
+}
+
+type textUpdate struct {
+	Advertise   []string
+	Unadvertise []string
+}
+
+func routeUpdateToText(u appctype.RouteUpdate) textUpdate {
+	var out textUpdate
+	for _, p := range u.Advertise {
+		out.Advertise = append(out.Advertise, p.String())
+	}
+	for _, p := range u.Unadvertise {
+		out.Unadvertise = append(out.Unadvertise, p.String())
+	}
+	return out
+}
+
+// eqUpdate generates an eventbus test filter that matches a appctype.RouteUpdate
+// message equal to want, or reports an error giving a human-readable diff.
+func eqUpdate(want appctype.RouteUpdate) func(appctype.RouteUpdate) error {
+	return func(got appctype.RouteUpdate) error {
+		if diff := cmp.Diff(routeUpdateToText(got), routeUpdateToText(want),
+			cmpopts.SortSlices(stdcmp.Less[string]),
+		); diff != "" {
+			return fmt.Errorf("wrong update (-got, +want):\n%s", diff)
+		}
+		return nil
+	}
+}

appc/appctest/appctest.go

@@ -0,0 +1,63 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package appctest contains code to help test App Connectors.
+package appctest
+
+import (
+	"net/netip"
+	"slices"
+)
+
+// RouteCollector is a test helper that collects the list of routes advertised
+type RouteCollector struct {
+	// AdvertiseCallback (optional) is called synchronously from
+	// AdvertiseRoute.
+	AdvertiseCallback func()
+	// UnadvertiseCallback (optional) is called synchronously from
+	// UnadvertiseRoute.
+	UnadvertiseCallback func()
+
+	routes        []netip.Prefix
+	removedRoutes []netip.Prefix
+}
+
+func (rc *RouteCollector) AdvertiseRoute(pfx ...netip.Prefix) error {
+	rc.routes = append(rc.routes, pfx...)
+	if rc.AdvertiseCallback != nil {
+		rc.AdvertiseCallback()
+	}
+	return nil
+}
+
+func (rc *RouteCollector) UnadvertiseRoute(toRemove ...netip.Prefix) error {
+	routes := rc.routes
+	rc.routes = rc.routes[:0]
+	for _, r := range routes {
+		if !slices.Contains(toRemove, r) {
+			rc.routes = append(rc.routes, r)
+		} else {
+			rc.removedRoutes = append(rc.removedRoutes, r)
+		}
+	}
+	if rc.UnadvertiseCallback != nil {
+		rc.UnadvertiseCallback()
+	}
+	return nil
+}
+
+// RemovedRoutes returns the list of routes that were removed.
+func (rc *RouteCollector) RemovedRoutes() []netip.Prefix {
+	return rc.removedRoutes
+}
+
+// Routes returns the ordered list of routes that were added, including
+// possible duplicates.
+func (rc *RouteCollector) Routes() []netip.Prefix {
+	return rc.routes
+}
+
+func (rc *RouteCollector) SetRoutes(routes []netip.Prefix) error {
+	rc.routes = routes
+	return nil
+}

appc/conn25.go

@@ -0,0 +1,110 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package appc
+
+import (
+	"net/netip"
+	"sync"
+
+	"tailscale.com/tailcfg"
+)
+
+// Conn25 holds the developing state for the as yet nascent next generation app connector.
+// There is currently (2025-12-08) no actual app connecting functionality.
+type Conn25 struct {
+	mu         sync.Mutex
+	transitIPs map[tailcfg.NodeID]map[netip.Addr]netip.Addr
+}
+
+const dupeTransitIPMessage = "Duplicate transit address in ConnectorTransitIPRequest"
+
+// HandleConnectorTransitIPRequest creates a ConnectorTransitIPResponse in response to a ConnectorTransitIPRequest.
+// It updates the connectors mapping of TransitIP->DestinationIP per peer (tailcfg.NodeID).
+// If a peer has stored this mapping in the connector Conn25 will route traffic to TransitIPs to DestinationIPs for that peer.
+func (c *Conn25) HandleConnectorTransitIPRequest(nid tailcfg.NodeID, ctipr ConnectorTransitIPRequest) ConnectorTransitIPResponse {
+	resp := ConnectorTransitIPResponse{}
+	seen := map[netip.Addr]bool{}
+	for _, each := range ctipr.TransitIPs {
+		if seen[each.TransitIP] {
+			resp.TransitIPs = append(resp.TransitIPs, TransitIPResponse{
+				Code:    OtherFailure,
+				Message: dupeTransitIPMessage,
+			})
+			continue
+		}
+		tipresp := c.handleTransitIPRequest(nid, each)
+		seen[each.TransitIP] = true
+		resp.TransitIPs = append(resp.TransitIPs, tipresp)
+	}
+	return resp
+}
+
+func (c *Conn25) handleTransitIPRequest(nid tailcfg.NodeID, tipr TransitIPRequest) TransitIPResponse {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.transitIPs == nil {
+		c.transitIPs = make(map[tailcfg.NodeID]map[netip.Addr]netip.Addr)
+	}
+	peerMap, ok := c.transitIPs[nid]
+	if !ok {
+		peerMap = make(map[netip.Addr]netip.Addr)
+		c.transitIPs[nid] = peerMap
+	}
+	peerMap[tipr.TransitIP] = tipr.DestinationIP
+	return TransitIPResponse{}
+}
+
+func (c *Conn25) transitIPTarget(nid tailcfg.NodeID, tip netip.Addr) netip.Addr {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.transitIPs[nid][tip]
+}
+
+// TransitIPRequest details a single TransitIP allocation request from a client to a
+// connector.
+type TransitIPRequest struct {
+	// TransitIP is the intermediate destination IP that will be received at this
+	// connector and will be replaced by DestinationIP when performing DNAT.
+	TransitIP netip.Addr `json:"transitIP,omitzero"`
+
+	// DestinationIP is the final destination IP that connections to the TransitIP
+	// should be mapped to when performing DNAT.
+	DestinationIP netip.Addr `json:"destinationIP,omitzero"`
+}
+
+// ConnectorTransitIPRequest is the request body for a PeerAPI request to
+// /connector/transit-ip and can include zero or more TransitIP allocation requests.
+type ConnectorTransitIPRequest struct {
+	// TransitIPs is the list of requested mappings.
+	TransitIPs []TransitIPRequest `json:"transitIPs,omitempty"`
+}
+
+// TransitIPResponseCode appears in TransitIPResponse and signifies success or failure status.
+type TransitIPResponseCode int
+
+const (
+	// OK indicates that the mapping was created as requested.
+	OK TransitIPResponseCode = 0
+
+	// OtherFailure indicates that the mapping failed for a reason that does not have
+	// another relevant [TransitIPResponsecode].
+	OtherFailure TransitIPResponseCode = 1
+)
+
+// TransitIPResponse is the response to a TransitIPRequest
+type TransitIPResponse struct {
+	// Code is an error code indicating success or failure of the [TransitIPRequest].
+	Code TransitIPResponseCode `json:"code,omitzero"`
+	// Message is an error message explaining what happened, suitable for logging but
+	// not necessarily suitable for displaying in a UI to non-technical users. It
+	// should be empty when [Code] is [OK].
+	Message string `json:"message,omitzero"`
+}
+
+// ConnectorTransitIPResponse is the response to a ConnectorTransitIPRequest
+type ConnectorTransitIPResponse struct {
+	// TransitIPs is the list of outcomes for each requested mapping. Elements
+	// correspond to the order of [ConnectorTransitIPRequest.TransitIPs].
+	TransitIPs []TransitIPResponse `json:"transitIPs,omitempty"`
+}

appc/conn25_test.go

@@ -0,0 +1,188 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package appc
+
+import (
+	"net/netip"
+	"testing"
+
+	"tailscale.com/tailcfg"
+)
+
+// TestHandleConnectorTransitIPRequestZeroLength tests that if sent a
+// ConnectorTransitIPRequest with 0 TransitIPRequests, we respond with a
+// ConnectorTransitIPResponse with 0 TransitIPResponses.
+func TestHandleConnectorTransitIPRequestZeroLength(t *testing.T) {
+	c := &Conn25{}
+	req := ConnectorTransitIPRequest{}
+	nid := tailcfg.NodeID(1)
+
+	resp := c.HandleConnectorTransitIPRequest(nid, req)
+	if len(resp.TransitIPs) != 0 {
+		t.Fatalf("n TransitIPs in response: %d, want 0", len(resp.TransitIPs))
+	}
+}
+
+// TestHandleConnectorTransitIPRequestStoresAddr tests that if sent a
+// request with a transit addr and a destination addr we store that mapping
+// and can retrieve it. If sent another req with a different dst for that transit addr
+// we store that instead.
+func TestHandleConnectorTransitIPRequestStoresAddr(t *testing.T) {
+	c := &Conn25{}
+	nid := tailcfg.NodeID(1)
+	tip := netip.MustParseAddr("0.0.0.1")
+	dip := netip.MustParseAddr("1.2.3.4")
+	dip2 := netip.MustParseAddr("1.2.3.5")
+	mr := func(t, d netip.Addr) ConnectorTransitIPRequest {
+		return ConnectorTransitIPRequest{
+			TransitIPs: []TransitIPRequest{
+				{TransitIP: t, DestinationIP: d},
+			},
+		}
+	}
+
+	resp := c.HandleConnectorTransitIPRequest(nid, mr(tip, dip))
+	if len(resp.TransitIPs) != 1 {
+		t.Fatalf("n TransitIPs in response: %d, want 1", len(resp.TransitIPs))
+	}
+	got := resp.TransitIPs[0].Code
+	if got != TransitIPResponseCode(0) {
+		t.Fatalf("TransitIP Code: %d, want 0", got)
+	}
+	gotAddr := c.transitIPTarget(nid, tip)
+	if gotAddr != dip {
+		t.Fatalf("Connector stored destination for tip: %v, want %v", gotAddr, dip)
+	}
+
+	// mapping can be overwritten
+	resp2 := c.HandleConnectorTransitIPRequest(nid, mr(tip, dip2))
+	if len(resp2.TransitIPs) != 1 {
+		t.Fatalf("n TransitIPs in response: %d, want 1", len(resp2.TransitIPs))
+	}
+	got2 := resp.TransitIPs[0].Code
+	if got2 != TransitIPResponseCode(0) {
+		t.Fatalf("TransitIP Code: %d, want 0", got2)
+	}
+	gotAddr2 := c.transitIPTarget(nid, tip)
+	if gotAddr2 != dip2 {
+		t.Fatalf("Connector stored destination for tip: %v, want %v", gotAddr, dip2)
+	}
+}
+
+// TestHandleConnectorTransitIPRequestMultipleTIP tests that we can
+// get a req with multiple mappings and we store them all. Including
+// multiple transit addrs for the same destination.
+func TestHandleConnectorTransitIPRequestMultipleTIP(t *testing.T) {
+	c := &Conn25{}
+	nid := tailcfg.NodeID(1)
+	tip := netip.MustParseAddr("0.0.0.1")
+	tip2 := netip.MustParseAddr("0.0.0.2")
+	tip3 := netip.MustParseAddr("0.0.0.3")
+	dip := netip.MustParseAddr("1.2.3.4")
+	dip2 := netip.MustParseAddr("1.2.3.5")
+	req := ConnectorTransitIPRequest{
+		TransitIPs: []TransitIPRequest{
+			{TransitIP: tip, DestinationIP: dip},
+			{TransitIP: tip2, DestinationIP: dip2},
+			// can store same dst addr for multiple transit addrs
+			{TransitIP: tip3, DestinationIP: dip},
+		},
+	}
+	resp := c.HandleConnectorTransitIPRequest(nid, req)
+	if len(resp.TransitIPs) != 3 {
+		t.Fatalf("n TransitIPs in response: %d, want 3", len(resp.TransitIPs))
+	}
+
+	for i := 0; i < 3; i++ {
+		got := resp.TransitIPs[i].Code
+		if got != TransitIPResponseCode(0) {
+			t.Fatalf("i=%d TransitIP Code: %d, want 0", i, got)
+		}
+	}
+	gotAddr1 := c.transitIPTarget(nid, tip)
+	if gotAddr1 != dip {
+		t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip, gotAddr1, dip)
+	}
+	gotAddr2 := c.transitIPTarget(nid, tip2)
+	if gotAddr2 != dip2 {
+		t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip2, gotAddr2, dip2)
+	}
+	gotAddr3 := c.transitIPTarget(nid, tip3)
+	if gotAddr3 != dip {
+		t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip3, gotAddr3, dip)
+	}
+}
+
+// TestHandleConnectorTransitIPRequestSameTIP tests that if we get
+// a req that has more than one TransitIPRequest for the same transit addr
+// only the first is stored, and the subsequent ones get an error code and
+// message in the response.
+func TestHandleConnectorTransitIPRequestSameTIP(t *testing.T) {
+	c := &Conn25{}
+	nid := tailcfg.NodeID(1)
+	tip := netip.MustParseAddr("0.0.0.1")
+	tip2 := netip.MustParseAddr("0.0.0.2")
+	dip := netip.MustParseAddr("1.2.3.4")
+	dip2 := netip.MustParseAddr("1.2.3.5")
+	dip3 := netip.MustParseAddr("1.2.3.6")
+	req := ConnectorTransitIPRequest{
+		TransitIPs: []TransitIPRequest{
+			{TransitIP: tip, DestinationIP: dip},
+			// cannot have dupe TransitIPs in one ConnectorTransitIPRequest
+			{TransitIP: tip, DestinationIP: dip2},
+			{TransitIP: tip2, DestinationIP: dip3},
+		},
+	}
+
+	resp := c.HandleConnectorTransitIPRequest(nid, req)
+	if len(resp.TransitIPs) != 3 {
+		t.Fatalf("n TransitIPs in response: %d, want 3", len(resp.TransitIPs))
+	}
+
+	got := resp.TransitIPs[0].Code
+	if got != TransitIPResponseCode(0) {
+		t.Fatalf("i=0 TransitIP Code: %d, want 0", got)
+	}
+	msg := resp.TransitIPs[0].Message
+	if msg != "" {
+		t.Fatalf("i=0 TransitIP Message: \"%s\", want \"%s\"", msg, "")
+	}
+	got1 := resp.TransitIPs[1].Code
+	if got1 != TransitIPResponseCode(1) {
+		t.Fatalf("i=1 TransitIP Code: %d, want 1", got1)
+	}
+	msg1 := resp.TransitIPs[1].Message
+	if msg1 != dupeTransitIPMessage {
+		t.Fatalf("i=1 TransitIP Message: \"%s\", want \"%s\"", msg1, dupeTransitIPMessage)
+	}
+	got2 := resp.TransitIPs[2].Code
+	if got2 != TransitIPResponseCode(0) {
+		t.Fatalf("i=2 TransitIP Code: %d, want 0", got2)
+	}
+	msg2 := resp.TransitIPs[2].Message
+	if msg2 != "" {
+		t.Fatalf("i=2 TransitIP Message: \"%s\", want \"%s\"", msg, "")
+	}
+
+	gotAddr1 := c.transitIPTarget(nid, tip)
+	if gotAddr1 != dip {
+		t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip, gotAddr1, dip)
+	}
+	gotAddr2 := c.transitIPTarget(nid, tip2)
+	if gotAddr2 != dip3 {
+		t.Fatalf("Connector stored destination for tip(%v): %v, want %v", tip2, gotAddr2, dip3)
+	}
+}
+
+// TestGetDstIPUnknownTIP tests that unknown transit addresses can be looked up without problem.
+func TestTransitIPTargetUnknownTIP(t *testing.T) {
+	c := &Conn25{}
+	nid := tailcfg.NodeID(1)
+	tip := netip.MustParseAddr("0.0.0.1")
+	got := c.transitIPTarget(nid, tip)
+	want := netip.Addr{}
+	if got != want {
+		t.Fatalf("Unknown transit addr, want: %v, got %v", want, got)
+	}
+}

appc/ippool.go

@@ -0,0 +1,61 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package appc
+
+import (
+	"errors"
+	"net/netip"
+
+	"go4.org/netipx"
+)
+
+// errPoolExhausted is returned when there are no more addresses to iterate over.
+var errPoolExhausted = errors.New("ip pool exhausted")
+
+// ippool allows for iteration over all the addresses within a netipx.IPSet.
+// netipx.IPSet has a Ranges call that returns the "minimum and sorted set of IP ranges that covers [the set]".
+// netipx.IPRange is "an inclusive range of IP addresses from the same address family.". So we can iterate over
+// all the addresses in the set by keeping a track of the last address we returned, calling Next on the last address
+// to get the new one, and if we run off the edge of the current range, starting on the next one.
+type ippool struct {
+	// ranges defines the addresses in the pool
+	ranges []netipx.IPRange
+	// last is internal tracking of which the last address provided was.
+	last netip.Addr
+	// rangeIdx is internal tracking of which netipx.IPRange from the IPSet we are currently on.
+	rangeIdx int
+}
+
+func newIPPool(ipset *netipx.IPSet) *ippool {
+	if ipset == nil {
+		return &ippool{}
+	}
+	return &ippool{ranges: ipset.Ranges()}
+}
+
+// next returns the next address from the set, or errPoolExhausted if we have
+// iterated over the whole set.
+func (ipp *ippool) next() (netip.Addr, error) {
+	if ipp.rangeIdx >= len(ipp.ranges) {
+		// ipset is empty or we have iterated off the end
+		return netip.Addr{}, errPoolExhausted
+	}
+	if !ipp.last.IsValid() {
+		// not initialized yet
+		ipp.last = ipp.ranges[0].From()
+		return ipp.last, nil
+	}
+	currRange := ipp.ranges[ipp.rangeIdx]
+	if ipp.last == currRange.To() {
+		// then we need to move to the next range
+		ipp.rangeIdx++
+		if ipp.rangeIdx >= len(ipp.ranges) {
+			return netip.Addr{}, errPoolExhausted
+		}
+		ipp.last = ipp.ranges[ipp.rangeIdx].From()
+		return ipp.last, nil
+	}
+	ipp.last = ipp.last.Next()
+	return ipp.last, nil
+}

appc/ippool_test.go

@@ -0,0 +1,60 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package appc
+
+import (
+	"errors"
+	"net/netip"
+	"testing"
+
+	"go4.org/netipx"
+	"tailscale.com/util/must"
+)
+
+func TestNext(t *testing.T) {
+	a := ippool{}
+	_, err := a.next()
+	if !errors.Is(err, errPoolExhausted) {
+		t.Fatalf("expected errPoolExhausted, got %v", err)
+	}
+
+	var isb netipx.IPSetBuilder
+	ipset := must.Get(isb.IPSet())
+	b := newIPPool(ipset)
+	_, err = b.next()
+	if !errors.Is(err, errPoolExhausted) {
+		t.Fatalf("expected errPoolExhausted, got %v", err)
+	}
+
+	isb.AddRange(netipx.IPRangeFrom(netip.MustParseAddr("192.168.0.0"), netip.MustParseAddr("192.168.0.2")))
+	isb.AddRange(netipx.IPRangeFrom(netip.MustParseAddr("200.0.0.0"), netip.MustParseAddr("200.0.0.0")))
+	isb.AddRange(netipx.IPRangeFrom(netip.MustParseAddr("201.0.0.0"), netip.MustParseAddr("201.0.0.1")))
+	ipset = must.Get(isb.IPSet())
+	c := newIPPool(ipset)
+	expected := []string{
+		"192.168.0.0",
+		"192.168.0.1",
+		"192.168.0.2",
+		"200.0.0.0",
+		"201.0.0.0",
+		"201.0.0.1",
+	}
+	for i, want := range expected {
+		addr, err := c.next()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if addr != netip.MustParseAddr(want) {
+			t.Fatalf("next call %d want: %s, got: %v", i, want, addr)
+		}
+	}
+	_, err = c.next()
+	if !errors.Is(err, errPoolExhausted) {
+		t.Fatalf("expected errPoolExhausted, got %v", err)
+	}
+	_, err = c.next()
+	if !errors.Is(err, errPoolExhausted) {
+		t.Fatalf("expected errPoolExhausted, got %v", err)
+	}
+}

appc/observe.go

@@ -0,0 +1,132 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !ts_omit_appconnectors
+
+package appc
+
+import (
+	"net/netip"
+	"strings"
+
+	"golang.org/x/net/dns/dnsmessage"
+	"tailscale.com/util/mak"
+)
+
+// ObserveDNSResponse is a callback invoked by the DNS resolver when a DNS
+// response is being returned over the PeerAPI. The response is parsed and
+// matched against the configured domains, if matched the routeAdvertiser is
+// advised to advertise the discovered route.
+func (e *AppConnector) ObserveDNSResponse(res []byte) error {
+	var p dnsmessage.Parser
+	if _, err := p.Start(res); err != nil {
+		return err
+	}
+	if err := p.SkipAllQuestions(); err != nil {
+		return err
+	}
+
+	// cnameChain tracks a chain of CNAMEs for a given query in order to reverse
+	// a CNAME chain back to the original query for flattening. The keys are
+	// CNAME record targets, and the value is the name the record answers, so
+	// for www.example.com CNAME example.com, the map would contain
+	// ["example.com"] = "www.example.com".
+	var cnameChain map[string]string
+
+	// addressRecords is a list of address records found in the response.
+	var addressRecords map[string][]netip.Addr
+
+	for {
+		h, err := p.AnswerHeader()
+		if err == dnsmessage.ErrSectionDone {
+			break
+		}
+		if err != nil {
+			return err
+		}
+
+		if h.Class != dnsmessage.ClassINET {
+			if err := p.SkipAnswer(); err != nil {
+				return err
+			}
+			continue
+		}
+
+		switch h.Type {
+		case dnsmessage.TypeCNAME, dnsmessage.TypeA, dnsmessage.TypeAAAA:
+		default:
+			if err := p.SkipAnswer(); err != nil {
+				return err
+			}
+			continue
+
+		}
+
+		domain := strings.TrimSuffix(strings.ToLower(h.Name.String()), ".")
+		if len(domain) == 0 {
+			continue
+		}
+
+		if h.Type == dnsmessage.TypeCNAME {
+			res, err := p.CNAMEResource()
+			if err != nil {
+				return err
+			}
+			cname := strings.TrimSuffix(strings.ToLower(res.CNAME.String()), ".")
+			if len(cname) == 0 {
+				continue
+			}
+			mak.Set(&cnameChain, cname, domain)
+			continue
+		}
+
+		switch h.Type {
+		case dnsmessage.TypeA:
+			r, err := p.AResource()
+			if err != nil {
+				return err
+			}
+			addr := netip.AddrFrom4(r.A)
+			mak.Set(&addressRecords, domain, append(addressRecords[domain], addr))
+		case dnsmessage.TypeAAAA:
+			r, err := p.AAAAResource()
+			if err != nil {
+				return err
+			}
+			addr := netip.AddrFrom16(r.AAAA)
+			mak.Set(&addressRecords, domain, append(addressRecords[domain], addr))
+		default:
+			if err := p.SkipAnswer(); err != nil {
+				return err
+			}
+			continue
+		}
+	}
+
+	e.mu.Lock()
+	defer e.mu.Unlock()
+
+	for domain, addrs := range addressRecords {
+		domain, isRouted := e.findRoutedDomainLocked(domain, cnameChain)
+
+		// domain and none of the CNAMEs in the chain are routed
+		if !isRouted {
+			continue
+		}
+
+		// advertise each address we have learned for the routed domain, that
+		// was not already known.
+		var toAdvertise []netip.Prefix
+		for _, addr := range addrs {
+			if !e.isAddrKnownLocked(domain, addr) {
+				toAdvertise = append(toAdvertise, netip.PrefixFrom(addr, addr.BitLen()))
+			}
+		}
+
+		if len(toAdvertise) > 0 {
+			e.logf("[v2] observed new routes for %s: %s", domain, toAdvertise)
+			e.scheduleAdvertisement(domain, toAdvertise...)
+		}
+	}
+	return nil
+}

appc/observe_disabled.go

@@ -0,0 +1,8 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build ts_omit_appconnectors
+
+package appc
+
+func (e *AppConnector) ObserveDNSResponse(res []byte) error { return nil }

assert_ts_toolchain_match.go

@@ -0,0 +1,27 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build tailscale_go
+
+package tailscaleroot
+
+import (
+	"fmt"
+	"os"
+	"strings"
+)
+
+func init() {
+	tsRev, ok := tailscaleToolchainRev()
+	if !ok {
+		panic("binary built with tailscale_go build tag but failed to read build info or find tailscale.toolchain.rev in build info")
+	}
+	want := strings.TrimSpace(GoToolchainRev)
+	if tsRev != want {
+		if os.Getenv("TS_PERMIT_TOOLCHAIN_MISMATCH") == "1" {
+			fmt.Fprintf(os.Stderr, "tailscale.toolchain.rev = %q, want %q; but ignoring due to TS_PERMIT_TOOLCHAIN_MISMATCH=1\n", tsRev, want)
+			return
+		}
+		panic(fmt.Sprintf("binary built with tailscale_go build tag but Go toolchain %q doesn't match github.com/tailscale/tailscale expected value %q; override this failure with TS_PERMIT_TOOLCHAIN_MISMATCH=1", tsRev, want))
+	}
+}

atomicfile/atomicfile.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2019 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 // Package atomicfile contains code related to writing to filesystems
 // atomically.
@@ -9,14 +8,21 @@
 package atomicfile // import "tailscale.com/atomicfile"
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"runtime"
 )
 
-// WriteFile writes data to filename+some suffix, then renames it
-// into filename. The perm argument is ignored on Windows.
+// WriteFile writes data to filename+some suffix, then renames it into filename.
+// The perm argument is ignored on Windows, but if the target filename already
+// exists then the target file's attributes and ACLs are preserved. If the target
+// filename already exists but is not a regular file, WriteFile returns an error.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
+	fi, err := os.Stat(filename)
+	if err == nil && !fi.Mode().IsRegular() {
+		return fmt.Errorf("%s already exists and is not a regular file", filename)
+	}
 	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
 	if err != nil {
 		return err
@@ -42,5 +48,9 @@ func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
 	if err := f.Close(); err != nil {
 		return err
 	}
-	return os.Rename(tmpName, filename)
+	return Rename(tmpName, filename)
 }
+
+// Rename srcFile to dstFile, similar to [os.Rename] but preserving file
+// attributes and ACLs on Windows.
+func Rename(srcFile, dstFile string) error { return rename(srcFile, dstFile) }

atomicfile/atomicfile_notwindows.go

@@ -0,0 +1,14 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !windows
+
+package atomicfile
+
+import (
+	"os"
+)
+
+func rename(srcFile, destFile string) error {
+	return os.Rename(srcFile, destFile)
+}

atomicfile/atomicfile_test.go

@@ -0,0 +1,47 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !js && !windows
+
+package atomicfile
+
+import (
+	"net"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+)
+
+func TestDoesNotOverwriteIrregularFiles(t *testing.T) {
+	// Per tailscale/tailscale#7658 as one example, almost any imagined use of
+	// atomicfile.Write should likely not attempt to overwrite an irregular file
+	// such as a device node, socket, or named pipe.
+
+	const filename = "TestDoesNotOverwriteIrregularFiles"
+	var path string
+	// macOS private temp does not allow unix socket creation, but /tmp does.
+	if runtime.GOOS == "darwin" {
+		path = filepath.Join("/tmp", filename)
+		t.Cleanup(func() { os.Remove(path) })
+	} else {
+		path = filepath.Join(t.TempDir(), filename)
+	}
+
+	// The least troublesome thing to make that is not a file is a unix socket.
+	// Making a null device sadly requires root.
+	ln, err := net.ListenUnix("unix", &net.UnixAddr{Name: path, Net: "unix"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer ln.Close()
+
+	err = WriteFile(path, []byte("hello"), 0644)
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+	if !strings.Contains(err.Error(), "is not a regular file") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}

atomicfile/atomicfile_windows.go

@@ -0,0 +1,33 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package atomicfile
+
+import (
+	"os"
+
+	"golang.org/x/sys/windows"
+)
+
+func rename(srcFile, destFile string) error {
+	// Use replaceFile when possible to preserve the original file's attributes and ACLs.
+	if err := replaceFile(destFile, srcFile); err == nil || err != windows.ERROR_FILE_NOT_FOUND {
+		return err
+	}
+	// destFile doesn't exist. Just do a normal rename.
+	return os.Rename(srcFile, destFile)
+}
+
+func replaceFile(destFile, srcFile string) error {
+	destFile16, err := windows.UTF16PtrFromString(destFile)
+	if err != nil {
+		return err
+	}
+
+	srcFile16, err := windows.UTF16PtrFromString(srcFile)
+	if err != nil {
+		return err
+	}
+
+	return replaceFileW(destFile16, srcFile16, nil, 0, nil, nil)
+}

atomicfile/atomicfile_windows_test.go

@@ -0,0 +1,146 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package atomicfile
+
+import (
+	"os"
+	"testing"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _SECURITY_RESOURCE_MANAGER_AUTHORITY = windows.SidIdentifierAuthority{[6]byte{0, 0, 0, 0, 0, 9}}
+
+// makeRandomSID generates a SID derived from a v4 GUID.
+// This is basically the same algorithm used by browser sandboxes for generating
+// random SIDs.
+func makeRandomSID() (*windows.SID, error) {
+	guid, err := windows.GenerateGUID()
+	if err != nil {
+		return nil, err
+	}
+
+	rids := *((*[4]uint32)(unsafe.Pointer(&guid)))
+
+	var pSID *windows.SID
+	if err := windows.AllocateAndInitializeSid(&_SECURITY_RESOURCE_MANAGER_AUTHORITY, 4, rids[0], rids[1], rids[2], rids[3], 0, 0, 0, 0, &pSID); err != nil {
+		return nil, err
+	}
+	defer windows.FreeSid(pSID)
+
+	// Make a copy that lives on the Go heap
+	return pSID.Copy()
+}
+
+func getExistingFileSD(name string) (*windows.SECURITY_DESCRIPTOR, error) {
+	const infoFlags = windows.DACL_SECURITY_INFORMATION
+	return windows.GetNamedSecurityInfo(name, windows.SE_FILE_OBJECT, infoFlags)
+}
+
+func getExistingFileDACL(name string) (*windows.ACL, error) {
+	sd, err := getExistingFileSD(name)
+	if err != nil {
+		return nil, err
+	}
+
+	dacl, _, err := sd.DACL()
+	return dacl, err
+}
+
+func addDenyACEForRandomSID(dacl *windows.ACL) (*windows.ACL, error) {
+	randomSID, err := makeRandomSID()
+	if err != nil {
+		return nil, err
+	}
+
+	randomSIDTrustee := windows.TRUSTEE{nil, windows.NO_MULTIPLE_TRUSTEE,
+		windows.TRUSTEE_IS_SID, windows.TRUSTEE_IS_UNKNOWN,
+		windows.TrusteeValueFromSID(randomSID)}
+
+	entries := []windows.EXPLICIT_ACCESS{
+		{
+			windows.GENERIC_ALL,
+			windows.DENY_ACCESS,
+			windows.NO_INHERITANCE,
+			randomSIDTrustee,
+		},
+	}
+
+	return windows.ACLFromEntries(entries, dacl)
+}
+
+func setExistingFileDACL(name string, dacl *windows.ACL) error {
+	return windows.SetNamedSecurityInfo(name, windows.SE_FILE_OBJECT,
+		windows.DACL_SECURITY_INFORMATION, nil, nil, dacl, nil)
+}
+
+// makeOrigFileWithCustomDACL creates a new, temporary file with a custom
+// DACL that we can check for later. It returns the name of the temporary
+// file and the security descriptor for the file in SDDL format.
+func makeOrigFileWithCustomDACL() (name, sddl string, err error) {
+	f, err := os.CreateTemp("", "foo*.tmp")
+	if err != nil {
+		return "", "", err
+	}
+	name = f.Name()
+	if err := f.Close(); err != nil {
+		return "", "", err
+	}
+	f = nil
+	defer func() {
+		if err != nil {
+			os.Remove(name)
+		}
+	}()
+
+	dacl, err := getExistingFileDACL(name)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Add a harmless, deny-only ACE for a random SID that isn't used for anything
+	// (but that we can check for later).
+	dacl, err = addDenyACEForRandomSID(dacl)
+	if err != nil {
+		return "", "", err
+	}
+
+	if err := setExistingFileDACL(name, dacl); err != nil {
+		return "", "", err
+	}
+
+	sd, err := getExistingFileSD(name)
+	if err != nil {
+		return "", "", err
+	}
+
+	return name, sd.String(), nil
+}
+
+func TestPreserveSecurityInfo(t *testing.T) {
+	// Make a test file with a custom ACL.
+	origFileName, want, err := makeOrigFileWithCustomDACL()
+	if err != nil {
+		t.Fatalf("makeOrigFileWithCustomDACL returned %v", err)
+	}
+	t.Cleanup(func() {
+		os.Remove(origFileName)
+	})
+
+	if err := WriteFile(origFileName, []byte{}, 0); err != nil {
+		t.Fatalf("WriteFile returned %v", err)
+	}
+
+	// We expect origFileName's security descriptor to be unchanged despite
+	// the WriteFile call.
+	sd, err := getExistingFileSD(origFileName)
+	if err != nil {
+		t.Fatalf("getExistingFileSD(%q) returned %v", origFileName, err)
+	}
+
+	if got := sd.String(); got != want {
+		t.Errorf("security descriptor comparison failed: got %q, want %q", got, want)
+	}
+}

atomicfile/mksyscall.go

@@ -0,0 +1,8 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package atomicfile
+
+//go:generate go run golang.org/x/sys/windows/mkwinsyscall -output zsyscall_windows.go mksyscall.go
+
+//sys replaceFileW(replaced *uint16, replacement *uint16, backup *uint16, flags uint32, exclude unsafe.Pointer, reserved unsafe.Pointer) (err error) [int32(failretval)==0] = kernel32.ReplaceFileW

atomicfile/zsyscall_windows.go

@@ -0,0 +1,52 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package atomicfile
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
+
+	procReplaceFileW = modkernel32.NewProc("ReplaceFileW")
+)
+
+func replaceFileW(replaced *uint16, replacement *uint16, backup *uint16, flags uint32, exclude unsafe.Pointer, reserved unsafe.Pointer) (err error) {
+	r1, _, e1 := syscall.SyscallN(procReplaceFileW.Addr(), uintptr(unsafe.Pointer(replaced)), uintptr(unsafe.Pointer(replacement)), uintptr(unsafe.Pointer(backup)), uintptr(flags), uintptr(exclude), uintptr(reserved))
+	if int32(r1) == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}

build_dist.sh

@@ -11,52 +11,51 @@
 
 set -eu
 
-IFS=".$IFS" read -r major minor patch <VERSION.txt
-git_hash=$(git rev-parse HEAD)
-if ! git diff-index --quiet HEAD; then
-	git_hash="${git_hash}-dirty"
+go="go"
+if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
+	go="./tool/go"
 fi
-base_hash=$(git rev-list --max-count=1 HEAD -- VERSION.txt)
-change_count=$(git rev-list --count HEAD "^$base_hash")
-short_hash=$(echo "$git_hash" | cut -c1-9)
 
-if expr "$minor" : "[0-9]*[13579]$" >/dev/null; then
-	patch="$change_count"
-	change_suffix=""
-elif [ "$change_count" != "0" ]; then
-	change_suffix="-$change_count"
-else
-	change_suffix=""
-fi
-
-long_suffix="$change_suffix-t$short_hash"
-MINOR="$major.$minor"
-SHORT="$MINOR.$patch"
-LONG="${SHORT}$long_suffix"
-GIT_HASH="$git_hash"
+eval `CGO_ENABLED=0 GOOS=$($go env GOHOSTOS) GOARCH=$($go env GOHOSTARCH) $go run ./cmd/mkversion`
 
-if [ "$1" = "shellvars" ]; then
+if [ "$#" -ge 1 ] && [ "$1" = "shellvars" ]; then
 	cat <<EOF
-VERSION_MINOR="$MINOR"
-VERSION_SHORT="$SHORT"
-VERSION_LONG="$LONG"
-VERSION_GIT_HASH="$GIT_HASH"
+VERSION_MINOR="$VERSION_MINOR"
+VERSION_SHORT="$VERSION_SHORT"
+VERSION_LONG="$VERSION_LONG"
+VERSION_GIT_HASH="$VERSION_GIT_HASH"
 EOF
 	exit 0
 fi
 
-tags=""
-ldflags="-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}"
+tags="${TAGS:-}"
+ldflags="-X tailscale.com/version.longStamp=${VERSION_LONG} -X tailscale.com/version.shortStamp=${VERSION_SHORT}"
 
 # build_dist.sh arguments must precede go build arguments.
 while [ "$#" -gt 1 ]; do
 	case "$1" in
 	--extra-small)
+		if [ ! -z "${TAGS:-}" ]; then
+			echo "set either --extra-small or \$TAGS, but not both"
+			exit 1
+		fi
+		shift
+		ldflags="$ldflags -w -s"
+		tags="${tags:+$tags,},$(GOOS= GOARCH= $go run ./cmd/featuretags --min --add=osrouter)"
+		;;
+	--min)
+	    # --min is like --extra-small but even smaller, removing all features,
+		# even if it results in a useless binary (e.g. removing both netstack +
+		# osrouter). It exists for benchmarking purposes only.
 		shift
 		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap"
+		tags="${tags:+$tags,},$(GOOS= GOARCH= $go run ./cmd/featuretags --min)"
 		;;
 	--box)
+		if [ ! -z "${TAGS:-}" ]; then
+			echo "set either --box or \$TAGS, but not both"
+			exit 1
+		fi
 		shift
 		tags="${tags:+$tags,}ts_include_cli"
 		;;
@@ -66,4 +65,4 @@ while [ "$#" -gt 1 ]; do
 	esac
 done
 
-exec ./tool/go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
+exec $go build ${tags:+-tags=$tags} -trimpath -ldflags "$ldflags" "$@"

build_docker.sh

@@ -1,71 +1,149 @@
 #!/usr/bin/env sh
-
 #
-# Runs `go build` with flags configured for docker distribution. All
-# it does differently from `go build` is burn git commit and version
-# information into the binaries inside docker, so that we can track down user
-# issues.
+# This script builds Tailscale container images using
+# github.com/tailscale/mkctr.
+# By default the images will be tagged with the current version and git
+# hash of this repository as produced by ./cmd/mkversion.
+# This is the image build mechanim used to build the official Tailscale
+# container images.
 #
-############################################################################
+# If you want to build local images for testing, you can use make, which provides few convenience wrappers around this script.
 #
-# WARNING: Tailscale is not yet officially supported in container
-# environments, such as Docker and Kubernetes. Though it should work, we
-# don't regularly test it, and we know there are some feature limitations.
+# To build a Tailscale image and push to the local docker registry:
+
+#   $ REPO=local/tailscale TAGS=v0.0.1 PLATFORM=local  make publishdevimage
 #
-# See current bugs tagged "containers":
-#    https://github.com/tailscale/tailscale/labels/containers
+# To build a Tailscale image and push to a remote docker registry:
 #
-############################################################################
+#   $ REPO=<your-registry>/<your-repo>/tailscale TAGS=v0.0.1  make publishdevimage
 
 set -eu
 
 # Use the "go" binary from the "tool" directory (which is github.com/tailscale/go)
-export PATH=$PWD/tool:$PATH
+export PATH="$PWD"/tool:"$PATH"
+
+eval "$(./build_dist.sh shellvars)"
 
-eval $(./build_dist.sh shellvars)
-DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
-DEFAULT_REPOS="tailscale/tailscale,ghcr.io/tailscale/tailscale"
-DEFAULT_BASE="ghcr.io/tailscale/alpine-base:3.16"
 DEFAULT_TARGET="client"
+DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
+DEFAULT_BASE="tailscale/alpine-base:3.22"
+# Set a few pre-defined OCI annotations. The source annotation is used by tools such as Renovate that scan the linked
+# Github repo to find release notes for any new image tags. Note that for official Tailscale images the default
+# annotations defined here will be overriden by release scripts that call this script.
+# https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
+DEFAULT_ANNOTATIONS="org.opencontainers.image.source=https://github.com/tailscale/tailscale/blob/main/build_docker.sh,org.opencontainers.image.vendor=Tailscale"
 
 PUSH="${PUSH:-false}"
-REPOS="${REPOS:-${DEFAULT_REPOS}}"
+TARGET="${TARGET:-${DEFAULT_TARGET}}"
 TAGS="${TAGS:-${DEFAULT_TAGS}}"
 BASE="${BASE:-${DEFAULT_BASE}}"
-TARGET="${TARGET:-${DEFAULT_TARGET}}"
+PLATFORM="${PLATFORM:-}" # default to all platforms
+FILES="${FILES:-}" # default to no extra files
+# OCI annotations that will be added to the image.
+# https://github.com/opencontainers/image-spec/blob/main/annotations.md
+ANNOTATIONS="${ANNOTATIONS:-${DEFAULT_ANNOTATIONS}}"
 
 case "$TARGET" in
   client)
+    DEFAULT_REPOS="tailscale/tailscale"
+    REPOS="${REPOS:-${DEFAULT_REPOS}}"
     go run github.com/tailscale/mkctr \
       --gopaths="\
         tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
         tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled, \
         tailscale.com/cmd/containerboot:/usr/local/bin/containerboot" \
       --ldflags="\
-        -X tailscale.com/version.Long=${VERSION_LONG} \
-        -X tailscale.com/version.Short=${VERSION_SHORT} \
-        -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
+        -X tailscale.com/version.longStamp=${VERSION_LONG} \
+        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
+        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
       --base="${BASE}" \
       --tags="${TAGS}" \
+      --gotags="ts_kube,ts_package_container" \
       --repos="${REPOS}" \
       --push="${PUSH}" \
+      --target="${PLATFORM}" \
+      --annotations="${ANNOTATIONS}" \
+      --files="${FILES}" \
       /usr/local/bin/containerboot
     ;;
-  operator)
+  k8s-operator)
+    DEFAULT_REPOS="tailscale/k8s-operator"
+    REPOS="${REPOS:-${DEFAULT_REPOS}}"
     go run github.com/tailscale/mkctr \
       --gopaths="tailscale.com/cmd/k8s-operator:/usr/local/bin/operator" \
       --ldflags="\
-        -X tailscale.com/version.Long=${VERSION_LONG} \
-        -X tailscale.com/version.Short=${VERSION_SHORT} \
-        -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
+        -X tailscale.com/version.longStamp=${VERSION_LONG} \
+        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
+        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
       --base="${BASE}" \
       --tags="${TAGS}" \
+      --gotags="ts_kube,ts_package_container" \
       --repos="${REPOS}" \
       --push="${PUSH}" \
+      --target="${PLATFORM}" \
+      --annotations="${ANNOTATIONS}" \
+      --files="${FILES}" \
       /usr/local/bin/operator
     ;;
+  k8s-nameserver)
+    DEFAULT_REPOS="tailscale/k8s-nameserver"
+    REPOS="${REPOS:-${DEFAULT_REPOS}}"
+    go run github.com/tailscale/mkctr \
+      --gopaths="tailscale.com/cmd/k8s-nameserver:/usr/local/bin/k8s-nameserver" \
+      --ldflags=" \
+        -X tailscale.com/version.longStamp=${VERSION_LONG} \
+        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
+        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
+      --base="${BASE}" \
+      --tags="${TAGS}" \
+      --gotags="ts_kube,ts_package_container" \
+      --repos="${REPOS}" \
+      --push="${PUSH}" \
+      --target="${PLATFORM}" \
+      --annotations="${ANNOTATIONS}" \
+      --files="${FILES}" \
+      /usr/local/bin/k8s-nameserver
+    ;;
+  tsidp)
+    DEFAULT_REPOS="tailscale/tsidp"
+    REPOS="${REPOS:-${DEFAULT_REPOS}}"
+    go run github.com/tailscale/mkctr \
+      --gopaths="tailscale.com/cmd/tsidp:/usr/local/bin/tsidp" \
+      --ldflags=" \
+        -X tailscale.com/version.longStamp=${VERSION_LONG} \
+        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
+        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
+      --base="${BASE}" \
+      --tags="${TAGS}" \
+      --gotags="ts_package_container" \
+      --repos="${REPOS}" \
+      --push="${PUSH}" \
+      --target="${PLATFORM}" \
+      --annotations="${ANNOTATIONS}" \
+      --files="${FILES}" \
+      /usr/local/bin/tsidp
+    ;;
+  k8s-proxy)
+    DEFAULT_REPOS="tailscale/k8s-proxy"
+    REPOS="${REPOS:-${DEFAULT_REPOS}}"
+    go run github.com/tailscale/mkctr \
+      --gopaths="tailscale.com/cmd/k8s-proxy:/usr/local/bin/k8s-proxy" \
+      --ldflags=" \
+        -X tailscale.com/version.longStamp=${VERSION_LONG} \
+        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
+        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
+      --base="${BASE}" \
+      --tags="${TAGS}" \
+      --gotags="ts_kube,ts_package_container" \
+      --repos="${REPOS}" \
+      --push="${PUSH}" \
+      --target="${PLATFORM}" \
+      --annotations="${ANNOTATIONS}" \
+      --files="${FILES}" \
+      /usr/local/bin/k8s-proxy
+    ;;
   *)
     echo "unknown target: $TARGET"
     exit 1
     ;;
-esac
+esac

chirp/chirp.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 // Package chirp implements a client to communicate with the BIRD Internet
 // Routing Daemon.

chirp/chirp_test.go

@@ -1,6 +1,6 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
 package chirp
 
 import (
@@ -24,7 +24,7 @@ type fakeBIRD struct {
 
 func newFakeBIRD(t *testing.T, protocols ...string) *fakeBIRD {
 	sock := filepath.Join(t.TempDir(), "sock")
-	l, err := net.Listen("unix", sock)
+	ln, err := net.Listen("unix", sock)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -33,7 +33,7 @@ func newFakeBIRD(t *testing.T, protocols ...string) *fakeBIRD {
 		pe[p] = false
 	}
 	return &fakeBIRD{
-		Listener:         l,
+		Listener:         ln,
 		protocolsEnabled: pe,
 		sock:             sock,
 	}
@@ -123,12 +123,12 @@ type hangingListener struct {
 
 func newHangingListener(t *testing.T) *hangingListener {
 	sock := filepath.Join(t.TempDir(), "sock")
-	l, err := net.Listen("unix", sock)
+	ln, err := net.Listen("unix", sock)
 	if err != nil {
 		t.Fatal(err)
 	}
 	return &hangingListener{
-		Listener: l,
+		Listener: ln,
 		t:        t,
 		done:     make(chan struct{}),
 		sock:     sock,

client/local/cert.go

@@ -0,0 +1,151 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !js && !ts_omit_acme
+
+package local
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net/url"
+	"strings"
+	"time"
+
+	"go4.org/mem"
+)
+
+// SetDNS adds a DNS TXT record for the given domain name, containing
+// the provided TXT value. The intended use case is answering
+// LetsEncrypt/ACME dns-01 challenges.
+//
+// The control plane will only permit SetDNS requests with very
+// specific names and values. The name should be
+// "_acme-challenge." + your node's MagicDNS name. It's expected that
+// clients cache the certs from LetsEncrypt (or whichever CA is
+// providing them) and only request new ones as needed; the control plane
+// rate limits SetDNS requests.
+//
+// This is a low-level interface; it's expected that most Tailscale
+// users use a higher level interface to getting/using TLS
+// certificates.
+func (lc *Client) SetDNS(ctx context.Context, name, value string) error {
+	v := url.Values{}
+	v.Set("name", name)
+	v.Set("value", value)
+	_, err := lc.send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
+	return err
+}
+
+// CertPair returns a cert and private key for the provided DNS domain.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// Deprecated: use [Client.CertPair].
+func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
+	return defaultClient.CertPair(ctx, domain)
+}
+
+// CertPair returns a cert and private key for the provided DNS domain.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// API maturity: this is considered a stable API.
+func (lc *Client) CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
+	return lc.CertPairWithValidity(ctx, domain, 0)
+}
+
+// CertPairWithValidity returns a cert and private key for the provided DNS
+// domain.
+//
+// It returns a cached certificate from disk if it's still valid.
+// When minValidity is non-zero, the returned certificate will be valid for at
+// least the given duration, if permitted by the CA. If the certificate is
+// valid, but for less than minValidity, it will be synchronously renewed.
+//
+// API maturity: this is considered a stable API.
+func (lc *Client) CertPairWithValidity(ctx context.Context, domain string, minValidity time.Duration) (certPEM, keyPEM []byte, err error) {
+	res, err := lc.send(ctx, "GET", fmt.Sprintf("/localapi/v0/cert/%s?type=pair&min_validity=%s", domain, minValidity), 200, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	// with ?type=pair, the response PEM is first the one private
+	// key PEM block, then the cert PEM blocks.
+	i := mem.Index(mem.B(res), mem.S("--\n--"))
+	if i == -1 {
+		return nil, nil, fmt.Errorf("unexpected output: no delimiter")
+	}
+	i += len("--\n")
+	keyPEM, certPEM = res[:i], res[i:]
+	if mem.Contains(mem.B(certPEM), mem.S(" PRIVATE KEY-----")) {
+		return nil, nil, fmt.Errorf("unexpected output: key in cert")
+	}
+	return certPEM, keyPEM, nil
+}
+
+// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// It's the right signature to use as the value of
+// [tls.Config.GetCertificate].
+//
+// Deprecated: use [Client.GetCertificate].
+func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	return defaultClient.GetCertificate(hi)
+}
+
+// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// It's the right signature to use as the value of
+// [tls.Config.GetCertificate].
+//
+// API maturity: this is considered a stable API.
+func (lc *Client) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if hi == nil || hi.ServerName == "" {
+		return nil, errors.New("no SNI ServerName")
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+
+	name := hi.ServerName
+	if !strings.Contains(name, ".") {
+		if v, ok := lc.ExpandSNIName(ctx, name); ok {
+			name = v
+		}
+	}
+	certPEM, keyPEM, err := lc.CertPair(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+	cert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return nil, err
+	}
+	return &cert, nil
+}
+
+// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
+//
+// Deprecated: use [Client.ExpandSNIName].
+func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
+	return defaultClient.ExpandSNIName(ctx, name)
+}
+
+// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
+func (lc *Client) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
+	st, err := lc.StatusWithoutPeers(ctx)
+	if err != nil {
+		return "", false
+	}
+	for _, d := range st.CertDomains {
+		if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
+			return d, true
+		}
+	}
+	return "", false
+}

client/local/debugportmapper.go

@@ -0,0 +1,84 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !ts_omit_debugportmapper
+
+package local
+
+import (
+	"cmp"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/netip"
+	"net/url"
+	"strconv"
+	"time"
+
+	"tailscale.com/client/tailscale/apitype"
+)
+
+// DebugPortmapOpts contains options for the [Client.DebugPortmap] command.
+type DebugPortmapOpts struct {
+	// Duration is how long the mapping should be created for. It defaults
+	// to 5 seconds if not set.
+	Duration time.Duration
+
+	// Type is the kind of portmap to debug. The empty string instructs the
+	// portmap client to perform all known types. Other valid options are
+	// "pmp", "pcp", and "upnp".
+	Type string
+
+	// GatewayAddr specifies the gateway address used during portmapping.
+	// If set, SelfAddr must also be set. If unset, it will be
+	// autodetected.
+	GatewayAddr netip.Addr
+
+	// SelfAddr specifies the gateway address used during portmapping. If
+	// set, GatewayAddr must also be set. If unset, it will be
+	// autodetected.
+	SelfAddr netip.Addr
+
+	// LogHTTP instructs the debug-portmap endpoint to print all HTTP
+	// requests and responses made to the logs.
+	LogHTTP bool
+}
+
+// DebugPortmap invokes the debug-portmap endpoint, and returns an
+// io.ReadCloser that can be used to read the logs that are printed during this
+// process.
+//
+// opts can be nil; if so, default values will be used.
+func (lc *Client) DebugPortmap(ctx context.Context, opts *DebugPortmapOpts) (io.ReadCloser, error) {
+	vals := make(url.Values)
+	if opts == nil {
+		opts = &DebugPortmapOpts{}
+	}
+
+	vals.Set("duration", cmp.Or(opts.Duration, 5*time.Second).String())
+	vals.Set("type", opts.Type)
+	vals.Set("log_http", strconv.FormatBool(opts.LogHTTP))
+
+	if opts.GatewayAddr.IsValid() != opts.SelfAddr.IsValid() {
+		return nil, fmt.Errorf("both GatewayAddr and SelfAddr must be provided if one is")
+	} else if opts.GatewayAddr.IsValid() {
+		vals.Set("gateway_and_self", fmt.Sprintf("%s/%s", opts.GatewayAddr, opts.SelfAddr))
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+apitype.LocalAPIHost+"/localapi/v0/debug-portmap?"+vals.Encode(), nil)
+	if err != nil {
+		return nil, err
+	}
+	res, err := lc.doLocalRequestNiceError(req)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("HTTP %s: %s", res.Status, body)
+	}
+
+	return res.Body, nil
+}

client/local/local_test.go

@@ -0,0 +1,74 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build go1.19
+
+package local
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"testing"
+
+	"tailscale.com/tstest/deptest"
+	"tailscale.com/tstest/nettest"
+	"tailscale.com/types/key"
+)
+
+func TestGetServeConfigFromJSON(t *testing.T) {
+	sc, err := getServeConfigFromJSON([]byte("null"))
+	if sc != nil {
+		t.Errorf("want nil for null")
+	}
+	if err != nil {
+		t.Errorf("reading null: %v", err)
+	}
+
+	sc, err = getServeConfigFromJSON([]byte(`{"TCP":{}}`))
+	if err != nil {
+		t.Errorf("reading object: %v", err)
+	} else if sc == nil {
+		t.Errorf("want non-nil for object")
+	} else if sc.TCP == nil {
+		t.Errorf("want non-nil TCP for object")
+	}
+}
+
+func TestWhoIsPeerNotFound(t *testing.T) {
+	nw := nettest.GetNetwork(t)
+	ts := nettest.NewHTTPServer(nw, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(404)
+	}))
+	defer ts.Close()
+
+	lc := &Client{
+		Dial: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			return nw.Dial(ctx, network, ts.Listener.Addr().String())
+		},
+	}
+	var k key.NodePublic
+	if err := k.UnmarshalText([]byte("nodekey:5c8f86d5fc70d924e55f02446165a5dae8f822994ad26bcf4b08fd841f9bf261")); err != nil {
+		t.Fatal(err)
+	}
+	res, err := lc.WhoIsNodeKey(context.Background(), k)
+	if err != ErrPeerNotFound {
+		t.Errorf("got (%v, %v), want ErrPeerNotFound", res, err)
+	}
+	res, err = lc.WhoIs(context.Background(), "1.2.3.4:5678")
+	if err != ErrPeerNotFound {
+		t.Errorf("got (%v, %v), want ErrPeerNotFound", res, err)
+	}
+}
+
+func TestDeps(t *testing.T) {
+	deptest.DepChecker{
+		BadDeps: map[string]string{
+			// Make sure we don't again accidentally bring in a dependency on
+			// drive or its transitive dependencies
+			"testing":                        "do not use testing package in production code",
+			"tailscale.com/drive/driveimpl":  "https://github.com/tailscale/tailscale/pull/10631",
+			"github.com/studio-b12/gowebdav": "https://github.com/tailscale/tailscale/pull/10631",
+		},
+	}.Check(t)
+}

client/local/serve.go

@@ -0,0 +1,55 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !ts_omit_serve
+
+package local
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"tailscale.com/ipn"
+)
+
+// GetServeConfig return the current serve config.
+//
+// If the serve config is empty, it returns (nil, nil).
+func (lc *Client) GetServeConfig(ctx context.Context) (*ipn.ServeConfig, error) {
+	body, h, err := lc.sendWithHeaders(ctx, "GET", "/localapi/v0/serve-config", 200, nil, nil)
+	if err != nil {
+		return nil, fmt.Errorf("getting serve config: %w", err)
+	}
+	sc, err := getServeConfigFromJSON(body)
+	if err != nil {
+		return nil, err
+	}
+	if sc == nil {
+		sc = new(ipn.ServeConfig)
+	}
+	sc.ETag = h.Get("Etag")
+	return sc, nil
+}
+
+func getServeConfigFromJSON(body []byte) (sc *ipn.ServeConfig, err error) {
+	if err := json.Unmarshal(body, &sc); err != nil {
+		return nil, err
+	}
+	return sc, nil
+}
+
+// SetServeConfig sets or replaces the serving settings.
+// If config is nil, settings are cleared and serving is disabled.
+func (lc *Client) SetServeConfig(ctx context.Context, config *ipn.ServeConfig) error {
+	h := make(http.Header)
+	if config != nil {
+		h.Set("If-Match", config.ETag)
+	}
+	_, _, err := lc.sendWithHeaders(ctx, "POST", "/localapi/v0/serve-config", 200, jsonBody(config), h)
+	if err != nil {
+		return fmt.Errorf("sending serve config: %w", err)
+	}
+	return nil
+}

client/local/syspolicy.go

@@ -0,0 +1,40 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !ts_omit_syspolicy
+
+package local
+
+import (
+	"context"
+	"net/http"
+
+	"tailscale.com/util/syspolicy/setting"
+)
+
+// GetEffectivePolicy returns the effective policy for the specified scope.
+func (lc *Client) GetEffectivePolicy(ctx context.Context, scope setting.PolicyScope) (*setting.Snapshot, error) {
+	scopeID, err := scope.MarshalText()
+	if err != nil {
+		return nil, err
+	}
+	body, err := lc.get200(ctx, "/localapi/v0/policy/"+string(scopeID))
+	if err != nil {
+		return nil, err
+	}
+	return decodeJSON[*setting.Snapshot](body)
+}
+
+// ReloadEffectivePolicy reloads the effective policy for the specified scope
+// by reading and merging policy settings from all applicable policy sources.
+func (lc *Client) ReloadEffectivePolicy(ctx context.Context, scope setting.PolicyScope) (*setting.Snapshot, error) {
+	scopeID, err := scope.MarshalText()
+	if err != nil {
+		return nil, err
+	}
+	body, err := lc.send(ctx, "POST", "/localapi/v0/policy/"+string(scopeID), 200, http.NoBody)
+	if err != nil {
+		return nil, err
+	}
+	return decodeJSON[*setting.Snapshot](body)
+}

client/local/tailnetlock.go

@@ -0,0 +1,204 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !ts_omit_tailnetlock
+
+package local
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/url"
+
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tka"
+	"tailscale.com/types/key"
+	"tailscale.com/types/tkatype"
+)
+
+// NetworkLockStatus fetches information about the tailnet key authority, if one is configured.
+func (lc *Client) NetworkLockStatus(ctx context.Context) (*ipnstate.NetworkLockStatus, error) {
+	body, err := lc.send(ctx, "GET", "/localapi/v0/tka/status", 200, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error: %w", err)
+	}
+	return decodeJSON[*ipnstate.NetworkLockStatus](body)
+}
+
+// NetworkLockInit initializes the tailnet key authority.
+//
+// TODO(tom): Plumb through disablement secrets.
+func (lc *Client) NetworkLockInit(ctx context.Context, keys []tka.Key, disablementValues [][]byte, supportDisablement []byte) (*ipnstate.NetworkLockStatus, error) {
+	var b bytes.Buffer
+	type initRequest struct {
+		Keys               []tka.Key
+		DisablementValues  [][]byte
+		SupportDisablement []byte
+	}
+
+	if err := json.NewEncoder(&b).Encode(initRequest{Keys: keys, DisablementValues: disablementValues, SupportDisablement: supportDisablement}); err != nil {
+		return nil, err
+	}
+
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/init", 200, &b)
+	if err != nil {
+		return nil, fmt.Errorf("error: %w", err)
+	}
+	return decodeJSON[*ipnstate.NetworkLockStatus](body)
+}
+
+// NetworkLockWrapPreauthKey wraps a pre-auth key with information to
+// enable unattended bringup in the locked tailnet.
+func (lc *Client) NetworkLockWrapPreauthKey(ctx context.Context, preauthKey string, tkaKey key.NLPrivate) (string, error) {
+	encodedPrivate, err := tkaKey.MarshalText()
+	if err != nil {
+		return "", err
+	}
+
+	var b bytes.Buffer
+	type wrapRequest struct {
+		TSKey  string
+		TKAKey string // key.NLPrivate.MarshalText
+	}
+	if err := json.NewEncoder(&b).Encode(wrapRequest{TSKey: preauthKey, TKAKey: string(encodedPrivate)}); err != nil {
+		return "", err
+	}
+
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/wrap-preauth-key", 200, &b)
+	if err != nil {
+		return "", fmt.Errorf("error: %w", err)
+	}
+	return string(body), nil
+}
+
+// NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
+func (lc *Client) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) error {
+	var b bytes.Buffer
+	type modifyRequest struct {
+		AddKeys    []tka.Key
+		RemoveKeys []tka.Key
+	}
+
+	if err := json.NewEncoder(&b).Encode(modifyRequest{AddKeys: addKeys, RemoveKeys: removeKeys}); err != nil {
+		return err
+	}
+
+	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 204, &b); err != nil {
+		return fmt.Errorf("error: %w", err)
+	}
+	return nil
+}
+
+// NetworkLockSign signs the specified node-key and transmits that signature to the control plane.
+// rotationPublic, if specified, must be an ed25519 public key.
+func (lc *Client) NetworkLockSign(ctx context.Context, nodeKey key.NodePublic, rotationPublic []byte) error {
+	var b bytes.Buffer
+	type signRequest struct {
+		NodeKey        key.NodePublic
+		RotationPublic []byte
+	}
+
+	if err := json.NewEncoder(&b).Encode(signRequest{NodeKey: nodeKey, RotationPublic: rotationPublic}); err != nil {
+		return err
+	}
+
+	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/sign", 200, &b); err != nil {
+		return fmt.Errorf("error: %w", err)
+	}
+	return nil
+}
+
+// NetworkLockAffectedSigs returns all signatures signed by the specified keyID.
+func (lc *Client) NetworkLockAffectedSigs(ctx context.Context, keyID tkatype.KeyID) ([]tkatype.MarshaledSignature, error) {
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/affected-sigs", 200, bytes.NewReader(keyID))
+	if err != nil {
+		return nil, fmt.Errorf("error: %w", err)
+	}
+	return decodeJSON[[]tkatype.MarshaledSignature](body)
+}
+
+// NetworkLockLog returns up to maxEntries number of changes to network-lock state.
+func (lc *Client) NetworkLockLog(ctx context.Context, maxEntries int) ([]ipnstate.NetworkLockUpdate, error) {
+	v := url.Values{}
+	v.Set("limit", fmt.Sprint(maxEntries))
+	body, err := lc.send(ctx, "GET", "/localapi/v0/tka/log?"+v.Encode(), 200, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error %w: %s", err, body)
+	}
+	return decodeJSON[[]ipnstate.NetworkLockUpdate](body)
+}
+
+// NetworkLockForceLocalDisable forcibly shuts down network lock on this node.
+func (lc *Client) NetworkLockForceLocalDisable(ctx context.Context) error {
+	// This endpoint expects an empty JSON stanza as the payload.
+	var b bytes.Buffer
+	if err := json.NewEncoder(&b).Encode(struct{}{}); err != nil {
+		return err
+	}
+
+	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/force-local-disable", 200, &b); err != nil {
+		return fmt.Errorf("error: %w", err)
+	}
+	return nil
+}
+
+// NetworkLockVerifySigningDeeplink verifies the network lock deeplink contained
+// in url and returns information extracted from it.
+func (lc *Client) NetworkLockVerifySigningDeeplink(ctx context.Context, url string) (*tka.DeeplinkValidationResult, error) {
+	vr := struct {
+		URL string
+	}{url}
+
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/verify-deeplink", 200, jsonBody(vr))
+	if err != nil {
+		return nil, fmt.Errorf("sending verify-deeplink: %w", err)
+	}
+
+	return decodeJSON[*tka.DeeplinkValidationResult](body)
+}
+
+// NetworkLockGenRecoveryAUM generates an AUM for recovering from a tailnet-lock key compromise.
+func (lc *Client) NetworkLockGenRecoveryAUM(ctx context.Context, removeKeys []tkatype.KeyID, forkFrom tka.AUMHash) ([]byte, error) {
+	vr := struct {
+		Keys     []tkatype.KeyID
+		ForkFrom string
+	}{removeKeys, forkFrom.String()}
+
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/generate-recovery-aum", 200, jsonBody(vr))
+	if err != nil {
+		return nil, fmt.Errorf("sending generate-recovery-aum: %w", err)
+	}
+
+	return body, nil
+}
+
+// NetworkLockCosignRecoveryAUM co-signs a recovery AUM using the node's tailnet lock key.
+func (lc *Client) NetworkLockCosignRecoveryAUM(ctx context.Context, aum tka.AUM) ([]byte, error) {
+	r := bytes.NewReader(aum.Serialize())
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/cosign-recovery-aum", 200, r)
+	if err != nil {
+		return nil, fmt.Errorf("sending cosign-recovery-aum: %w", err)
+	}
+
+	return body, nil
+}
+
+// NetworkLockSubmitRecoveryAUM submits a recovery AUM to the control plane.
+func (lc *Client) NetworkLockSubmitRecoveryAUM(ctx context.Context, aum tka.AUM) error {
+	r := bytes.NewReader(aum.Serialize())
+	_, err := lc.send(ctx, "POST", "/localapi/v0/tka/submit-recovery-aum", 200, r)
+	if err != nil {
+		return fmt.Errorf("sending cosign-recovery-aum: %w", err)
+	}
+	return nil
+}
+
+// NetworkLockDisable shuts down network-lock across the tailnet.
+func (lc *Client) NetworkLockDisable(ctx context.Context, secret []byte) error {
+	if _, err := lc.send(ctx, "POST", "/localapi/v0/tka/disable", 200, bytes.NewReader(secret)); err != nil {
+		return fmt.Errorf("error: %w", err)
+	}
+	return nil
+}

client/systray/logo.go

@@ -0,0 +1,327 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build cgo || !darwin
+
+package systray
+
+import (
+	"bytes"
+	"context"
+	"image"
+	"image/color"
+	"image/png"
+	"runtime"
+	"sync"
+	"time"
+
+	"fyne.io/systray"
+	ico "github.com/Kodeworks/golang-image-ico"
+	"github.com/fogleman/gg"
+)
+
+// tsLogo represents the Tailscale logo displayed as the systray icon.
+type tsLogo struct {
+	// dots represents the state of the 3x3 dot grid in the logo.
+	// A 0 represents a gray dot, any other value is a white dot.
+	dots [9]byte
+
+	// dotMask returns an image mask to be used when rendering the logo dots.
+	dotMask func(dc *gg.Context, borderUnits int, radius int) *image.Alpha
+
+	// overlay is called after the dots are rendered to draw an additional overlay.
+	overlay func(dc *gg.Context, borderUnits int, radius int)
+}
+
+var (
+	// disconnected is all gray dots
+	disconnected = tsLogo{dots: [9]byte{
+		0, 0, 0,
+		0, 0, 0,
+		0, 0, 0,
+	}}
+
+	// connected is the normal Tailscale logo
+	connected = tsLogo{dots: [9]byte{
+		0, 0, 0,
+		1, 1, 1,
+		0, 1, 0,
+	}}
+
+	// loading is a special tsLogo value that is not meant to be rendered directly,
+	// but indicates that the loading animation should be shown.
+	loading = tsLogo{dots: [9]byte{'l', 'o', 'a', 'd', 'i', 'n', 'g'}}
+
+	// loadingIcons are shown in sequence as an animated loading icon.
+	loadingLogos = []tsLogo{
+		{dots: [9]byte{
+			0, 1, 1,
+			1, 0, 1,
+			0, 0, 1,
+		}},
+		{dots: [9]byte{
+			0, 1, 1,
+			0, 0, 1,
+			0, 1, 0,
+		}},
+		{dots: [9]byte{
+			0, 1, 1,
+			0, 0, 0,
+			0, 0, 1,
+		}},
+		{dots: [9]byte{
+			0, 0, 1,
+			0, 1, 0,
+			0, 0, 0,
+		}},
+		{dots: [9]byte{
+			0, 1, 0,
+			0, 0, 0,
+			0, 0, 0,
+		}},
+		{dots: [9]byte{
+			0, 0, 0,
+			0, 0, 1,
+			0, 0, 0,
+		}},
+		{dots: [9]byte{
+			0, 0, 0,
+			0, 0, 0,
+			0, 0, 0,
+		}},
+		{dots: [9]byte{
+			0, 0, 1,
+			0, 0, 0,
+			0, 0, 0,
+		}},
+		{dots: [9]byte{
+			0, 0, 0,
+			0, 0, 0,
+			1, 0, 0,
+		}},
+		{dots: [9]byte{
+			0, 0, 0,
+			0, 0, 0,
+			1, 1, 0,
+		}},
+		{dots: [9]byte{
+			0, 0, 0,
+			1, 0, 0,
+			1, 1, 0,
+		}},
+		{dots: [9]byte{
+			0, 0, 0,
+			1, 1, 0,
+			0, 1, 0,
+		}},
+		{dots: [9]byte{
+			0, 0, 0,
+			1, 1, 0,
+			0, 1, 1,
+		}},
+		{dots: [9]byte{
+			0, 0, 0,
+			1, 1, 1,
+			0, 0, 1,
+		}},
+		{dots: [9]byte{
+			0, 1, 0,
+			0, 1, 1,
+			1, 0, 1,
+		}},
+	}
+
+	// exitNodeOnline is the Tailscale logo with an additional arrow overlay in the corner.
+	exitNodeOnline = tsLogo{
+		dots: [9]byte{
+			0, 0, 0,
+			1, 1, 1,
+			0, 1, 0,
+		},
+		// draw an arrow mask in the bottom right corner with a reasonably thick line width.
+		dotMask: func(dc *gg.Context, borderUnits int, radius int) *image.Alpha {
+			bu, r := float64(borderUnits), float64(radius)
+
+			x1 := r * (bu + 3.5)
+			y := r * (bu + 7)
+			x2 := x1 + (r * 5)
+
+			mc := gg.NewContext(dc.Width(), dc.Height())
+			mc.DrawLine(x1, y, x2, y)                 // arrow center line
+			mc.DrawLine(x2-(1.5*r), y-(1.5*r), x2, y) // top of arrow tip
+			mc.DrawLine(x2-(1.5*r), y+(1.5*r), x2, y) // bottom of arrow tip
+			mc.SetLineWidth(r * 3)
+			mc.Stroke()
+			return mc.AsMask()
+		},
+		// draw an arrow in the bottom right corner over the masked area.
+		overlay: func(dc *gg.Context, borderUnits int, radius int) {
+			bu, r := float64(borderUnits), float64(radius)
+
+			x1 := r * (bu + 3.5)
+			y := r * (bu + 7)
+			x2 := x1 + (r * 5)
+
+			dc.DrawLine(x1, y, x2, y)                 // arrow center line
+			dc.DrawLine(x2-(1.5*r), y-(1.5*r), x2, y) // top of arrow tip
+			dc.DrawLine(x2-(1.5*r), y+(1.5*r), x2, y) // bottom of arrow tip
+			dc.SetColor(fg)
+			dc.SetLineWidth(r)
+			dc.Stroke()
+		},
+	}
+
+	// exitNodeOffline is the Tailscale logo with a red "x" in the corner.
+	exitNodeOffline = tsLogo{
+		dots: [9]byte{
+			0, 0, 0,
+			1, 1, 1,
+			0, 1, 0,
+		},
+		// Draw a square that hides the four dots in the bottom right corner,
+		dotMask: func(dc *gg.Context, borderUnits int, radius int) *image.Alpha {
+			bu, r := float64(borderUnits), float64(radius)
+			x := r * (bu + 3)
+
+			mc := gg.NewContext(dc.Width(), dc.Height())
+			mc.DrawRectangle(x, x, r*6, r*6)
+			mc.Fill()
+			return mc.AsMask()
+		},
+		// draw a red "x" over the bottom right corner.
+		overlay: func(dc *gg.Context, borderUnits int, radius int) {
+			bu, r := float64(borderUnits), float64(radius)
+
+			x1 := r * (bu + 4)
+			x2 := x1 + (r * 3.5)
+			dc.DrawLine(x1, x1, x2, x2) // top-left to bottom-right stroke
+			dc.DrawLine(x1, x2, x2, x1) // bottom-left to top-right stroke
+			dc.SetColor(red)
+			dc.SetLineWidth(r)
+			dc.Stroke()
+		},
+	}
+)
+
+var (
+	bg   = color.NRGBA{0, 0, 0, 255}
+	fg   = color.NRGBA{255, 255, 255, 255}
+	gray = color.NRGBA{255, 255, 255, 102}
+	red  = color.NRGBA{229, 111, 74, 255}
+)
+
+// render returns a PNG image of the logo.
+func (logo tsLogo) render() *bytes.Buffer {
+	const borderUnits = 1
+	return logo.renderWithBorder(borderUnits)
+}
+
+// renderWithBorder returns a PNG image of the logo with the specified border width.
+// One border unit is equal to the radius of a tailscale logo dot.
+func (logo tsLogo) renderWithBorder(borderUnits int) *bytes.Buffer {
+	const radius = 25
+	dim := radius * (8 + borderUnits*2)
+
+	dc := gg.NewContext(dim, dim)
+	dc.DrawRectangle(0, 0, float64(dim), float64(dim))
+	dc.SetColor(bg)
+	dc.Fill()
+
+	if logo.dotMask != nil {
+		mask := logo.dotMask(dc, borderUnits, radius)
+		dc.SetMask(mask)
+		dc.InvertMask()
+	}
+
+	for y := 0; y < 3; y++ {
+		for x := 0; x < 3; x++ {
+			px := (borderUnits + 1 + 3*x) * radius
+			py := (borderUnits + 1 + 3*y) * radius
+			col := fg
+			if logo.dots[y*3+x] == 0 {
+				col = gray
+			}
+			dc.DrawCircle(float64(px), float64(py), radius)
+			dc.SetColor(col)
+			dc.Fill()
+		}
+	}
+
+	if logo.overlay != nil {
+		dc.ResetClip()
+		logo.overlay(dc, borderUnits, radius)
+	}
+
+	b := bytes.NewBuffer(nil)
+
+	// Encode as ICO format on Windows, PNG on all other platforms.
+	if runtime.GOOS == "windows" {
+		_ = ico.Encode(b, dc.Image())
+	} else {
+		_ = png.Encode(b, dc.Image())
+	}
+	return b
+}
+
+// setAppIcon renders logo and sets it as the systray icon.
+func setAppIcon(icon tsLogo) {
+	if icon.dots == loading.dots {
+		startLoadingAnimation()
+	} else {
+		stopLoadingAnimation()
+		systray.SetIcon(icon.render().Bytes())
+	}
+}
+
+var (
+	loadingMu sync.Mutex // protects loadingCancel
+
+	// loadingCancel stops the loading animation in the systray icon.
+	// This is nil if the animation is not currently active.
+	loadingCancel func()
+)
+
+// startLoadingAnimation starts the animated loading icon in the system tray.
+// The animation continues until [stopLoadingAnimation] is called.
+// If the loading animation is already active, this func does nothing.
+func startLoadingAnimation() {
+	loadingMu.Lock()
+	defer loadingMu.Unlock()
+
+	if loadingCancel != nil {
+		// loading icon already displayed
+		return
+	}
+
+	ctx := context.Background()
+	ctx, loadingCancel = context.WithCancel(ctx)
+
+	go func() {
+		t := time.NewTicker(500 * time.Millisecond)
+		var i int
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-t.C:
+				systray.SetIcon(loadingLogos[i].render().Bytes())
+				i++
+				if i >= len(loadingLogos) {
+					i = 0
+				}
+			}
+		}
+	}()
+}
+
+// stopLoadingAnimation stops the animated loading icon in the system tray.
+// If the loading animation is not currently active, this func does nothing.
+func stopLoadingAnimation() {
+	loadingMu.Lock()
+	defer loadingMu.Unlock()
+
+	if loadingCancel != nil {
+		loadingCancel()
+		loadingCancel = nil
+	}
+}

client/systray/startup-creator.go

@@ -0,0 +1,76 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build cgo || !darwin
+
+// Package systray provides a minimal Tailscale systray application.
+package systray
+
+import (
+	"bufio"
+	"bytes"
+	_ "embed"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+)
+
+//go:embed tailscale-systray.service
+var embedSystemd string
+
+func InstallStartupScript(initSystem string) error {
+	switch initSystem {
+	case "systemd":
+		return installSystemd()
+	default:
+		return fmt.Errorf("unsupported init system '%s'", initSystem)
+	}
+}
+
+func installSystemd() error {
+	// Find the path to tailscale, just in case it's not where the example file
+	// has it placed, and replace that before writing the file.
+	tailscaleBin, err := exec.LookPath("tailscale")
+	if err != nil {
+		return fmt.Errorf("failed to find tailscale binary %w", err)
+	}
+
+	var output bytes.Buffer
+	scanner := bufio.NewScanner(strings.NewReader(embedSystemd))
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.HasPrefix(line, "ExecStart=") {
+			line = fmt.Sprintf("ExecStart=%s systray", tailscaleBin)
+		}
+		output.WriteString(line + "\n")
+	}
+
+	configDir, err := os.UserConfigDir()
+	if err != nil {
+		homeDir, err := os.UserHomeDir()
+		if err != nil {
+			return fmt.Errorf("unable to locate user home: %w", err)
+		}
+		configDir = filepath.Join(homeDir, ".config")
+	}
+
+	systemdDir := filepath.Join(configDir, "systemd", "user")
+	if err := os.MkdirAll(systemdDir, 0o755); err != nil {
+		return fmt.Errorf("failed creating systemd uuser dir: %w", err)
+	}
+
+	serviceFile := filepath.Join(systemdDir, "tailscale-systray.service")
+
+	if err := os.WriteFile(serviceFile, output.Bytes(), 0o755); err != nil {
+		return fmt.Errorf("failed writing systemd user service: %w", err)
+	}
+
+	fmt.Printf("Successfully installed systemd service to: %s\n", serviceFile)
+	fmt.Println("To enable and start the service, run:")
+	fmt.Println("  systemctl --user daemon-reload")
+	fmt.Println("  systemctl --user enable --now tailscale-systray")
+
+	return nil
+}

client/systray/systray.go

@@ -0,0 +1,801 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build cgo || !darwin
+
+// Package systray provides a minimal Tailscale systray application.
+package systray
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"image"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"runtime"
+	"slices"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"fyne.io/systray"
+	ico "github.com/Kodeworks/golang-image-ico"
+	"github.com/atotto/clipboard"
+	dbus "github.com/godbus/dbus/v5"
+	"github.com/toqueteos/webbrowser"
+	"tailscale.com/client/local"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
+	"tailscale.com/util/slicesx"
+	"tailscale.com/util/stringsx"
+)
+
+var (
+	// newMenuDelay is the amount of time to sleep after creating a new menu,
+	// but before adding items to it. This works around a bug in some dbus implementations.
+	newMenuDelay time.Duration
+
+	// if true, treat all mullvad exit node countries as single-city.
+	// Instead of rendering a submenu with cities, just select the highest-priority peer.
+	hideMullvadCities bool
+)
+
+// Run starts the systray menu and blocks until the menu exits.
+// If client is nil, a default local.Client is used.
+func (menu *Menu) Run(client *local.Client) {
+	if client == nil {
+		client = &local.Client{}
+	}
+	menu.lc = client
+	menu.updateState()
+
+	// exit cleanly on SIGINT and SIGTERM
+	go func() {
+		interrupt := make(chan os.Signal, 1)
+		signal.Notify(interrupt, syscall.SIGINT, syscall.SIGTERM)
+		select {
+		case <-interrupt:
+			menu.onExit()
+		case <-menu.bgCtx.Done():
+		}
+	}()
+	go menu.lc.SetGauge(menu.bgCtx, "systray_running", 1)
+	defer menu.lc.SetGauge(menu.bgCtx, "systray_running", 0)
+
+	systray.Run(menu.onReady, menu.onExit)
+}
+
+// Menu represents the systray menu, its items, and the current Tailscale state.
+type Menu struct {
+	mu sync.Mutex // protects the entire Menu
+
+	lc          *local.Client
+	status      *ipnstate.Status
+	curProfile  ipn.LoginProfile
+	allProfiles []ipn.LoginProfile
+
+	// readonly is whether the systray app is running in read-only mode.
+	// This is set if LocalAPI returns a permission error,
+	// typically because the user needs to run `tailscale set --operator=$USER`.
+	readonly bool
+
+	bgCtx    context.Context // ctx for background tasks not involving menu item clicks
+	bgCancel context.CancelFunc
+
+	// Top-level menu items
+	connect     *systray.MenuItem
+	disconnect  *systray.MenuItem
+	self        *systray.MenuItem
+	exitNodes   *systray.MenuItem
+	more        *systray.MenuItem
+	rebuildMenu *systray.MenuItem
+	quit        *systray.MenuItem
+
+	rebuildCh  chan struct{} // triggers a menu rebuild
+	accountsCh chan ipn.ProfileID
+	exitNodeCh chan tailcfg.StableNodeID // ID of selected exit node
+
+	eventCancel context.CancelFunc // cancel eventLoop
+
+	notificationIcon *os.File // icon used for desktop notifications
+}
+
+func (menu *Menu) init() {
+	if menu.bgCtx != nil {
+		// already initialized
+		return
+	}
+
+	menu.rebuildCh = make(chan struct{}, 1)
+	menu.accountsCh = make(chan ipn.ProfileID)
+	menu.exitNodeCh = make(chan tailcfg.StableNodeID)
+
+	// dbus wants a file path for notification icons, so copy to a temp file.
+	menu.notificationIcon, _ = os.CreateTemp("", "tailscale-systray.png")
+	io.Copy(menu.notificationIcon, connected.renderWithBorder(3))
+
+	menu.bgCtx, menu.bgCancel = context.WithCancel(context.Background())
+	go menu.watchIPNBus()
+}
+
+func init() {
+	if runtime.GOOS != "linux" {
+		// so far, these tweaks are only needed on Linux
+		return
+	}
+
+	desktop := strings.ToLower(os.Getenv("XDG_CURRENT_DESKTOP"))
+	switch desktop {
+	case "gnome", "ubuntu:gnome":
+		// GNOME expands submenus downward in the main menu, rather than flyouts to the side.
+		// Either as a result of that or another limitation, there seems to be a maximum depth of submenus.
+		// Mullvad countries that have a city submenu are not being rendered, and so can't be selected.
+		// Handle this by simply treating all mullvad countries as single-city and select the best peer.
+		hideMullvadCities = true
+	case "kde":
+		// KDE doesn't need a delay, and actually won't render submenus
+		// if we delay for more than about 400µs.
+		newMenuDelay = 0
+	default:
+		// Add a slight delay to ensure the menu is created before adding items.
+		//
+		// Systray implementations that use libdbusmenu sometimes process messages out of order,
+		// resulting in errors such as:
+		//    (waybar:153009): LIBDBUSMENU-GTK-WARNING **: 18:07:11.551: Children but no menu, someone's been naughty with their 'children-display' property: 'submenu'
+		//
+		// See also: https://github.com/fyne-io/systray/issues/12
+		newMenuDelay = 10 * time.Millisecond
+	}
+}
+
+// onReady is called by the systray package when the menu is ready to be built.
+func (menu *Menu) onReady() {
+	log.Printf("starting")
+	if os.Getuid() == 0 || os.Getuid() != os.Geteuid() || os.Getenv("SUDO_USER") != "" || os.Getenv("DOAS_USER") != "" {
+		fmt.Fprintln(os.Stderr, `
+It appears that you might be running the systray with sudo/doas.
+This can lead to issues with D-Bus, and should be avoided.
+
+The systray application should be run with the same user as your desktop session.
+This usually means that you should run the application like:
+
+tailscale systray
+
+See https://tailscale.com/kb/1597/linux-systray for more information.`)
+	}
+	setAppIcon(disconnected)
+	menu.rebuild()
+
+	menu.mu.Lock()
+	if menu.readonly {
+		fmt.Fprintln(os.Stderr, `
+No permission to manage Tailscale. Set operator by running:
+
+sudo tailscale set --operator=$USER
+
+See https://tailscale.com/s/cli-operator for more information.`)
+	}
+	menu.mu.Unlock()
+}
+
+// updateState updates the Menu state from the Tailscale local client.
+func (menu *Menu) updateState() {
+	menu.mu.Lock()
+	defer menu.mu.Unlock()
+	menu.init()
+
+	menu.readonly = false
+
+	var err error
+	menu.status, err = menu.lc.Status(menu.bgCtx)
+	if err != nil {
+		log.Print(err)
+	}
+	menu.curProfile, menu.allProfiles, err = menu.lc.ProfileStatus(menu.bgCtx)
+	if err != nil {
+		if local.IsAccessDeniedError(err) {
+			menu.readonly = true
+		}
+		log.Print(err)
+	}
+}
+
+// rebuild the systray menu based on the current Tailscale state.
+//
+// We currently rebuild the entire menu because it is not easy to update the existing menu.
+// You cannot iterate over the items in a menu, nor can you remove some items like separators.
+// So for now we rebuild the whole thing, and can optimize this later if needed.
+func (menu *Menu) rebuild() {
+	menu.mu.Lock()
+	defer menu.mu.Unlock()
+	menu.init()
+
+	if menu.eventCancel != nil {
+		menu.eventCancel()
+	}
+	ctx := context.Background()
+	ctx, menu.eventCancel = context.WithCancel(ctx)
+
+	systray.ResetMenu()
+
+	if menu.readonly {
+		const readonlyMsg = "No permission to manage Tailscale.\nSee tailscale.com/s/cli-operator"
+		m := systray.AddMenuItem(readonlyMsg, "")
+		onClick(ctx, m, func(_ context.Context) {
+			webbrowser.Open("https://tailscale.com/s/cli-operator")
+		})
+		systray.AddSeparator()
+	}
+
+	menu.connect = systray.AddMenuItem("Connect", "")
+	menu.disconnect = systray.AddMenuItem("Disconnect", "")
+	menu.disconnect.Hide()
+	systray.AddSeparator()
+
+	// delay to prevent race setting icon on first start
+	time.Sleep(newMenuDelay)
+
+	// Set systray menu icon and title.
+	// Also adjust connect/disconnect menu items if needed.
+	var backendState string
+	if menu.status != nil {
+		backendState = menu.status.BackendState
+	}
+	switch backendState {
+	case ipn.Running.String():
+		if menu.status.ExitNodeStatus != nil && !menu.status.ExitNodeStatus.ID.IsZero() {
+			if menu.status.ExitNodeStatus.Online {
+				setTooltip("Using exit node")
+				setAppIcon(exitNodeOnline)
+			} else {
+				setTooltip("Exit node offline")
+				setAppIcon(exitNodeOffline)
+			}
+		} else {
+			setTooltip(fmt.Sprintf("Connected to %s", menu.status.CurrentTailnet.Name))
+			setAppIcon(connected)
+		}
+		menu.connect.SetTitle("Connected")
+		menu.connect.Disable()
+		menu.disconnect.Show()
+		menu.disconnect.Enable()
+	case ipn.Starting.String():
+		setTooltip("Connecting")
+		setAppIcon(loading)
+	default:
+		setTooltip("Disconnected")
+		setAppIcon(disconnected)
+	}
+
+	if menu.readonly {
+		menu.connect.Disable()
+		menu.disconnect.Disable()
+	}
+
+	account := "Account"
+	if pt := profileTitle(menu.curProfile); pt != "" {
+		account = pt
+	}
+	if !menu.readonly {
+		accounts := systray.AddMenuItem(account, "")
+		setRemoteIcon(accounts, menu.curProfile.UserProfile.ProfilePicURL)
+		time.Sleep(newMenuDelay)
+		for _, profile := range menu.allProfiles {
+			title := profileTitle(profile)
+			var item *systray.MenuItem
+			if profile.ID == menu.curProfile.ID {
+				item = accounts.AddSubMenuItemCheckbox(title, "", true)
+			} else {
+				item = accounts.AddSubMenuItem(title, "")
+			}
+			setRemoteIcon(item, profile.UserProfile.ProfilePicURL)
+			onClick(ctx, item, func(ctx context.Context) {
+				select {
+				case <-ctx.Done():
+				case menu.accountsCh <- profile.ID:
+				}
+			})
+		}
+	}
+
+	if menu.status != nil && menu.status.Self != nil && len(menu.status.Self.TailscaleIPs) > 0 {
+		title := fmt.Sprintf("This Device: %s (%s)", menu.status.Self.HostName, menu.status.Self.TailscaleIPs[0])
+		menu.self = systray.AddMenuItem(title, "")
+	} else {
+		menu.self = systray.AddMenuItem("This Device: not connected", "")
+		menu.self.Disable()
+	}
+	systray.AddSeparator()
+
+	if !menu.readonly {
+		menu.rebuildExitNodeMenu(ctx)
+	}
+
+	menu.more = systray.AddMenuItem("More settings", "")
+	if menu.status != nil && menu.status.BackendState == "Running" {
+		// web client is only available if backend is running
+		onClick(ctx, menu.more, func(_ context.Context) {
+			webbrowser.Open("http://100.100.100.100/")
+		})
+	} else {
+		menu.more.Disable()
+	}
+
+	// TODO(#15528): this menu item shouldn't be necessary at all,
+	// but is at least more discoverable than having users switch profiles or exit nodes.
+	menu.rebuildMenu = systray.AddMenuItem("Rebuild menu", "Fix missing menu items")
+	onClick(ctx, menu.rebuildMenu, func(ctx context.Context) {
+		select {
+		case <-ctx.Done():
+		case menu.rebuildCh <- struct{}{}:
+		}
+	})
+	menu.rebuildMenu.Enable()
+
+	menu.quit = systray.AddMenuItem("Quit", "Quit the app")
+	menu.quit.Enable()
+
+	go menu.eventLoop(ctx)
+}
+
+// profileTitle returns the title string for a profile menu item.
+func profileTitle(profile ipn.LoginProfile) string {
+	title := profile.Name
+	if profile.NetworkProfile.DomainName != "" {
+		if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
+			// windows and mac don't support multi-line menu
+			title += " (" + profile.NetworkProfile.DisplayNameOrDefault() + ")"
+		} else {
+			title += "\n" + profile.NetworkProfile.DisplayNameOrDefault()
+		}
+	}
+	return title
+}
+
+var (
+	cacheMu   sync.Mutex
+	httpCache = map[string][]byte{} // URL => response body
+)
+
+// setRemoteIcon sets the icon for menu to the specified remote image.
+// Remote images are fetched as needed and cached.
+func setRemoteIcon(menu *systray.MenuItem, urlStr string) {
+	if menu == nil || urlStr == "" {
+		return
+	}
+
+	cacheMu.Lock()
+	defer cacheMu.Unlock()
+	b, ok := httpCache[urlStr]
+	if !ok {
+		resp, err := http.Get(urlStr)
+		if err == nil && resp.StatusCode == http.StatusOK {
+			b, _ = io.ReadAll(resp.Body)
+
+			// Convert image to ICO format on Windows
+			if runtime.GOOS == "windows" {
+				im, _, err := image.Decode(bytes.NewReader(b))
+				if err != nil {
+					return
+				}
+				buf := bytes.NewBuffer(nil)
+				if err := ico.Encode(buf, im); err != nil {
+					return
+				}
+				b = buf.Bytes()
+			}
+
+			httpCache[urlStr] = b
+			resp.Body.Close()
+		}
+	}
+
+	if len(b) > 0 {
+		menu.SetIcon(b)
+	}
+}
+
+// setTooltip sets the tooltip text for the systray icon.
+func setTooltip(text string) {
+	if runtime.GOOS == "darwin" || runtime.GOOS == "windows" {
+		systray.SetTooltip(text)
+	} else {
+		// on Linux, SetTitle actually sets the tooltip
+		systray.SetTitle(text)
+	}
+}
+
+// eventLoop is the main event loop for handling click events on menu items
+// and responding to Tailscale state changes.
+// This method does not return until ctx.Done is closed.
+func (menu *Menu) eventLoop(ctx context.Context) {
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-menu.rebuildCh:
+			menu.updateState()
+			menu.rebuild()
+		case <-menu.connect.ClickedCh:
+			_, err := menu.lc.EditPrefs(ctx, &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					WantRunning: true,
+				},
+				WantRunningSet: true,
+			})
+			if err != nil {
+				log.Printf("error connecting: %v", err)
+			}
+
+		case <-menu.disconnect.ClickedCh:
+			_, err := menu.lc.EditPrefs(ctx, &ipn.MaskedPrefs{
+				Prefs: ipn.Prefs{
+					WantRunning: false,
+				},
+				WantRunningSet: true,
+			})
+			if err != nil {
+				log.Printf("error disconnecting: %v", err)
+			}
+
+		case <-menu.self.ClickedCh:
+			menu.copyTailscaleIP(menu.status.Self)
+
+		case id := <-menu.accountsCh:
+			if err := menu.lc.SwitchProfile(ctx, id); err != nil {
+				log.Printf("error switching to profile ID %v: %v", id, err)
+			}
+
+		case exitNode := <-menu.exitNodeCh:
+			if exitNode.IsZero() {
+				log.Print("disable exit node")
+				if err := menu.lc.SetUseExitNode(ctx, false); err != nil {
+					log.Printf("error disabling exit node: %v", err)
+				}
+			} else {
+				log.Printf("enable exit node: %v", exitNode)
+				mp := &ipn.MaskedPrefs{
+					Prefs: ipn.Prefs{
+						ExitNodeID: exitNode,
+					},
+					ExitNodeIDSet: true,
+				}
+				if _, err := menu.lc.EditPrefs(ctx, mp); err != nil {
+					log.Printf("error setting exit node: %v", err)
+				}
+			}
+
+		case <-menu.quit.ClickedCh:
+			systray.Quit()
+		}
+	}
+}
+
+// onClick registers a click handler for a menu item.
+func onClick(ctx context.Context, item *systray.MenuItem, fn func(ctx context.Context)) {
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-item.ClickedCh:
+				fn(ctx)
+			}
+		}
+	}()
+}
+
+// watchIPNBus subscribes to the tailscale event bus and sends state updates to chState.
+// This method does not return.
+func (menu *Menu) watchIPNBus() {
+	for {
+		if err := menu.watchIPNBusInner(); err != nil {
+			log.Println(err)
+			if errors.Is(err, context.Canceled) {
+				// If the context got canceled, we will never be able to
+				// reconnect to IPN bus, so exit the process.
+				log.Fatalf("watchIPNBus: %v", err)
+			}
+		}
+		// If our watch connection breaks, wait a bit before reconnecting. No
+		// reason to spam the logs if e.g. tailscaled is restarting or goes
+		// down.
+		time.Sleep(3 * time.Second)
+	}
+}
+
+func (menu *Menu) watchIPNBusInner() error {
+	watcher, err := menu.lc.WatchIPNBus(menu.bgCtx, 0)
+	if err != nil {
+		return fmt.Errorf("watching ipn bus: %w", err)
+	}
+	defer watcher.Close()
+	for {
+		select {
+		case <-menu.bgCtx.Done():
+			return nil
+		default:
+			n, err := watcher.Next()
+			if err != nil {
+				return fmt.Errorf("ipnbus error: %w", err)
+			}
+			var rebuild bool
+			if n.State != nil {
+				log.Printf("new state: %v", n.State)
+				rebuild = true
+			}
+			if n.Prefs != nil {
+				rebuild = true
+			}
+			if rebuild {
+				menu.rebuildCh <- struct{}{}
+			}
+		}
+	}
+}
+
+// copyTailscaleIP copies the first Tailscale IP of the given device to the clipboard
+// and sends a notification with the copied value.
+func (menu *Menu) copyTailscaleIP(device *ipnstate.PeerStatus) {
+	if device == nil || len(device.TailscaleIPs) == 0 {
+		return
+	}
+	name := strings.Split(device.DNSName, ".")[0]
+	ip := device.TailscaleIPs[0].String()
+	err := clipboard.WriteAll(ip)
+	if err != nil {
+		log.Printf("clipboard error: %v", err)
+	} else {
+		menu.sendNotification(fmt.Sprintf("Copied Address for %v", name), ip)
+	}
+}
+
+// sendNotification sends a desktop notification with the given title and content.
+func (menu *Menu) sendNotification(title, content string) {
+	conn, err := dbus.SessionBus()
+	if err != nil {
+		log.Printf("dbus: %v", err)
+		return
+	}
+	timeout := 3 * time.Second
+	obj := conn.Object("org.freedesktop.Notifications", "/org/freedesktop/Notifications")
+	call := obj.Call("org.freedesktop.Notifications.Notify", 0, "Tailscale", uint32(0),
+		menu.notificationIcon.Name(), title, content, []string{}, map[string]dbus.Variant{}, int32(timeout.Milliseconds()))
+	if call.Err != nil {
+		log.Printf("dbus: %v", call.Err)
+	}
+}
+
+func (menu *Menu) rebuildExitNodeMenu(ctx context.Context) {
+	if menu.status == nil {
+		return
+	}
+
+	status := menu.status
+	menu.exitNodes = systray.AddMenuItem("Exit Nodes", "")
+	time.Sleep(newMenuDelay)
+
+	// register a click handler for a menu item to set nodeID as the exit node.
+	setExitNodeOnClick := func(item *systray.MenuItem, nodeID tailcfg.StableNodeID) {
+		onClick(ctx, item, func(ctx context.Context) {
+			select {
+			case <-ctx.Done():
+			case menu.exitNodeCh <- nodeID:
+			}
+		})
+	}
+
+	noExitNodeMenu := menu.exitNodes.AddSubMenuItemCheckbox("None", "", status.ExitNodeStatus == nil)
+	setExitNodeOnClick(noExitNodeMenu, "")
+
+	// Show recommended exit node if available.
+	if status.Self.CapMap.Contains(tailcfg.NodeAttrSuggestExitNodeUI) {
+		sugg, err := menu.lc.SuggestExitNode(ctx)
+		if err == nil {
+			title := "Recommended: "
+			if loc := sugg.Location; loc.Valid() && loc.Country() != "" {
+				flag := countryFlag(loc.CountryCode())
+				title += fmt.Sprintf("%s %s: %s", flag, loc.Country(), loc.City())
+			} else {
+				title += strings.Split(sugg.Name, ".")[0]
+			}
+			menu.exitNodes.AddSeparator()
+			rm := menu.exitNodes.AddSubMenuItemCheckbox(title, "", false)
+			setExitNodeOnClick(rm, sugg.ID)
+			if status.ExitNodeStatus != nil && sugg.ID == status.ExitNodeStatus.ID {
+				rm.Check()
+			}
+		}
+	}
+
+	// Add tailnet exit nodes if present.
+	var tailnetExitNodes []*ipnstate.PeerStatus
+	for _, ps := range status.Peer {
+		if ps.ExitNodeOption && ps.Location == nil {
+			tailnetExitNodes = append(tailnetExitNodes, ps)
+		}
+	}
+	if len(tailnetExitNodes) > 0 {
+		menu.exitNodes.AddSeparator()
+		menu.exitNodes.AddSubMenuItem("Tailnet Exit Nodes", "").Disable()
+		for _, ps := range status.Peer {
+			if !ps.ExitNodeOption || ps.Location != nil {
+				continue
+			}
+			name := strings.Split(ps.DNSName, ".")[0]
+			if !ps.Online {
+				name += " (offline)"
+			}
+			sm := menu.exitNodes.AddSubMenuItemCheckbox(name, "", false)
+			if !ps.Online {
+				sm.Disable()
+			}
+			if status.ExitNodeStatus != nil && ps.ID == status.ExitNodeStatus.ID {
+				sm.Check()
+			}
+			setExitNodeOnClick(sm, ps.ID)
+		}
+	}
+
+	// Add mullvad exit nodes if present.
+	var mullvadExitNodes mullvadPeers
+	if status.Self.CapMap.Contains("mullvad") {
+		mullvadExitNodes = newMullvadPeers(status)
+	}
+	if len(mullvadExitNodes.countries) > 0 {
+		menu.exitNodes.AddSeparator()
+		menu.exitNodes.AddSubMenuItem("Location-based Exit Nodes", "").Disable()
+		mullvadMenu := menu.exitNodes.AddSubMenuItemCheckbox("Mullvad VPN", "", false)
+
+		for _, country := range mullvadExitNodes.sortedCountries() {
+			flag := countryFlag(country.code)
+			countryMenu := mullvadMenu.AddSubMenuItemCheckbox(flag+" "+country.name, "", false)
+
+			// single-city country, no submenu
+			if len(country.cities) == 1 || hideMullvadCities {
+				setExitNodeOnClick(countryMenu, country.best.ID)
+				if status.ExitNodeStatus != nil {
+					for _, city := range country.cities {
+						for _, ps := range city.peers {
+							if status.ExitNodeStatus.ID == ps.ID {
+								mullvadMenu.Check()
+								countryMenu.Check()
+							}
+						}
+					}
+				}
+				continue
+			}
+
+			// multi-city country, build submenu with "best available" option and cities.
+			time.Sleep(newMenuDelay)
+			bm := countryMenu.AddSubMenuItemCheckbox("Best Available", "", false)
+			setExitNodeOnClick(bm, country.best.ID)
+			countryMenu.AddSeparator()
+
+			for _, city := range country.sortedCities() {
+				cityMenu := countryMenu.AddSubMenuItemCheckbox(city.name, "", false)
+				setExitNodeOnClick(cityMenu, city.best.ID)
+				if status.ExitNodeStatus != nil {
+					for _, ps := range city.peers {
+						if status.ExitNodeStatus.ID == ps.ID {
+							mullvadMenu.Check()
+							countryMenu.Check()
+							cityMenu.Check()
+						}
+					}
+				}
+			}
+		}
+	}
+
+	// TODO: "Allow Local Network Access" and "Run Exit Node" menu items
+}
+
+// mullvadPeers contains all mullvad peer nodes, sorted by country and city.
+type mullvadPeers struct {
+	countries map[string]*mvCountry // country code (uppercase) => country
+}
+
+// sortedCountries returns countries containing mullvad nodes, sorted by name.
+func (mp mullvadPeers) sortedCountries() []*mvCountry {
+	countries := slicesx.MapValues(mp.countries)
+	slices.SortFunc(countries, func(a, b *mvCountry) int {
+		return stringsx.CompareFold(a.name, b.name)
+	})
+	return countries
+}
+
+type mvCountry struct {
+	code   string
+	name   string
+	best   *ipnstate.PeerStatus // highest priority peer in the country
+	cities map[string]*mvCity   // city code => city
+}
+
+// sortedCities returns cities containing mullvad nodes, sorted by name.
+func (mc *mvCountry) sortedCities() []*mvCity {
+	cities := slicesx.MapValues(mc.cities)
+	slices.SortFunc(cities, func(a, b *mvCity) int {
+		return stringsx.CompareFold(a.name, b.name)
+	})
+	return cities
+}
+
+// countryFlag takes a 2-character ASCII string and returns the corresponding emoji flag.
+// It returns the empty string on error.
+func countryFlag(code string) string {
+	if len(code) != 2 {
+		return ""
+	}
+	runes := make([]rune, 0, 2)
+	for i := range 2 {
+		b := code[i] | 32 // lowercase
+		if b < 'a' || b > 'z' {
+			return ""
+		}
+		// https://en.wikipedia.org/wiki/Regional_indicator_symbol
+		runes = append(runes, 0x1F1E6+rune(b-'a'))
+	}
+	return string(runes)
+}
+
+type mvCity struct {
+	name  string
+	best  *ipnstate.PeerStatus // highest priority peer in the city
+	peers []*ipnstate.PeerStatus
+}
+
+func newMullvadPeers(status *ipnstate.Status) mullvadPeers {
+	countries := make(map[string]*mvCountry)
+	for _, ps := range status.Peer {
+		if !ps.ExitNodeOption || ps.Location == nil {
+			continue
+		}
+		loc := ps.Location
+		country, ok := countries[loc.CountryCode]
+		if !ok {
+			country = &mvCountry{
+				code:   loc.CountryCode,
+				name:   loc.Country,
+				cities: make(map[string]*mvCity),
+			}
+			countries[loc.CountryCode] = country
+		}
+		city, ok := countries[loc.CountryCode].cities[loc.CityCode]
+		if !ok {
+			city = &mvCity{
+				name: loc.City,
+			}
+			countries[loc.CountryCode].cities[loc.CityCode] = city
+		}
+		city.peers = append(city.peers, ps)
+		if city.best == nil || ps.Location.Priority > city.best.Location.Priority {
+			city.best = ps
+		}
+		if country.best == nil || ps.Location.Priority > country.best.Location.Priority {
+			country.best = ps
+		}
+	}
+	return mullvadPeers{countries}
+}
+
+// onExit is called by the systray package when the menu is exiting.
+func (menu *Menu) onExit() {
+	log.Printf("exiting")
+	if menu.bgCancel != nil {
+		menu.bgCancel()
+	}
+	if menu.eventCancel != nil {
+		menu.eventCancel()
+	}
+
+	os.Remove(menu.notificationIcon.Name())
+}

client/systray/tailscale-systray.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Tailscale System Tray
+After=graphical.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/tailscale systray
+
+[Install]
+WantedBy=default.target

client/tailscale/acl.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 //go:build go1.19
 
@@ -13,6 +12,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/netip"
+	"net/url"
 )
 
 // ACLRow defines a rule that grants access by a set of users or groups to a set
@@ -20,6 +20,7 @@ import (
 // Only one of Src/Dst or Users/Ports may be specified.
 type ACLRow struct {
 	Action string   `json:"action,omitempty"` // valid values: "accept"
+	Proto  string   `json:"proto,omitempty"`  // protocol
 	Users  []string `json:"users,omitempty"`  // old name for src
 	Ports  []string `json:"ports,omitempty"`  // old name for dst
 	Src    []string `json:"src,omitempty"`
@@ -32,12 +33,23 @@ type ACLRow struct {
 type ACLTest struct {
 	Src    string   `json:"src,omitempty"`    // source
 	User   string   `json:"user,omitempty"`   // old name for source
+	Proto  string   `json:"proto,omitempty"`  // protocol
 	Accept []string `json:"accept,omitempty"` // expected destination ip:port that user can access
 	Deny   []string `json:"deny,omitempty"`   // expected destination ip:port that user cannot access
 
 	Allow []string `json:"allow,omitempty"` // old name for accept
 }
 
+// NodeAttrGrant defines additional string attributes that apply to specific devices.
+type NodeAttrGrant struct {
+	// Target specifies which nodes the attributes apply to. The nodes can be a
+	// tag (tag:server), user (alice@example.com), group (group:kids), or *.
+	Target []string `json:"target,omitempty"`
+
+	// Attr are the attributes to set on Target(s).
+	Attr []string `json:"attr,omitempty"`
+}
+
 // ACLDetails contains all the details for an ACL.
 type ACLDetails struct {
 	Tests     []ACLTest           `json:"tests,omitempty"`
@@ -45,6 +57,7 @@ type ACLDetails struct {
 	Groups    map[string][]string `json:"groups,omitempty"`
 	TagOwners map[string][]string `json:"tagowners,omitempty"`
 	Hosts     map[string]string   `json:"hosts,omitempty"`
+	NodeAttrs []NodeAttrGrant     `json:"nodeAttrs,omitempty"`
 }
 
 // ACL contains an ACLDetails and metadata.
@@ -71,7 +84,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 		}
 	}()
 
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("acl")
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -85,7 +98,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	// Otherwise, try to decode the response.
@@ -104,7 +117,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 // it as a string.
 // HuJSON is JSON with a few modifications to make it more human-friendly. The primary
 // changes are allowing comments and trailing comments. See the following links for more info:
-// https://tailscale.com/kb/1018/acls?q=acl#tailscale-acl-policy-format
+// https://tailscale.com/s/acl-format
 // https://github.com/tailscale/hujson
 func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 	// Format return errors to be descriptive.
@@ -114,7 +127,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 		}
 	}()
 
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl?details=1", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("acl", url.Values{"details": {"1"}})
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -126,7 +139,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	data := struct {
@@ -134,7 +147,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 		Warnings []string `json:"warnings"`
 	}{}
 	if err := json.Unmarshal(b, &data); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("json.Unmarshal %q: %w", b, err)
 	}
 
 	acl = &ACLHuJSON{
@@ -151,8 +164,14 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 // ACLTestFailureSummary specifies the JSON format sent to the
 // JavaScript client to be rendered in the HTML.
 type ACLTestFailureSummary struct {
-	User   string   `json:"user"`
-	Errors []string `json:"errors"`
+	// User is the source ("src") value of the ACL test that failed.
+	// The name "user" is a legacy holdover from the original naming and
+	// is kept for compatibility but it may also contain any value
+	// that's valid in a ACL test "src" field.
+	User string `json:"user,omitempty"`
+
+	Errors   []string `json:"errors,omitempty"`
+	Warnings []string `json:"warnings,omitempty"`
 }
 
 // ACLTestError is ErrResponse but with an extra field to account for ACLTestFailureSummary.
@@ -166,7 +185,7 @@ func (e ACLTestError) Error() string {
 }
 
 func (c *Client) aclPOSTRequest(ctx context.Context, body []byte, avoidCollisions bool, etag, acceptHeader string) ([]byte, string, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("acl")
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
 	if err != nil {
 		return nil, "", err
@@ -270,6 +289,17 @@ type UserRuleMatch struct {
 	Users      []string `json:"users"`
 	Ports      []string `json:"ports"`
 	LineNumber int      `json:"lineNumber"`
+	// Via is the list of targets through which Users can access Ports.
+	// See https://tailscale.com/kb/1378/via for more information.
+	Via []string `json:"via,omitempty"`
+
+	// Postures is a list of posture policies that are
+	// associated with this match. The rules can be looked
+	// up in the ACLPreviewResponse parent struct.
+	// The source of the list is from srcPosture on
+	// an ACL or Grant rule:
+	// https://tailscale.com/kb/1288/device-posture#posture-conditions
+	Postures []string `json:"postures"`
 }
 
 // ACLPreviewResponse is the response type of previewACLPostRequest
@@ -277,6 +307,12 @@ type ACLPreviewResponse struct {
 	Matches    []UserRuleMatch `json:"matches"`    // ACL rules that match the specified user or ipport.
 	Type       string          `json:"type"`       // The request type: currently only "user" or "ipport".
 	PreviewFor string          `json:"previewFor"` // A specific user or ipport.
+
+	// Postures is a map of postures and associated rules that apply
+	// to this preview.
+	// For more details about the posture mapping, see:
+	// https://tailscale.com/kb/1288/device-posture#postures
+	Postures map[string][]string `json:"postures,omitempty"`
 }
 
 // ACLPreview is the response type of PreviewACLForUser, PreviewACLForIPPort, PreviewACLHuJSONForUser, and PreviewACLHuJSONForIPPort
@@ -284,10 +320,16 @@ type ACLPreview struct {
 	Matches []UserRuleMatch `json:"matches"`
 	User    string          `json:"user,omitempty"`   // Filled if response of PreviewACLForUser or PreviewACLHuJSONForUser
 	IPPort  string          `json:"ipport,omitempty"` // Filled if response of PreviewACLForIPPort or PreviewACLHuJSONForIPPort
+
+	// Postures is a map of postures and associated rules that apply
+	// to this preview.
+	// For more details about the posture mapping, see:
+	// https://tailscale.com/kb/1288/device-posture#postures
+	Postures map[string][]string `json:"postures,omitempty"`
 }
 
 func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/preview", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("acl", "preview")
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
 	if err != nil {
 		return nil, err
@@ -309,7 +351,7 @@ func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, preview
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 	if err = json.Unmarshal(b, &res); err != nil {
 		return nil, err
@@ -341,8 +383,9 @@ func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (r
 	}
 
 	return &ACLPreview{
-		Matches: b.Matches,
-		User:    b.PreviewFor,
+		Matches:  b.Matches,
+		User:     b.PreviewFor,
+		Postures: b.Postures,
 	}, nil
 }
 
@@ -369,8 +412,9 @@ func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netip.
 	}
 
 	return &ACLPreview{
-		Matches: b.Matches,
-		IPPort:  b.PreviewFor,
+		Matches:  b.Matches,
+		IPPort:   b.PreviewFor,
+		Postures: b.Postures,
 	}, nil
 }
 
@@ -394,8 +438,9 @@ func (c *Client) PreviewACLHuJSONForUser(ctx context.Context, acl ACLHuJSON, use
 	}
 
 	return &ACLPreview{
-		Matches: b.Matches,
-		User:    b.PreviewFor,
+		Matches:  b.Matches,
+		User:     b.PreviewFor,
+		Postures: b.Postures,
 	}, nil
 }
 
@@ -419,8 +464,9 @@ func (c *Client) PreviewACLHuJSONForIPPort(ctx context.Context, acl ACLHuJSON, i
 	}
 
 	return &ACLPreview{
-		Matches: b.Matches,
-		IPPort:  b.PreviewFor,
+		Matches:  b.Matches,
+		IPPort:   b.PreviewFor,
+		Postures: b.Postures,
 	}, nil
 }
 
@@ -437,13 +483,13 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 		}
 	}()
 
-	tests := []ACLTest{ACLTest{User: source, Allow: []string{dest}}}
+	tests := []ACLTest{{User: source, Allow: []string{dest}}}
 	postData, err := json.Marshal(tests)
 	if err != nil {
 		return nil, err
 	}
 
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/validate", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("acl", "validate")
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(postData))
 	if err != nil {
 		return nil, err

client/tailscale/apitype/apitype.go

@@ -1,22 +1,44 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 // Package apitype contains types for the Tailscale LocalAPI and control plane API.
 package apitype
 
-import "tailscale.com/tailcfg"
+import (
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
+	"tailscale.com/util/ctxkey"
+)
 
 // LocalAPIHost is the Host header value used by the LocalAPI.
 const LocalAPIHost = "local-tailscaled.sock"
 
+// RequestReasonHeader is the header used to pass justification for a LocalAPI request,
+// such as when a user wants to perform an action they don't have permission for,
+// and a policy allows it with justification. As of 2025-01-29, it is only used to
+// allow a user to disconnect Tailscale when the "always-on" mode is enabled.
+//
+// The header value is base64-encoded using the standard encoding defined in RFC 4648.
+//
+// See tailscale/corp#26146.
+const RequestReasonHeader = "X-Tailscale-Reason"
+
+// RequestReasonKey is the context key used to pass the request reason
+// when making a LocalAPI request via [local.Client].
+// It's value is a raw string. An empty string means no reason was provided.
+//
+// See tailscale/corp#26146.
+var RequestReasonKey = ctxkey.New(RequestReasonHeader, "")
+
 // WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
+// In successful whois responses, Node and UserProfile are never nil.
 type WhoIsResponse struct {
 	Node        *tailcfg.Node
 	UserProfile *tailcfg.UserProfile
 
-	// Caps are extra capabilities that the remote Node has to this node.
-	Caps []string `json:",omitempty"`
+	// CapMap is a map of capabilities to their values.
+	// See tailcfg.PeerCapMap and tailcfg.PeerCapability for details.
+	CapMap tailcfg.PeerCapMap
 }
 
 // FileTarget is a node to which files can be sent, and the PeerAPI
@@ -33,3 +55,52 @@ type WaitingFile struct {
 	Name string
 	Size int64
 }
+
+// SetPushDeviceTokenRequest is the body POSTed to the LocalAPI endpoint /set-device-token.
+type SetPushDeviceTokenRequest struct {
+	// PushDeviceToken is the iOS/macOS APNs device token (and any future Android equivalent).
+	PushDeviceToken string
+}
+
+// ReloadConfigResponse is the response to a LocalAPI reload-config request.
+//
+// There are three possible outcomes: (false, "") if no config mode in use,
+// (true, "") on success, or (false, "error message") on failure.
+type ReloadConfigResponse struct {
+	Reloaded bool   // whether the config was reloaded
+	Err      string // any error message
+}
+
+// ExitNodeSuggestionResponse is the response to a LocalAPI suggest-exit-node GET request.
+// It returns the StableNodeID, name, and location of a suggested exit node for the client making the request.
+type ExitNodeSuggestionResponse struct {
+	ID       tailcfg.StableNodeID
+	Name     string
+	Location tailcfg.LocationView `json:",omitempty"`
+}
+
+// DNSOSConfig mimics dns.OSConfig without forcing us to import the entire dns package
+// into the CLI.
+type DNSOSConfig struct {
+	Nameservers   []string
+	SearchDomains []string
+	MatchDomains  []string
+}
+
+// DNSQueryResponse is the response to a DNS query request sent via LocalAPI.
+type DNSQueryResponse struct {
+	// Bytes is the raw DNS response bytes.
+	Bytes []byte
+	// Resolvers is the list of resolvers that the forwarder deemed able to resolve the query.
+	Resolvers []*dnstype.Resolver
+}
+
+// OptionalFeatures describes which optional features are enabled in the build.
+type OptionalFeatures struct {
+	// Features is the map of optional feature names to whether they are
+	// enabled.
+	//
+	// Disabled features may be absent from the map. (That is, false values
+	// are not guaranteed to be present.)
+	Features map[string]bool
+}

client/tailscale/apitype/controltype.go

@@ -1,19 +1,52 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 package apitype
 
+// DNSConfig is the DNS configuration for a tailnet
+// used in /tailnet/{tailnet}/dns/config.
 type DNSConfig struct {
-	Resolvers         []DNSResolver            `json:"resolvers"`
-	FallbackResolvers []DNSResolver            `json:"fallbackResolvers"`
-	Routes            map[string][]DNSResolver `json:"routes"`
-	Domains           []string                 `json:"domains"`
-	Nameservers       []string                 `json:"nameservers"`
-	Proxied           bool                     `json:"proxied"`
+	// Resolvers are the global DNS resolvers to use
+	// overriding the local OS configuration.
+	Resolvers []DNSResolver `json:"resolvers"`
+
+	// FallbackResolvers are used as global resolvers when
+	// the client is unable to determine the OS's preferred DNS servers.
+	FallbackResolvers []DNSResolver `json:"fallbackResolvers"`
+
+	// Routes map DNS name suffixes to a set of DNS resolvers,
+	// used for Split DNS and other advanced routing overlays.
+	Routes map[string][]DNSResolver `json:"routes"`
+
+	// Domains are the search domains to use.
+	Domains []string `json:"domains"`
+
+	// Proxied means MagicDNS is enabled.
+	Proxied bool `json:"proxied"`
+
+	// TempCorpIssue13969 is from an internal hack day prototype,
+	// See tailscale/corp#13969.
+	TempCorpIssue13969 string `json:"TempCorpIssue13969,omitempty"`
+
+	// Nameservers are the IP addresses of global nameservers to use.
+	// This is a deprecated format but may still be found in tailnets
+	// that were configured a long time ago. When making updates,
+	// set Resolvers and leave Nameservers empty.
+	Nameservers []string `json:"nameservers"`
 }
 
+// DNSResolver is a DNS resolver in a DNS configuration.
 type DNSResolver struct {
-	Addr                string   `json:"addr"`
+	// Addr is the address of the DNS resolver.
+	// It is usually an IP address or a DoH URL.
+	// See dnstype.Resolver.Addr for full details.
+	Addr string `json:"addr"`
+
+	// BootstrapResolution is an optional suggested resolution for
+	// the DoT/DoH resolver.
 	BootstrapResolution []string `json:"bootstrapResolution,omitempty"`
+
+	// UseWithExitNode signals this resolver should be used
+	// even when a tailscale exit node is configured on a device.
+	UseWithExitNode bool `json:"useWithExitNode,omitempty"`
 }

client/tailscale/cert.go

@@ -0,0 +1,34 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !js && !ts_omit_acme
+
+package tailscale
+
+import (
+	"context"
+	"crypto/tls"
+
+	"tailscale.com/client/local"
+)
+
+// GetCertificate is an alias for [tailscale.com/client/local.GetCertificate].
+//
+// Deprecated: import [tailscale.com/client/local] instead and use [local.Client.GetCertificate].
+func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	return local.GetCertificate(hi)
+}
+
+// CertPair is an alias for [tailscale.com/client/local.CertPair].
+//
+// Deprecated: import [tailscale.com/client/local] instead and use [local.Client.CertPair].
+func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
+	return local.CertPair(ctx, domain)
+}
+
+// ExpandSNIName is an alias for [tailscale.com/client/local.ExpandSNIName].
+//
+// Deprecated: import [tailscale.com/client/local] instead and use [local.Client.ExpandSNIName].
+func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
+	return local.ExpandSNIName(ctx, name)
+}

client/tailscale/devices.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 //go:build go1.19
 
@@ -11,9 +10,9 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"log"
 	"net/http"
 	"net/url"
-	"strings"
 
 	"tailscale.com/types/opt"
 )
@@ -41,21 +40,23 @@ type Device struct {
 	// It's currently just 1 element, the 100.x.y.z Tailscale IP.
 	Addresses []string `json:"addresses"`
 	DeviceID  string   `json:"id"`
+	NodeID    string   `json:"nodeId"`
 	User      string   `json:"user"`
 	Name      string   `json:"name"`
 	Hostname  string   `json:"hostname"`
 
-	ClientVersion     string `json:"clientVersion"`   // Empty for external devices.
-	UpdateAvailable   bool   `json:"updateAvailable"` // Empty for external devices.
-	OS                string `json:"os"`
-	Created           string `json:"created"` // Empty for external devices.
-	LastSeen          string `json:"lastSeen"`
-	KeyExpiryDisabled bool   `json:"keyExpiryDisabled"`
-	Expires           string `json:"expires"`
-	Authorized        bool   `json:"authorized"`
-	IsExternal        bool   `json:"isExternal"`
-	MachineKey        string `json:"machineKey"` // Empty for external devices.
-	NodeKey           string `json:"nodeKey"`
+	ClientVersion     string   `json:"clientVersion"`   // Empty for external devices.
+	UpdateAvailable   bool     `json:"updateAvailable"` // Empty for external devices.
+	OS                string   `json:"os"`
+	Tags              []string `json:"tags"`
+	Created           string   `json:"created"` // Empty for external devices.
+	LastSeen          string   `json:"lastSeen"`
+	KeyExpiryDisabled bool     `json:"keyExpiryDisabled"`
+	Expires           string   `json:"expires"`
+	Authorized        bool     `json:"authorized"`
+	IsExternal        bool     `json:"isExternal"`
+	MachineKey        string   `json:"machineKey"` // Empty for external devices.
+	NodeKey           string   `json:"nodeKey"`
 
 	// BlocksIncomingConnections is configured via the device's
 	// Tailscale client preferences. This field is only reported
@@ -72,6 +73,24 @@ type Device struct {
 	AdvertisedRoutes []string `json:"advertisedRoutes"` // Empty for external devices.
 
 	ClientConnectivity *ClientConnectivity `json:"clientConnectivity"`
+
+	// PostureIdentity contains extra identifiers collected from the device when
+	// the tailnet has the device posture identification features enabled. If
+	// Tailscale have attempted to collect this from the device but it has not
+	// opted in, PostureIdentity will have Disabled=true.
+	PostureIdentity *DevicePostureIdentity `json:"postureIdentity"`
+
+	// TailnetLockKey is the tailnet lock public key of the node as a hex string.
+	TailnetLockKey string `json:"tailnetLockKey,omitempty"`
+
+	// TailnetLockErr indicates an issue with the tailnet lock node-key signature
+	// on this device. This field is only populated when tailnet lock is enabled.
+	TailnetLockErr string `json:"tailnetLockError,omitempty"`
+}
+
+type DevicePostureIdentity struct {
+	Disabled      bool     `json:"disabled,omitempty"`
+	SerialNumbers []string `json:"serialNumbers,omitempty"`
 }
 
 // DeviceFieldsOpts determines which fields should be returned in the response.
@@ -119,7 +138,7 @@ func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceL
 		}
 	}()
 
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/devices", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("devices")
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -137,7 +156,7 @@ func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceL
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	var devices GetDevicesResponse
@@ -176,7 +195,7 @@ func (c *Client) Device(ctx context.Context, deviceID string, fields *DeviceFiel
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	err = json.Unmarshal(b, &device)
@@ -203,18 +222,33 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)
 	if err != nil {
 		return err
 	}
+
+	log.Printf("RESP: %di, path: %s", resp.StatusCode, path)
+
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
+		return HandleErrorResponse(b, resp)
 	}
 	return nil
 }
 
 // AuthorizeDevice marks a device as authorized.
 func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
+	return c.SetAuthorized(ctx, deviceID, true)
+}
+
+// SetAuthorized marks a device as authorized or not.
+func (c *Client) SetAuthorized(ctx context.Context, deviceID string, authorized bool) error {
+	params := &struct {
+		Authorized bool `json:"authorized"`
+	}{Authorized: authorized}
+	data, err := json.Marshal(params)
+	if err != nil {
+		return err
+	}
 	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, strings.NewReader(`{"authorized":true}`))
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
 	if err != nil {
 		return err
 	}
@@ -226,7 +260,7 @@ func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
+		return HandleErrorResponse(b, resp)
 	}
 
 	return nil
@@ -254,7 +288,7 @@ func (c *Client) SetTags(ctx context.Context, deviceID string, tags []string) er
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
+		return HandleErrorResponse(b, resp)
 	}
 
 	return nil

client/tailscale/dns.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 //go:build go1.19
 
@@ -45,7 +44,7 @@ type DNSPreferences struct {
 }
 
 func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
+	path := c.BuildTailnetURL("dns", endpoint)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -58,14 +57,14 @@ func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, er
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	return b, nil
 }
 
-func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData interface{}) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
+func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData any) ([]byte, error) {
+	path := c.BuildTailnetURL("dns", endpoint)
 	data, err := json.Marshal(&postData)
 	if err != nil {
 		return nil, err
@@ -85,7 +84,7 @@ func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData i
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	return b, nil

client/tailscale/example/servetls/servetls.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 // The servetls program shows how to run an HTTPS server
 // using a Tailscale cert via LetsEncrypt.
@@ -12,13 +11,14 @@ import (
 	"log"
 	"net/http"
 
-	"tailscale.com/client/tailscale"
+	"tailscale.com/client/local"
 )
 
 func main() {
+	var lc local.Client
 	s := &http.Server{
 		TLSConfig: &tls.Config{
-			GetCertificate: tailscale.GetCertificate,
+			GetCertificate: lc.GetCertificate,
 		},
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			io.WriteString(w, "<h1>Hello from Tailscale!</h1> It works.")

client/tailscale/keys.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 package tailscale
 
@@ -41,7 +40,7 @@ type KeyDeviceCreateCapabilities struct {
 
 // Keys returns the list of keys for the current user.
 func (c *Client) Keys(ctx context.Context) ([]string, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("keys")
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -52,35 +51,55 @@ func (c *Client) Keys(ctx context.Context) ([]string, error) {
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
-	var keys []struct {
-		ID string `json:"id"`
+	var keys struct {
+		Keys []*Key `json:"keys"`
 	}
 	if err := json.Unmarshal(b, &keys); err != nil {
 		return nil, err
 	}
-	ret := make([]string, 0, len(keys))
-	for _, k := range keys {
+	ret := make([]string, 0, len(keys.Keys))
+	for _, k := range keys.Keys {
 		ret = append(ret, k.ID)
 	}
 	return ret, nil
 }
 
 // CreateKey creates a new key for the current user. Currently, only auth keys
-// can be created. Returns the key itself, which cannot be retrieved again
+// can be created. It returns the secret key itself, which cannot be retrieved again
 // later, and the key metadata.
-func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (string, *Key, error) {
+//
+// To create a key with a specific expiry, use CreateKeyWithExpiry.
+func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (keySecret string, keyMeta *Key, _ error) {
+	return c.CreateKeyWithExpiry(ctx, caps, 0)
+}
+
+// CreateKeyWithExpiry is like CreateKey, but allows specifying a expiration time.
+//
+// The time is truncated to a whole number of seconds. If zero, that means no expiration.
+func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities, expiry time.Duration) (keySecret string, keyMeta *Key, _ error) {
+
+	// convert expirySeconds to an int64 (seconds)
+	expirySeconds := int64(expiry.Seconds())
+	if expirySeconds < 0 {
+		return "", nil, fmt.Errorf("expiry must be positive")
+	}
+	if expirySeconds == 0 && expiry != 0 {
+		return "", nil, fmt.Errorf("non-zero expiry must be at least one second")
+	}
+
 	keyRequest := struct {
-		Capabilities KeyCapabilities `json:"capabilities"`
-	}{caps}
+		Capabilities  KeyCapabilities `json:"capabilities"`
+		ExpirySeconds int64           `json:"expirySeconds,omitempty"`
+	}{caps, int64(expirySeconds)}
 	bs, err := json.Marshal(keyRequest)
 	if err != nil {
 		return "", nil, err
 	}
 
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("keys")
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewReader(bs))
 	if err != nil {
 		return "", nil, err
@@ -91,7 +110,7 @@ func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (string, *
 		return "", nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return "", nil, handleErrorResponse(b, resp)
+		return "", nil, HandleErrorResponse(b, resp)
 	}
 
 	var key struct {
@@ -107,7 +126,7 @@ func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (string, *
 // Key returns the metadata for the given key ID. Currently, capabilities are
 // only returned for auth keys, API keys only return general metadata.
 func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
+	path := c.BuildTailnetURL("keys", id)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -118,7 +137,7 @@ func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	var key Key
@@ -130,7 +149,7 @@ func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
 
 // DeleteKey deletes the key with the given ID.
 func (c *Client) DeleteKey(ctx context.Context, id string) error {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
+	path := c.BuildTailnetURL("keys", id)
 	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
 	if err != nil {
 		return err
@@ -141,7 +160,7 @@ func (c *Client) DeleteKey(ctx context.Context, id string) error {
 		return err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
+		return HandleErrorResponse(b, resp)
 	}
 	return nil
 }

client/tailscale/localclient_aliases.go

@@ -0,0 +1,79 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package tailscale
+
+import (
+	"context"
+
+	"tailscale.com/client/local"
+	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/ipn/ipnstate"
+)
+
+// ErrPeerNotFound is an alias for [tailscale.com/client/local.ErrPeerNotFound].
+//
+// Deprecated: import [tailscale.com/client/local] instead.
+var ErrPeerNotFound = local.ErrPeerNotFound
+
+// LocalClient is an alias for [tailscale.com/client/local.Client].
+//
+// Deprecated: import [tailscale.com/client/local] instead.
+type LocalClient = local.Client
+
+// IPNBusWatcher is an alias for [tailscale.com/client/local.IPNBusWatcher].
+//
+// Deprecated: import [tailscale.com/client/local] instead.
+type IPNBusWatcher = local.IPNBusWatcher
+
+// BugReportOpts is an alias for [tailscale.com/client/local.BugReportOpts].
+//
+// Deprecated: import [tailscale.com/client/local] instead.
+type BugReportOpts = local.BugReportOpts
+
+// PingOpts is an alias for [tailscale.com/client/local.PingOpts].
+//
+// Deprecated: import [tailscale.com/client/local] instead.
+type PingOpts = local.PingOpts
+
+// SetVersionMismatchHandler is an alias for [tailscale.com/client/local.SetVersionMismatchHandler].
+//
+// Deprecated: import [tailscale.com/client/local] instead.
+func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
+	local.SetVersionMismatchHandler(f)
+}
+
+// IsAccessDeniedError is an alias for [tailscale.com/client/local.IsAccessDeniedError].
+//
+// Deprecated: import [tailscale.com/client/local] instead.
+func IsAccessDeniedError(err error) bool {
+	return local.IsAccessDeniedError(err)
+}
+
+// IsPreconditionsFailedError is an alias for [tailscale.com/client/local.IsPreconditionsFailedError].
+//
+// Deprecated: import [tailscale.com/client/local] instead.
+func IsPreconditionsFailedError(err error) bool {
+	return local.IsPreconditionsFailedError(err)
+}
+
+// WhoIs is an alias for [tailscale.com/client/local.WhoIs].
+//
+// Deprecated: import [tailscale.com/client/local] instead and use [local.Client.WhoIs].
+func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
+	return local.WhoIs(ctx, remoteAddr)
+}
+
+// Status is an alias for [tailscale.com/client/local.Status].
+//
+// Deprecated: import [tailscale.com/client/local] instead.
+func Status(ctx context.Context) (*ipnstate.Status, error) {
+	return local.Status(ctx)
+}
+
+// StatusWithoutPeers is an alias for [tailscale.com/client/local.StatusWithoutPeers].
+//
+// Deprecated: import [tailscale.com/client/local] instead.
+func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
+	return local.StatusWithoutPeers(ctx)
+}

client/tailscale/localclient_test.go

@@ -1,28 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.19
-
-package tailscale
-
-import "testing"
-
-func TestGetServeConfigFromJSON(t *testing.T) {
-	sc, err := getServeConfigFromJSON([]byte("null"))
-	if sc != nil {
-		t.Errorf("want nil for null")
-	}
-	if err != nil {
-		t.Errorf("reading null: %v", err)
-	}
-
-	sc, err = getServeConfigFromJSON([]byte(`{"TCP":{}}`))
-	if err != nil {
-		t.Errorf("reading object: %v", err)
-	} else if sc == nil {
-		t.Errorf("want non-nil for object")
-	} else if sc.TCP == nil {
-		t.Errorf("want non-nil TCP for object")
-	}
-}

client/tailscale/required_version.go

@@ -1,11 +1,10 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !go1.19
+//go:build !go1.23
 
 package tailscale
 
 func init() {
-	you_need_Go_1_19_to_compile_Tailscale()
+	you_need_Go_1_23_to_compile_Tailscale()
 }

client/tailscale/routes.go

@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 
 //go:build go1.19
 
@@ -45,7 +44,7 @@ func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, e
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	var sr Routes
@@ -85,7 +84,7 @@ func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	var srr *Routes