util/codegen: Remove year from copyright header.

Copyright notices in software are not supposed to update the year in the header. Because we have a CI check for `go generate`, we're failing CI until we go update all of the copyright headers in generated files to say 2023. Instead, relax the requirement to always have a year in the copyright header. Fixes https://github.com/tailscale/tailscale/issues/6865 Signed-off-by: Denton Gentry <dgentry@tailscale.com>
2023-01-01 16:36:10 -08:00
928 changed files with 5975 additions and 15258 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -12,6 +12,7 @@ body:
    attributes:
      label: What is the issue?
      description: What happened? What did you expect to happen?
+      placeholder: oh no
    validations:
      required: true
  - type: textarea
@@ -60,13 +61,6 @@ body:
      placeholder: e.g., 1.14.4
    validations:
      required: false
-  - type: textarea
-    id: other-software
-    attributes:
-      label: Other software
-      description: What [other software](https://github.com/tailscale/tailscale/wiki/OtherSoftwareInterop) (networking, security, etc) are you running?
-    validations:
-      required: false
  - type: input
    id: bug-report
    attributes:
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -0,0 +1,31 @@
+name: CIFuzz
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  Fuzzing:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Build Fuzzers
+      id: build
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'tailscale'
+        dry-run: false
+        language: go
+    - name: Run Fuzzers
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'tailscale'
+        fuzz-seconds: 300
+        dry-run: false
+        language: go
+    - name: Upload Crash
+      uses: actions/upload-artifact@v3
+      if: failure() && steps.build.outcome == 'success'
+      with:
+        name: artifacts
+        path: ./out/artifacts
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -17,8 +17,6 @@ on:
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
-  merge_group:
-    branches: [ main ]
  schedule:
    - cron: '31 14 * * 5'

@@ -49,7 +47,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v1
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +58,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v1

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -74,4 +72,4 @@ jobs:
    #   make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v1
--- a/.github/workflows/cross-android.yml
+++ b/.github/workflows/cross-android.yml
@@ -0,0 +1,55 @@
+name: Android-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Android smoke build
+      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
+      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
+      # some Android breakages early.
+      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
+      env:
+        GOOS: android
+        GOARCH: arm64
+      run: go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -0,0 +1,63 @@
+name: Darwin-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: macOS build cmd
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: macOS build tests
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - name: iOS build most
+      env:
+        GOOS: ios
+        GOARCH: arm64
+      run: go install ./ipn/... ./wgengine/ ./types/... ./control/controlclient
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -0,0 +1,57 @@
+name: FreeBSD-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: FreeBSD build cmd
+      env:
+        GOOS: freebsd
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: FreeBSD build tests
+      env:
+        GOOS: freebsd
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-loong64.yml
+++ b/.github/workflows/cross-loong64.yml
@@ -0,0 +1,57 @@
+name: Loongnix-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Loongnix build cmd
+      env:
+        GOOS: linux
+        GOARCH: loong64
+      run: go build ./cmd/...
+
+    - name: Loongnix build tests
+      env:
+        GOOS: linux
+        GOARCH: loong64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -0,0 +1,57 @@
+name: OpenBSD-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: OpenBSD build cmd
+      env:
+        GOOS: openbsd
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: OpenBSD build tests
+      env:
+        GOOS: openbsd
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-wasm.yml
+++ b/.github/workflows/cross-wasm.yml
@@ -0,0 +1,58 @@
+name: Wasm-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Wasm client build
+      env:
+        GOOS: js
+        GOARCH: wasm
+      run: go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
+
+    - name: tsconnect static build
+      # Use our custom Go toolchain, we set build tags (to control binary size)
+      # that depend on it.
+      run: |
+        ./tool/go run ./cmd/tsconnect --fast-compression build
+        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -0,0 +1,57 @@
+name: Windows-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Windows build cmd
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: Windows build tests
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@@ -0,0 +1,33 @@
+name: depaware
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+
+    - name: depaware
+      run: go run github.com/tailscale/depaware --check
+        tailscale.com/cmd/tailscaled
+        tailscale.com/cmd/tailscale
+        tailscale.com/cmd/derper
--- a/.github/workflows/go_generate.yml
+++ b/.github/workflows/go_generate.yml
@@ -0,0 +1,42 @@
+name: go generate
+
+on:
+  push:
+    branches:
+      - main
+      - "release-branch/*"
+  pull_request:
+    branches:
+      - "*"
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: check 'go generate' is clean
+        run: |
+          if [[ "${{github.ref}}" == release-branch/* ]]
+          then
+            pkgs=$(go list ./... | grep -v dnsfallback)
+          else
+            pkgs=$(go list ./... | grep -v dnsfallback)
+          fi
+          go generate $pkgs
+          echo
+          echo
+          git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)
--- a/.github/workflows/go_mod_tidy.yml
+++ b/.github/workflows/go_mod_tidy.yml
@@ -0,0 +1,35 @@
+name: go mod tidy
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - "*"
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: check 'go mod tidy' is clean
+        run: |
+          go mod tidy
+          echo
+          echo
+          git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -0,0 +1,45 @@
+name: license
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+
+    - name: Run license checker
+      run: ./scripts/check_license_headers.sh .
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@@ -0,0 +1,67 @@
+name: Linux race
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Basic build
+      run: go build ./cmd/...
+
+    - name: Run tests and benchmarks with -race flag on linux
+      run: go test -race -bench=. -benchtime=1x ./...
+
+    - name: Check that no tracked files in the repo have been modified
+      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
+
+    - name: Check that no files have been added to the repo
+      run: |
+        # Note: The "error: pathspec..." you see below is normal!
+        # In the success case in which there are no new untracked files,
+        # git ls-files complains about the pathspec not matching anything.
+        # That's OK. It's not worth the effort to suppress. Please ignore it.
+        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
+        then
+          echo "Build/test created untracked files in the repo (file names above)."
+          exit 1
+        fi
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -0,0 +1,77 @@
+name: Linux
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Basic build
+      run: go build ./cmd/...
+
+    - name: Build variants
+      run: |
+        go install --tags=ts_include_cli ./cmd/tailscaled
+        go install --tags=ts_omit_aws ./cmd/tailscaled
+
+    - name: Get QEMU
+      run: |
+        sudo apt-get -y update
+        sudo apt-get -y install qemu-user
+
+    - name: Run tests on linux
+      run: go test -bench=. -benchtime=1x ./...
+
+    - name: Check that no tracked files in the repo have been modified
+      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
+
+    - name: Check that no files have been added to the repo
+      run: |
+        # Note: The "error: pathspec..." you see below is normal!
+        # In the success case in which there are no new untracked files,
+        # git ls-files complains about the pathspec not matching anything.
+        # That's OK. It's not worth the effort to suppress. Please ignore it.
+        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
+        then
+          echo "Build/test created untracked files in the repo (file names above)."
+          exit 1
+        fi
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -0,0 +1,67 @@
+name: Linux 32-bit
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Basic build
+      run: GOARCH=386 go build ./cmd/...
+
+    - name: Run tests on linux
+      run: GOARCH=386 go test -bench=. -benchtime=1x ./...
+
+    - name: Check that no tracked files in the repo have been modified
+      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
+
+    - name: Check that no files have been added to the repo
+      run: |
+        # Note: The "error: pathspec..." you see below is normal!
+        # In the success case in which there are no new untracked files,
+        # git ls-files complains about the pathspec not matching anything.
+        # That's OK. It's not worth the effort to suppress. Please ignore it.
+        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
+        then
+          echo "Build/test created untracked files in the repo (file names above)."
+          exit 1
+        fi
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -0,0 +1,113 @@
+name: static-analysis
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  gofmt:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+    - name: Run gofmt (goimports)
+      run: go run golang.org/x/tools/cmd/goimports -d --format-only .
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
+  vet:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.19
+    - name: Check out code
+      uses: actions/checkout@v3
+    - name: Run go vet
+      run: go vet ./...
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
+  staticcheck:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        goos: [linux, windows, darwin]
+        goarch: [amd64]
+        include:
+          - goos: windows
+            goarch: 386
+
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.19
+
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Install staticcheck
+      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
+
+    - name: Print staticcheck version
+      run: "staticcheck -version"
+
+    - name: "Run staticcheck (${{ matrix.goos }}/${{ matrix.goarch }})"
+      env:
+        GOOS: ${{ matrix.goos }}
+        GOARCH: ${{ matrix.goarch }}
+      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,430 +0,0 @@
-# This is our main "CI tests" workflow. It runs everything that should run on
-# both PRs and merged commits, and for the latter reports failures to slack.
-name: CI
-
-env:
-  # Our fuzz job, powered by OSS-Fuzz, fails periodically because we upgrade to
-  # new Go versions very eagerly. OSS-Fuzz is a little more conservative, and
-  # ends up being unable to compile our code.
-  #
-  # When this happens, we want to disable the fuzz target until OSS-Fuzz catches
-  # up. However, we also don't want to forget to turn it back on when OSS-Fuzz
-  # can once again build our code.
-  #
-  # This variable toggles the fuzz job between two modes:
-  #  - false: we expect fuzzing to be happy, and should report failure if it's not.
-  #  - true: we expect fuzzing is broken, and should report failure if it start working.
-  TS_FUZZ_CURRENTLY_BROKEN: false
-
-on:
-  push:
-    branches:
-      - "main"
-      - "release-branch/*"
-  pull_request:
-    branches:
-      - "*"
-  merge_group:
-    branches:
-      - "main"
-
-concurrency:
-  # For PRs, later CI runs preempt previous ones. e.g. a force push on a PR
-  # cancels running CI jobs and starts all new ones.
-  #
-  # For non-PR pushes, concurrency.group needs to be unique for every distinct
-  # CI run we want to have happen. Use run_id, which in practice means all
-  # non-PR CI runs will be allowed to run without preempting each other.
-  group: ${{ github.workflow }}-$${{ github.pull_request.number || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          - goarch: amd64
-          - goarch: amd64
-            variant: race
-          - goarch: "386" # thanks yaml
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: build all
-      run: ./tool/go build ./...
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: build variant CLIs
-      run: |
-        export TS_USE_TOOLCHAIN=1
-        ./build_dist.sh --extra-small ./cmd/tailscaled
-        ./build_dist.sh --box ./cmd/tailscaled
-        ./build_dist.sh --extra-small --box ./cmd/tailscaled
-        rm -f tailscaled
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: get qemu # for tstest/archtest
-      if: matrix.goarch == 'amd64' && matrix.variant == ''
-      run: |
-        sudo apt-get -y update
-        sudo apt-get -y install qemu-user
-    - name: build test wrapper
-      run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
-    - name: test all
-      if: matrix.variant != 'race'
-      run: ./tool/go test -exec=/tmp/testwrapper -bench=. -benchtime=1x ./...
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: test all (race)
-      if: matrix.variant == 'race'
-      run: ./tool/go test -race -exec=/tmp/testwrapper -bench=. -benchtime=1x ./...
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: check that no tracked files changed
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-    - name: check that no new files were added
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
-
-  windows:
-    runs-on: windows-2022
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        # TODO(raggi): add a go version here.
-        key: ${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
-    - name: test
-      # Don't use -bench=. -benchtime=1x.
-      # Somewhere in the layers (powershell?)
-      # the equals signs cause great confusion.
-      run: ./tool/go test -bench . -benchtime 1x ./...
-
-  vm:
-    runs-on: ["self-hosted", "linux", "vm"]
-    # VM tests run with some privileges, don't let them run on 3p PRs.
-    if: github.repository == 'tailscale/tailscale'
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: Run VM tests
-      run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
-      env:
-        HOME: "/tmp"
-        TMPDIR: "/tmp"
-        XDB_CACHE_HOME: "/var/lib/ghrunner/cache"
-  
-  cross: # cross-compile checks, build only.
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          # Note: linux/amd64 is not in this matrix, because that goos/goarch is
-          # tested more exhaustively in the 'test' job above.
-          - goos: linux
-            goarch: arm64
-          - goos: linux
-            goarch: "386" # thanks yaml
-          - goos: linux
-            goarch: loong64
-          - goos: linux
-            goarch: arm
-            goarm: "5"
-          - goos: linux
-            goarch: arm
-            goarm: "7"
-          # macOS
-          - goos: darwin
-            goarch: amd64
-          - goos: darwin
-            goarch: arm64
-          # Windows
-          - goos: windows
-            goarch: amd64
-          - goos: windows
-            goarch: arm64
-          # BSDs
-          - goos: freebsd
-            goarch: amd64
-          - goos: openbsd
-            goarch: amd64
-
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: build all
-      run: ./tool/go build ./cmd/...
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-        GOARM: ${{ matrix.goarm }}
-        CGO_ENABLED: "0"
-    - name: build tests
-      run: ./tool/go test -exec=true ./...
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-        CGO_ENABLED: "0"
-
-  ios: # similar to cross above, but iOS can't build most of the repo. So, just
-       #make it build a few smoke packages.
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: build some
-      run: ./tool/go build ./ipn/... ./wgengine/ ./types/... ./control/controlclient
-      env:
-        GOOS: ios
-        GOARCH: arm64
-
-  android:
-    # similar to cross above, but android fails to build a few pieces of the
-    # repo. We should fix those pieces, they're small, but as a stepping stone,
-    # only test the subset of android that our past smoke test checked.
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
-      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
-      # some Android breakages early.
-      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
-    - name: build some
-      run: ./tool/go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
-      env:
-        GOOS: android
-        GOARCH: arm64
-
-  wasm: # builds tsconnect, which is the only wasm build we support
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: build tsconnect client
-      run: ./tool/go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
-      env:
-        GOOS: js
-        GOARCH: wasm
-    - name: build tsconnect server
-      # Note, no GOOS/GOARCH in env on this build step, we're running a build
-      # tool that handles the build itself.
-      run: |
-        ./tool/go run ./cmd/tsconnect --fast-compression build
-        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
-
-  fuzz:
-    # This target periodically breaks (see TS_FUZZ_CURRENTLY_BROKEN at the top
-    # of the file), so it's more complex than usual: the 'build fuzzers' step
-    # might fail, and depending on the value of 'TS_FUZZ_CURRENTLY_BROKEN', that
-    # might or might not be fine. The steps after the build figure out whether
-    # the success/failure is expected, and appropriately pass/fail the job
-    # overall accordingly.
-    #
-    # Practically, this means that all steps after 'build fuzzers' must have an
-    # explicit 'if' condition, because the default condition for steps is
-    # 'success()', meaning "only run this if no previous steps failed".
-    if: github.event_name == 'pull_request'
-    runs-on: ubuntu-22.04
-    steps:
-    - name: build fuzzers
-      id: build
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
-      # continue-on-error makes steps.build.conclusion be 'success' even if
-      # steps.build.outcome is 'failure'. This means this step does not
-      # contribute to the job's overall pass/fail evaluation.
-      continue-on-error: true
-      with:
-       oss-fuzz-project-name: 'tailscale'
-       dry-run: false
-       language: go
-    - name: report unexpectedly broken fuzz build
-      if: steps.build.outcome == 'failure' && env.TS_FUZZ_CURRENTLY_BROKEN != 'true'
-      run: |
-        echo "fuzzer build failed, see above for why"
-        echo "if the failure is due to OSS-Fuzz not being on the latest Go yet,"
-        echo "set TS_FUZZ_CURRENTLY_BROKEN=true in .github/workflows/test.yml"
-        echo "to temporarily disable fuzzing until OSS-Fuzz works again."
-        exit 1
-    - name: report unexpectedly working fuzz build
-      if: steps.build.outcome == 'success' && env.TS_FUZZ_CURRENTLY_BROKEN == 'true'
-      run: |
-        echo "fuzzer build succeeded, but we expect it to be broken"
-        echo "please set TS_FUZZ_CURRENTLY_BROKEN=false in .github/workflows/test.yml"
-        echo "to reenable fuzz testing"
-        exit 1
-    - name: run fuzzers
-      id: run
-      # Run the fuzzers whenever they're able to build, even if we're going to
-      # report a failure because TS_FUZZ_CURRENTLY_BROKEN is set to the wrong
-      # value.
-      if: steps.build.outcome == 'success'
-      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'tailscale'
-        fuzz-seconds: 300
-        dry-run: false
-        language: go
-    - name: upload crash
-      uses: actions/upload-artifact@v3
-      if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
-      with:
-        name: artifacts
-        path: ./out/artifacts
-
-  depaware:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: check depaware
-      run: |
-        export PATH=$(./tool/go env GOROOT)/bin:$PATH
-        find . -name 'depaware.txt' | xargs -n1 dirname | xargs ./tool/go run github.com/tailscale/depaware --check
-
-  go_generate:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: check that 'go generate' is clean
-      run: |
-        pkgs=$(./tool/go list ./... | grep -v dnsfallback)
-        ./tool/go generate $pkgs
-        echo
-        echo
-        git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)
-
-  go_mod_tidy:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: check that 'go mod tidy' is clean
-      run: |
-        ./tool/go mod tidy
-        echo
-        echo
-        git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)
-
-  licenses:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: check licenses
-      run: ./scripts/check_license_headers.sh .
-
-  staticcheck:
-    runs-on: ubuntu-22.04
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        goos: ["linux", "windows", "darwin"]
-        goarch: ["amd64"]
-        include:
-          - goos: "windows"
-            goarch: "386"
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: install staticcheck
-      run: GOBIN=~/.local/bin ./tool/go install honnef.co/go/tools/cmd/staticcheck
-    - name: run staticcheck
-      run: |
-        export GOROOT=$(./tool/go env GOROOT)
-        export PATH=$GOROOT/bin:$PATH
-        staticcheck -- $(./tool/go list ./... | grep -v tempfork)
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-
-  notify_slack:
-    if: always()
-    # Any of these jobs failing causes a slack notification.
-    needs: 
-      - android
-      - test
-      - windows
-      - vm
-      - cross
-      - ios
-      - wasm
-      - fuzz
-      - depaware
-      - go_generate
-      - go_mod_tidy
-      - licenses
-      - staticcheck
-    runs-on: ubuntu-22.04
-    steps:
-    - name: notify  
-      # Only notify slack for merged commits, not PR failures.
-      #
-      # It may be tempting to move this condition into the job's 'if' block, but
-      # don't: Github only collapses the test list into "everything is OK" if
-      # all jobs succeeded. A skipped job results in the list staying expanded.
-      # By having the job always run, but skipping its only step as needed, we
-      # let the CI output collapse nicely in PRs.
-      if: failure() && github.event_name == 'push'
-      uses: ruby/action-slack@v3.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "title": "Failure: ${{ github.workflow }}",
-              "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",         
-              "text": "${{ github.repository }}@${{ github.ref_name }}: <https://github.com/${{ github.repository }}/commit/${{ github.sha }}|${{ github.sha }}>",
-              "fields": [{ "value": ${{ toJson(github.event.head_commit.message) }}, "short": false }],
-              "footer": "${{ github.event.head_commit.committer.name }} at ${{ github.event.head_commit.timestamp }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-
-  check_mergeability:
-    if: always()
-    runs-on: ubuntu-22.04
-    needs:
-      - android
-      - test
-      - windows
-      - vm
-      - cross
-      - ios
-      - wasm
-      - fuzz
-      - depaware
-      - go_generate
-      - go_mod_tidy
-      - licenses
-      - staticcheck
-    steps:
-    - name: Decide if change is okay to merge
-      if: github.event_name != 'push'
-      uses: re-actors/alls-green@release/v1
-      with:
-        jobs: ${{ toJSON(needs) }}
--- a/.github/workflows/tsconnect-pkg-publish.yml
+++ b/.github/workflows/tsconnect-pkg-publish.yml
@@ -21,7 +21,6 @@ jobs:
        # GOROOT is specified so that the Go/Wasm that is trigged by build-pk
        # also picks up our custom Go toolchain.
        run: |
-          export TS_USE_TOOLCHAIN=1
          ./build_dist.sh tailscale.com/cmd/tsconnect
          GOROOT="${HOME}/.cache/tailscale-go" ./tsconnect build-pkg

--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -1,49 +0,0 @@
-name: update-flake
-
-on:
-  # run action when a change lands in the main branch which updates go.mod. Also
-  # allow manual triggering.
-  push:
-    branches:
-      - main
-    paths:
-      - go.mod
-      - .github/workflows/update-flakes.yml
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  tailscale:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-
-      - name: Run update-flakes
-        run: ./update-flake.sh
-
-      - name: Get access token
-        uses: tibdex/github-app-token@f717b5ecd4534d3c4df4ce9b5c1c2214f0f7cd06 # v1.6.0
-        id: generate-token
-        with:
-          app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
-          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
-
-      - name: Send pull request
-        uses: peter-evans/create-pull-request@ad43dccb4d726ca8514126628bec209b8354b6dd #v4.1.4
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          author: Flakes Updater <noreply@tailscale.com>
-          committer: Flakes Updater <noreply@tailscale.com>
-          branch: flakes
-          commit-message: "go.mod.sri: update SRI hash for go.mod changes"
-          title: "go.mod.sri: update SRI hash for go.mod changes"
-          body: Triggered by ${{ github.repository }}@${{ github.sha }}
-          signoff: true
-          delete-branch: true
-          reviewers: danderson
--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@@ -0,0 +1,51 @@
+name: VM
+
+on:
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  ubuntu2004-LTS-cloud-base:
+    runs-on: [ self-hosted, linux, vm ]
+
+    if: "(github.repository == 'tailscale/tailscale') && !contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+      - name: Set GOPATH
+        run: echo "GOPATH=$HOME/go" >> $GITHUB_ENV
+
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: Run VM tests
+        run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
+        env:
+          HOME: "/tmp"
+          TMPDIR: "/tmp"
+          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
+
+      - uses: k0kubun/action-slack@v2.0.0
+        with:
+          payload: |
+            {
+              "attachments": [{
+                "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                        "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                        "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+                "color": "danger"
+              }]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        if: failure() && github.event_name == 'push'
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -0,0 +1,67 @@
+name: Windows
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+      - 'release-branch/*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: windows-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Install Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+
+    - name: Restore Cache
+      uses: actions/cache@v3
+      with:
+        # Note: unlike some other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        # TODO(raggi): add a go version here.
+        key: ${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
+
+    - name: Test
+      # Don't use -bench=. -benchtime=1x.
+      # Somewhere in the layers (powershell?)
+      # the equals signs cause great confusion.
+      run: go test -bench . -benchtime 1x ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
--- a/.gitignore
+++ b/.gitignore
@@ -26,14 +26,5 @@ cmd/tailscaled/tailscaled
 # Ignore personal VS Code settings
 .vscode/

-# Support personal project-specific GOPATH
-.gopath/
-
-# Ignore nix build result path
-/result
-
 # Ignore direnv nix-shell environment cache
 .direnv/
-
-/gocross
-/dist
--- a/13
+++ b/13
@@ -1,5 +1,6 @@
-# Copyright (c) Tailscale Inc & AUTHORS
-# SPDX-License-Identifier: BSD-3-Clause
+# Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.

 ############################################################################
 #
@@ -31,7 +32,7 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.20-alpine AS build-env
+FROM golang:1.19-alpine AS build-env

 WORKDIR /go/src/tailscale

@@ -62,9 +63,9 @@ ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
 ARG TARGETARCH

 RUN GOARCH=$TARGETARCH go install -ldflags="\
-      -X tailscale.com/version.longStamp=$VERSION_LONG \
-      -X tailscale.com/version.shortStamp=$VERSION_SHORT \
-      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
+      -X tailscale.com/version.Long=$VERSION_LONG \
+      -X tailscale.com/version.Short=$VERSION_SHORT \
+      -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \
      -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot

 FROM alpine:3.16
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -1,5 +1,6 @@
-# Copyright (c) Tailscale Inc & AUTHORS
-# SPDX-License-Identifier: BSD-3-Clause
+# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.

 FROM alpine:3.16
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
--- a/3
+++ b/3
@@ -1,6 +1,7 @@
 BSD 3-Clause License

-Copyright (c) 2020 Tailscale Inc & AUTHORS.
+Copyright (c) 2020 Tailscale & AUTHORS.
+All rights reserved.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
--- a/53
+++ b/53
@@ -2,64 +2,63 @@ IMAGE_REPO ?= tailscale/tailscale
 SYNO_ARCH ?= "amd64"
 SYNO_DSM ?= "7"

-vet: ## Run go vet
+usage:
+	echo "See Makefile"
+
+vet:
 	./tool/go vet ./...

-tidy: ## Run go mod tidy
+tidy:
 	./tool/go mod tidy

-updatedeps: ## Update depaware deps
-	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
-	# it finds in its $$PATH is the right one.
-	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update \
+updatedeps:
+	./tool/go run github.com/tailscale/depaware --update \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper

-depaware: ## Run depaware checks
-	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
-	# it finds in its $$PATH is the right one.
-	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check \
+depaware:
+	./tool/go run github.com/tailscale/depaware --check \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper

-buildwindows: ## Build tailscale CLI for windows/amd64
+buildwindows:
 	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

-build386: ## Build tailscale CLI for linux/386
+build386:
 	GOOS=linux GOARCH=386 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

-buildlinuxarm: ## Build tailscale CLI for linux/arm
+buildlinuxarm:
 	GOOS=linux GOARCH=arm ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

-buildwasm: ## Build tailscale CLI for js/wasm
+buildwasm:
 	GOOS=js GOARCH=wasm ./tool/go install ./cmd/tsconnect/wasm ./cmd/tailscale/cli

-buildlinuxloong64: ## Build tailscale CLI for linux/loong64
+buildlinuxloong64:
 	GOOS=linux GOARCH=loong64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

-buildmultiarchimage: ## Build (and optionally push) multiarch docker image
+buildmultiarchimage:
 	./build_docker.sh

-check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm ## Perform basic checks and compilation tests
+check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm

-staticcheck: ## Run staticcheck.io checks
+staticcheck:
 	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)

-spk: ## Build synology package for ${SYNO_ARCH} architecture and ${SYNO_DSM} DSM version
+spk:
 	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o tailscale.spk --source=. --goarch=${SYNO_ARCH} --dsm-version=${SYNO_DSM}

-spkall: ## Build synology packages for all architectures and DSM versions
+spkall:
 	mkdir -p spks
 	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o spks --source=. --goarch=all --dsm-version=all

-pushspk: spk ## Push and install synology package on ${SYNO_HOST} host
+pushspk: spk
 	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."
 	scp tailscale.spk root@${SYNO_HOST}:
 	ssh root@${SYNO_HOST} /usr/syno/bin/synopkg install tailscale.spk

-publishdevimage: ## Build and publish tailscale image to location specified by ${REPO}
+publishdevimage:
 	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
@@ -67,18 +66,10 @@ publishdevimage: ## Build and publish tailscale image to location specified by $
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
 	TAGS=latest REPOS=${REPO} PUSH=true TARGET=client ./build_docker.sh

-publishdevoperator: ## Build and publish k8s-operator image to location specified by ${REPO}
+publishdevoperator:
 	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
 	TAGS=latest REPOS=${REPO} PUSH=true TARGET=operator ./build_docker.sh
-
-help: ## Show this help
-	@echo "\nSpecify a command. The choices are:\n"
-	@grep -hE '^[0-9a-zA-Z_-]+:.*?## .*$$' ${MAKEFILE_LIST} | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[0;36m%-20s\033[m %s\n", $$1, $$2}'
-	@echo ""
-.PHONY: help
-
-.DEFAULT_GOAL := help
--- a/README.md
+++ b/README.md
@@ -6,41 +6,27 @@ Private WireGuard® networks made easy

 ## Overview

-This repository contains the majority of Tailscale's open source code.
-Notably, it includes the `tailscaled` daemon and
-the `tailscale` CLI tool. The `tailscaled` daemon runs on Linux, Windows,
-[macOS](https://tailscale.com/kb/1065/macos-variants/), and to varying degrees
-on FreeBSD and OpenBSD. The Tailscale iOS and Android apps use this repo's
-code, but this repo doesn't contain the mobile GUI code.
+This repository contains all the open source Tailscale client code and
+the `tailscaled` daemon and `tailscale` CLI tool. The `tailscaled`
+daemon runs on Linux, Windows and [macOS](https://tailscale.com/kb/1065/macos-variants/), and to varying degrees on FreeBSD, OpenBSD, and Darwin. (The Tailscale iOS and Android apps use this repo's code, but this repo doesn't contain the mobile GUI code.)

-Other [Tailscale repos](https://github.com/orgs/tailscale/repositories) of note:
+The Android app is at https://github.com/tailscale/tailscale-android

-* the Android app is at https://github.com/tailscale/tailscale-android
-* the Synology package is at https://github.com/tailscale/tailscale-synology
-* the QNAP package is at https://github.com/tailscale/tailscale-qpkg
-* the Chocolatey packaging is at https://github.com/tailscale/tailscale-chocolatey
-
-For background on which parts of Tailscale are open source and why,
-see [https://tailscale.com/opensource/](https://tailscale.com/opensource/).
+The Synology package is at https://github.com/tailscale/tailscale-synology

 ## Using

-We serve packages for a variety of distros and platforms at
-[https://pkgs.tailscale.com](https://pkgs.tailscale.com/).
+We serve packages for a variety of distros at
+https://pkgs.tailscale.com .

 ## Other clients

 The [macOS, iOS, and Windows clients](https://tailscale.com/download)
 use the code in this repository but additionally include small GUI
-wrappers. The GUI wrappers on non-open source platforms are themselves
-not open source.
+wrappers that are not open source.

 ## Building

-We always require the latest Go release, currently Go 1.20. (While we build
-releases with our [Go fork](https://github.com/tailscale/go/), its use is not
-required.)
-
 ```
 go install tailscale.com/cmd/tailscale{,d}
 ```
@@ -57,6 +43,8 @@ If your distro has conventions that preclude the use of
 `build_dist.sh`, please do the equivalent of what it does in your
 distro's way, so that bug reports contain useful version information.

+We require the latest Go release, currently Go 1.19.
+
 ## Bugs

 Please file any issues about this code or the hosted service on
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.37.0
+1.35.0
--- a/atomicfile/atomicfile.go
+++ b/atomicfile/atomicfile.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2019 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // Package atomicfile contains code related to writing to filesystems
 // atomically.
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -11,25 +11,42 @@

 set -eu

-go="go"
-if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
-	go="./tool/go"
+IFS=".$IFS" read -r major minor patch <VERSION.txt
+git_hash=$(git rev-parse HEAD)
+if ! git diff-index --quiet HEAD; then
+	git_hash="${git_hash}-dirty"
+fi
+base_hash=$(git rev-list --max-count=1 HEAD -- VERSION.txt)
+change_count=$(git rev-list --count HEAD "^$base_hash")
+short_hash=$(echo "$git_hash" | cut -c1-9)
+
+if expr "$minor" : "[0-9]*[13579]$" >/dev/null; then
+	patch="$change_count"
+	change_suffix=""
+elif [ "$change_count" != "0" ]; then
+	change_suffix="-$change_count"
+else
+	change_suffix=""
 fi

-eval `$go run ./cmd/mkversion`
+long_suffix="$change_suffix-t$short_hash"
+MINOR="$major.$minor"
+SHORT="$MINOR.$patch"
+LONG="${SHORT}$long_suffix"
+GIT_HASH="$git_hash"

 if [ "$1" = "shellvars" ]; then
 	cat <<EOF
-VERSION_MINOR="$VERSION_MINOR"
-VERSION_SHORT="$VERSION_SHORT"
-VERSION_LONG="$VERSION_LONG"
-VERSION_GIT_HASH="$VERSION_GIT_HASH"
+VERSION_MINOR="$MINOR"
+VERSION_SHORT="$SHORT"
+VERSION_LONG="$LONG"
+VERSION_GIT_HASH="$GIT_HASH"
 EOF
 	exit 0
 fi

 tags=""
-ldflags="-X tailscale.com/version.longStamp=${VERSION_LONG} -X tailscale.com/version.shortStamp=${VERSION_SHORT}"
+ldflags="-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}"

 # build_dist.sh arguments must precede go build arguments.
 while [ "$#" -gt 1 ]; do
@@ -37,7 +54,7 @@ while [ "$#" -gt 1 ]; do
 	--extra-small)
 		shift
 		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube"
+		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap"
 		;;
 	--box)
 		shift
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -23,29 +23,28 @@ set -eu
 export PATH=$PWD/tool:$PATH

 eval $(./build_dist.sh shellvars)
-
-DEFAULT_TARGET="client"
 DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
-DEFAULT_BASE="tailscale/alpine-base:3.16"
+DEFAULT_REPOS="tailscale/tailscale,ghcr.io/tailscale/tailscale"
+DEFAULT_BASE="ghcr.io/tailscale/alpine-base:3.16"
+DEFAULT_TARGET="client"

 PUSH="${PUSH:-false}"
-TARGET="${TARGET:-${DEFAULT_TARGET}}"
+REPOS="${REPOS:-${DEFAULT_REPOS}}"
 TAGS="${TAGS:-${DEFAULT_TAGS}}"
 BASE="${BASE:-${DEFAULT_BASE}}"
+TARGET="${TARGET:-${DEFAULT_TARGET}}"

 case "$TARGET" in
  client)
-    DEFAULT_REPOS="tailscale/tailscale"
-    REPOS="${REPOS:-${DEFAULT_REPOS}}"
    go run github.com/tailscale/mkctr \
      --gopaths="\
        tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
        tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled, \
        tailscale.com/cmd/containerboot:/usr/local/bin/containerboot" \
      --ldflags="\
-        -X tailscale.com/version.longStamp=${VERSION_LONG} \
-        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
-        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
+        -X tailscale.com/version.Long=${VERSION_LONG} \
+        -X tailscale.com/version.Short=${VERSION_SHORT} \
+        -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
      --base="${BASE}" \
      --tags="${TAGS}" \
      --repos="${REPOS}" \
@@ -53,14 +52,12 @@ case "$TARGET" in
      /usr/local/bin/containerboot
    ;;
  operator)
-    DEFAULT_REPOS="tailscale/k8s-operator"
-    REPOS="${REPOS:-${DEFAULT_REPOS}}"
    go run github.com/tailscale/mkctr \
      --gopaths="tailscale.com/cmd/k8s-operator:/usr/local/bin/operator" \
      --ldflags="\
-        -X tailscale.com/version.longStamp=${VERSION_LONG} \
-        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
-        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
+        -X tailscale.com/version.Long=${VERSION_LONG} \
+        -X tailscale.com/version.Short=${VERSION_SHORT} \
+        -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
      --base="${BASE}" \
      --tags="${TAGS}" \
      --repos="${REPOS}" \
--- a/chirp/chirp.go
+++ b/chirp/chirp.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // Package chirp implements a client to communicate with the BIRD Internet
 // Routing Daemon.
--- a/chirp/chirp_test.go
+++ b/chirp/chirp_test.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
 package chirp

 import (
--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build go1.19

--- a/client/tailscale/apitype/apitype.go
+++ b/client/tailscale/apitype/apitype.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // Package apitype contains types for the Tailscale LocalAPI and control plane API.
 package apitype
@@ -32,9 +33,3 @@ type WaitingFile struct {
 	Name string
 	Size int64
 }
-
-// SetPushDeviceTokenRequest is the body POSTed to the LocalAPI endpoint /set-device-token.
-type SetPushDeviceTokenRequest struct {
-	// PushDeviceToken is the iOS/macOS APNs device token (and any future Android equivalent).
-	PushDeviceToken string
-}
--- a/client/tailscale/apitype/controltype.go
+++ b/client/tailscale/apitype/controltype.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package apitype

--- a/client/tailscale/devices.go
+++ b/client/tailscale/devices.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build go1.19

@@ -44,18 +45,17 @@ type Device struct {
 	Name      string   `json:"name"`
 	Hostname  string   `json:"hostname"`

-	ClientVersion     string   `json:"clientVersion"`   // Empty for external devices.
-	UpdateAvailable   bool     `json:"updateAvailable"` // Empty for external devices.
-	OS                string   `json:"os"`
-	Tags              []string `json:"tags"`
-	Created           string   `json:"created"` // Empty for external devices.
-	LastSeen          string   `json:"lastSeen"`
-	KeyExpiryDisabled bool     `json:"keyExpiryDisabled"`
-	Expires           string   `json:"expires"`
-	Authorized        bool     `json:"authorized"`
-	IsExternal        bool     `json:"isExternal"`
-	MachineKey        string   `json:"machineKey"` // Empty for external devices.
-	NodeKey           string   `json:"nodeKey"`
+	ClientVersion     string `json:"clientVersion"`   // Empty for external devices.
+	UpdateAvailable   bool   `json:"updateAvailable"` // Empty for external devices.
+	OS                string `json:"os"`
+	Created           string `json:"created"` // Empty for external devices.
+	LastSeen          string `json:"lastSeen"`
+	KeyExpiryDisabled bool   `json:"keyExpiryDisabled"`
+	Expires           string `json:"expires"`
+	Authorized        bool   `json:"authorized"`
+	IsExternal        bool   `json:"isExternal"`
+	MachineKey        string `json:"machineKey"` // Empty for external devices.
+	NodeKey           string `json:"nodeKey"`

 	// BlocksIncomingConnections is configured via the device's
 	// Tailscale client preferences. This field is only reported
--- a/client/tailscale/dns.go
+++ b/client/tailscale/dns.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build go1.19

--- a/client/tailscale/example/servetls/servetls.go
+++ b/client/tailscale/example/servetls/servetls.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // The servetls program shows how to run an HTTPS server
 // using a Tailscale cert via LetsEncrypt.
--- a/client/tailscale/keys.go
+++ b/client/tailscale/keys.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package tailscale

@@ -54,14 +55,14 @@ func (c *Client) Keys(ctx context.Context) ([]string, error) {
 		return nil, handleErrorResponse(b, resp)
 	}

-	var keys struct {
-		Keys []*Key `json:"keys"`
+	var keys []struct {
+		ID string `json:"id"`
 	}
 	if err := json.Unmarshal(b, &keys); err != nil {
 		return nil, err
 	}
-	ret := make([]string, 0, len(keys.Keys))
-	for _, k := range keys.Keys {
+	ret := make([]string, 0, len(keys))
+	for _, k := range keys {
 		ret = append(ret, k.ID)
 	}
 	return ret, nil
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build go1.19

@@ -113,7 +114,6 @@ func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string)
 //
 // DoLocalRequest may mutate the request to add Authorization headers.
 func (lc *LocalClient) DoLocalRequest(req *http.Request) (*http.Response, error) {
-	req.Header.Set("Tailscale-Cap", strconv.Itoa(int(tailcfg.CurrentCapabilityVersion)))
 	lc.tsClientOnce.Do(func() {
 		lc.tsClient = &http.Client{
 			Transport: &http.Transport{
@@ -257,23 +257,6 @@ func (lc *LocalClient) DaemonMetrics(ctx context.Context) ([]byte, error) {
 	return lc.get200(ctx, "/localapi/v0/metrics")
 }

-// TailDaemonLogs returns a stream the Tailscale daemon's logs as they arrive.
-// Close the context to stop the stream.
-func (lc *LocalClient) TailDaemonLogs(ctx context.Context) (io.Reader, error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+apitype.LocalAPIHost+"/localapi/v0/logtap", nil)
-	if err != nil {
-		return nil, err
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != 200 {
-		return nil, errors.New(res.Status)
-	}
-	return res.Body, nil
-}
-
 // Pprof returns a pprof profile of the Tailscale daemon.
 func (lc *LocalClient) Pprof(ctx context.Context, pprofType string, sec int) ([]byte, error) {
 	var secArg string
@@ -1019,36 +1002,6 @@ func (lc *LocalClient) DebugDERPRegion(ctx context.Context, regionIDOrCode strin
 	return decodeJSON[*ipnstate.DebugDERPRegionReport](body)
 }

-// DebugSetExpireIn marks the current node key to expire in d.
-//
-// This is meant primarily for debug and testing.
-func (lc *LocalClient) DebugSetExpireIn(ctx context.Context, d time.Duration) error {
-	v := url.Values{"expiry": {fmt.Sprint(time.Now().Add(d).Unix())}}
-	_, err := lc.send(ctx, "POST", "/localapi/v0/set-expiry-sooner?"+v.Encode(), 200, nil)
-	return err
-}
-
-// StreamDebugCapture streams a pcap-formatted packet capture.
-//
-// The provided context does not determine the lifetime of the
-// returned io.ReadCloser.
-func (lc *LocalClient) StreamDebugCapture(ctx context.Context) (io.ReadCloser, error) {
-	req, err := http.NewRequestWithContext(ctx, "POST", "http://"+apitype.LocalAPIHost+"/localapi/v0/debug-capture", nil)
-	if err != nil {
-		return nil, err
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		res.Body.Close()
-		return nil, err
-	}
-	if res.StatusCode != 200 {
-		res.Body.Close()
-		return nil, errors.New(res.Status)
-	}
-	return res.Body, nil
-}
-
 // WatchIPNBus subscribes to the IPN notification bus. It returns a watcher
 // once the bus is connected successfully.
 //
--- a/client/tailscale/localclient_test.go
+++ b/client/tailscale/localclient_test.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build go1.19

--- a/client/tailscale/required_version.go
+++ b/client/tailscale/required_version.go
@@ -1,10 +1,11 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

-//go:build !go1.20
+//go:build !go1.19

 package tailscale

 func init() {
-	you_need_Go_1_20_to_compile_Tailscale()
+	you_need_Go_1_19_to_compile_Tailscale()
 }
--- a/client/tailscale/routes.go
+++ b/client/tailscale/routes.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build go1.19

--- a/client/tailscale/tailnet.go
+++ b/client/tailscale/tailnet.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build go1.19

@@ -10,8 +11,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-
-	"tailscale.com/util/httpm"
 )

 // TailnetDeleteRequest handles sending a DELETE request for a tailnet to control.
@@ -23,7 +22,7 @@ func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (er
 	}()

 	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
-	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
+	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, path, nil)
 	if err != nil {
 		return err
 	}
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build go1.19

--- a/cmd/addlicense/main.go
+++ b/cmd/addlicense/main.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // Program addlicense adds a license header to a file.
 // It is intended for use with 'go generate',
@@ -14,24 +15,26 @@ import (
 )

 var (
+	year = flag.Int("year", 0, "copyright year")
 	file = flag.String("file", "", "file to modify")
 )

 func usage() {
 	fmt.Fprintf(os.Stderr, `
-usage: addlicense -file FILE <subcommand args...>
+usage: addlicense -year YEAR -file FILE <subcommand args...>
 `[1:])

 	flag.PrintDefaults()
 	fmt.Fprintf(os.Stderr, `
-addlicense adds a Tailscale license to the beginning of file.
+addlicense adds a Tailscale license to the beginning of file,
+using year as the copyright year.

 It is intended for use with 'go generate', so it also runs a subcommand,
 which presumably creates the file.

 Sample usage:

-addlicense -file pull_strings.go stringer -type=pull
+addlicense -year 2021 -file pull_strings.go stringer -type=pull
 `[1:])
 	os.Exit(2)
 }
@@ -51,7 +54,7 @@ func main() {
 	check(err)
 	f, err := os.OpenFile(*file, os.O_TRUNC|os.O_WRONLY, 0644)
 	check(err)
-	_, err = fmt.Fprint(f, license)
+	_, err = fmt.Fprintf(f, license, *year)
 	check(err)
 	_, err = f.Write(b)
 	check(err)
@@ -67,7 +70,8 @@ func check(err error) {
 }

 var license = `
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) %d Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 `[1:]
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // Cloner is a tool to automate the creation of a Clone method.
 //
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build linux

--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build linux

@@ -11,8 +12,7 @@
 // As with most container things, configuration is passed through environment
 // variables. All configuration is optional.
 //
-//   - TS_AUTHKEY: the authkey to use for login.
-//   - TS_HOSTNAME: the hostname to request for the node.
+//   - TS_AUTH_KEY: the authkey to use for login.
 //   - TS_ROUTES: subnet routes to advertise.
 //   - TS_DEST_IP: proxy all incoming Tailscale traffic to the given
 //     destination.
@@ -42,7 +42,7 @@
 // TS_KUBE_SECRET="" and TS_STATE_DIR=/path/to/storage/dir. The state dir should
 // be persistent storage.
 //
-// Additionally, if TS_AUTHKEY is not set and the TS_KUBE_SECRET contains an
+// Additionally, if TS_AUTH_KEY is not set and the TS_KUBE_SECRET contains an
 // "authkey" field, that key is used as the tailscale authkey.
 package main

@@ -73,8 +73,7 @@ func main() {
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true

 	cfg := &settings{
-		AuthKey:         defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
-		Hostname:        defaultEnv("TS_HOSTNAME", ""),
+		AuthKey:         defaultEnv("TS_AUTH_KEY", ""),
 		Routes:          defaultEnv("TS_ROUTES", ""),
 		ProxyTo:         defaultEnv("TS_DEST_IP", ""),
 		DaemonExtraArgs: defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
@@ -356,11 +355,7 @@ func tailscaledArgs(cfg *settings) []string {
 	args := []string{"--socket=" + cfg.Socket}
 	switch {
 	case cfg.InKubernetes && cfg.KubeSecret != "":
-		args = append(args, "--state=kube:"+cfg.KubeSecret)
-		if cfg.StateDir == "" {
-			cfg.StateDir = "/tmp"
-		}
-		fallthrough
+		args = append(args, "--state=kube:"+cfg.KubeSecret, "--statedir=/tmp")
 	case cfg.StateDir != "":
 		args = append(args, "--statedir="+cfg.StateDir)
 	default:
@@ -399,9 +394,6 @@ func tailscaleUp(ctx context.Context, cfg *settings) error {
 	if cfg.Routes != "" {
 		args = append(args, "--advertise-routes="+cfg.Routes)
 	}
-	if cfg.Hostname != "" {
-		args = append(args, "--hostname="+cfg.Hostname)
-	}
 	if cfg.ExtraArgs != "" {
 		args = append(args, strings.Fields(cfg.ExtraArgs)...)
 	}
@@ -530,7 +522,6 @@ func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Prefi
 // settings is all the configuration for containerboot.
 type settings struct {
 	AuthKey            string
-	Hostname           string
 	Routes             string
 	ProxyTo            string
 	DaemonExtraArgs    string
@@ -557,15 +548,6 @@ func defaultEnv(name, defVal string) string {
 	return defVal
 }

-func defaultEnvs(names []string, defVal string) string {
-	for _, name := range names {
-		if v, ok := os.LookupEnv(name); ok {
-			return v
-		}
-	}
-	return defVal
-}
-
 // defaultBool returns the boolean value of the given envvar name, or
 // defVal if unset or not a bool.
 func defaultBool(name string, defVal bool) bool {
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build linux

@@ -145,24 +146,6 @@ func TestContainerBoot(t *testing.T) {
 		{
 			// Userspace mode, ephemeral storage, authkey provided on every run.
 			Name: "authkey",
-			Env: map[string]string{
-				"TS_AUTHKEY": "tskey-key",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-				},
-				{
-					Notify: runningNotify,
-				},
-			},
-		},
-		{
-			// Userspace mode, ephemeral storage, authkey provided on every run.
-			Name: "authkey-old-flag",
 			Env: map[string]string{
 				"TS_AUTH_KEY": "tskey-key",
 			},
@@ -181,7 +164,7 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "authkey_disk_state",
 			Env: map[string]string{
-				"TS_AUTHKEY":   "tskey-key",
+				"TS_AUTH_KEY":  "tskey-key",
 				"TS_STATE_DIR": filepath.Join(d, "tmp"),
 			},
 			Phases: []phase{
@@ -199,8 +182,8 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "routes",
 			Env: map[string]string{
-				"TS_AUTHKEY": "tskey-key",
-				"TS_ROUTES":  "1.2.3.0/24,10.20.30.0/24",
+				"TS_AUTH_KEY": "tskey-key",
+				"TS_ROUTES":   "1.2.3.0/24,10.20.30.0/24",
 			},
 			Phases: []phase{
 				{
@@ -221,7 +204,7 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "routes_kernel_ipv4",
 			Env: map[string]string{
-				"TS_AUTHKEY":   "tskey-key",
+				"TS_AUTH_KEY":  "tskey-key",
 				"TS_ROUTES":    "1.2.3.0/24,10.20.30.0/24",
 				"TS_USERSPACE": "false",
 			},
@@ -244,7 +227,7 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "routes_kernel_ipv6",
 			Env: map[string]string{
-				"TS_AUTHKEY":   "tskey-key",
+				"TS_AUTH_KEY":  "tskey-key",
 				"TS_ROUTES":    "::/64,1::/64",
 				"TS_USERSPACE": "false",
 			},
@@ -267,7 +250,7 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "routes_kernel_all_families",
 			Env: map[string]string{
-				"TS_AUTHKEY":   "tskey-key",
+				"TS_AUTH_KEY":  "tskey-key",
 				"TS_ROUTES":    "::/64,1.2.3.0/24",
 				"TS_USERSPACE": "false",
 			},
@@ -290,7 +273,7 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "proxy",
 			Env: map[string]string{
-				"TS_AUTHKEY":   "tskey-key",
+				"TS_AUTH_KEY":  "tskey-key",
 				"TS_DEST_IP":   "1.2.3.4",
 				"TS_USERSPACE": "false",
 			},
@@ -312,7 +295,7 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "authkey_once",
 			Env: map[string]string{
-				"TS_AUTHKEY":   "tskey-key",
+				"TS_AUTH_KEY":  "tskey-key",
 				"TS_AUTH_ONCE": "true",
 			},
 			Phases: []phase{
@@ -371,7 +354,7 @@ func TestContainerBoot(t *testing.T) {
 				// Explicitly set to an empty value, to override the default of "tailscale".
 				"TS_KUBE_SECRET": "",
 				"TS_STATE_DIR":   filepath.Join(d, "tmp"),
-				"TS_AUTHKEY":     "tskey-key",
+				"TS_AUTH_KEY":    "tskey-key",
 			},
 			KubeSecret: map[string]string{},
 			Phases: []phase{
@@ -393,7 +376,7 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"KUBERNETES_SERVICE_HOST":       kube.Host,
 				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
-				"TS_AUTHKEY":                    "tskey-key",
+				"TS_AUTH_KEY":                   "tskey-key",
 			},
 			KubeSecret:    map[string]string{},
 			KubeDenyPatch: true,
@@ -549,22 +532,6 @@ func TestContainerBoot(t *testing.T) {
 				},
 			},
 		},
-		{
-			Name: "hostname",
-			Env: map[string]string{
-				"TS_HOSTNAME": "my-server",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --hostname=my-server",
-					},
-				}, {
-					Notify: runningNotify,
-				},
-			},
-		},
 	}

 	for _, test := range tests {
--- a/cmd/derper/bootstrap_dns.go
+++ b/cmd/derper/bootstrap_dns.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package main

--- a/cmd/derper/bootstrap_dns_test.go
+++ b/cmd/derper/bootstrap_dns_test.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package main

--- a/cmd/derper/cert.go
+++ b/cmd/derper/cert.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package main

--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -11,7 +11,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
-   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
+  LW    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
@@ -34,7 +34,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/derper
        tailscale.com/disco                                          from tailscale.com/derp
        tailscale.com/envknob                                        from tailscale.com/derp+
-        tailscale.com/health                                         from tailscale.com/net/tlsdial
        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
        tailscale.com/ipn                                            from tailscale.com/client/tailscale
        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
@@ -65,13 +64,12 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/types/empty                                    from tailscale.com/ipn
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
        tailscale.com/types/key                                      from tailscale.com/cmd/derper+
-        tailscale.com/types/lazy                                     from tailscale.com/version+
        tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
        tailscale.com/types/netmap                                   from tailscale.com/ipn
        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/ipn
-        tailscale.com/types/ptr                                      from tailscale.com/hostinfo+
+        tailscale.com/types/ptr                                      from tailscale.com/hostinfo
        tailscale.com/types/structs                                  from tailscale.com/ipn+
        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
        tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
@@ -80,13 +78,10 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
-        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-        tailscale.com/util/mak                                       from tailscale.com/syncs+
-        tailscale.com/util/multierr                                  from tailscale.com/health
-        tailscale.com/util/set                                       from tailscale.com/health
+        tailscale.com/util/mak                                       from tailscale.com/syncs
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-        tailscale.com/util/vizerror                                  from tailscale.com/tsweb
+        tailscale.com/util/strs                                      from tailscale.com/hostinfo+
   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/derp+
        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
@@ -100,7 +95,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
-        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/curve25519                               from crypto/tls+
        golang.org/x/crypto/hkdf                                     from crypto/tls
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
@@ -138,7 +133,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        crypto/cipher                                                from crypto/aes+
        crypto/des                                                   from crypto/tls+
        crypto/dsa                                                   from crypto/x509
-        crypto/ecdh                                                  from crypto/ecdsa+
        crypto/ecdsa                                                 from crypto/tls+
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // The derper binary is a simple DERP server.
 package main // import "tailscale.com/cmd/derper"
--- a/cmd/derper/derper_test.go
+++ b/cmd/derper/derper_test.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package main

--- a/cmd/derper/mesh.go
+++ b/cmd/derper/mesh.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package main

@@ -16,6 +17,7 @@ import (
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/strs"
 )

 func startMesh(s *derp.Server) error {
@@ -49,7 +51,7 @@ func startMeshWithHost(s *derp.Server, host string) error {
 		}
 		var d net.Dialer
 		var r net.Resolver
-		if base, ok := strings.CutSuffix(host, ".tailscale.com"); ok && port == "443" {
+		if base, ok := strs.CutSuffix(host, ".tailscale.com"); ok && port == "443" {
 			subCtx, cancel := context.WithTimeout(ctx, 2*time.Second)
 			defer cancel()
 			vpcHost := base + "-vpc.tailscale.com"
--- a/cmd/derper/websocket.go
+++ b/cmd/derper/websocket.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package main

--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -1,46 +1,74 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // The derpprobe binary probes derpers.
-package main
+package main // import "tailscale.com/cmd/derper/derpprobe"

 import (
-	"expvar"
+	"bytes"
+	"context"
+	crand "crypto/rand"
+	"crypto/x509"
+	"encoding/json"
+	"errors"
 	"flag"
 	"fmt"
 	"html"
 	"io"
 	"log"
+	"net"
 	"net/http"
+	"os"
 	"sort"
+	"strings"
+	"sync"
 	"time"

-	"tailscale.com/prober"
-	"tailscale.com/tsweb"
+	"tailscale.com/derp"
+	"tailscale.com/derp/derphttp"
+	"tailscale.com/net/stun"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
 )

 var (
 	derpMapURL = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://)")
 	listen     = flag.String("listen", ":8030", "HTTP listen address")
 	probeOnce  = flag.Bool("once", false, "probe once and print results, then exit; ignores the listen flag")
-	interval   = flag.Duration("interval", 15*time.Second, "probe interval")
+)
+
+// certReissueAfter is the time after which we expect all certs to be
+// reissued, at minimum.
+//
+// This is currently set to the date of the LetsEncrypt ALPN revocation event of Jan 2022:
+// https://community.letsencrypt.org/t/questions-about-renewing-before-tls-alpn-01-revocations/170449
+//
+// If there's another revocation event, bump this again.
+var certReissueAfter = time.Unix(1643226768, 0)
+
+var (
+	mu            sync.Mutex
+	state         = map[nodePair]pairStatus{}
+	lastDERPMap   *tailcfg.DERPMap
+	lastDERPMapAt time.Time
+	certs         = map[string]*x509.Certificate{}
 )

 func main() {
 	flag.Parse()

-	p := prober.New().WithSpread(true).WithOnce(*probeOnce)
-	dp, err := prober.DERP(p, *derpMapURL, *interval, *interval, *interval)
-	if err != nil {
-		log.Fatal(err)
-	}
-	p.Run("derpmap-probe", *interval, nil, dp.ProbeMap)
+	// proactively load the DERP map. Nothing terrible happens if this fails, so we ignore
+	// the error. The Slack bot will print a notification that the DERP map was empty.
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	_, _ = getDERPMap(ctx)

 	if *probeOnce {
-		log.Printf("Waiting for all probes (may take up to 1m)")
-		p.Wait()
-
-		st := getOverallStatus(p)
+		log.Printf("Starting probe (may take up to 1m)")
+		probe()
+		log.Printf("Probe results:")
+		st := getOverallStatus()
 		for _, s := range st.good {
 			log.Printf("good: %s", s)
 		}
@@ -50,11 +78,15 @@ func main() {
 		return
 	}

-	mux := http.NewServeMux()
-	tsweb.Debugger(mux)
-	expvar.Publish("derpprobe", p.Expvar())
-	mux.HandleFunc("/", http.HandlerFunc(serveFunc(p)))
-	log.Fatal(http.ListenAndServe(*listen, mux))
+	go probeLoop()
+	go slackLoop()
+	log.Fatal(http.ListenAndServe(*listen, http.HandlerFunc(serve)))
+}
+
+func setCert(name string, cert *x509.Certificate) {
+	mu.Lock()
+	defer mu.Unlock()
+	certs[name] = cert
 }

 type overallStatus struct {
@@ -69,43 +101,471 @@ func (st *overallStatus) addGoodf(format string, a ...any) {
 	st.good = append(st.good, fmt.Sprintf(format, a...))
 }

-func getOverallStatus(p *prober.Prober) (o overallStatus) {
-	for p, i := range p.ProbeInfo() {
-		if i.End.IsZero() {
-			// Do not show probes that have not finished yet.
-			continue
-		}
-		if i.Result {
-			o.addGoodf("%s: %s", p, i.Latency)
-		} else {
-			o.addBadf("%s: %s", p, i.Error)
+func getOverallStatus() (o overallStatus) {
+	mu.Lock()
+	defer mu.Unlock()
+	if lastDERPMap == nil {
+		o.addBadf("no DERP map")
+		return
+	}
+	now := time.Now()
+	if age := now.Sub(lastDERPMapAt); age > time.Minute {
+		o.addBadf("DERPMap hasn't been successfully refreshed in %v", age.Round(time.Second))
+	}
+
+	addPairMeta := func(pair nodePair) {
+		st, ok := state[pair]
+		age := now.Sub(st.at).Round(time.Second)
+		switch {
+		case !ok:
+			o.addBadf("no state for %v", pair)
+		case st.err != nil:
+			o.addBadf("%v: %v", pair, st.err)
+		case age > 90*time.Second:
+			o.addBadf("%v: update is %v old", pair, age)
+		default:
+			o.addGoodf("%v: %v, %v ago", pair, st.latency.Round(time.Millisecond), age)
 		}
 	}

-	sort.Strings(o.bad)
-	sort.Strings(o.good)
+	for _, reg := range sortedRegions(lastDERPMap) {
+		for _, from := range reg.Nodes {
+			addPairMeta(nodePair{"UDP", from.Name})
+			for _, to := range reg.Nodes {
+				addPairMeta(nodePair{from.Name, to.Name})
+			}
+		}
+	}
+
+	var subjs []string
+	for k := range certs {
+		subjs = append(subjs, k)
+	}
+	sort.Strings(subjs)
+
+	soon := time.Now().Add(14 * 24 * time.Hour) // in 2 weeks; autocert does 30 days by default
+	for _, s := range subjs {
+		cert := certs[s]
+		if cert.NotBefore.Before(certReissueAfter) {
+			o.addBadf("cert %q needs reissuing; NotBefore=%v", s, cert.NotBefore.Format(time.RFC3339))
+			continue
+		}
+		if cert.NotAfter.Before(soon) {
+			o.addBadf("cert %q expiring soon (%v); wasn't auto-refreshed", s, cert.NotAfter.Format(time.RFC3339))
+			continue
+		}
+		o.addGoodf("cert %q good %v - %v", s, cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
+	}
+
 	return
 }

-func serveFunc(p *prober.Prober) func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		st := getOverallStatus(p)
-		summary := "All good"
-		if (float64(len(st.bad)) / float64(len(st.bad)+len(st.good))) > 0.25 {
-			// Returning a 500 allows monitoring this server externally and configuring
-			// an alert on HTTP response code.
-			w.WriteHeader(500)
-			summary = fmt.Sprintf("%d problems", len(st.bad))
+func serve(w http.ResponseWriter, r *http.Request) {
+	st := getOverallStatus()
+	summary := "All good"
+	if (float64(len(st.bad)) / float64(len(st.bad)+len(st.good))) > 0.25 {
+		// This will generate an alert and page a human.
+		// It also ends up in Slack, but as part of the alert handling pipeline not
+		// because we generated a Slack notification from here.
+		w.WriteHeader(500)
+		summary = fmt.Sprintf("%d problems", len(st.bad))
+	}
+
+	io.WriteString(w, "<html><head><style>.bad { font-weight: bold; color: #700; }</style></head>\n")
+	fmt.Fprintf(w, "<body><h1>derp probe</h1>\n%s:<ul>", summary)
+	for _, s := range st.bad {
+		fmt.Fprintf(w, "<li class=bad>%s</li>\n", html.EscapeString(s))
+	}
+	for _, s := range st.good {
+		fmt.Fprintf(w, "<li>%s</li>\n", html.EscapeString(s))
+	}
+	io.WriteString(w, "</ul></body></html>\n")
+}
+
+func notifySlack(text string) error {
+	type SlackRequestBody struct {
+		Text string `json:"text"`
+	}
+
+	slackBody, err := json.Marshal(SlackRequestBody{Text: text})
+	if err != nil {
+		return err
+	}
+
+	webhookUrl := os.Getenv("SLACK_WEBHOOK")
+	if webhookUrl == "" {
+		return errors.New("No SLACK_WEBHOOK configured")
+	}
+
+	req, err := http.NewRequest("POST", webhookUrl, bytes.NewReader(slackBody))
+	if err != nil {
+		return err
+	}
+	req.Header.Add("Content-Type", "application/json")
+
+	client := &http.Client{Timeout: 10 * time.Second}
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return errors.New(resp.Status)
+	}
+
+	body, _ := io.ReadAll(resp.Body)
+	if string(body) != "ok" {
+		return errors.New("Non-ok response returned from Slack")
+	}
+	return nil
+}
+
+// We only page a human if it looks like there is a significant outage across multiple regions.
+// To Slack, we report all failures great and small.
+func slackLoop() {
+	inBadState := false
+	for {
+		time.Sleep(time.Second * 30)
+		st := getOverallStatus()
+
+		if len(st.bad) > 0 && !inBadState {
+			err := notifySlack(strings.Join(st.bad, "\n"))
+			if err == nil {
+				inBadState = true
+			} else {
+				log.Printf("%d problems, notify Slack failed: %v", len(st.bad), err)
+			}
 		}

-		io.WriteString(w, "<html><head><style>.bad { font-weight: bold; color: #700; }</style></head>\n")
-		fmt.Fprintf(w, "<body><h1>derp probe</h1>\n%s:<ul>", summary)
-		for _, s := range st.bad {
-			fmt.Fprintf(w, "<li class=bad>%s</li>\n", html.EscapeString(s))
+		if len(st.bad) == 0 && inBadState {
+			err := notifySlack("All DERPs recovered.")
+			if err == nil {
+				inBadState = false
+			}
 		}
-		for _, s := range st.good {
-			fmt.Fprintf(w, "<li>%s</li>\n", html.EscapeString(s))
-		}
-		io.WriteString(w, "</ul></body></html>\n")
 	}
 }
+
+func sortedRegions(dm *tailcfg.DERPMap) []*tailcfg.DERPRegion {
+	ret := make([]*tailcfg.DERPRegion, 0, len(dm.Regions))
+	for _, r := range dm.Regions {
+		ret = append(ret, r)
+	}
+	sort.Slice(ret, func(i, j int) bool { return ret[i].RegionID < ret[j].RegionID })
+	return ret
+}
+
+type nodePair struct {
+	from string // DERPNode.Name, or "UDP" for a STUN query to 'to'
+	to   string // DERPNode.Name
+}
+
+func (p nodePair) String() string { return fmt.Sprintf("(%s→%s)", p.from, p.to) }
+
+type pairStatus struct {
+	err     error
+	latency time.Duration
+	at      time.Time
+}
+
+func setDERPMap(dm *tailcfg.DERPMap) {
+	mu.Lock()
+	defer mu.Unlock()
+	lastDERPMap = dm
+	lastDERPMapAt = time.Now()
+}
+
+func setState(p nodePair, latency time.Duration, err error) {
+	mu.Lock()
+	defer mu.Unlock()
+	st := pairStatus{
+		err:     err,
+		latency: latency,
+		at:      time.Now(),
+	}
+	state[p] = st
+	if err != nil {
+		log.Printf("%+v error: %v", p, err)
+	} else {
+		log.Printf("%+v: %v", p, latency.Round(time.Millisecond))
+	}
+}
+
+func probeLoop() {
+	ticker := time.NewTicker(15 * time.Second)
+	for {
+		err := probe()
+		if err != nil {
+			log.Printf("probe: %v", err)
+		}
+		<-ticker.C
+	}
+}
+
+func probe() error {
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	defer cancel()
+	dm, err := getDERPMap(ctx)
+	if err != nil {
+		return err
+	}
+
+	var wg sync.WaitGroup
+	wg.Add(len(dm.Regions))
+	for _, reg := range dm.Regions {
+		reg := reg
+		go func() {
+			defer wg.Done()
+			for _, from := range reg.Nodes {
+				latency, err := probeUDP(ctx, dm, from)
+				setState(nodePair{"UDP", from.Name}, latency, err)
+				for _, to := range reg.Nodes {
+					latency, err := probeNodePair(ctx, dm, from, to)
+					setState(nodePair{from.Name, to.Name}, latency, err)
+				}
+			}
+		}()
+	}
+
+	wg.Wait()
+	return ctx.Err()
+}
+
+func probeUDP(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (latency time.Duration, err error) {
+	pc, err := net.ListenPacket("udp", ":0")
+	if err != nil {
+		return 0, err
+	}
+	defer pc.Close()
+	uc := pc.(*net.UDPConn)
+
+	tx := stun.NewTxID()
+	req := stun.Request(tx)
+
+	for _, ipStr := range []string{n.IPv4, n.IPv6} {
+		if ipStr == "" {
+			continue
+		}
+		port := n.STUNPort
+		if port == -1 {
+			continue
+		}
+		if port == 0 {
+			port = 3478
+		}
+		for {
+			ip := net.ParseIP(ipStr)
+			_, err := uc.WriteToUDP(req, &net.UDPAddr{IP: ip, Port: port})
+			if err != nil {
+				return 0, err
+			}
+			buf := make([]byte, 1500)
+			uc.SetReadDeadline(time.Now().Add(2 * time.Second))
+			t0 := time.Now()
+			n, _, err := uc.ReadFromUDP(buf)
+			d := time.Since(t0)
+			if err != nil {
+				if ctx.Err() != nil {
+					return 0, fmt.Errorf("timeout reading from %v: %v", ip, err)
+				}
+				if d < time.Second {
+					return 0, fmt.Errorf("error reading from %v: %v", ip, err)
+				}
+				time.Sleep(100 * time.Millisecond)
+				continue
+			}
+			txBack, _, err := stun.ParseResponse(buf[:n])
+			if err != nil {
+				return 0, fmt.Errorf("parsing STUN response from %v: %v", ip, err)
+			}
+			if txBack != tx {
+				return 0, fmt.Errorf("read wrong tx back from %v", ip)
+			}
+			if latency == 0 || d < latency {
+				latency = d
+			}
+			break
+		}
+	}
+	return latency, nil
+}
+
+func probeNodePair(ctx context.Context, dm *tailcfg.DERPMap, from, to *tailcfg.DERPNode) (latency time.Duration, err error) {
+	// The passed in context is a minute for the whole region. The
+	// idea is that each node pair in the region will be done
+	// serially and regularly in the future, reusing connections
+	// (at least in the happy path). For now they don't reuse
+	// connections and probe at most once every 15 seconds. We
+	// bound the duration of a single node pair within a region
+	// so one bad one can't starve others.
+	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+
+	fromc, err := newConn(ctx, dm, from)
+	if err != nil {
+		return 0, err
+	}
+	defer fromc.Close()
+	toc, err := newConn(ctx, dm, to)
+	if err != nil {
+		return 0, err
+	}
+	defer toc.Close()
+
+	// Wait a bit for from's node to hear about to existing on the
+	// other node in the region, in the case where the two nodes
+	// are different.
+	if from.Name != to.Name {
+		time.Sleep(100 * time.Millisecond) // pretty arbitrary
+	}
+
+	// Make a random packet
+	pkt := make([]byte, 8)
+	crand.Read(pkt)
+
+	t0 := time.Now()
+
+	// Send the random packet.
+	sendc := make(chan error, 1)
+	go func() {
+		sendc <- fromc.Send(toc.SelfPublicKey(), pkt)
+	}()
+	select {
+	case <-ctx.Done():
+		return 0, fmt.Errorf("timeout sending via %q: %w", from.Name, ctx.Err())
+	case err := <-sendc:
+		if err != nil {
+			return 0, fmt.Errorf("error sending via %q: %w", from.Name, err)
+		}
+	}
+
+	// Receive the random packet.
+	recvc := make(chan any, 1) // either derp.ReceivedPacket or error
+	go func() {
+		for {
+			m, err := toc.Recv()
+			if err != nil {
+				recvc <- err
+				return
+			}
+			switch v := m.(type) {
+			case derp.ReceivedPacket:
+				recvc <- v
+			default:
+				log.Printf("%v: ignoring Recv frame type %T", to.Name, v)
+				// Loop.
+			}
+		}
+	}()
+	select {
+	case <-ctx.Done():
+		return 0, fmt.Errorf("timeout receiving from %q: %w", to.Name, ctx.Err())
+	case v := <-recvc:
+		if err, ok := v.(error); ok {
+			return 0, fmt.Errorf("error receiving from %q: %w", to.Name, err)
+		}
+		p := v.(derp.ReceivedPacket)
+		if p.Source != fromc.SelfPublicKey() {
+			return 0, fmt.Errorf("got data packet from unexpected source, %v", p.Source)
+		}
+		if !bytes.Equal(p.Data, pkt) {
+			return 0, fmt.Errorf("unexpected data packet %q", p.Data)
+		}
+	}
+	return time.Since(t0), nil
+}
+
+func newConn(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (*derphttp.Client, error) {
+	priv := key.NewNode()
+	dc := derphttp.NewRegionClient(priv, log.Printf, func() *tailcfg.DERPRegion {
+		rid := n.RegionID
+		return &tailcfg.DERPRegion{
+			RegionID:   rid,
+			RegionCode: fmt.Sprintf("%s-%s", dm.Regions[rid].RegionCode, n.Name),
+			RegionName: dm.Regions[rid].RegionName,
+			Nodes:      []*tailcfg.DERPNode{n},
+		}
+	})
+	dc.IsProber = true
+	err := dc.Connect(ctx)
+	if err != nil {
+		return nil, err
+	}
+	cs, ok := dc.TLSConnectionState()
+	if !ok {
+		dc.Close()
+		return nil, errors.New("no TLS state")
+	}
+	if len(cs.PeerCertificates) == 0 {
+		dc.Close()
+		return nil, errors.New("no peer certificates")
+	}
+	if cs.ServerName != n.HostName {
+		dc.Close()
+		return nil, fmt.Errorf("TLS server name %q != derp hostname %q", cs.ServerName, n.HostName)
+	}
+	setCert(cs.ServerName, cs.PeerCertificates[0])
+
+	errc := make(chan error, 1)
+	go func() {
+		m, err := dc.Recv()
+		if err != nil {
+			errc <- err
+			return
+		}
+		switch m.(type) {
+		case derp.ServerInfoMessage:
+			errc <- nil
+		default:
+			errc <- fmt.Errorf("unexpected first message type %T", errc)
+		}
+	}()
+	select {
+	case err := <-errc:
+		if err != nil {
+			go dc.Close()
+			return nil, err
+		}
+	case <-ctx.Done():
+		go dc.Close()
+		return nil, fmt.Errorf("timeout waiting for ServerInfoMessage: %w", ctx.Err())
+	}
+	return dc, nil
+}
+
+var httpOrFileClient = &http.Client{Transport: httpOrFileTransport()}
+
+func httpOrFileTransport() http.RoundTripper {
+	tr := http.DefaultTransport.(*http.Transport).Clone()
+	tr.RegisterProtocol("file", http.NewFileTransport(http.Dir("/")))
+	return tr
+}
+
+func getDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
+	req, err := http.NewRequestWithContext(ctx, "GET", *derpMapURL, nil)
+	if err != nil {
+		return nil, err
+	}
+	res, err := httpOrFileClient.Do(req)
+	if err != nil {
+		mu.Lock()
+		defer mu.Unlock()
+		if lastDERPMap != nil && time.Since(lastDERPMapAt) < 10*time.Minute {
+			// Assume that control is restarting and use
+			// the same one for a bit.
+			return lastDERPMap, nil
+		}
+		return nil, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		return nil, fmt.Errorf("fetching %s: %s", *derpMapURL, res.Status)
+	}
+	dm := new(tailcfg.DERPMap)
+	if err := json.NewDecoder(res.Body).Decode(dm); err != nil {
+		return nil, fmt.Errorf("decoding %s JSON: %v", *derpMapURL, err)
+	}
+	setDERPMap(dm)
+	return dm, nil
+}
--- a/cmd/dist/dist.go
+++ b/cmd/dist/dist.go
@@ -1,28 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// The dist command builds Tailscale release packages for distribution.
-package main
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"log"
-	"os"
-
-	"tailscale.com/release/dist"
-	"tailscale.com/release/dist/cli"
-	"tailscale.com/release/dist/unixpkgs"
-)
-
-func getTargets() ([]dist.Target, error) {
-	return unixpkgs.Targets(), nil
-}
-
-func main() {
-	cmd := cli.CLI(getTargets)
-	if err := cmd.ParseAndRun(context.Background(), os.Args[1:]); err != nil && !errors.Is(err, flag.ErrHelp) {
-		log.Fatal(err)
-	}
-}
--- a/cmd/get-authkey/.gitignore
+++ b/cmd/get-authkey/.gitignore
@@ -1 +0,0 @@
-get-authkey
--- a/cmd/get-authkey/main.go
+++ b/cmd/get-authkey/main.go
@@ -1,76 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// get-authkey allocates an authkey using an OAuth API client
-// https://tailscale.com/kb/1215/oauth-clients/ and prints it
-// to stdout for scripts to capture and use.
-package main
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"log"
-	"os"
-	"strings"
-
-	"golang.org/x/oauth2/clientcredentials"
-	"tailscale.com/client/tailscale"
-)
-
-func main() {
-	// Required to use our client API. We're fine with the instability since the
-	// client lives in the same repo as this code.
-	tailscale.I_Acknowledge_This_API_Is_Unstable = true
-
-	reusable := flag.Bool("reusable", false, "allocate a reusable authkey")
-	ephemeral := flag.Bool("ephemeral", false, "allocate an ephemeral authkey")
-	preauth := flag.Bool("preauth", true, "set the authkey as pre-authorized")
-	tags := flag.String("tags", "", "comma-separated list of tags to apply to the authkey")
-	flag.Parse()
-
-	clientId := os.Getenv("TS_API_CLIENT_ID")
-	clientSecret := os.Getenv("TS_API_CLIENT_SECRET")
-	if clientId == "" || clientSecret == "" {
-		log.Fatal("TS_API_CLIENT_ID and TS_API_CLIENT_SECRET must be set")
-	}
-
-	if *tags == "" {
-		log.Fatal("at least one tag must be specified")
-	}
-
-	baseUrl := os.Getenv("TS_BASE_URL")
-	if baseUrl == "" {
-		baseUrl = "https://api.tailscale.com"
-	}
-
-	credentials := clientcredentials.Config{
-		ClientID:     clientId,
-		ClientSecret: clientSecret,
-		TokenURL:     baseUrl + "/api/v2/oauth/token",
-		Scopes:       []string{"device"},
-	}
-
-	ctx := context.Background()
-	tsClient := tailscale.NewClient("-", nil)
-	tsClient.HTTPClient = credentials.Client(ctx)
-	tsClient.BaseURL = baseUrl
-
-	caps := tailscale.KeyCapabilities{
-		Devices: tailscale.KeyDeviceCapabilities{
-			Create: tailscale.KeyDeviceCreateCapabilities{
-				Reusable:      *reusable,
-				Ephemeral:     *ephemeral,
-				Preauthorized: *preauth,
-				Tags:          strings.Split(*tags, ","),
-			},
-		},
-	}
-
-	authkey, _, err := tsClient.CreateKey(ctx, caps)
-	if err != nil {
-		log.Fatal(err.Error())
-	}
-
-	fmt.Println(authkey)
-}
--- a/cmd/gitops-pusher/cache.go
+++ b/cmd/gitops-pusher/cache.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package main

--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // Command gitops-pusher allows users to use a GitOps flow for managing Tailscale ACLs.
 //
@@ -22,7 +23,6 @@ import (

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/tailscale/hujson"
-	"tailscale.com/util/httpm"
 )

 var (
@@ -235,7 +235,7 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri
 	}
 	defer fin.Close()

-	req, err := http.NewRequestWithContext(ctx, httpm.POST, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), fin)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), fin)
 	if err != nil {
 		return err
 	}
@@ -275,7 +275,7 @@ func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error
 		return err
 	}

-	req, err := http.NewRequestWithContext(ctx, httpm.POST, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl/validate", *apiServer, tailnet), bytes.NewBuffer(data))
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl/validate", *apiServer, tailnet), bytes.NewBuffer(data))
 	if err != nil {
 		return err
 	}
@@ -347,7 +347,7 @@ type ACLTestErrorDetail struct {
 }

 func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) {
-	req, err := http.NewRequestWithContext(ctx, httpm.GET, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil)
 	if err != nil {
 		return "", err
 	}
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // The hello binary runs hello.ts.net.
 package main // import "tailscale.com/cmd/hello"
--- a/cmd/k8s-operator/manifests/authproxy-rbac.yaml
+++ b/cmd/k8s-operator/manifests/authproxy-rbac.yaml
@@ -1,24 +0,0 @@
-# Copyright (c) Tailscale Inc & AUTHORS
-# SPDX-License-Identifier: BSD-3-Clause
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: tailscale-auth-proxy
-rules:
- apiGroups: [""]
-  resources: ["users"]
-  verbs: ["impersonate"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: tailscale-auth-proxy
-subjects:
- kind: ServiceAccount
-  name: operator
-  namespace: tailscale
-roleRef:
-  kind: ClusterRole
-  name: tailscale-auth-proxy
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/k8s-operator/manifests/operator.yaml
+++ b/cmd/k8s-operator/manifests/operator.yaml
@@ -1,5 +1,6 @@
-# Copyright (c) Tailscale Inc & AUTHORS
-# SPDX-License-Identifier: BSD-3-Clause
+# Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.

 apiVersion: v1
 kind: Namespace
@@ -124,7 +125,7 @@ spec:
          secretName: operator-oauth
      containers:
        - name: operator
-          image: tailscale/k8s-operator:unstable
+          image: tailscale/k8s-operator:latest
          resources:
            requests:
              cpu: 500m
@@ -145,11 +146,9 @@ spec:
            - name: CLIENT_SECRET_FILE
              value: /oauth/client_secret
            - name: PROXY_IMAGE
-              value: tailscale/tailscale:unstable
+              value: tailscale/tailscale:latest
            - name: PROXY_TAGS
              value: tag:k8s
-            - name: AUTH_PROXY
-              value: "false"
          volumeMounts:
          - name: oauth
            mountPath: /oauth
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // tailscale-operator provides a way to expose services running in a Kubernetes
 // cluster to your Tailnet.
@@ -25,7 +26,6 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -39,13 +39,10 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 	"sigs.k8s.io/yaml"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/kubestore"
 	"tailscale.com/tsnet"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/opt"
-	"tailscale.com/util/dnsname"
 )

 func main() {
@@ -54,16 +51,15 @@ func main() {
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true

 	var (
-		hostname           = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator")
-		kubeSecret         = defaultEnv("OPERATOR_SECRET", "")
-		operatorTags       = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator")
-		tsNamespace        = defaultEnv("OPERATOR_NAMESPACE", "")
-		tslogging          = defaultEnv("OPERATOR_LOGGING", "info")
-		clientIDPath       = defaultEnv("CLIENT_ID_FILE", "")
-		clientSecretPath   = defaultEnv("CLIENT_SECRET_FILE", "")
-		image              = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
-		tags               = defaultEnv("PROXY_TAGS", "tag:k8s")
-		shouldRunAuthProxy = defaultBool("AUTH_PROXY", false)
+		hostname         = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator")
+		kubeSecret       = defaultEnv("OPERATOR_SECRET", "")
+		operatorTags     = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator")
+		tsNamespace      = defaultEnv("OPERATOR_NAMESPACE", "")
+		tslogging        = defaultEnv("OPERATOR_LOGGING", "info")
+		clientIDPath     = defaultEnv("CLIENT_ID_FILE", "")
+		clientSecretPath = defaultEnv("CLIENT_SECRET_FILE", "")
+		image            = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
+		tags             = defaultEnv("PROXY_TAGS", "tag:k8s")
 	)

 	var opts []kzap.Opts
@@ -97,13 +93,6 @@ func main() {
 	}
 	tsClient := tailscale.NewClient("-", nil)
 	tsClient.HTTPClient = credentials.Client(context.Background())
-
-	if shouldRunAuthProxy {
-		hostinfo.SetPackage("k8s-operator-proxy")
-	} else {
-		hostinfo.SetPackage("k8s-operator")
-	}
-
 	s := &tsnet.Server{
 		Hostname: hostname,
 		Logf:     zlog.Named("tailscaled").Debugf,
@@ -175,6 +164,14 @@ waitOnline:
 		time.Sleep(time.Second)
 	}

+	sr := &ServiceReconciler{
+		tsClient:          tsClient,
+		defaultTags:       strings.Split(tags, ","),
+		operatorNamespace: tsNamespace,
+		proxyImage:        image,
+		logger:            zlog.Named("service-reconciler"),
+	}
+
 	// For secrets and statefulsets, we only get permission to touch the objects
 	// in the controller's own namespace. This cannot be expressed by
 	// .Watches(...) below, instead you have to add a per-type field selector to
@@ -184,8 +181,7 @@ waitOnline:
 	nsFilter := cache.ObjectSelector{
 		Field: fields.SelectorFromSet(fields.Set{"metadata.namespace": tsNamespace}),
 	}
-	restConfig := config.GetConfigOrDie()
-	mgr, err := manager.New(restConfig, manager.Options{
+	mgr, err := manager.New(config.GetConfigOrDie(), manager.Options{
 		NewCache: cache.BuilderWithOptions(cache.Options{
 			SelectorsByObject: map[client.Object]cache.ObjectSelector{
 				&corev1.Secret{}:      nsFilter,
@@ -197,15 +193,6 @@ waitOnline:
 		startlog.Fatalf("could not create manager: %v", err)
 	}

-	sr := &ServiceReconciler{
-		Client:            mgr.GetClient(),
-		tsClient:          tsClient,
-		defaultTags:       strings.Split(tags, ","),
-		operatorNamespace: tsNamespace,
-		proxyImage:        image,
-		logger:            zlog.Named("service-reconciler"),
-	}
-
 	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(o client.Object) []reconcile.Request {
 		ls := o.GetLabels()
 		if ls[LabelManaged] != "true" {
@@ -234,17 +221,6 @@ waitOnline:
 	}

 	startlog.Infof("Startup complete, operator running")
-	if shouldRunAuthProxy {
-		rc, err := rest.TransportFor(restConfig)
-		if err != nil {
-			startlog.Fatalf("could not get rest transport: %v", err)
-		}
-		authProxyListener, err := s.Listen("tcp", ":443")
-		if err != nil {
-			startlog.Fatalf("could not listen on :443: %v", err)
-		}
-		go runAuthProxy(lc, authProxyListener, rc, zlog.Named("auth-proxy").Infof)
-	}
 	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
 		startlog.Fatalf("could not start manager: %v", err)
 	}
@@ -258,9 +234,8 @@ const (

 	FinalizerName = "tailscale.com/finalizer"

-	AnnotationExpose   = "tailscale.com/expose"
-	AnnotationTags     = "tailscale.com/tags"
-	AnnotationHostname = "tailscale.com/hostname"
+	AnnotationExpose = "tailscale.com/expose"
+	AnnotationTags   = "tailscale.com/tags"
 )

 // ServiceReconciler is a simple ControllerManagedBy example implementation.
@@ -394,11 +369,6 @@ func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 // This function adds a finalizer to svc, ensuring that we can handle orderly
 // deprovisioning later.
 func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) error {
-	hostname, err := nameForService(svc)
-	if err != nil {
-		return err
-	}
-
 	if !slices.Contains(svc.Finalizers, FinalizerName) {
 		// This log line is printed exactly once during initial provisioning,
 		// because once the finalizer is in place this block gets skipped. So,
@@ -425,7 +395,7 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 	if err != nil {
 		return fmt.Errorf("failed to create or get API key secret: %w", err)
 	}
-	_, err = a.reconcileSTS(ctx, logger, svc, hsvc, secretName, hostname)
+	_, err = a.reconcileSTS(ctx, logger, svc, hsvc, secretName)
 	if err != nil {
 		return fmt.Errorf("failed to reconcile statefulset: %w", err)
 	}
@@ -587,7 +557,7 @@ func (a *ServiceReconciler) newAuthKey(ctx context.Context, tags []string) (stri
 //go:embed manifests/proxy.yaml
 var proxyYaml []byte

-func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, parentSvc, headlessSvc *corev1.Service, authKeySecret, hostname string) (*appsv1.StatefulSet, error) {
+func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, parentSvc, headlessSvc *corev1.Service, authKeySecret string) (*appsv1.StatefulSet, error) {
 	var ss appsv1.StatefulSet
 	if err := yaml.Unmarshal(proxyYaml, &ss); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal proxy spec: %w", err)
@@ -602,10 +572,6 @@ func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.Sugare
 		corev1.EnvVar{
 			Name:  "TS_KUBE_SECRET",
 			Value: authKeySecret,
-		},
-		corev1.EnvVar{
-			Name:  "TS_HOSTNAME",
-			Value: hostname,
 		})
 	ss.ObjectMeta = metav1.ObjectMeta{
 		Name:      headlessSvc.Name,
@@ -625,6 +591,11 @@ func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.Sugare
 	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
 }

+func (a *ServiceReconciler) InjectClient(c client.Client) error {
+	a.Client = c
+	return nil
+}
+
 // ptrObject is a type constraint for pointer types that implement
 // client.Object.
 type ptrObject[T any] interface {
@@ -705,15 +676,6 @@ func getSingleObject[T any, O ptrObject[T]](ctx context.Context, c client.Client
 	return ret, nil
 }

-func defaultBool(envName string, defVal bool) bool {
-	vs := os.Getenv(envName)
-	if vs == "" {
-		return defVal
-	}
-	v, _ := opt.Bool(vs).Get()
-	return v
-}
-
 func defaultEnv(envName, defVal string) string {
 	v := os.Getenv(envName)
 	if v == "" {
@@ -721,13 +683,3 @@ func defaultEnv(envName, defVal string) string {
 	}
 	return v
 }
-
-func nameForService(svc *corev1.Service) (string, error) {
-	if h, ok := svc.Annotations[AnnotationHostname]; ok {
-		if err := dnsname.ValidLabel(h); err != nil {
-			return "", fmt.Errorf("invalid Tailscale hostname %q: %w", h, err)
-		}
-		return h, nil
-	}
-	return svc.Namespace + "-" + svc.Name, nil
-}
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package main

@@ -65,7 +66,7 @@ func TestLoadBalancerClass(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -186,7 +187,7 @@ func TestAnnotations(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -283,7 +284,7 @@ func TestAnnotationIntoLB(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, since it would have normally happened at
@@ -327,7 +328,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 	// None of the proxy machinery should have changed...
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName))
 	// ... but the service should have a LoadBalancer status.

 	want = &corev1.Service{
@@ -399,7 +400,7 @@ func TestLBIntoAnnotation(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -456,7 +457,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
+	expectEqual(t, fc, expectedSTS(shortName, fullName))

 	want = &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -480,108 +481,6 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectEqual(t, fc, want)
 }

-func TestCustomHostname(t *testing.T) {
-	fc := fake.NewFakeClient()
-	ft := &fakeTSClient{}
-	zl, err := zap.NewDevelopment()
-	if err != nil {
-		t.Fatal(err)
-	}
-	sr := &ServiceReconciler{
-		Client:            fc,
-		tsClient:          ft,
-		defaultTags:       []string{"tag:k8s"},
-		operatorNamespace: "operator-ns",
-		proxyImage:        "tailscale/tailscale",
-		logger:            zl.Sugar(),
-	}
-
-	// Create a service that we should manage, and check that the initial round
-	// of objects looks right.
-	mustCreate(t, fc, &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "default",
-			// The apiserver is supposed to set the UID, but the fake client
-			// doesn't. So, set it explicitly because other code later depends
-			// on it being set.
-			UID: types.UID("1234-UID"),
-			Annotations: map[string]string{
-				"tailscale.com/expose":   "true",
-				"tailscale.com/hostname": "reindeer-flotilla",
-			},
-		},
-		Spec: corev1.ServiceSpec{
-			ClusterIP: "10.20.30.40",
-			Type:      corev1.ServiceTypeClusterIP,
-		},
-	})
-
-	expectReconciled(t, sr, "default", "test")
-
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSecret(fullName))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "reindeer-flotilla"))
-	want := &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:       "test",
-			Namespace:  "default",
-			Finalizers: []string{"tailscale.com/finalizer"},
-			UID:        types.UID("1234-UID"),
-			Annotations: map[string]string{
-				"tailscale.com/expose":   "true",
-				"tailscale.com/hostname": "reindeer-flotilla",
-			},
-		},
-		Spec: corev1.ServiceSpec{
-			ClusterIP: "10.20.30.40",
-			Type:      corev1.ServiceTypeClusterIP,
-		},
-	}
-	expectEqual(t, fc, want)
-
-	// Turn the service back into a ClusterIP service, which should make the
-	// operator clean up.
-	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
-		delete(s.ObjectMeta.Annotations, "tailscale.com/expose")
-	})
-	// synchronous StatefulSet deletion triggers a requeue. But, the StatefulSet
-	// didn't create any child resources since this is all faked, so the
-	// deletion goes through immediately.
-	expectReconciled(t, sr, "default", "test")
-	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
-	// Second time around, the rest of cleanup happens.
-	expectReconciled(t, sr, "default", "test")
-	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
-	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
-	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
-	want = &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "default",
-			UID:       types.UID("1234-UID"),
-			Annotations: map[string]string{
-				"tailscale.com/hostname": "reindeer-flotilla",
-			},
-		},
-		Spec: corev1.ServiceSpec{
-			ClusterIP: "10.20.30.40",
-			Type:      corev1.ServiceTypeClusterIP,
-		},
-	}
-	expectEqual(t, fc, want)
-}
-
 func expectedSecret(name string) *corev1.Secret {
 	return &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
@@ -630,7 +529,7 @@ func expectedHeadlessService(name string) *corev1.Service {
 	}
 }

-func expectedSTS(stsName, secretName, hostname string) *appsv1.StatefulSet {
+func expectedSTS(stsName, secretName string) *appsv1.StatefulSet {
 	return &appsv1.StatefulSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "StatefulSet",
@@ -679,7 +578,6 @@ func expectedSTS(stsName, secretName, hostname string) *appsv1.StatefulSet {
 								{Name: "TS_AUTH_ONCE", Value: "true"},
 								{Name: "TS_DEST_IP", Value: "10.20.30.40"},
 								{Name: "TS_KUBE_SECRET", Value: secretName},
-								{Name: "TS_HOSTNAME", Value: hostname},
 							},
 							SecurityContext: &corev1.SecurityContext{
 								Capabilities: &corev1.Capabilities{
--- a/cmd/k8s-operator/proxy.go
+++ b/cmd/k8s-operator/proxy.go
@@ -1,80 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main
-
-import (
-	"context"
-	"crypto/tls"
-	"fmt"
-	"log"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"os"
-	"strings"
-
-	"tailscale.com/client/tailscale"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/types/logger"
-)
-
-type whoIsKey struct{}
-
-// authProxy is an http.Handler that authenticates requests using the Tailscale
-// LocalAPI and then proxies them to the Kubernetes API.
-type authProxy struct {
-	logf logger.Logf
-	lc   *tailscale.LocalClient
-	rp   *httputil.ReverseProxy
-}
-
-func (h *authProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	who, err := h.lc.WhoIs(r.Context(), r.RemoteAddr)
-	if err != nil {
-		h.logf("failed to authenticate caller: %v", err)
-		http.Error(w, "failed to authenticate caller", http.StatusInternalServerError)
-		return
-	}
-	r = r.WithContext(context.WithValue(r.Context(), whoIsKey{}, who))
-	h.rp.ServeHTTP(w, r)
-}
-
-func runAuthProxy(lc *tailscale.LocalClient, ls net.Listener, rt http.RoundTripper, logf logger.Logf) {
-	u, err := url.Parse(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
-	if err != nil {
-		log.Fatalf("runAuthProxy: failed to parse URL %v", err)
-	}
-	ap := &authProxy{
-		logf: logf,
-		lc:   lc,
-		rp: &httputil.ReverseProxy{
-			Director: func(r *http.Request) {
-				// Replace the request with the user's identity.
-				who := r.Context().Value(whoIsKey{}).(*apitype.WhoIsResponse)
-				r.Header.Set("Impersonate-User", who.UserProfile.LoginName)
-
-				// Remove all authentication headers.
-				r.Header.Del("Authorization")
-				r.Header.Del("Impersonate-Group")
-				r.Header.Del("Impersonate-Uid")
-				for k := range r.Header {
-					if strings.HasPrefix(k, "Impersonate-Extra-") {
-						r.Header.Del(k)
-					}
-				}
-
-				// Replace the URL with the Kubernetes APIServer.
-				r.URL.Scheme = u.Scheme
-				r.URL.Host = u.Host
-			},
-			Transport: rt,
-		},
-	}
-	if err := http.Serve(tls.NewListener(ls, &tls.Config{
-		GetCertificate: lc.GetCertificate,
-	}), ap); err != nil {
-		log.Fatalf("runAuthProxy: failed to serve %v", err)
-	}
-}
--- a/cmd/mkmanifest/main.go
+++ b/cmd/mkmanifest/main.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // The mkmanifest command is a simple helper utility to create a '.syso' file
 // that contains a Windows manifest file.
--- a/cmd/mkpkg/main.go
+++ b/cmd/mkpkg/main.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // mkpkg builds the Tailscale rpm and deb packages.
 package main
@@ -57,7 +58,6 @@ func main() {
 	postrm := flag.String("postrm", "", "debian postrm script path")
 	replaces := flag.String("replaces", "", "package which this package replaces, if any")
 	depends := flag.String("depends", "", "comma-separated list of packages this package depends on")
-	recommends := flag.String("recommends", "", "comma-separated list of packages this package recommends")
 	flag.Parse()

 	filesMap, err := parseFiles(*files)
@@ -93,9 +93,6 @@ func main() {
 	if len(*depends) != 0 {
 		info.Overridables.Depends = strings.Split(*depends, ",")
 	}
-	if len(*recommends) != 0 {
-		info.Overridables.Recommends = strings.Split(*recommends, ",")
-	}
 	if *replaces != "" {
 		info.Overridables.Replaces = []string{*replaces}
 		info.Overridables.Conflicts = []string{*replaces}
--- a/cmd/mkversion/mkversion.go
+++ b/cmd/mkversion/mkversion.go
@@ -1,44 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// mkversion gets version info from git and outputs a bunch of shell variables
-// that get used elsewhere in the build system to embed version numbers into
-// binaries.
-package main
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"io"
-	"os"
-	"time"
-
-	"tailscale.com/tailcfg"
-	"tailscale.com/version/mkversion"
-)
-
-func main() {
-	prefix := ""
-	if len(os.Args) > 1 {
-		if os.Args[1] == "--export" {
-			prefix = "export "
-		} else {
-			fmt.Println("usage: mkversion [--export|-h|--help]")
-			os.Exit(1)
-		}
-	}
-
-	var b bytes.Buffer
-	io.WriteString(&b, mkversion.Info().String())
-	// Copyright and the client capability are not part of the version
-	// information, but similarly used in Xcode builds to embed in the metadata,
-	// thus generate them now.
-	copyright := fmt.Sprintf("Copyright © %d Tailscale Inc. All Rights Reserved.", time.Now().Year())
-	fmt.Fprintf(&b, "VERSION_COPYRIGHT=%q\n", copyright)
-	fmt.Fprintf(&b, "VERSION_CAPABILITY=%d\n", tailcfg.CurrentCapabilityVersion)
-	s := bufio.NewScanner(&b)
-	for s.Scan() {
-		fmt.Println(prefix + s.Text())
-	}
-}
--- a/cmd/nardump/nardump.go
+++ b/cmd/nardump/nardump.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // nardump is like nix-store --dump, but in Go, writing a NAR
 // file (tar-like, but focused on being reproducible) to stdout
--- a/cmd/netlogfmt/main.go
+++ b/cmd/netlogfmt/main.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // netlogfmt parses a stream of JSON log messages from stdin and
 // formats the network traffic logs produced by "tailscale.com/wgengine/netlog"
--- a/cmd/nginx-auth/README.md
+++ b/cmd/nginx-auth/README.md
@@ -129,7 +129,7 @@ the `Expected-Tailnet` header to your auth request:
 ```nginx
 location /auth {
  # ...
-  proxy_set_header Expected-Tailnet "tailnet012345.ts.net";
+  proxy_set_header Expected-Tailnet "tailscale.com";
 }
 ```

@@ -146,8 +146,6 @@ generic "forbidden" error page:
 </html>
 ```

-You can get the tailnet name from [the admin panel](https://login.tailscale.com/admin/dns).
-
 ## Building

 Install `cmd/mkpkg`:
--- a/cmd/nginx-auth/mkdeb.sh
+++ b/cmd/nginx-auth/mkdeb.sh
@@ -2,31 +2,30 @@

 set -e

-VERSION=0.1.3
-for ARCH in amd64 arm64; do
-    CGO_ENABLED=0 GOARCH=${ARCH} GOOS=linux go build -o tailscale.nginx-auth .
+CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -o tailscale.nginx-auth .

-    mkpkg \
-        --out=tailscale-nginx-auth-${VERSION}-${ARCH}.deb \
-        --name=tailscale-nginx-auth \
-        --version=${VERSION} \
-        --type=deb \
-        --arch=${ARCH} \
-        --postinst=deb/postinst.sh \
-        --postrm=deb/postrm.sh \
-        --prerm=deb/prerm.sh \
-        --description="Tailscale NGINX authentication protocol handler" \
-        --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
+VERSION=0.1.2

-    mkpkg \
-        --out=tailscale-nginx-auth-${VERSION}-${ARCH}.rpm \
-        --name=tailscale-nginx-auth \
-        --version=${VERSION} \
-        --type=rpm \
-        --arch=${ARCH} \
-        --postinst=rpm/postinst.sh \
-        --postrm=rpm/postrm.sh \
-        --prerm=rpm/prerm.sh \
-        --description="Tailscale NGINX authentication protocol handler" \
-        --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
-done
+mkpkg \
+    --out=tailscale-nginx-auth-${VERSION}-amd64.deb \
+    --name=tailscale-nginx-auth \
+    --version=${VERSION} \
+    --type=deb \
+    --arch=amd64 \
+    --postinst=deb/postinst.sh \
+    --postrm=deb/postrm.sh \
+    --prerm=deb/prerm.sh \
+    --description="Tailscale NGINX authentication protocol handler" \
+    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
+
+mkpkg \
+    --out=tailscale-nginx-auth-${VERSION}-amd64.rpm \
+    --name=tailscale-nginx-auth \
+    --version=${VERSION} \
+    --type=rpm \
+    --arch=amd64 \
+    --postinst=rpm/postinst.sh \
+    --postrm=rpm/postrm.sh \
+    --prerm=rpm/prerm.sh \
+    --description="Tailscale NGINX authentication protocol handler" \
+    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
--- a/cmd/nginx-auth/nginx-auth.go
+++ b/cmd/nginx-auth/nginx-auth.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build linux

--- a/cmd/pgproxy/pgproxy.go
+++ b/cmd/pgproxy/pgproxy.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // The pgproxy server is a proxy for the Postgres wire protocol.
 package main
--- a/cmd/printdep/printdep.go
+++ b/cmd/printdep/printdep.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // The printdep command is a build system tool for printing out information
 // about dependencies.
@@ -18,6 +19,7 @@ import (
 var (
 	goToolchain    = flag.Bool("go", false, "print the supported Go toolchain git hash (a github.com/tailscale/go commit)")
 	goToolchainURL = flag.Bool("go-url", false, "print the URL to the tarball of the Tailscale Go toolchain")
+	goToolchainSRI = flag.Bool("go-sri", false, "print the SRI hash of the Tailscale Go toolchain")
 	alpine         = flag.Bool("alpine", false, "print the tag of alpine docker image")
 )

@@ -31,11 +33,23 @@ func main() {
 		fmt.Println(strings.TrimSpace(ts.GoToolchainRev))
 	}
 	if *goToolchainURL {
+		var suffix string
+		switch runtime.GOARCH {
+		case "amd64":
+			// None
+		case "arm64":
+			suffix = "-" + runtime.GOARCH
+		default:
+			log.Fatalf("unsupported GOARCH %q", runtime.GOARCH)
+		}
 		switch runtime.GOOS {
 		case "linux", "darwin":
 		default:
 			log.Fatalf("unsupported GOOS %q", runtime.GOOS)
 		}
-		fmt.Printf("https://github.com/tailscale/go/releases/download/build-%s/%s-%s.tar.gz\n", strings.TrimSpace(ts.GoToolchainRev), runtime.GOOS, runtime.GOARCH)
+		fmt.Printf("https://github.com/tailscale/go/releases/download/build-%s/%s%s.tar.gz\n", strings.TrimSpace(ts.GoToolchainRev), runtime.GOOS, suffix)
+	}
+	if *goToolchainSRI {
+		fmt.Println(strings.TrimSpace(ts.GoToolchainSRI))
 	}
 }
--- a/cmd/proxy-to-grafana/proxy-to-grafana.go
+++ b/cmd/proxy-to-grafana/proxy-to-grafana.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // proxy-to-grafana is a reverse proxy which identifies users based on their
 // originating Tailscale identity and maps them to corresponding Grafana
--- a/cmd/speedtest/speedtest.go
+++ b/cmd/speedtest/speedtest.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // Program speedtest provides the speedtest command. The reason to keep it separate from
 // the normal tailscale cli is because it is not yet ready to go in the tailscale binary.
--- a/cmd/ssh-auth-none-demo/ssh-auth-none-demo.go
+++ b/cmd/ssh-auth-none-demo/ssh-auth-none-demo.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // ssh-auth-none-demo is a demo SSH server that's meant to run on the
 // public internet (at 188.166.70.128 port 2222) and
--- a/cmd/stunc/stunc.go
+++ b/cmd/stunc/stunc.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // Command stunc makes a STUN request to a STUN server and prints the result.
 package main
--- a/cmd/sync-containers/main.go
+++ b/cmd/sync-containers/main.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // The sync-containers command synchronizes container image tags from one
 // registry to another.
@@ -23,7 +24,6 @@ import (
 	"strings"

 	"github.com/google/go-containerregistry/pkg/authn"
-	"github.com/google/go-containerregistry/pkg/authn/github"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
@@ -47,9 +47,8 @@ func main() {
 		log.Fatalf("--dst is required")
 	}

-	keychain := authn.NewMultiKeychain(authn.DefaultKeychain, github.Keychain)
 	opts := []remote.Option{
-		remote.WithAuthFromKeychain(keychain),
+		remote.WithAuthFromKeychain(authn.DefaultKeychain),
 		remote.WithContext(context.Background()),
 	}

@@ -85,15 +84,6 @@ func main() {
 		log.Printf("%d tags to remove: %s\n", len(remove), strings.Join(remove, ", "))
 		log.Printf("Not removing any tags for safety.\n")
 	}
-
-	var wellKnown = [...]string{"latest", "stable"}
-	for _, tag := range wellKnown {
-		if needsUpdate(*src, *dst, tag) {
-			if err := copyTag(*src, *dst, tag, opts...); err != nil {
-				log.Printf("Updating tag %q: progress error: %v", tag, err)
-			}
-		}
-	}
 }

 func copyTag(srcStr, dstStr, tag string, opts ...remote.Option) error {
@@ -187,26 +177,3 @@ func diffTags(src, dst []string) (add, remove []string) {
 	sort.Strings(remove)
 	return add, remove
 }
-
-func needsUpdate(srcStr, dstStr, tag string) bool {
-	src, err := name.ParseReference(fmt.Sprintf("%s:%s", srcStr, tag))
-	if err != nil {
-		return false
-	}
-	dst, err := name.ParseReference(fmt.Sprintf("%s:%s", dstStr, tag))
-	if err != nil {
-		return false
-	}
-
-	srcDesc, err := remote.Get(src)
-	if err != nil {
-		return false
-	}
-
-	dstDesc, err := remote.Get(dst)
-	if err != nil {
-		return true
-	}
-
-	return srcDesc.Digest != dstDesc.Digest
-}
--- a/cmd/tailscale/cli/authenticode_windows.go
+++ b/cmd/tailscale/cli/authenticode_windows.go
@@ -1,38 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
- */
-
-package cli
-
-import (
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-func init() {
-	verifyAuthenticode = verifyAuthenticodeWindows
-}
-
-func verifyAuthenticodeWindows(path string) error {
-	path16, err := windows.UTF16PtrFromString(path)
-	if err != nil {
-		return err
-	}
-	data := &windows.WinTrustData{
-		Size:             uint32(unsafe.Sizeof(windows.WinTrustData{})),
-		UIChoice:         windows.WTD_UI_NONE,
-		RevocationChecks: windows.WTD_REVOKE_WHOLECHAIN, // Full revocation checking, as this is called with network connectivity.
-		UnionChoice:      windows.WTD_CHOICE_FILE,
-		StateAction:      windows.WTD_STATEACTION_VERIFY,
-		FileOrCatalogOrBlobOrSgnrOrCert: unsafe.Pointer(&windows.WinTrustFileInfo{
-			Size:     uint32(unsafe.Sizeof(windows.WinTrustFileInfo{})),
-			FilePath: path16,
-		}),
-	}
-	err = windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
-	data.StateAction = windows.WTD_STATEACTION_CLOSE
-	windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
-	return err
-}
--- a/cmd/tailscale/cli/bugreport.go
+++ b/cmd/tailscale/cli/bugreport.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package cli

--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package cli

--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 // Package cli contains the cmd/tailscale CLI code in a package that can be included
 // in other wrapper binaries such as the Mac and Windows clients.
@@ -14,6 +15,7 @@ import (
 	"log"
 	"os"
 	"runtime"
+	"strconv"
 	"strings"
 	"sync"
 	"text/tabwriter"
@@ -46,6 +48,52 @@ func outln(a ...any) {
 	fmt.Fprintln(Stdout, a...)
 }

+// ActLikeCLI reports whether a GUI application should act like the
+// CLI based on os.Args, GOOS, the context the process is running in
+// (pty, parent PID), etc.
+func ActLikeCLI() bool {
+	// This function is only used on macOS.
+	if runtime.GOOS != "darwin" {
+		return false
+	}
+
+	// Escape hatch to let people force running the macOS
+	// GUI Tailscale binary as the CLI.
+	if v, _ := strconv.ParseBool(os.Getenv("TAILSCALE_BE_CLI")); v {
+		return true
+	}
+
+	// If our parent is launchd, we're definitely not
+	// being run as a CLI.
+	if os.Getppid() == 1 {
+		return false
+	}
+
+	// Xcode adds the -NSDocumentRevisionsDebugMode flag on execution.
+	// If present, we are almost certainly being run as a GUI.
+	for _, arg := range os.Args {
+		if arg == "-NSDocumentRevisionsDebugMode" {
+			return false
+		}
+	}
+
+	// Looking at the environment of the GUI Tailscale app (ps eww
+	// $PID), empirically none of these environment variables are
+	// present. But all or some of these should be present with
+	// Terminal.all and bash or zsh.
+	for _, e := range []string{
+		"SHLVL",
+		"TERM",
+		"TERM_PROGRAM",
+		"PS1",
+	} {
+		if os.Getenv(e) != "" {
+			return true
+		}
+	}
+	return false
+}
+
 func newFlagSet(name string) *flag.FlagSet {
 	onError := flag.ExitOnError
 	if runtime.GOOS == "js" {
@@ -148,10 +196,6 @@ change in the future.
 		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
 	case slices.Contains(args, "serve"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, serveCmd)
-	case slices.Contains(args, "update"):
-		rootCmd.Subcommands = append(rootCmd.Subcommands, updateCmd)
-	case slices.Contains(args, "configure"):
-		rootCmd.Subcommands = append(rootCmd.Subcommands, configureCmd)
 	}
 	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
 		rootCmd.Subcommands = append(rootCmd.Subcommands, configureHostCmd)
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package cli

@@ -1078,13 +1079,6 @@ func TestUpdatePrefs(t *testing.T) {
 				old := getSSHClientEnvVar
 				getSSHClientEnvVar = func() string { return "100.100.100.100 1 1" }
 				t.Cleanup(func() { getSSHClientEnvVar = old })
-			} else if isSSHOverTailscale() {
-				// The test is being executed over a "real" tailscale SSH
-				// session, but sshOverTailscale is unset. Make the test appear
-				// as if it's not over tailscale SSH.
-				old := getSSHClientEnvVar
-				getSSHClientEnvVar = func() string { return "" }
-				t.Cleanup(func() { getSSHClientEnvVar = old })
 			}
 			if tt.env.goos == "" {
 				tt.env.goos = "linux"
--- a/cmd/tailscale/cli/configure-synology.go
+++ b/cmd/tailscale/cli/configure-synology.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package cli

@@ -18,23 +19,9 @@ import (
 	"tailscale.com/version/distro"
 )

-// configureHostCmd is the "tailscale configure-host" command which was once
-// used to configure Synology devices, but is now a compatibility alias to
-// "tailscale configure synology".
 var configureHostCmd = &ffcli.Command{
 	Name:      "configure-host",
-	Exec:      runConfigureSynology,
-	ShortHelp: synologyConfigureCmd.ShortHelp,
-	LongHelp:  synologyConfigureCmd.LongHelp,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("configure-host")
-		return fs
-	})(),
-}
-
-var synologyConfigureCmd = &ffcli.Command{
-	Name:      "synology",
-	Exec:      runConfigureSynology,
+	Exec:      runConfigureHost,
 	ShortHelp: "Configure Synology to enable more Tailscale features",
 	LongHelp: strings.TrimSpace(`
 The 'configure-host' command is intended to run at boot as root
@@ -44,12 +31,14 @@ permission to use it.
 See: https://tailscale.com/kb/1152/synology-outbound/
 `),
 	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("synology")
+		fs := newFlagSet("configure-host")
 		return fs
 	})(),
 }

-func runConfigureSynology(ctx context.Context, args []string) error {
+var configureHostArgs struct{}
+
+func runConfigureHost(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("unknown arguments")
 	}
--- a/cmd/tailscale/cli/configure-kube.go
+++ b/cmd/tailscale/cli/configure-kube.go
@@ -1,182 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-//go:build !ts_omit_kube
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"golang.org/x/exp/slices"
-	"k8s.io/client-go/util/homedir"
-	"sigs.k8s.io/yaml"
-	"tailscale.com/version"
-)
-
-func init() {
-	configureCmd.Subcommands = append(configureCmd.Subcommands, configureKubeconfigCmd)
-}
-
-var configureKubeconfigCmd = &ffcli.Command{
-	Name:       "kubeconfig",
-	ShortHelp:  "Configure kubeconfig to use Tailscale",
-	ShortUsage: "kubeconfig <hostname-or-fqdn>",
-	LongHelp: strings.TrimSpace(`
-Run this command to configure your kubeconfig to use Tailscale for authentication to a Kubernetes cluster.
-
-The hostname argument should be set to the Tailscale hostname of the peer running as an auth proxy in the cluster.
-`),
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("kubeconfig")
-		return fs
-	})(),
-	Exec: runConfigureKubeconfig,
-}
-
-// kubeconfigPath returns the path to the kubeconfig file for the current user.
-func kubeconfigPath() string {
-	var dir string
-	if version.IsSandboxedMacOS() {
-		// The HOME environment variable in macOS sandboxed apps is set to
-		// ~/Library/Containers/<app-id>/Data, but the kubeconfig file is
-		// located in ~/.kube/config. We rely on the "com.apple.security.temporary-exception.files.home-relative-path.read-write"
-		// entitlement to access the file.
-		containerHome := os.Getenv("HOME")
-		dir, _, _ = strings.Cut(containerHome, "/Library/Containers/")
-	} else {
-		dir = homedir.HomeDir()
-	}
-	return filepath.Join(dir, ".kube", "config")
-}
-
-func runConfigureKubeconfig(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		return errors.New("unknown arguments")
-	}
-	hostOrFQDN := args[0]
-
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return err
-	}
-	if st.BackendState != "Running" {
-		return errors.New("Tailscale is not running")
-	}
-	targetFQDN, ok := nodeDNSNameFromArg(st, hostOrFQDN)
-	if !ok {
-		return fmt.Errorf("no peer found with hostname %q", hostOrFQDN)
-	}
-	targetFQDN = strings.TrimSuffix(targetFQDN, ".")
-	if err := setKubeconfigForPeer(targetFQDN, kubeconfigPath()); err != nil {
-		return err
-	}
-	printf("kubeconfig configured for %q\n", hostOrFQDN)
-	return nil
-}
-
-// appendOrSetNamed finds a map with a "name" key matching name in dst, and
-// replaces it with val. If no such map is found, val is appended to dst.
-func appendOrSetNamed(dst []any, name string, val map[string]any) []any {
-	if got := slices.IndexFunc(dst, func(m any) bool {
-		if m, ok := m.(map[string]any); ok {
-			return m["name"] == name
-		}
-		return false
-	}); got != -1 {
-		dst[got] = val
-	} else {
-		dst = append(dst, val)
-	}
-	return dst
-}
-
-var errInvalidKubeconfig = errors.New("invalid kubeconfig")
-
-func updateKubeconfig(cfgYaml []byte, fqdn string) ([]byte, error) {
-	var cfg map[string]any
-	if len(cfgYaml) > 0 {
-		if err := yaml.Unmarshal(cfgYaml, &cfg); err != nil {
-			return nil, errInvalidKubeconfig
-		}
-	}
-	if cfg == nil {
-		cfg = map[string]any{
-			"apiVersion": "v1",
-			"kind":       "Config",
-		}
-	} else if cfg["apiVersion"] != "v1" || cfg["kind"] != "Config" {
-		return nil, errInvalidKubeconfig
-	}
-
-	var clusters []any
-	if cm, ok := cfg["clusters"]; ok {
-		clusters = cm.([]any)
-	}
-	cfg["clusters"] = appendOrSetNamed(clusters, fqdn, map[string]any{
-		"name": fqdn,
-		"cluster": map[string]string{
-			"server": "https://" + fqdn,
-		},
-	})
-
-	var users []any
-	if um, ok := cfg["users"]; ok {
-		users = um.([]any)
-	}
-	cfg["users"] = appendOrSetNamed(users, "tailscale-auth", map[string]any{
-		// We just need one of these, and can reuse it for all clusters.
-		"name": "tailscale-auth",
-		"user": map[string]string{
-			// We do not use the token, but if we do not set anything here
-			// kubectl will prompt for a username and password.
-			"token": "unused",
-		},
-	})
-
-	var contexts []any
-	if cm, ok := cfg["contexts"]; ok {
-		contexts = cm.([]any)
-	}
-	cfg["contexts"] = appendOrSetNamed(contexts, fqdn, map[string]any{
-		"name": fqdn,
-		"context": map[string]string{
-			"cluster": fqdn,
-			"user":    "tailscale-auth",
-		},
-	})
-	cfg["current-context"] = fqdn
-	return yaml.Marshal(cfg)
-}
-
-func setKubeconfigForPeer(fqdn, filePath string) error {
-	dir := filepath.Dir(filePath)
-	if _, err := os.Stat(dir); err != nil {
-		if !os.IsNotExist(err) {
-			return err
-		}
-		if err := os.Mkdir(dir, 0755); err != nil {
-			if version.IsSandboxedMacOS() && errors.Is(err, os.ErrPermission) {
-				// macOS sandboxing prevents us from creating the .kube directory
-				// in the home directory.
-				return errors.New("unable to create .kube directory in home directory, please create it manually (e.g. mkdir ~/.kube")
-			}
-			return err
-		}
-	}
-	b, err := os.ReadFile(filePath)
-	if err != nil && !os.IsNotExist(err) {
-		return fmt.Errorf("reading kubeconfig: %w", err)
-	}
-	b, err = updateKubeconfig(b, fqdn)
-	if err != nil {
-		return err
-	}
-	return os.WriteFile(filePath, b, 0600)
-}
--- a/cmd/tailscale/cli/configure-kube_test.go
+++ b/cmd/tailscale/cli/configure-kube_test.go
@@ -1,196 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-//go:build !ts_omit_kube
-
-package cli
-
-import (
-	"bytes"
-	"strings"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-)
-
-func TestKubeconfig(t *testing.T) {
-	const fqdn = "foo.tail-scale.ts.net"
-	tests := []struct {
-		name    string
-		in      string
-		want    string
-		wantErr error
-	}{
-		{
-			name: "invalid-yaml",
-			in: `apiVersion: v1
-kind: ,asdf`,
-			wantErr: errInvalidKubeconfig,
-		},
-		{
-			name: "invalid-cfg",
-			in: `apiVersion: v1
-kind: Pod`,
-			wantErr: errInvalidKubeconfig,
-		},
-		{
-			name: "empty",
-			in:   "",
-			want: `apiVersion: v1
-clusters:
- cluster:
-    server: https://foo.tail-scale.ts.net
-  name: foo.tail-scale.ts.net
-contexts:
- context:
-    cluster: foo.tail-scale.ts.net
-    user: tailscale-auth
-  name: foo.tail-scale.ts.net
-current-context: foo.tail-scale.ts.net
-kind: Config
-users:
- name: tailscale-auth
-  user:
-    token: unused`,
-		},
-		{
-			name: "already-configured",
-			in: `apiVersion: v1
-clusters:
- cluster:
-    server: https://foo.tail-scale.ts.net
-  name: foo.tail-scale.ts.net
-contexts:
- context:
-    cluster: foo.tail-scale.ts.net
-    user: tailscale-auth
-  name: foo.tail-scale.ts.net
-kind: Config
-current-context: foo.tail-scale.ts.net
-users:
- name: tailscale-auth
-  user:
-    token: unused`,
-			want: `apiVersion: v1
-clusters:
- cluster:
-    server: https://foo.tail-scale.ts.net
-  name: foo.tail-scale.ts.net
-contexts:
- context:
-    cluster: foo.tail-scale.ts.net
-    user: tailscale-auth
-  name: foo.tail-scale.ts.net
-current-context: foo.tail-scale.ts.net
-kind: Config
-users:
- name: tailscale-auth
-  user:
-    token: unused`,
-		},
-		{
-			name: "other-cluster",
-			in: `apiVersion: v1
-clusters:
- cluster:
-    server: https://192.168.1.1:8443
-  name: some-cluster
-contexts:
- context:
-    cluster: some-cluster
-    user: some-auth
-  name: some-cluster
-kind: Config
-current-context: some-cluster
-users:
- name: some-auth
-  user:
-    token: asdfasdf`,
-			want: `apiVersion: v1
-clusters:
- cluster:
-    server: https://192.168.1.1:8443
-  name: some-cluster
- cluster:
-    server: https://foo.tail-scale.ts.net
-  name: foo.tail-scale.ts.net
-contexts:
- context:
-    cluster: some-cluster
-    user: some-auth
-  name: some-cluster
- context:
-    cluster: foo.tail-scale.ts.net
-    user: tailscale-auth
-  name: foo.tail-scale.ts.net
-current-context: foo.tail-scale.ts.net
-kind: Config
-users:
- name: some-auth
-  user:
-    token: asdfasdf
- name: tailscale-auth
-  user:
-    token: unused`,
-		},
-		{
-			name: "already-using-tailscale",
-			in: `apiVersion: v1
-clusters:
- cluster:
-    server: https://bar.tail-scale.ts.net
-  name: bar.tail-scale.ts.net
-contexts:
- context:
-    cluster: bar.tail-scale.ts.net
-    user: tailscale-auth
-  name: bar.tail-scale.ts.net
-kind: Config
-current-context: bar.tail-scale.ts.net
-users:
- name: tailscale-auth
-  user:
-    token: unused`,
-			want: `apiVersion: v1
-clusters:
- cluster:
-    server: https://bar.tail-scale.ts.net
-  name: bar.tail-scale.ts.net
- cluster:
-    server: https://foo.tail-scale.ts.net
-  name: foo.tail-scale.ts.net
-contexts:
- context:
-    cluster: bar.tail-scale.ts.net
-    user: tailscale-auth
-  name: bar.tail-scale.ts.net
- context:
-    cluster: foo.tail-scale.ts.net
-    user: tailscale-auth
-  name: foo.tail-scale.ts.net
-current-context: foo.tail-scale.ts.net
-kind: Config
-users:
- name: tailscale-auth
-  user:
-    token: unused`,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := updateKubeconfig([]byte(tt.in), fqdn)
-			if err != nil {
-				if err != tt.wantErr {
-					t.Fatalf("updateKubeconfig() error = %v, wantErr %v", err, tt.wantErr)
-				}
-				return
-			} else if tt.wantErr != nil {
-				t.Fatalf("updateKubeconfig() error = %v, wantErr %v", err, tt.wantErr)
-			}
-			got = bytes.TrimSpace(got)
-			want := []byte(strings.TrimSpace(tt.want))
-			if d := cmp.Diff(want, got); d != "" {
-				t.Errorf("Kubeconfig() mismatch (-want +got):\n%s", d)
-			}
-		})
-	}
-}
--- a/cmd/tailscale/cli/configure.go
+++ b/cmd/tailscale/cli/configure.go
@@ -1,38 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package cli
-
-import (
-	"context"
-	"flag"
-	"runtime"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/version/distro"
-)
-
-var configureCmd = &ffcli.Command{
-	Name:      "configure",
-	ShortHelp: "Configure the host to enable more Tailscale features",
-	LongHelp: strings.TrimSpace(`
-The 'configure' command is intended to provide a way to configure different
-services on the host to enable more Tailscale features.
-`),
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("configure")
-		return fs
-	})(),
-	Subcommands: configureSubcommands(),
-	Exec: func(ctx context.Context, args []string) error {
-		return flag.ErrHelp
-	},
-}
-
-func configureSubcommands() (out []*ffcli.Command) {
-	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
-		out = append(out, synologyConfigureCmd)
-	}
-	return out
-}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 package cli

@@ -20,7 +21,6 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
-	"os/exec"
 	"runtime"
 	"strconv"
 	"strings"
@@ -40,7 +40,7 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/must"
-	"tailscale.com/wgengine/capture"
+	"tailscale.com/util/strs"
 )

 var debugCmd = &ffcli.Command{
@@ -76,17 +76,6 @@ var debugCmd = &ffcli.Command{
 			Exec:      runDaemonGoroutines,
 			ShortHelp: "print tailscaled's goroutines",
 		},
-		{
-			Name:      "daemon-logs",
-			Exec:      runDaemonLogs,
-			ShortHelp: "watch tailscaled's server logs",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("daemon-logs")
-				fs.IntVar(&daemonLogsArgs.verbose, "verbose", 0, "verbosity level")
-				fs.BoolVar(&daemonLogsArgs.time, "time", false, "include client time")
-				return fs
-			})(),
-		},
 		{
 			Name:      "metrics",
 			Exec:      runDaemonMetrics,
@@ -145,7 +134,6 @@ var debugCmd = &ffcli.Command{
 				fs := newFlagSet("watch-ipn")
 				fs.BoolVar(&watchIPNArgs.netmap, "netmap", true, "include netmap in messages")
 				fs.BoolVar(&watchIPNArgs.initial, "initial", false, "include initial status")
-				fs.BoolVar(&watchIPNArgs.showPrivateKey, "show-private-key", false, "include node private key in printed netmap")
 				return fs
 			})(),
 		},
@@ -166,16 +154,6 @@ var debugCmd = &ffcli.Command{
 				return fs
 			})(),
 		},
-		{
-			Name:      "set-expire",
-			Exec:      runSetExpire,
-			ShortHelp: "manipulate node key expiry for testing",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("set-expire")
-				fs.DurationVar(&setExpireArgs.in, "in", 0, "if non-zero, set node key to expire this duration from now")
-				return fs
-			})(),
-		},
 		{
 			Name:      "dev-store-set",
 			Exec:      runDevStoreSet,
@@ -191,16 +169,6 @@ var debugCmd = &ffcli.Command{
 			Exec:      runDebugDERP,
 			ShortHelp: "test a DERP configuration",
 		},
-		{
-			Name:      "capture",
-			Exec:      runCapture,
-			ShortHelp: "streams pcaps for debugging",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("capture")
-				fs.StringVar(&captureArgs.outFile, "o", "", "path to stream the pcap (or - for stdout), leave empty to start wireshark")
-				return fs
-			})(),
-		},
 	},
 }

@@ -270,7 +238,7 @@ func runDebug(ctx context.Context, args []string) error {
 			e.Encode(wfs)
 			return nil
 		}
-		if name, ok := strings.CutPrefix(debugArgs.file, "delete:"); ok {
+		if name, ok := strs.CutPrefix(debugArgs.file, "delete:"); ok {
 			return localClient.DeleteWaitingFile(ctx, name)
 		}
 		rc, size, err := localClient.GetWaitingFile(ctx, debugArgs.file)
@@ -351,9 +319,8 @@ func runPrefs(ctx context.Context, args []string) error {
 }

 var watchIPNArgs struct {
-	netmap         bool
-	initial        bool
-	showPrivateKey bool
+	netmap  bool
+	initial bool
 }

 func runWatchIPN(ctx context.Context, args []string) error {
@@ -361,9 +328,6 @@ func runWatchIPN(ctx context.Context, args []string) error {
 	if watchIPNArgs.initial {
 		mask = ipn.NotifyInitialState | ipn.NotifyInitialPrefs | ipn.NotifyInitialNetMap
 	}
-	if !watchIPNArgs.showPrivateKey {
-		mask |= ipn.NotifyNoPrivateKeys
-	}
 	watcher, err := localClient.WatchIPNBus(ctx, mask)
 	if err != nil {
 		return err
@@ -450,39 +414,6 @@ func runDaemonGoroutines(ctx context.Context, args []string) error {
 	return nil
 }

-var daemonLogsArgs struct {
-	verbose int
-	time    bool
-}
-
-func runDaemonLogs(ctx context.Context, args []string) error {
-	logs, err := localClient.TailDaemonLogs(ctx)
-	if err != nil {
-		return err
-	}
-	d := json.NewDecoder(logs)
-	for {
-		var line struct {
-			Text    string `json:"text"`
-			Verbose int    `json:"v"`
-			Time    string `json:"client_time"`
-		}
-		err := d.Decode(&line)
-		if err != nil {
-			return err
-		}
-		line.Text = strings.TrimSpace(line.Text)
-		if line.Text == "" || line.Verbose > daemonLogsArgs.verbose {
-			continue
-		}
-		if daemonLogsArgs.time {
-			fmt.Printf("%s %s\n", line.Time, line.Text)
-		} else {
-			fmt.Println(line.Text)
-		}
-	}
-}
-
 var metricsArgs struct {
 	watch bool
 }
@@ -734,58 +665,3 @@ func runDebugDERP(ctx context.Context, args []string) error {
 	fmt.Printf("%s\n", must.Get(json.MarshalIndent(st, "", " ")))
 	return nil
 }
-
-var setExpireArgs struct {
-	in time.Duration
-}
-
-func runSetExpire(ctx context.Context, args []string) error {
-	if len(args) != 0 || setExpireArgs.in == 0 {
-		return errors.New("usage --in=<duration>")
-	}
-	return localClient.DebugSetExpireIn(ctx, setExpireArgs.in)
-}
-
-var captureArgs struct {
-	outFile string
-}
-
-func runCapture(ctx context.Context, args []string) error {
-	stream, err := localClient.StreamDebugCapture(ctx)
-	if err != nil {
-		return err
-	}
-	defer stream.Close()
-
-	switch captureArgs.outFile {
-	case "-":
-		fmt.Fprintln(os.Stderr, "Press Ctrl-C to stop the capture.")
-		_, err = io.Copy(os.Stdout, stream)
-		return err
-	case "":
-		lua, err := os.CreateTemp("", "ts-dissector")
-		if err != nil {
-			return err
-		}
-		defer os.Remove(lua.Name())
-		lua.Write([]byte(capture.DissectorLua))
-		if err := lua.Close(); err != nil {
-			return err
-		}
-
-		wireshark := exec.CommandContext(ctx, "wireshark", "-X", "lua_script:"+lua.Name(), "-k", "-i", "-")
-		wireshark.Stdin = stream
-		wireshark.Stdout = os.Stdout
-		wireshark.Stderr = os.Stderr
-		return wireshark.Run()
-	}
-
-	f, err := os.OpenFile(captureArgs.outFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	fmt.Fprintln(os.Stderr, "Press Ctrl-C to stop the capture.")
-	_, err = io.Copy(f, stream)
-	return err
-}
--- a/cmd/tailscale/cli/diag.go
+++ b/cmd/tailscale/cli/diag.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build linux || windows || darwin

@@ -7,13 +8,11 @@ package cli

 import (
 	"fmt"
-	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"

 	ps "github.com/mitchellh/go-ps"
-	"tailscale.com/version/distro"
 )

 // fixTailscaledConnectError is called when the local tailscaled has
@@ -48,27 +47,9 @@ func fixTailscaledConnectError(origErr error) error {
 		case "darwin":
 			return fmt.Errorf("failed to connect to local Tailscale service; is Tailscale running?")
 		case "linux":
-			var hint string
-			if isSystemdSystem() {
-				hint = " (sudo systemctl start tailscaled ?)"
-			}
-			return fmt.Errorf("failed to connect to local tailscaled; it doesn't appear to be running%s", hint)
+			return fmt.Errorf("failed to connect to local tailscaled; it doesn't appear to be running (sudo systemctl start tailscaled ?)")
 		}
 		return fmt.Errorf("failed to connect to local tailscaled process; it doesn't appear to be running")
 	}
 	return fmt.Errorf("failed to connect to local tailscaled (which appears to be running as %v, pid %v). Got error: %w", foundProc.Executable(), foundProc.Pid(), origErr)
 }
-
-// isSystemdSystem reports whether the current machine uses systemd
-// and in particular whether the systemctl command is available.
-func isSystemdSystem() bool {
-	if runtime.GOOS != "linux" {
-		return false
-	}
-	switch distro.Get() {
-	case distro.QNAP, distro.Gokrazy, distro.Synology:
-		return false
-	}
-	_, err := exec.LookPath("systemctl")
-	return err == nil
-}
--- a/cmd/tailscale/cli/diag_other.go
+++ b/cmd/tailscale/cli/diag_other.go
@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.

 //go:build !linux && !windows && !darwin

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .37.0
 .35.0