WIP

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

.github/workflows/codeql-analysis.yml

@@ -45,7 +45,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/docker-file-build.yml

@@ -10,6 +10,6 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
     - name: "Build Docker image"
       run: docker build .

.github/workflows/flakehub-publish-tagged.yml

@@ -1,27 +0,0 @@
-name: update-flakehub
-
-on:
-  push:
-    tags:
-      - "v[0-9]+.*[02468].[0-9]+"
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "The existing tag to publish to FlakeHub"
-        type: "string"
-        required: true
-jobs:
-  flakehub-publish:
-    runs-on: "ubuntu-latest"
-    permissions:
-      id-token: "write"
-      contents: "read"
-    steps:
-      - uses: "actions/checkout@v4"
-        with:
-          ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
-      - uses: "DeterminateSystems/nix-installer-action@main"
-      - uses: "DeterminateSystems/flakehub-push@main"
-        with:
-          visibility: "public"
-          tag: "${{ inputs.tag }}"

.github/workflows/go-licenses.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
 
       - name: Set up Go
         uses: actions/setup-go@v4

.github/workflows/golangci-lint.yml

@@ -23,7 +23,7 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
 
       - uses: actions/setup-go@v4
         with:

.github/workflows/govulncheck.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
 
       - name: Install govulncheck
         run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest

.github/workflows/installer.yml

@@ -91,7 +91,7 @@ jobs:
         || contains(matrix.image, 'parrotsec')
         || contains(matrix.image, 'kalilinux')
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: run installer
       run: scripts/installer.sh
       # Package installation can fail in docker because systemd is not running

.github/workflows/test.yml

@@ -51,7 +51,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Restore Cache
       uses: actions/cache@v3
       with:
@@ -74,7 +74,6 @@ jobs:
       env:
         GOARCH: ${{ matrix.goarch }}
     - name: build variant CLIs
-      if: matrix.buildflags == '' # skip on race builder
       run: |
         export TS_USE_TOOLCHAIN=1
         ./build_dist.sh --extra-small ./cmd/tailscaled
@@ -84,7 +83,7 @@ jobs:
       env:
         GOARCH: ${{ matrix.goarch }}
     - name: get qemu # for tstest/archtest
-      if: matrix.goarch == 'amd64' && matrix.buildflags == ''
+      if: matrix.goarch == 'amd64' && matrix.variant == ''
       run: |
         sudo apt-get -y update
         sudo apt-get -y install qemu-user
@@ -95,7 +94,7 @@ jobs:
       env:
         GOARCH: ${{ matrix.goarch }}
     - name: bench all
-      run: ./tool/go test ${{matrix.buildflags}} -bench=. -benchtime=1x -run=^$ $(for x in $(git grep -l "^func Benchmark" | xargs dirname | sort | uniq); do echo "./$x"; done)
+      run: PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}} -bench=. -benchtime=1x -run=^$ 
       env:
         GOARCH: ${{ matrix.goarch }}
     - name: check that no tracked files changed
@@ -116,7 +115,7 @@ jobs:
     runs-on: windows-2022
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
 
     - name: Install Go
       uses: actions/setup-go@v4
@@ -142,12 +141,10 @@ jobs:
           ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
           ${{ github.job }}-${{ runner.os }}-go-2-
     - name: test
-      run: go run ./cmd/testwrapper ./...
-    - name: bench all
       # Don't use -bench=. -benchtime=1x.
       # Somewhere in the layers (powershell?)
       # the equals signs cause great confusion.
-      run: go test ./... -bench . -benchtime 1x -run "^$"
+      run: go run ./cmd/testwrapper ./... -bench . -benchtime 1x
 
   vm:
     runs-on: ["self-hosted", "linux", "vm"]
@@ -155,7 +152,7 @@ jobs:
     if: github.repository == 'tailscale/tailscale'
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Run VM tests
       run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
       env:
@@ -197,14 +194,11 @@ jobs:
             goarch: amd64
           - goos: openbsd
             goarch: amd64
-          # Plan9
-          - goos: plan9
-            goarch: amd64
 
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Restore Cache
       uses: actions/cache@v3
       with:
@@ -241,7 +235,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: build some
       run: ./tool/go build ./ipn/... ./wgengine/ ./types/... ./control/controlclient
       env:
@@ -255,7 +249,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
       # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
       # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
       # some Android breakages early.
@@ -270,7 +264,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: Restore Cache
       uses: actions/cache@v3
       with:
@@ -304,7 +298,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: test tailscale_go
       run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/...
 
@@ -372,7 +366,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: check depaware
       run: |
         export PATH=$(./tool/go env GOROOT)/bin:$PATH
@@ -382,7 +376,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: check that 'go generate' is clean
       run: |
         pkgs=$(./tool/go list ./... | grep -v dnsfallback)
@@ -395,7 +389,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: check that 'go mod tidy' is clean
       run: |
         ./tool/go mod tidy
@@ -407,7 +401,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: check licenses
       run: ./scripts/check_license_headers.sh .
 
@@ -423,7 +417,7 @@ jobs:
             goarch: "386"
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
     - name: install staticcheck
       run: GOBIN=~/.local/bin ./tool/go install honnef.co/go/tools/cmd/staticcheck
     - name: run staticcheck

.github/workflows/update-flake.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
 
       - name: Run update-flakes
         run: ./update-flake.sh

.gitignore

@@ -38,7 +38,7 @@ cmd/tailscaled/tailscaled
 # Ignore web client node modules
 .vite/
 client/web/node_modules
-client/web/build/assets
+client/web/build
 
 /gocross
 /dist

CODEOWNERS

@@ -1 +0,0 @@
-/tailcfg/ @tailscale/control-protocol-owners

Makefile

@@ -36,9 +36,6 @@ buildlinuxarm: ## Build tailscale CLI for linux/arm
 buildwasm: ## Build tailscale CLI for js/wasm
 	GOOS=js GOARCH=wasm ./tool/go install ./cmd/tsconnect/wasm ./cmd/tailscale/cli
 
-buildplan9:
-	GOOS=plan9 GOARCH=amd64 ./tool/go install ./cmd/tailscale ./cmd/tailscaled
-
 buildlinuxloong64: ## Build tailscale CLI for linux/loong64
 	GOOS=linux GOARCH=loong64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
 

README.md

@@ -41,16 +41,6 @@ We always require the latest Go release, currently Go 1.21. (While we build
 releases with our [Go fork](https://github.com/tailscale/go/), its use is not
 required.)
 
-To include the embedded web client (accessed via the `tailscale web` command),
-first build the client assets using:
-
-```
-./tool/yarn --cwd client/web install
-./tool/yarn --cwd client/web build
-```
-
-Build the `tailscale` and `tailscaled` binaries:
-
 ```
 go install tailscale.com/cmd/tailscale{,d}
 ```

build_dist.sh

@@ -5,9 +5,6 @@
 # information into the binaries, so that we can track down user
 # issues.
 #
-# To include the embedded web client, build the web client assets
-# before running this script. See README.md for details.
-#
 # If you're packaging Tailscale for a distro, please consider using
 # this script, or executing equivalent commands in your
 # distro-specific build system.

client/tailscale/apitype/controltype.go

@@ -4,13 +4,13 @@
 package apitype
 
 type DNSConfig struct {
-	Resolvers          []DNSResolver            `json:"resolvers"`
-	FallbackResolvers  []DNSResolver            `json:"fallbackResolvers"`
-	Routes             map[string][]DNSResolver `json:"routes"`
-	Domains            []string                 `json:"domains"`
-	Nameservers        []string                 `json:"nameservers"`
-	Proxied            bool                     `json:"proxied"`
-	TempCorpIssue13969 string                   `json:"TempCorpIssue13969,omitempty"`
+	Resolvers         []DNSResolver            `json:"resolvers"`
+	FallbackResolvers []DNSResolver            `json:"fallbackResolvers"`
+	Routes            map[string][]DNSResolver `json:"routes"`
+	Domains           []string                 `json:"domains"`
+	Nameservers       []string                 `json:"nameservers"`
+	Proxied           bool                     `json:"proxied"`
+	DNSFilterURL      string                   `json:"DNSFilterURL"`
 }
 
 type DNSResolver struct {

client/tailscale/localclient.go

@@ -37,7 +37,6 @@ import (
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
 	"tailscale.com/types/tkatype"
-	"tailscale.com/util/cmpx"
 )
 
 // defaultLocalClient is the default LocalClient when using the legacy
@@ -392,65 +391,15 @@ func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
 	return nil
 }
 
-// DebugResultJSON invokes a debug action and returns its result as something JSON-able.
-// These are development tools and subject to change or removal over time.
-func (lc *LocalClient) DebugResultJSON(ctx context.Context, action string) (any, error) {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
-	if err != nil {
-		return nil, fmt.Errorf("error %w: %s", err, body)
-	}
-	var x any
-	if err := json.Unmarshal(body, &x); err != nil {
-		return nil, err
-	}
-	return x, nil
-}
-
-// DebugPortmapOpts contains options for the DebugPortmap command.
-type DebugPortmapOpts struct {
-	// Duration is how long the mapping should be created for. It defaults
-	// to 5 seconds if not set.
-	Duration time.Duration
-
-	// Type is the kind of portmap to debug. The empty string instructs the
-	// portmap client to perform all known types. Other valid options are
-	// "pmp", "pcp", and "upnp".
-	Type string
-
-	// GatewayAddr specifies the gateway address used during portmapping.
-	// If set, SelfAddr must also be set. If unset, it will be
-	// autodetected.
-	GatewayAddr netip.Addr
-
-	// SelfAddr specifies the gateway address used during portmapping. If
-	// set, GatewayAddr must also be set. If unset, it will be
-	// autodetected.
-	SelfAddr netip.Addr
-
-	// LogHTTP instructs the debug-portmap endpoint to print all HTTP
-	// requests and responses made to the logs.
-	LogHTTP bool
-}
-
 // DebugPortmap invokes the debug-portmap endpoint, and returns an
 // io.ReadCloser that can be used to read the logs that are printed during this
 // process.
-//
-// opts can be nil; if so, default values will be used.
-func (lc *LocalClient) DebugPortmap(ctx context.Context, opts *DebugPortmapOpts) (io.ReadCloser, error) {
+func (lc *LocalClient) DebugPortmap(ctx context.Context, duration time.Duration, ty, gwSelf string) (io.ReadCloser, error) {
 	vals := make(url.Values)
-	if opts == nil {
-		opts = &DebugPortmapOpts{}
-	}
-
-	vals.Set("duration", cmpx.Or(opts.Duration, 5*time.Second).String())
-	vals.Set("type", opts.Type)
-	vals.Set("log_http", strconv.FormatBool(opts.LogHTTP))
-
-	if opts.GatewayAddr.IsValid() != opts.SelfAddr.IsValid() {
-		return nil, fmt.Errorf("both GatewayAddr and SelfAddr must be provided if one is")
-	} else if opts.GatewayAddr.IsValid() {
-		vals.Set("gateway_and_self", fmt.Sprintf("%s/%s", opts.GatewayAddr, opts.SelfAddr))
+	vals.Set("duration", duration.String())
+	vals.Set("type", ty)
+	if gwSelf != "" {
+		vals.Set("gateway_and_self", gwSelf)
 	}
 
 	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+apitype.LocalAPIHost+"/localapi/v0/debug-portmap?"+vals.Encode(), nil)

client/web/auth-redirect.html

@@ -0,0 +1,57 @@
+<html>
+<head>
+	<title>Redirecting...</title>
+	<style>
+		html,
+		body {
+			height: 100%;
+		}
+
+		html {
+			background-color: rgb(249, 247, 246);
+			font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
+			line-height: 1.5;
+			-webkit-text-size-adjust: 100%;
+			-webkit-font-smoothing: antialiased;
+			-moz-osx-font-smoothing: grayscale;
+		}
+
+		body {
+			display: flex;
+			flex-direction: column;
+			align-items: center;
+			justify-content: center;
+		}
+
+		.spinner {
+			margin-bottom: 2rem;
+			border: 4px rgba(112, 110, 109, 0.5) solid;
+			border-left-color: transparent;
+			border-radius: 9999px;
+			width: 4rem;
+			height: 4rem;
+			-webkit-animation: spin 700ms linear infinite;
+      animation: spin 800ms linear infinite;
+		}
+
+		.label {
+			color: rgb(112, 110, 109);
+			padding-left: 0.4rem;
+		}
+
+		@-webkit-keyframes spin {
+			to {
+				transform: rotate(360deg);
+			}
+		}
+
+		@keyframes spin {
+			to {
+				transform: rotate(360deg);
+			}
+		}
+	</style>
+</head> <body>
+	<div class="spinner"></div>
+	<div class="label">Redirecting...</div>
+</body>

client/web/build/index.html

@@ -1,28 +0,0 @@
-<!doctype html>
-<html class="bg-gray-50">
-  <head>
-    <title>Tailscale</title>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <link rel="shortcut icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAQAAADZc7J/AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAHdElNRQflAx4QGA4EvmzDAAAA30lEQVRIx2NgGAWMCKa8JKM4A8Ovt88ekyLCDGOoyDBJMjExMbFy8zF8/EKsCAMDE8yAPyIwFps48SJIBpAL4AZwvoSx/r0lXgQpDN58EWL5x/7/H+vL20+JFxluQKVe5b3Ke5V+0kQQCamfoYKBg4GDwUKI8d0BYkWQkrLKewYBKPPDHUFiRaiZkBgmwhj/F5IgggyUJ6i8V3mv0kCayDAAeEsklXqGAgYGhgV3CnGrwVciYSYk0kokhgS44/JxqqFpiYSZbEgskd4dEBRk1GD4wdB5twKXmlHAwMDAAACdEZau06NQUwAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMC0wNy0xNVQxNTo1Mzo0MCswMDowMCVXsDIAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjAtMDctMTVUMTU6NTM6NDArMDA6MDBUCgiOAAAAAElFTkSuQmCC" />
-    
-    <script type="module" crossorigin src="./assets/index-4d1f45ea.js"></script>
-    <link rel="stylesheet" href="./assets/index-8612dca6.css">
-  </head>
-  <body>
-    <noscript>
-      <p class="mb-2">You need to enable Javascript to access the Tailscale web client.</p>
-      <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a>.</p>
-    </noscript>
-    
-    <script>
-      window.addEventListener("load", () => {
-        if (!window.Tailscale) {
-          const rootEl = document.createElement("p")
-          rootEl.innerHTML = 'Tailscale was built without the web client. See <a href="https://github.com/tailscale/tailscale#building-the-web-client">Building the web client</a> for more information.'
-          document.body.append(rootEl)
-        }
-      });
-    </script>
-  </body>
-</html>

client/web/dev.go

@@ -4,8 +4,6 @@
 package web
 
 import (
-	"embed"
-	"io/fs"
 	"log"
 	"net/http"
 	"net/http/httputil"
@@ -14,42 +12,11 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
-
-	"tailscale.com/util/must"
 )
 
-// This contains all files needed to build the frontend assets.
-// Because we assign this to the blank identifier, it does not actually embed the files.
-// However, this does cause `go mod vendor` to include the files when vendoring the package.
-// External packages that use the web client can `go mod vendor`, run `yarn build` to
-// build the assets, then those asset bundles will be embedded.
-//
-//go:embed yarn.lock index.html *.js *.json src/*
-var _ embed.FS
-
-//go:embed build/*
-var embeddedFS embed.FS
-
-// staticfiles serves static files from the build directory.
-var staticfiles http.Handler
-
-func init() {
-	buildFiles := must.Get(fs.Sub(embeddedFS, "build"))
-	staticfiles = http.FileServer(http.FS(buildFiles))
-}
-
-func assetsHandler(devMode bool) (_ http.Handler, cleanup func()) {
-	if devMode {
-		// When in dev mode, proxy asset requests to the Vite dev server.
-		cleanup := startDevServer()
-		return devServerProxy(), cleanup
-	}
-	return staticfiles, nil
-}
-
 // startDevServer starts the JS dev server that does on-demand rebuilding
 // and serving of web client JS and CSS resources.
-func startDevServer() (cleanup func()) {
+func (s *Server) startDevServer() (cleanup func()) {
 	root := gitRootDir()
 	webClientPath := filepath.Join(root, "client", "web")
 
@@ -78,8 +45,10 @@ func startDevServer() (cleanup func()) {
 	}
 }
 
-// devServerProxy returns a reverse proxy to the vite dev server.
-func devServerProxy() *httputil.ReverseProxy {
+func (s *Server) addProxyToDevServer() {
+	if !s.devMode {
+		return // only using Vite proxy in dev mode
+	}
 	// We use Vite to develop on the web client.
 	// Vite starts up its own local server for development,
 	// which we proxy requests to from Server.ServeHTTP.
@@ -93,9 +62,8 @@ func devServerProxy() *httputil.ReverseProxy {
 		w.Write([]byte("\n\nError: " + err.Error()))
 	}
 	viteTarget, _ := url.Parse("http://127.0.0.1:4000")
-	devProxy := httputil.NewSingleHostReverseProxy(viteTarget)
-	devProxy.ErrorHandler = handleErr
-	return devProxy
+	s.devProxy = httputil.NewSingleHostReverseProxy(viteTarget)
+	s.devProxy.ErrorHandler = handleErr
 }
 
 func gitRootDir() string {

client/web/index.html

@@ -8,19 +8,22 @@
     <link rel="stylesheet" type="text/css" href="/src/index.css" />
   </head>
   <body>
+    <div class="min-h-screen py-10 flex justify-center items-center" style="display: none">
+      <div class="max-w-md">
+        <h3 class="font-semibold text-lg mb-4">Your web browser is unsupported.</h3>
+        <p class="mb-2">
+          Update to a modern browser to access the Tailscale web client. You can use
+          <a class="link" href="https://www.mozilla.org/en-US/firefox/new/" target="_blank">Firefox</a>,
+          <a class="link" href="https://www.microsoft.com/en-us/edge" target="_blank">Edge</a>,
+          <a class="link" href="https://www.apple.com/safari/" target="_blank">Safari</a>,
+          or <a class="link" href="https://www.google.com/chrome/" target="_blank">Chrome</a>.</p>
+        <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a></p>
+      </div>
+    </div>
     <noscript>
       <p class="mb-2">You need to enable Javascript to access the Tailscale web client.</p>
       <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a>.</p>
     </noscript>
     <script type="module" src="/src/index.tsx"></script>
-    <script>
-      window.addEventListener("load", () => {
-        if (!window.Tailscale) {
-          const rootEl = document.createElement("p")
-          rootEl.innerHTML = 'Tailscale was built without the web client. See <a href="https://github.com/tailscale/tailscale#building-the-web-client">Building the web client</a> for more information.'
-          document.body.append(rootEl)
-        }
-      });
-    </script>
   </body>
 </html>

client/web/package.json

@@ -8,12 +8,10 @@
   },
   "private": true,
   "dependencies": {
-    "classnames": "^2.3.1",
     "react": "^18.2.0",
     "react-dom": "^18.2.0"
   },
   "devDependencies": {
-    "@types/classnames": "^2.2.10",
     "@types/react": "^18.0.20",
     "@types/react-dom": "^18.0.6",
     "@vitejs/plugin-react-swc": "^3.3.2",

client/web/qnap.go

@@ -1,128 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// qnap.go contains handlers and logic, such as authentication,
-// that is specific to running the web client on QNAP.
-
-package web
-
-import (
-	"crypto/tls"
-	"encoding/xml"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"net/url"
-)
-
-// authorizeQNAP authenticates the logged-in QNAP user and verifies
-// that they are authorized to use the web client.  It returns true if the
-// request was handled and no further processing is required.
-func authorizeQNAP(w http.ResponseWriter, r *http.Request) (handled bool) {
-	_, resp, err := qnapAuthn(r)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusUnauthorized)
-		return true
-	}
-	if resp.IsAdmin == 0 {
-		http.Error(w, "user is not an admin", http.StatusForbidden)
-		return true
-	}
-
-	return false
-}
-
-type qnapAuthResponse struct {
-	AuthPassed int    `xml:"authPassed"`
-	IsAdmin    int    `xml:"isAdmin"`
-	AuthSID    string `xml:"authSid"`
-	ErrorValue int    `xml:"errorValue"`
-}
-
-func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
-	user, err := r.Cookie("NAS_USER")
-	if err != nil {
-		return "", nil, err
-	}
-	token, err := r.Cookie("qtoken")
-	if err == nil {
-		return qnapAuthnQtoken(r, user.Value, token.Value)
-	}
-	sid, err := r.Cookie("NAS_SID")
-	if err == nil {
-		return qnapAuthnSid(r, user.Value, sid.Value)
-	}
-	return "", nil, fmt.Errorf("not authenticated by any mechanism")
-}
-
-// qnapAuthnURL returns the auth URL to use by inferring where the UI is
-// running based on the request URL. This is necessary because QNAP has so
-// many options, see https://github.com/tailscale/tailscale/issues/7108
-// and https://github.com/tailscale/tailscale/issues/6903
-func qnapAuthnURL(requestUrl string, query url.Values) string {
-	in, err := url.Parse(requestUrl)
-	scheme := ""
-	host := ""
-	if err != nil || in.Scheme == "" {
-		log.Printf("Cannot parse QNAP login URL %v", err)
-
-		// try localhost and hope for the best
-		scheme = "http"
-		host = "localhost"
-	} else {
-		scheme = in.Scheme
-		host = in.Host
-	}
-
-	u := url.URL{
-		Scheme:   scheme,
-		Host:     host,
-		Path:     "/cgi-bin/authLogin.cgi",
-		RawQuery: query.Encode(),
-	}
-
-	return u.String()
-}
-
-func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"qtoken": []string{token},
-		"user":   []string{user},
-	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
-}
-
-func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"sid": []string{sid},
-	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
-}
-
-func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
-	// QNAP Force HTTPS mode uses a self-signed certificate. Even importing
-	// the QNAP root CA isn't enough, the cert doesn't have a usable CN nor
-	// SAN. See https://github.com/tailscale/tailscale/issues/6903
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-	}
-	client := &http.Client{Transport: tr}
-	resp, err := client.Get(url)
-	if err != nil {
-		return "", nil, err
-	}
-	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", nil, err
-	}
-	authResp := &qnapAuthResponse{}
-	if err := xml.Unmarshal(out, authResp); err != nil {
-		return "", nil, err
-	}
-	if authResp.AuthPassed == 0 {
-		return "", nil, fmt.Errorf("not authenticated")
-	}
-	return user, authResp, nil
-}

client/web/src/api.ts

@@ -1,67 +0,0 @@
-let csrfToken: string
-let unraidCsrfToken: string | undefined // required for unraid POST requests (#8062)
-
-// apiFetch wraps the standard JS fetch function with csrf header
-// management and param additions specific to the web client.
-//
-// apiFetch adds the `api` prefix to the request URL,
-// so endpoint should be provided without the `api` prefix
-// (i.e. provide `/data` rather than `api/data`).
-export function apiFetch(
-  endpoint: string,
-  method: "GET" | "POST",
-  body?: any,
-  params?: Record<string, string>
-): Promise<Response> {
-  const urlParams = new URLSearchParams(window.location.search)
-  const nextParams = new URLSearchParams(params)
-  const token = urlParams.get("SynoToken")
-  if (token) {
-    nextParams.set("SynoToken", token)
-  }
-  const search = nextParams.toString()
-  const url = `api${endpoint}${search ? `?${search}` : ""}`
-
-  var contentType: string
-  if (unraidCsrfToken && method === "POST") {
-    const params = new URLSearchParams()
-    params.append("csrf_token", unraidCsrfToken)
-    if (body) {
-      params.append("ts_data", JSON.stringify(body))
-    }
-    body = params.toString()
-    contentType = "application/x-www-form-urlencoded;charset=UTF-8"
-  } else {
-    body = body ? JSON.stringify(body) : undefined
-    contentType = "application/json"
-  }
-
-  return fetch(url, {
-    method: method,
-    headers: {
-      Accept: "application/json",
-      "Content-Type": contentType,
-      "X-CSRF-Token": csrfToken,
-    },
-    body,
-  }).then((r) => {
-    updateCsrfToken(r)
-    if (!r.ok) {
-      return r.text().then((err) => {
-        throw new Error(err)
-      })
-    }
-    return r
-  })
-}
-
-function updateCsrfToken(r: Response) {
-  const tok = r.headers.get("X-CSRF-Token")
-  if (tok) {
-    csrfToken = tok
-  }
-}
-
-export function setUnraidCsrfToken(token?: string) {
-  unraidCsrfToken = token
-}

client/web/src/components/app.tsx

@@ -3,9 +3,7 @@ import { Footer, Header, IP, State } from "src/components/legacy"
 import useNodeData from "src/hooks/node-data"
 
 export default function App() {
-  // TODO(sonia): use isPosting value from useNodeData
-  // to fill loading states.
-  const { data, refreshData, updateNode } = useNodeData()
+  const data = useNodeData()
 
   return (
     <div className="py-14">
@@ -15,13 +13,9 @@ export default function App() {
       ) : (
         <>
           <main className="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl">
-            <Header
-              data={data}
-              refreshData={refreshData}
-              updateNode={updateNode}
-            />
+            <Header data={data} />
             <IP data={data} />
-            <State data={data} updateNode={updateNode} />
+            <State data={data} />
           </main>
           <Footer data={data} />
         </>

client/web/src/components/legacy.tsx

@@ -1,22 +1,14 @@
-import cx from "classnames"
 import React from "react"
-import { apiFetch } from "src/api"
-import { NodeData, NodeUpdate } from "src/hooks/node-data"
+import { NodeData } from "src/hooks/node-data"
 
 // TODO(tailscale/corp#13775): legacy.tsx contains a set of components
 // that (crudely) implement the pre-2023 web client. These are implemented
 // purely to ease migration to the new React-based web client, and will
 // eventually be completely removed.
 
-export function Header({
-  data,
-  refreshData,
-  updateNode,
-}: {
-  data: NodeData
-  refreshData: () => void
-  updateNode: (update: NodeUpdate) => void
-}) {
+export function Header(props: { data: NodeData }) {
+  const { data } = props
+
   return (
     <header className="flex justify-between items-center min-width-0 py-2 mb-8">
       <svg
@@ -68,56 +60,41 @@ export function Header({
         ></circle>
       </svg>
       <div className="flex items-center justify-end space-x-2 w-2/3">
-        {data.Profile &&
-          data.Status !== "NoState" &&
-          data.Status !== "NeedsLogin" && (
-            <>
-              <div className="text-right w-full leading-4">
-                <h4 className="truncate leading-normal">
-                  {data.Profile.LoginName}
-                </h4>
-                <div className="text-xs text-gray-500 text-right">
-                  <button
-                    onClick={() => updateNode({ Reauthenticate: true })}
-                    className="hover:text-gray-700"
-                  >
-                    Switch account
-                  </button>{" "}
-                  |{" "}
-                  <button
-                    onClick={() => updateNode({ Reauthenticate: true })}
-                    className="hover:text-gray-700"
-                  >
-                    Reauthenticate
-                  </button>{" "}
-                  |{" "}
-                  <button
-                    onClick={() =>
-                      apiFetch("/local/v0/logout", "POST")
-                        .then(refreshData)
-                        .catch((err) => alert("Logout failed: " + err.message))
-                    }
-                    className="hover:text-gray-700"
-                  >
-                    Logout
-                  </button>
-                </div>
+        {data.Profile && (
+          <>
+            <div className="text-right w-full leading-4">
+              <h4 className="truncate leading-normal">
+                {data.Profile.LoginName}
+              </h4>
+              <div className="text-xs text-gray-500 text-right">
+                <a href="#" className="hover:text-gray-700 js-loginButton">
+                  Switch account
+                </a>{" "}
+                |{" "}
+                <a href="#" className="hover:text-gray-700 js-loginButton">
+                  Reauthenticate
+                </a>{" "}
+                |{" "}
+                <a href="#" className="hover:text-gray-700 js-logoutButton">
+                  Logout
+                </a>
               </div>
-              <div className="relative flex-shrink-0 w-8 h-8 rounded-full overflow-hidden">
-                {data.Profile.ProfilePicURL ? (
-                  <div
-                    className="w-8 h-8 flex pointer-events-none rounded-full bg-gray-200"
-                    style={{
-                      backgroundImage: `url(${data.Profile.ProfilePicURL})`,
-                      backgroundSize: "cover",
-                    }}
-                  />
-                ) : (
-                  <div className="w-8 h-8 flex pointer-events-none rounded-full border border-gray-400 border-dashed" />
-                )}
-              </div>
-            </>
-          )}
+            </div>
+            <div className="relative flex-shrink-0 w-8 h-8 rounded-full overflow-hidden">
+              {data.Profile.ProfilePicURL ? (
+                <div
+                  className="w-8 h-8 flex pointer-events-none rounded-full bg-gray-200"
+                  style={{
+                    backgroundImage: `url(${data.Profile.ProfilePicURL})`,
+                    backgroundSize: "cover",
+                  }}
+                />
+              ) : (
+                <div className="w-8 h-8 flex pointer-events-none rounded-full border border-gray-400 border-dashed" />
+              )}
+            </div>
+          </>
+        )}
       </div>
     </header>
   )
@@ -151,9 +128,9 @@ export function IP(props: { data: NodeData }) {
             <line x1="6" y1="6" x2="6.01" y2="6"></line>
             <line x1="6" y1="18" x2="6.01" y2="18"></line>
           </svg>
-          <h4 className="font-semibold truncate mr-2">
-            {data.DeviceName || "Your device"}
-          </h4>
+          <div>
+            <h4 className="font-semibold truncate mr-2">{data.DeviceName}</h4>
+          </div>
         </div>
         <h5>{data.IP}</h5>
       </div>
@@ -185,13 +162,9 @@ export function IP(props: { data: NodeData }) {
   )
 }
 
-export function State({
-  data,
-  updateNode,
-}: {
-  data: NodeData
-  updateNode: (update: NodeUpdate) => void
-}) {
+export function State(props: { data: NodeData }) {
+  const { data } = props
+
   switch (data.Status) {
     case "NeedsLogin":
     case "NoState":
@@ -212,12 +185,11 @@ export function State({
                 .
               </p>
             </div>
-            <button
-              onClick={() => updateNode({ Reauthenticate: true })}
-              className="button button-blue w-full mb-4"
-            >
-              Reauthenticate
-            </button>
+            <a href="#" className="mb-4 js-loginButton" target="_blank">
+              <button className="button button-blue w-full">
+                Reauthenticate
+              </button>
+            </a>
           </>
         )
       } else {
@@ -238,12 +210,9 @@ export function State({
                 .
               </p>
             </div>
-            <button
-              onClick={() => updateNode({ Reauthenticate: true })}
-              className="button button-blue w-full mb-4"
-            >
-              Log In
-            </button>
+            <a href="#" className="mb-4 js-loginButton" target="_blank">
+              <button className="button button-blue w-full">Log In</button>
+            </a>
           </>
         )
       }
@@ -263,20 +232,25 @@ export function State({
               device name or IP address above.
             </p>
           </div>
-          <button
-            className={cx("button button-medium mb-4", {
-              "button-red": data.AdvertiseExitNode,
-              "button-blue": !data.AdvertiseExitNode,
-            })}
-            id="enabled"
-            onClick={() =>
-              updateNode({ AdvertiseExitNode: !data.AdvertiseExitNode })
-            }
-          >
-            {data.AdvertiseExitNode
-              ? "Stop advertising Exit Node"
-              : "Advertise as Exit Node"}
-          </button>
+          <div className="mb-4">
+            <a href="#" className="mb-4 js-advertiseExitNode">
+              {data.AdvertiseExitNode ? (
+                <button
+                  className="button button-red button-medium"
+                  id="enabled"
+                >
+                  Stop advertising Exit Node
+                </button>
+              ) : (
+                <button
+                  className="button button-blue button-medium"
+                  id="enabled"
+                >
+                  Advertise as Exit Node
+                </button>
+              )}
+            </a>
+          </div>
         </>
       )
   }

client/web/src/hooks/node-data.ts

@@ -1,5 +1,4 @@
-import { useCallback, useEffect, useState } from "react"
-import { apiFetch, setUnraidCsrfToken } from "src/api"
+import { useEffect, useState } from "react"
 
 export type NodeData = {
   Profile: UserProfile
@@ -23,93 +22,16 @@ export type UserProfile = {
   ProfilePicURL: string
 }
 
-export type NodeUpdate = {
-  AdvertiseRoutes?: string
-  AdvertiseExitNode?: boolean
-  Reauthenticate?: boolean
-  ForceLogout?: boolean
-}
-
 // useNodeData returns basic data about the current node.
 export default function useNodeData() {
   const [data, setData] = useState<NodeData>()
-  const [isPosting, setIsPosting] = useState<boolean>(false)
 
-  const refreshData = useCallback(
-    () =>
-      apiFetch("/data", "GET")
-        .then((r) => r.json())
-        .then((d: NodeData) => {
-          setData(d)
-          setUnraidCsrfToken(d.IsUnraid ? d.UnraidToken : undefined)
-        })
-        .catch((error) => console.error(error)),
-    [setData]
-  )
+  useEffect(() => {
+    fetch("/api/data")
+      .then((response) => response.json())
+      .then((json) => setData(json))
+      .catch((error) => console.error(error))
+  }, [])
 
-  const updateNode = useCallback(
-    (update: NodeUpdate) => {
-      // The contents of this function are mostly copied over
-      // from the legacy client's web.html file.
-      // It makes all data updates through one API endpoint.
-      // As we build out the web client in React,
-      // this endpoint will eventually be deprecated.
-
-      if (isPosting || !data) {
-        return
-      }
-      setIsPosting(true)
-
-      update = {
-        ...update,
-        // Default to current data value for any unset fields.
-        AdvertiseRoutes:
-          update.AdvertiseRoutes !== undefined
-            ? update.AdvertiseRoutes
-            : data.AdvertiseRoutes,
-        AdvertiseExitNode:
-          update.AdvertiseExitNode !== undefined
-            ? update.AdvertiseExitNode
-            : data.AdvertiseExitNode,
-      }
-
-      apiFetch("/data", "POST", update, { up: "true" })
-        .then((r) => r.json())
-        .then((r) => {
-          setIsPosting(false)
-          const err = r["error"]
-          if (err) {
-            throw new Error(err)
-          }
-          const url = r["url"]
-          if (url) {
-            window.open(url, "_blank")
-          }
-          refreshData()
-        })
-        .catch((err) => alert("Failed operation: " + err.message))
-    },
-    [data]
-  )
-
-  useEffect(
-    () => {
-      // Initial data load.
-      refreshData()
-
-      // Refresh on browser tab focus.
-      const onVisibilityChange = () => {
-        document.visibilityState === "visible" && refreshData()
-      }
-      window.addEventListener("visibilitychange", onVisibilityChange)
-      return () => {
-        // Cleanup browser tab listener.
-        window.removeEventListener("visibilitychange", onVisibilityChange)
-      }
-    },
-    // Run once.
-    []
-  )
-
-  return { data, refreshData, updateNode, isPosting }
+  return data
 }

client/web/src/index.tsx

@@ -2,10 +2,6 @@ import React from "react"
 import { createRoot } from "react-dom/client"
 import App from "src/components/app"
 
-declare var window: any
-// This is used to determine if the react client is built.
-window.Tailscale = true
-
 const rootEl = document.createElement("div")
 rootEl.id = "app-root"
 rootEl.classList.add("relative", "z-0")

client/web/synology.go

@@ -1,76 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// synology.go contains handlers and logic, such as authentication,
-// that is specific to running the web client on Synology.
-
-package web
-
-import (
-	"fmt"
-	"net/http"
-	"os/exec"
-	"strings"
-
-	"tailscale.com/util/groupmember"
-)
-
-// authorizeSynology authenticates the logged-in Synology user and verifies
-// that they are authorized to use the web client.  It returns true if the
-// request was handled and no further processing is required.
-func authorizeSynology(w http.ResponseWriter, r *http.Request) (handled bool) {
-	if synoTokenRedirect(w, r) {
-		return true
-	}
-
-	// authenticate the Synology user
-	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		http.Error(w, fmt.Sprintf("auth: %v: %s", err, out), http.StatusUnauthorized)
-		return true
-	}
-	user := strings.TrimSpace(string(out))
-
-	// check if the user is in the administrators group
-	isAdmin, err := groupmember.IsMemberOfGroup("administrators", user)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusForbidden)
-		return true
-	}
-	if !isAdmin {
-		http.Error(w, "not a member of administrators group", http.StatusForbidden)
-		return true
-	}
-
-	return false
-}
-
-func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
-	if r.Header.Get("X-Syno-Token") != "" {
-		return false
-	}
-	if r.URL.Query().Get("SynoToken") != "" {
-		return false
-	}
-	if r.Method == "POST" && r.FormValue("SynoToken") != "" {
-		return false
-	}
-	// We need a SynoToken for authenticate.cgi.
-	// So we tell the client to get one.
-	_, _ = fmt.Fprint(w, synoTokenRedirectHTML)
-	return true
-}
-
-const synoTokenRedirectHTML = `<html>
-Redirecting with session token...
-<script>
-  fetch("/webman/login.cgi")
-    .then(r => r.json())
-    .then(data => {
-	u = new URL(window.location)
-	u.searchParams.set("SynoToken", data.SynoToken)
-	document.location = u
-    })
-</script>
-`

client/web/vite.config.ts

@@ -20,7 +20,7 @@ filteringLogger.info = (...args) => {
 
 // https://vitejs.dev/config/
 export default defineConfig({
-  base: "./",
+  base: "/",
   plugins: [
     paths(),
     svgr(),

client/web/web.go

@@ -5,160 +5,317 @@
 package web
 
 import (
+	"bytes"
 	"context"
-	"crypto/rand"
+	"crypto/tls"
+	_ "embed"
 	"encoding/json"
+	"encoding/xml"
 	"fmt"
+	"html/template"
 	"io"
 	"log"
 	"net/http"
+	"net/http/httputil"
 	"net/netip"
+	"net/url"
 	"os"
-	"path/filepath"
-	"slices"
+	"os/exec"
 	"strings"
 
-	"github.com/gorilla/csrf"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/licenses"
 	"tailscale.com/net/netutil"
 	"tailscale.com/tailcfg"
+	"tailscale.com/util/groupmember"
 	"tailscale.com/util/httpm"
 	"tailscale.com/version/distro"
 )
 
+//go:embed web.html
+var webHTML string
+
+//go:embed web.css
+var webCSS string
+
+//go:embed auth-redirect.html
+var authenticationRedirectHTML string
+
+var tmpl *template.Template
+
 // Server is the backend server for a Tailscale web client.
 type Server struct {
 	lc *tailscale.LocalClient
 
-	devMode bool
-
-	cgiMode    bool
-	pathPrefix string
-
-	assetsHandler http.Handler // serves frontend assets
-	apiHandler    http.Handler // serves api endpoints; csrf-protected
-}
-
-// ServerOpts contains options for constructing a new Server.
-type ServerOpts struct {
-	DevMode bool
-
-	// CGIMode indicates if the server is running as a CGI script.
-	CGIMode bool
-
-	// PathPrefix is the URL prefix added to requests by CGI or reverse proxy.
-	PathPrefix string
-
-	// LocalClient is the tailscale.LocalClient to use for this web server.
-	// If nil, a new one will be created.
-	LocalClient *tailscale.LocalClient
+	devMode  bool
+	devProxy *httputil.ReverseProxy // only filled when devMode is on
 }
 
 // NewServer constructs a new Tailscale web client server.
-// The provided context should live for the duration of the Server's lifetime.
-func NewServer(ctx context.Context, opts ServerOpts) (s *Server, cleanup func()) {
-	if opts.LocalClient == nil {
-		opts.LocalClient = &tailscale.LocalClient{}
+//
+// lc is an optional parameter. When not filled, NewServer
+// initializes its own tailscale.LocalClient.
+func NewServer(devMode bool, lc *tailscale.LocalClient) (s *Server, cleanup func()) {
+	if lc == nil {
+		lc = &tailscale.LocalClient{}
 	}
 	s = &Server{
-		devMode:    opts.DevMode,
-		lc:         opts.LocalClient,
-		cgiMode:    opts.CGIMode,
-		pathPrefix: opts.PathPrefix,
+		devMode: devMode,
+		lc:      lc,
+	}
+	cleanup = func() {}
+	if s.devMode {
+		cleanup = s.startDevServer()
+		s.addProxyToDevServer()
 	}
-	s.assetsHandler, cleanup = assetsHandler(opts.DevMode)
-
-	// Create handler for "/api" requests with CSRF protection.
-	// We don't require secure cookies, since the web client is regularly used
-	// on network appliances that are served on local non-https URLs.
-	// The client is secured by limiting the interface it listens on,
-	// or by authenticating requests before they reach the web client.
-	csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
-	s.apiHandler = csrfProtect(http.HandlerFunc(s.serveAPI))
-
-	s.lc.IncrementCounter(context.Background(), "web_client_initialization", 1)
 	return s, cleanup
 }
 
-// ServeHTTP processes all requests for the Tailscale web client.
-func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	handler := s.serve
-
-	// if path prefix is defined, strip it from requests.
-	if s.pathPrefix != "" {
-		handler = enforcePrefix(s.pathPrefix, handler)
-	}
-
-	handler(w, r)
+func init() {
+	tmpl = template.Must(template.New("web.html").Parse(webHTML))
+	template.Must(tmpl.New("web.css").Parse(webCSS))
 }
 
-// authorize checks if the request is authorized to access the web client for those platforms that support it.
-func authorize(w http.ResponseWriter, r *http.Request) (handled bool) {
-	if strings.HasPrefix(r.URL.Path, "/assets/") {
-		// don't require authorization for static assets
-		return false
-	}
-
+// authorize returns the name of the user accessing the web UI after verifying
+// whether the user has access to the web UI. The function will write the
+// error to the provided http.ResponseWriter.
+// Note: This is different from a tailscale user, and is typically the local
+// user on the node.
+func authorize(w http.ResponseWriter, r *http.Request) (string, error) {
 	switch distro.Get() {
 	case distro.Synology:
-		return authorizeSynology(w, r)
+		user, err := synoAuthn()
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return "", err
+		}
+		if err := authorizeSynology(user); err != nil {
+			http.Error(w, err.Error(), http.StatusForbidden)
+			return "", err
+		}
+		return user, nil
 	case distro.QNAP:
-		return authorizeQNAP(w, r)
+		user, resp, err := qnapAuthn(r)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return "", err
+		}
+		if resp.IsAdmin == 0 {
+			http.Error(w, err.Error(), http.StatusForbidden)
+			return "", err
+		}
+		return user, nil
+	}
+	return "", nil
+}
+
+// authorizeSynology checks whether the provided user has access to the web UI
+// by consulting the membership of the "administrators" group.
+func authorizeSynology(name string) error {
+	yes, err := groupmember.IsMemberOfGroup("administrators", name)
+	if err != nil {
+		return err
+	}
+	if !yes {
+		return fmt.Errorf("not a member of administrators group")
+	}
+	return nil
+}
+
+type qnapAuthResponse struct {
+	AuthPassed int    `xml:"authPassed"`
+	IsAdmin    int    `xml:"isAdmin"`
+	AuthSID    string `xml:"authSid"`
+	ErrorValue int    `xml:"errorValue"`
+}
+
+func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
+	user, err := r.Cookie("NAS_USER")
+	if err != nil {
+		return "", nil, err
+	}
+	token, err := r.Cookie("qtoken")
+	if err == nil {
+		return qnapAuthnQtoken(r, user.Value, token.Value)
+	}
+	sid, err := r.Cookie("NAS_SID")
+	if err == nil {
+		return qnapAuthnSid(r, user.Value, sid.Value)
+	}
+	return "", nil, fmt.Errorf("not authenticated by any mechanism")
+}
+
+// qnapAuthnURL returns the auth URL to use by inferring where the UI is
+// running based on the request URL. This is necessary because QNAP has so
+// many options, see https://github.com/tailscale/tailscale/issues/7108
+// and https://github.com/tailscale/tailscale/issues/6903
+func qnapAuthnURL(requestUrl string, query url.Values) string {
+	in, err := url.Parse(requestUrl)
+	scheme := ""
+	host := ""
+	if err != nil || in.Scheme == "" {
+		log.Printf("Cannot parse QNAP login URL %v", err)
+
+		// try localhost and hope for the best
+		scheme = "http"
+		host = "localhost"
+	} else {
+		scheme = in.Scheme
+		host = in.Host
 	}
 
+	u := url.URL{
+		Scheme:   scheme,
+		Host:     host,
+		Path:     "/cgi-bin/authLogin.cgi",
+		RawQuery: query.Encode(),
+	}
+
+	return u.String()
+}
+
+func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
+	query := url.Values{
+		"qtoken": []string{token},
+		"user":   []string{user},
+	}
+	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
+}
+
+func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
+	query := url.Values{
+		"sid": []string{sid},
+	}
+	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
+}
+
+func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
+	// QNAP Force HTTPS mode uses a self-signed certificate. Even importing
+	// the QNAP root CA isn't enough, the cert doesn't have a usable CN nor
+	// SAN. See https://github.com/tailscale/tailscale/issues/6903
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	client := &http.Client{Transport: tr}
+	resp, err := client.Get(url)
+	if err != nil {
+		return "", nil, err
+	}
+	defer resp.Body.Close()
+	out, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", nil, err
+	}
+	authResp := &qnapAuthResponse{}
+	if err := xml.Unmarshal(out, authResp); err != nil {
+		return "", nil, err
+	}
+	if authResp.AuthPassed == 0 {
+		return "", nil, fmt.Errorf("not authenticated")
+	}
+	return user, authResp, nil
+}
+
+func synoAuthn() (string, error) {
+	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("auth: %v: %s", err, out)
+	}
+	return strings.TrimSpace(string(out)), nil
+}
+
+func authRedirect(w http.ResponseWriter, r *http.Request) bool {
+	if distro.Get() == distro.Synology {
+		return synoTokenRedirect(w, r)
+	}
 	return false
 }
 
-func (s *Server) serve(w http.ResponseWriter, r *http.Request) {
-	switch {
-	case authorize(w, r):
-		// Authenticate and authorize the request for platforms that support it.
-		// Return if the request was processed.
-		return
-	case strings.HasPrefix(r.URL.Path, "/api/"):
-		// Pass API requests through to the API handler.
-		s.apiHandler.ServeHTTP(w, r)
-		return
-	default:
-		if !s.devMode {
-			s.lc.IncrementCounter(context.Background(), "web_client_page_load", 1)
-		}
-		s.assetsHandler.ServeHTTP(w, r)
-		return
+func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
+	if r.Header.Get("X-Syno-Token") != "" {
+		return false
 	}
+	if r.URL.Query().Get("SynoToken") != "" {
+		return false
+	}
+	if r.Method == "POST" && r.FormValue("SynoToken") != "" {
+		return false
+	}
+	// We need a SynoToken for authenticate.cgi.
+	// So we tell the client to get one.
+	_, _ = fmt.Fprint(w, synoTokenRedirectHTML)
+	return true
 }
 
-// serveAPI serves requests for the web client api.
-// It should only be called by Server.ServeHTTP, via Server.apiHandler,
-// which protects the handler using gorilla csrf.
-func (s *Server) serveAPI(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("X-CSRF-Token", csrf.Token(r))
-	path := strings.TrimPrefix(r.URL.Path, "/api")
-	switch {
-	case path == "/data":
-		switch r.Method {
-		case httpm.GET:
-			s.serveGetNodeDataJSON(w, r)
-		case httpm.POST:
-			s.servePostNodeUpdate(w, r)
-		default:
-			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+const synoTokenRedirectHTML = `<html><body>
+Redirecting with session token...
+<script>
+var serverURL = window.location.protocol + "//" + window.location.host;
+var req = new XMLHttpRequest();
+req.overrideMimeType("application/json");
+req.open("GET", serverURL + "/webman/login.cgi", true);
+req.onload = function() {
+	var jsonResponse = JSON.parse(req.responseText);
+	var token = jsonResponse["SynoToken"];
+	document.location.href = serverURL + "/webman/3rdparty/Tailscale/?SynoToken=" + token;
+};
+req.send(null);
+</script>
+</body></html>
+`
+
+// ServeHTTP processes all requests for the Tailscale web client.
+func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if s.devMode {
+		if r.URL.Path == "/api/data" {
+			user, err := authorize(w, r)
+			if err != nil {
+				return
+			}
+			switch r.Method {
+			case httpm.GET:
+				s.serveGetNodeDataJSON(w, r, user)
+			case httpm.POST:
+				s.servePostNodeUpdate(w, r)
+			default:
+				http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+			}
+			return
 		}
-		return
-	case strings.HasPrefix(path, "/local/"):
-		s.proxyRequestToLocalAPI(w, r)
+		// When in dev mode, proxy to the Vite dev server.
+		s.devProxy.ServeHTTP(w, r)
+		return
+	}
+
+	if authRedirect(w, r) {
+		return
+	}
+
+	user, err := authorize(w, r)
+	if err != nil {
+		return
+	}
+
+	switch {
+	case r.URL.Path == "/redirect" || r.URL.Path == "/redirect/":
+		io.WriteString(w, authenticationRedirectHTML)
+		return
+	case r.Method == "POST":
+		s.servePostNodeUpdate(w, r)
+		return
+	default:
+		s.serveGetNodeData(w, r, user)
 		return
 	}
-	http.Error(w, "invalid endpoint", http.StatusNotFound)
 }
 
 type nodeData struct {
 	Profile           tailcfg.UserProfile
+	SynologyUser      string
 	Status            string
 	DeviceName        string
 	IP                string
@@ -173,7 +330,7 @@ type nodeData struct {
 	IPNVersion        string
 }
 
-func (s *Server) getNodeData(ctx context.Context) (*nodeData, error) {
+func (s *Server) getNodeData(ctx context.Context, user string) (*nodeData, error) {
 	st, err := s.lc.Status(ctx)
 	if err != nil {
 		return nil, err
@@ -186,16 +343,17 @@ func (s *Server) getNodeData(ctx context.Context) (*nodeData, error) {
 	deviceName := strings.Split(st.Self.DNSName, ".")[0]
 	versionShort := strings.Split(st.Version, "-")[0]
 	data := &nodeData{
-		Profile:     profile,
-		Status:      st.BackendState,
-		DeviceName:  deviceName,
-		LicensesURL: licenses.LicensesURL(),
-		TUNMode:     st.TUN,
-		IsSynology:  distro.Get() == distro.Synology || envknob.Bool("TS_FAKE_SYNOLOGY"),
-		DSMVersion:  distro.DSMVersion(),
-		IsUnraid:    distro.Get() == distro.Unraid,
-		UnraidToken: os.Getenv("UNRAID_CSRF_TOKEN"),
-		IPNVersion:  versionShort,
+		SynologyUser: user,
+		Profile:      profile,
+		Status:       st.BackendState,
+		DeviceName:   deviceName,
+		LicensesURL:  licenses.LicensesURL(),
+		TUNMode:      st.TUN,
+		IsSynology:   distro.Get() == distro.Synology || envknob.Bool("TS_FAKE_SYNOLOGY"),
+		DSMVersion:   distro.DSMVersion(),
+		IsUnraid:     distro.Get() == distro.Unraid,
+		UnraidToken:  os.Getenv("UNRAID_CSRF_TOKEN"),
+		IPNVersion:   versionShort,
 	}
 	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
 	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
@@ -215,8 +373,22 @@ func (s *Server) getNodeData(ctx context.Context) (*nodeData, error) {
 	return data, nil
 }
 
-func (s *Server) serveGetNodeDataJSON(w http.ResponseWriter, r *http.Request) {
-	data, err := s.getNodeData(r.Context())
+func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request, user string) {
+	data, err := s.getNodeData(r.Context(), user)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	buf := new(bytes.Buffer)
+	if err := tmpl.Execute(buf, *data); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.Write(buf.Bytes())
+}
+
+func (s *Server) serveGetNodeDataJSON(w http.ResponseWriter, r *http.Request, user string) {
+	data, err := s.getNodeData(r.Context(), user)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -226,6 +398,7 @@ func (s *Server) serveGetNodeDataJSON(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	w.Header().Set("Content-Type", "application/json")
+	return
 }
 
 type nodeUpdate struct {
@@ -293,6 +466,7 @@ func (s *Server) servePostNodeUpdate(w http.ResponseWriter, r *http.Request) {
 	} else {
 		io.WriteString(w, "{}")
 	}
+	return
 }
 
 func (s *Server) tailscaleUp(ctx context.Context, st *ipnstate.Status, postData nodeUpdate) (authURL string, retErr error) {
@@ -353,117 +527,3 @@ func (s *Server) tailscaleUp(ctx context.Context, st *ipnstate.Status, postData
 		}
 	}
 }
-
-// proxyRequestToLocalAPI proxies the web API request to the localapi.
-//
-// The web API request path is expected to exactly match a localapi path,
-// with prefix /api/local/ rather than /localapi/.
-//
-// If the localapi path is not included in localapiAllowlist,
-// the request is rejected.
-func (s *Server) proxyRequestToLocalAPI(w http.ResponseWriter, r *http.Request) {
-	path := strings.TrimPrefix(r.URL.Path, "/api/local")
-	if r.URL.Path == path { // missing prefix
-		http.Error(w, "invalid request", http.StatusBadRequest)
-		return
-	}
-	if !slices.Contains(localapiAllowlist, path) {
-		http.Error(w, fmt.Sprintf("%s not allowed from localapi proxy", path), http.StatusForbidden)
-		return
-	}
-
-	localAPIURL := "http://" + apitype.LocalAPIHost + "/localapi" + path
-	req, err := http.NewRequestWithContext(r.Context(), r.Method, localAPIURL, r.Body)
-	if err != nil {
-		http.Error(w, "failed to construct request", http.StatusInternalServerError)
-		return
-	}
-
-	// Make request to tailscaled localapi.
-	resp, err := s.lc.DoLocalRequest(req)
-	if err != nil {
-		http.Error(w, err.Error(), resp.StatusCode)
-		return
-	}
-	defer resp.Body.Close()
-
-	// Send response back to web frontend.
-	w.Header().Set("Content-Type", resp.Header.Get("Content-Type"))
-	w.WriteHeader(resp.StatusCode)
-	if _, err := io.Copy(w, resp.Body); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-	}
-}
-
-// localapiAllowlist is an allowlist of localapi endpoints the
-// web client is allowed to proxy to the client's localapi.
-//
-// Rather than exposing all localapi endpoints over the proxy,
-// this limits to just the ones actually used from the web
-// client frontend.
-//
-// TODO(sonia,will): Shouldn't expand this beyond the existing
-// localapi endpoints until the larger web client auth story
-// is worked out (tailscale/corp#14335).
-var localapiAllowlist = []string{
-	"/v0/logout",
-}
-
-// csrfKey returns a key that can be used for CSRF protection.
-// If an error occurs during key creation, the error is logged and the active process terminated.
-// If the server is running in CGI mode, the key is cached to disk and reused between requests.
-// If an error occurs during key storage, the error is logged and the active process terminated.
-func (s *Server) csrfKey() []byte {
-	csrfFile := filepath.Join(os.TempDir(), "tailscale-web-csrf.key")
-
-	// if running in CGI mode, try to read from disk, but ignore errors
-	if s.cgiMode {
-		key, _ := os.ReadFile(csrfFile)
-		if len(key) == 32 {
-			return key
-		}
-	}
-
-	// create a new key
-	key := make([]byte, 32)
-	if _, err := rand.Read(key); err != nil {
-		log.Fatalf("error generating CSRF key: %v", err)
-	}
-
-	// if running in CGI mode, try to write the newly created key to disk, and exit if it fails.
-	if s.cgiMode {
-		if err := os.WriteFile(csrfFile, key, 0600); err != nil {
-			log.Fatalf("unable to store CSRF key: %v", err)
-		}
-	}
-
-	return key
-}
-
-// enforcePrefix returns a HandlerFunc that enforces a given path prefix is used in requests,
-// then strips it before invoking h.
-// Unlike http.StripPrefix, it does not return a 404 if the prefix is not present.
-// Instead, it returns a redirect to the prefix path.
-func enforcePrefix(prefix string, h http.HandlerFunc) http.HandlerFunc {
-	if prefix == "" {
-		return h
-	}
-
-	// ensure that prefix always has both a leading and trailing slash so
-	// that relative links for JS and CSS assets work correctly.
-	if !strings.HasPrefix(prefix, "/") {
-		prefix = "/" + prefix
-	}
-	if !strings.HasSuffix(prefix, "/") {
-		prefix += "/"
-	}
-
-	return func(w http.ResponseWriter, r *http.Request) {
-		if !strings.HasPrefix(r.URL.Path, prefix) {
-			http.Redirect(w, r, prefix, http.StatusFound)
-			return
-		}
-		prefix = strings.TrimSuffix(prefix, "/")
-		http.StripPrefix(prefix, h).ServeHTTP(w, r)
-	}
-}

client/web/web.html

@@ -0,0 +1,210 @@
+<!doctype html>
+<html class="bg-gray-50">
+
+<head>
+	<meta charset="utf-8" />
+	<meta name="viewport" content="width=device-width, initial-scale=1" />
+	<link rel="shortcut icon"
+		href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAQAAADZc7J/AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAHdElNRQflAx4QGA4EvmzDAAAA30lEQVRIx2NgGAWMCKa8JKM4A8Ovt88ekyLCDGOoyDBJMjExMbFy8zF8/EKsCAMDE8yAPyIwFps48SJIBpAL4AZwvoSx/r0lXgQpDN58EWL5x/7/H+vL20+JFxluQKVe5b3Ke5V+0kQQCamfoYKBg4GDwUKI8d0BYkWQkrLKewYBKPPDHUFiRaiZkBgmwhj/F5IgggyUJ6i8V3mv0kCayDAAeEsklXqGAgYGhgV3CnGrwVciYSYk0kokhgS44/JxqqFpiYSZbEgskd4dEBRk1GD4wdB5twKXmlHAwMDAAACdEZau06NQUwAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMC0wNy0xNVQxNTo1Mzo0MCswMDowMCVXsDIAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjAtMDctMTVUMTU6NTM6NDArMDA6MDBUCgiOAAAAAElFTkSuQmCC" />
+	<title>Tailscale</title>
+	<style>{{template "web.css"}}</style>
+</head>
+
+<body class="py-14">
+<main class="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl" style="width: 95%">
+	<header class="flex justify-between items-center min-width-0 py-2 mb-8">
+		<svg width="26" height="26" viewBox="0 0 23 23" title="Tailscale" fill="none" xmlns="http://www.w3.org/2000/svg"
+			class="flex-shrink-0 mr-4">
+			<circle opacity="0.2" cx="3.4" cy="3.25" r="2.7" fill="currentColor"></circle>
+			<circle cx="3.4" cy="11.3" r="2.7" fill="currentColor"></circle>
+			<circle opacity="0.2" cx="3.4" cy="19.5" r="2.7" fill="currentColor"></circle>
+			<circle cx="11.5" cy="11.3" r="2.7" fill="currentColor"></circle>
+			<circle cx="11.5" cy="19.5" r="2.7" fill="currentColor"></circle>
+			<circle opacity="0.2" cx="11.5" cy="3.25" r="2.7" fill="currentColor"></circle>
+			<circle opacity="0.2" cx="19.5" cy="3.25" r="2.7" fill="currentColor"></circle>
+			<circle cx="19.5" cy="11.3" r="2.7" fill="currentColor"></circle>
+			<circle opacity="0.2" cx="19.5" cy="19.5" r="2.7" fill="currentColor"></circle>
+		</svg>
+		<div class="flex items-center justify-end space-x-2 w-2/3">
+			{{ with .Profile }}
+			<div class="text-right w-full leading-4">
+				<h4 class="truncate leading-normal">{{.LoginName}}</h4>
+				<div class="text-xs text-gray-500 text-right">
+					<a href="#" class="hover:text-gray-700 js-loginButton">Switch account</a> | <a href="#"
+						class="hover:text-gray-700 js-loginButton">Reauthenticate</a> | <a href="#"
+						class="hover:text-gray-700 js-logoutButton">Logout</a>
+				</div>
+			</div>
+			{{ end }}
+			<div class="relative flex-shrink-0 w-8 h-8 rounded-full overflow-hidden">
+				{{ with .Profile.ProfilePicURL }}
+				<div class="w-8 h-8 flex pointer-events-none rounded-full bg-gray-200"
+					style="background-image: url('{{.}}'); background-size: cover;"></div>
+				{{ else }}
+				<div class="w-8 h-8 flex pointer-events-none rounded-full border border-gray-400 border-dashed"></div>
+				{{ end }}
+			</div>
+		</div>
+	</header>
+	{{ if .IP }}
+	<div
+		class="border border-gray-200 bg-gray-0 rounded-md p-2 pl-3 pr-3 width-full flex items-center justify-between">
+		<div class="flex items-center min-width-0">
+			<svg class="flex-shrink-0 text-gray-600 mr-3 ml-1" xmlns="http://www.w3.org/2000/svg" width="20" height="20"
+				viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"
+				stroke-linejoin="round">
+				<rect x="2" y="2" width="20" height="8" rx="2" ry="2"></rect>
+				<rect x="2" y="14" width="20" height="8" rx="2" ry="2"></rect>
+				<line x1="6" y1="6" x2="6.01" y2="6"></line>
+				<line x1="6" y1="18" x2="6.01" y2="18"></line>
+			</svg>
+			<div>
+				<h4 class="font-semibold truncate mr-2">{{.DeviceName}}</h4>
+			</div>
+		</div>
+		<h5>{{.IP}}</h5>
+	</div>
+	<p class="mt-1 ml-1 mb-6 text-xs text-gray-600">
+		Debug info: Tailscale {{ .IPNVersion }}, tun={{.TUNMode}}{{ if .IsSynology }}, DSM{{ .DSMVersion}}
+			{{if not .TUNMode}}
+			(<a href="https://tailscale.com/kb/1152/synology-outbound/" class="link-underline text-gray-600" target="_blank"
+				aria-label="Configure outbound synology traffic"
+				rel="noopener noreferrer">outgoing access not configured</a>)
+			{{end}}
+		{{end}}
+	</p>
+	{{ end }}
+	{{ if or (eq .Status "NeedsLogin") (eq .Status "NoState") }}
+	{{ if .IP }}
+	<div class="mb-6">
+		<p class="text-gray-700">Your device's key has expired. Reauthenticate this device by logging in again, or <a
+				href="https://tailscale.com/kb/1028/key-expiry" class="link" target="_blank">learn more</a>.</p>
+	</div>
+	<a href="#" class="mb-4 js-loginButton" target="_blank">
+		<button class="button button-blue w-full">Reauthenticate</button>
+	</a>
+	{{ else }}
+	<div class="mb-6">
+		<h3 class="text-3xl font-semibold mb-3">Log in</h3>
+		<p class="text-gray-700">Get started by logging in to your Tailscale network. Or,&nbsp;learn&nbsp;more at <a
+				href="https://tailscale.com/" class="link" target="_blank">tailscale.com</a>.</p>
+	</div>
+	<a href="#" class="mb-4 js-loginButton" target="_blank">
+		<button class="button button-blue w-full">Log In</button>
+	</a>
+	{{ end }}
+	{{ else if eq .Status "NeedsMachineAuth" }}
+	<div class="mb-4">
+		This device is authorized, but needs approval from a network admin before it can connect to the network.
+	</div>
+	{{ else }}
+	<div class="mb-4">
+		<p>You are connected! Access this device over Tailscale using the device name or IP address above.</p>
+	</div>
+	<div class="mb-4">
+	<a href="#" class="mb-4 js-advertiseExitNode">
+		{{if .AdvertiseExitNode}}
+		<button class="button button-red button-medium" id="enabled">Stop advertising Exit Node</button>
+		{{else}}
+		<button class="button button-blue button-medium" id="enabled">Advertise as Exit Node</button>
+		{{end}}
+	</a>
+	</div>
+	{{ end }}
+</main>
+<footer class="container max-w-lg mx-auto text-center">
+	<a class="text-xs text-gray-500 hover:text-gray-600" href="{{ .LicensesURL }}">Open Source Licenses</a>
+</footer>
+<script>(function () {
+const advertiseExitNode = {{ .AdvertiseExitNode }};
+const isUnraid = {{ .IsUnraid }};
+const unraidCsrfToken = "{{ .UnraidToken }}";
+let fetchingUrl = false;
+var data = {
+	AdvertiseRoutes: "{{ .AdvertiseRoutes }}",
+	AdvertiseExitNode: advertiseExitNode,
+	Reauthenticate: false,
+	ForceLogout: false
+};
+
+function postData(e) {
+	e.preventDefault();
+
+	if (fetchingUrl) {
+		return;
+	}
+
+	fetchingUrl = true;
+	const urlParams = new URLSearchParams(window.location.search);
+	const token = urlParams.get("SynoToken");
+	const nextParams = new URLSearchParams({ up: true });
+	if (token) {
+		nextParams.set("SynoToken", token)
+	}
+	const nextUrl = new URL(window.location);
+	nextUrl.search = nextParams.toString()
+
+	let body = JSON.stringify(data);
+	let contentType = "application/json";
+
+	if (isUnraid) {
+		const params = new URLSearchParams();
+		params.append("csrf_token", unraidCsrfToken);
+		params.append("ts_data", JSON.stringify(data));
+
+		body = params.toString();
+		contentType = "application/x-www-form-urlencoded;charset=UTF-8";
+	}
+
+	const url = nextUrl.toString();
+	fetch(url, {
+		method: "POST",
+		headers: {
+			"Accept": "application/json",
+			"Content-Type": contentType,
+		},
+		body: body
+	}).then(res => res.json()).then(res => {
+		fetchingUrl = false;
+		const err = res["error"];
+		if (err) {
+			throw new Error(err);
+		}
+		const url = res["url"];
+		if (url) {
+			if(isUnraid) {
+				window.open(url, "_blank");
+			} else {
+				document.location.href = url;
+			}
+		} else {
+			location.reload();
+		}
+	}).catch(err => {
+		alert("Failed operation: " + err.message);
+	});
+}
+
+document.querySelectorAll(".js-loginButton").forEach(function (el){
+	el.addEventListener("click", function(e) {
+		data.Reauthenticate = true;
+		postData(e);
+	});
+})
+document.querySelectorAll(".js-logoutButton").forEach(function(el) {
+	el.addEventListener("click", function (e) {
+		data.ForceLogout = true;
+		postData(e);
+	});
+})
+document.querySelectorAll(".js-advertiseExitNode").forEach(function (el) {
+	el.addEventListener("click", function(e) {
+		data.AdvertiseExitNode = !advertiseExitNode;
+		postData(e);
+	});
+})
+
+})();</script>
+</body>
+
+</html>

client/web/web_test.go

@@ -4,16 +4,8 @@
 package web
 
 import (
-	"fmt"
-	"io"
-	"net/http"
-	"net/http/httptest"
 	"net/url"
-	"strings"
 	"testing"
-
-	"tailscale.com/client/tailscale"
-	"tailscale.com/net/memnet"
 )
 
 func TestQnapAuthnURL(t *testing.T) {
@@ -70,62 +62,3 @@ func TestQnapAuthnURL(t *testing.T) {
 		})
 	}
 }
-
-// TestServeAPI tests the web client api's handling of
-//  1. invalid endpoint errors
-//  2. localapi proxy allowlist
-func TestServeAPI(t *testing.T) {
-	lal := memnet.Listen("local-tailscaled.sock:80")
-	defer lal.Close()
-	// Serve dummy localapi. Just returns "success".
-	localapi := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprintf(w, "success")
-	})}
-	defer localapi.Close()
-
-	go localapi.Serve(lal)
-	s := &Server{lc: &tailscale.LocalClient{Dial: lal.Dial}}
-
-	tests := []struct {
-		name       string
-		reqPath    string
-		wantResp   string
-		wantStatus int
-	}{{
-		name:       "invalid_endpoint",
-		reqPath:    "/not-an-endpoint",
-		wantResp:   "invalid endpoint",
-		wantStatus: http.StatusNotFound,
-	}, {
-		name:       "not_in_localapi_allowlist",
-		reqPath:    "/local/v0/not-allowlisted",
-		wantResp:   "/v0/not-allowlisted not allowed from localapi proxy",
-		wantStatus: http.StatusForbidden,
-	}, {
-		name:       "in_localapi_allowlist",
-		reqPath:    "/local/v0/logout",
-		wantResp:   "success", // Successfully allowed to hit localapi.
-		wantStatus: http.StatusOK,
-	}}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			r := httptest.NewRequest("POST", "/api"+tt.reqPath, nil)
-			w := httptest.NewRecorder()
-
-			s.serveAPI(w, r)
-			res := w.Result()
-			defer res.Body.Close()
-			if gotStatus := res.StatusCode; tt.wantStatus != gotStatus {
-				t.Errorf("wrong status; want=%q, got=%q", tt.wantStatus, gotStatus)
-			}
-			body, err := io.ReadAll(res.Body)
-			if err != nil {
-				t.Fatal(err)
-			}
-			gotResp := strings.TrimSuffix(string(body), "\n") // trim trailing newline
-			if tt.wantResp != gotResp {
-				t.Errorf("wrong response; want=%q, got=%q", tt.wantResp, gotResp)
-			}
-		})
-	}
-}

client/web/yarn.lock

@@ -543,13 +543,6 @@
   resolved "https://registry.yarnpkg.com/@types/chai/-/chai-4.3.5.tgz#ae69bcbb1bebb68c4ac0b11e9d8ed04526b3562b"
   integrity sha512-mEo1sAde+UCE6b2hxn332f1g1E8WfYRu6p5SvTKr2ZKC1f7gFJXk4h5PyGP9Dt6gCaG8y8XhwnXWC6Iy2cmBng==
 
-"@types/classnames@^2.2.10":
-  version "2.3.1"
-  resolved "https://registry.yarnpkg.com/@types/classnames/-/classnames-2.3.1.tgz#3c2467aa0f1a93f1f021e3b9bcf938bd5dfdc0dd"
-  integrity sha512-zeOWb0JGBoVmlQoznvqXbE0tEC/HONsnoUNH19Hc96NFsTAwTXbTqb8FMYkru1F/iqp7a18Ws3nWJvtA1sHD1A==
-  dependencies:
-    classnames "*"
-
 "@types/estree@^1.0.0":
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/@types/estree/-/estree-1.0.1.tgz#aa22750962f3bf0e79d753d3cc067f010c95f194"
@@ -805,11 +798,6 @@ chokidar@^3.5.3:
   optionalDependencies:
     fsevents "~2.3.2"
 
-classnames@*, classnames@^2.3.1:
-  version "2.3.2"
-  resolved "https://registry.yarnpkg.com/classnames/-/classnames-2.3.2.tgz#351d813bf0137fcc6a76a16b88208d2560a0d924"
-  integrity sha512-CSbhY4cFEJRe6/GQzIk5qXZ4Jeg5pcsP7b5peFSDpffpe1cqjASH/n9UTjBwOp6XpMSTwQ8Za2K5V02ueA7Tmw==
-
 color-convert@^1.9.0:
   version "1.9.3"
   resolved "https://registry.yarnpkg.com/color-convert/-/color-convert-1.9.3.tgz#bb71850690e1f136567de629d2d5471deda4c1e8"

clientupdate/clientupdate.go

@@ -7,16 +7,15 @@
 package clientupdate
 
 import (
-	"archive/tar"
 	"bufio"
 	"bytes"
-	"compress/gzip"
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
-	"maps"
 	"net/http"
 	"os"
 	"os/exec"
@@ -26,10 +25,14 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/google/uuid"
-	"tailscale.com/clientupdate/distsign"
+	"tailscale.com/hostinfo"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/must"
 	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
@@ -60,8 +63,14 @@ func versionToTrack(v string) (string, error) {
 	return "unstable", nil
 }
 
-// Arguments contains arguments needed to run an update.
-type Arguments struct {
+type updater struct {
+	UpdateArgs
+	track  string
+	update func() error
+}
+
+// UpdateArgs contains arguments needed to run an update.
+type UpdateArgs struct {
 	// Version can be a specific version number or one of the predefined track
 	// constants:
 	//
@@ -73,7 +82,7 @@ type Arguments struct {
 	// Leaving this empty is the same as using CurrentTrack.
 	Version string
 	// AppStore forces a local app store check, even if the current binary was
-	// not installed via an app store. TODO(cpalmer): Remove this.
+	// not installed via an app store.
 	AppStore bool
 	// Logf is a logger for update progress messages.
 	Logf logger.Logf
@@ -81,36 +90,29 @@ type Arguments struct {
 	// if this new version should be installed. When Confirm returns false, the
 	// update is aborted.
 	Confirm func(newVer string) bool
-	// PkgsAddr is the address of the pkgs server to fetch updates from.
-	// Defaults to "https://pkgs.tailscale.com".
-	PkgsAddr string
 }
 
-func (args Arguments) validate() error {
+func (args UpdateArgs) validate() error {
 	if args.Confirm == nil {
-		return errors.New("missing Confirm callback in Arguments")
+		return errors.New("missing Confirm callback in UpdateArgs")
 	}
 	if args.Logf == nil {
-		return errors.New("missing Logf callback in Arguments")
+		return errors.New("missing Logf callback in UpdateArgs")
 	}
 	return nil
 }
 
-type Updater struct {
-	Arguments
-	track string
-	// Update is a platform-specific method that updates the installation. May be
-	// nil (not all platforms support updates from within Tailscale).
-	Update func() error
-}
-
-func NewUpdater(args Arguments) (*Updater, error) {
-	up := Updater{
-		Arguments: args,
+// Update runs a single update attempt using the platform-specific mechanism.
+//
+// On Windows, this copies the calling binary and re-executes it to apply the
+// update. The calling binary should handle an "update" subcommand and call
+// this function again for the re-executed binary to proceed.
+func Update(args UpdateArgs) error {
+	if err := args.validate(); err != nil {
+		return err
 	}
-	up.Update = up.getUpdateFunction()
-	if up.Update == nil {
-		return nil, errors.ErrUnsupported
+	up := &updater{
+		UpdateArgs: args,
 	}
 	switch up.Version {
 	case StableTrack, UnstableTrack:
@@ -125,82 +127,56 @@ func NewUpdater(args Arguments) (*Updater, error) {
 		var err error
 		up.track, err = versionToTrack(args.Version)
 		if err != nil {
-			return nil, err
+			return err
 		}
 	}
-	if up.Arguments.PkgsAddr == "" {
-		up.Arguments.PkgsAddr = "https://pkgs.tailscale.com"
-	}
-	return &up, nil
-}
-
-type updateFunction func() error
-
-func (up *Updater) getUpdateFunction() updateFunction {
 	switch runtime.GOOS {
 	case "windows":
-		return up.updateWindows
+		up.update = up.updateWindows
 	case "linux":
 		switch distro.Get() {
 		case distro.Synology:
-			return up.updateSynology
+			up.update = up.updateSynology
 		case distro.Debian: // includes Ubuntu
-			return up.updateDebLike
+			up.update = up.updateDebLike
 		case distro.Arch:
-			return up.updateArchLike
+			up.update = up.updateArchLike
 		case distro.Alpine:
-			return up.updateAlpineLike
+			up.update = up.updateAlpineLike
 		}
 		switch {
 		case haveExecutable("pacman"):
-			return up.updateArchLike
+			up.update = up.updateArchLike
 		case haveExecutable("apt-get"): // TODO(awly): add support for "apt"
 			// The distro.Debian switch case above should catch most apt-based
 			// systems, but add this fallback just in case.
-			return up.updateDebLike
+			up.update = up.updateDebLike
 		case haveExecutable("dnf"):
-			return up.updateFedoraLike("dnf")
+			up.update = up.updateFedoraLike("dnf")
 		case haveExecutable("yum"):
-			return up.updateFedoraLike("yum")
+			up.update = up.updateFedoraLike("yum")
 		case haveExecutable("apk"):
-			return up.updateAlpineLike
-		}
-		// If nothing matched, fall back to tarball updates.
-		if up.Update == nil {
-			return up.updateLinuxBinary
+			up.update = up.updateAlpineLike
 		}
 	case "darwin":
 		switch {
-		case !up.Arguments.AppStore && !version.IsSandboxedMacOS():
-			return nil
-		case !up.Arguments.AppStore && strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
-			return up.updateMacSys
+		case !args.AppStore && !version.IsSandboxedMacOS():
+			return errors.ErrUnsupported
+		case !args.AppStore && strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
+			up.update = up.updateMacSys
 		default:
-			return up.updateMacAppStore
+			up.update = up.updateMacAppStore
 		}
 	case "freebsd":
-		return up.updateFreeBSD
+		up.update = up.updateFreeBSD
 	}
-	return nil
+	if up.update == nil {
+		return errors.ErrUnsupported
+	}
+	return up.update()
 }
 
-// Update runs a single update attempt using the platform-specific mechanism.
-//
-// On Windows, this copies the calling binary and re-executes it to apply the
-// update. The calling binary should handle an "update" subcommand and call
-// this function again for the re-executed binary to proceed.
-func Update(args Arguments) error {
-	if err := args.validate(); err != nil {
-		return err
-	}
-	up, err := NewUpdater(args)
-	if err != nil {
-		return err
-	}
-	return up.Update()
-}
-
-func (up *Updater) confirm(ver string) bool {
+func (up *updater) confirm(ver string) bool {
 	if version.Short() == ver {
 		up.Logf("already running %v; no update needed", ver)
 		return false
@@ -211,17 +187,14 @@ func (up *Updater) confirm(ver string) bool {
 	return true
 }
 
-const synoinfoConfPath = "/etc/synoinfo.conf"
-
-func (up *Updater) updateSynology() error {
+func (up *updater) updateSynology() error {
 	if up.Version != "" {
 		return errors.New("installing a specific version on Synology is not supported")
 	}
 
 	// Get the latest version and list of SPKs from pkgs.tailscale.com.
-	dsmVersion := distro.DSMVersion()
-	osName := fmt.Sprintf("dsm%d", dsmVersion)
-	arch, err := synoArch(runtime.GOARCH, synoinfoConfPath)
+	osName := fmt.Sprintf("dsm%d", distro.DSMVersion())
+	arch, err := synoArch(hostinfo.New())
 	if err != nil {
 		return err
 	}
@@ -229,12 +202,15 @@ func (up *Updater) updateSynology() error {
 	if err != nil {
 		return err
 	}
+	if latest.Version == "" {
+		return fmt.Errorf("no latest version found for %q track", up.track)
+	}
 	spkName := latest.SPKs[osName][arch]
 	if spkName == "" {
 		return fmt.Errorf("cannot find Synology package for os=%s arch=%s, please report a bug with your device model", osName, arch)
 	}
 
-	if !up.confirm(latest.SPKsVersion) {
+	if !up.confirm(latest.Version) {
 		return nil
 	}
 	if err := requireRoot(); err != nil {
@@ -246,9 +222,10 @@ func (up *Updater) updateSynology() error {
 	if err != nil {
 		return err
 	}
-	pkgsPath := fmt.Sprintf("%s/%s", up.track, spkName)
-	spkPath := filepath.Join(spkDir, path.Base(pkgsPath))
-	if err := up.downloadURLToFile(pkgsPath, spkPath); err != nil {
+	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/%s", up.track, spkName)
+	spkPath := filepath.Join(spkDir, path.Base(url))
+	// TODO(awly): we should sign SPKs and validate signatures here too.
+	if err := up.downloadURLToFile(url, spkPath); err != nil {
 		return err
 	}
 
@@ -261,90 +238,59 @@ func (up *Updater) updateSynology() error {
 	// just spits out a JSON result when done.
 	out, err := cmd.CombinedOutput()
 	if err != nil {
-		if dsmVersion == 6 && bytes.Contains(out, []byte("error = [290]")) {
-			return fmt.Errorf("synopkg install failed: %w\noutput:\n%s\nplease make sure that packages from 'Any publisher' are allowed in the Package Center (Package Center -> Settings -> Trust Level -> Any publisher)", err, out)
-		}
 		return fmt.Errorf("synopkg install failed: %w\noutput:\n%s", err, out)
 	}
-	if dsmVersion == 6 {
-		// DSM6 does not automatically restart the package on install. Do it
-		// manually.
-		cmd := exec.Command("nohup", "synopkg", "start", "Tailscale")
-		out, err := cmd.CombinedOutput()
-		if err != nil {
-			return fmt.Errorf("synopkg start failed: %w\noutput:\n%s", err, out)
-		}
-	}
 	return nil
 }
 
 // synoArch returns the Synology CPU architecture matching one of the SPK
 // architectures served from pkgs.tailscale.com.
-func synoArch(goArch, synoinfoPath string) (string, error) {
+func synoArch(hinfo *tailcfg.Hostinfo) (string, error) {
 	// Most Synology boxes just use a different arch name from GOARCH.
 	arch := map[string]string{
 		"amd64": "x86_64",
 		"386":   "i686",
 		"arm64": "armv8",
-	}[goArch]
-
+	}[hinfo.GoArch]
+	// Here's the fun part, some older ARM boxes require you to use SPKs
+	// specifically for their CPU.
+	//
+	// See https://github.com/SynoCommunity/spksrc/wiki/Synology-and-SynoCommunity-Package-Architectures
+	// for a complete list. Here, we override GOARCH for those older boxes that
+	// support at least DSM6.
+	//
+	// This is an artisanal hand-crafted list based on the wiki page. Some
+	// values may be wrong, since we don't have all those devices to actually
+	// test with.
+	switch hinfo.DeviceModel {
+	case "DS213air", "DS213", "DS413j",
+		"DS112", "DS112+", "DS212", "DS212+", "RS212", "RS812", "DS212j", "DS112j",
+		"DS111", "DS211", "DS211+", "DS411slim", "DS411", "RS411", "DS211j", "DS411j":
+		arch = "88f6281"
+	case "NVR1218", "NVR216", "VS960HD", "VS360HD":
+		arch = "hi3535"
+	case "DS1517", "DS1817", "DS416", "DS2015xs", "DS715", "DS1515", "DS215+":
+		arch = "alpine"
+	case "DS216se", "DS115j", "DS114", "DS214se", "DS414slim", "RS214", "DS14", "EDS14", "DS213j":
+		arch = "armada370"
+	case "DS115", "DS215j":
+		arch = "armada375"
+	case "DS419slim", "DS218j", "RS217", "DS116", "DS216j", "DS216", "DS416slim", "RS816", "DS416j":
+		arch = "armada38x"
+	case "RS815", "DS214", "DS214+", "DS414", "RS814":
+		arch = "armadaxp"
+	case "DS414j":
+		arch = "comcerto2k"
+	case "DS216play":
+		arch = "monaco"
+	}
 	if arch == "" {
-		// Here's the fun part, some older ARM boxes require you to use SPKs
-		// specifically for their CPU. See
-		// https://github.com/SynoCommunity/spksrc/wiki/Synology-and-SynoCommunity-Package-Architectures
-		// for a complete list.
-		//
-		// Some CPUs will map to neither this list nor the goArch map above, and we
-		// don't have SPKs for them.
-		cpu, err := parseSynoinfo(synoinfoPath)
-		if err != nil {
-			return "", fmt.Errorf("failed to get CPU architecture: %w", err)
-		}
-		switch cpu {
-		case "88f6281", "88f6282", "hi3535", "alpine", "armada370",
-			"armada375", "armada38x", "armadaxp", "comcerto2k", "monaco":
-			arch = cpu
-		default:
-			return "", fmt.Errorf("unsupported Synology CPU architecture %q (Go arch %q), please report a bug at https://github.com/tailscale/tailscale/issues/new/choose", cpu, goArch)
-		}
+		return "", fmt.Errorf("cannot determine CPU architecture for Synology model %q (Go arch %q), please report a bug at https://github.com/tailscale/tailscale/issues/new/choose", hinfo.DeviceModel, hinfo.GoArch)
 	}
 	return arch, nil
 }
 
-func parseSynoinfo(path string) (string, error) {
-	f, err := os.Open(path)
-	if err != nil {
-		return "", err
-	}
-	defer f.Close()
-
-	// Look for a line like:
-	// unique="synology_88f6282_413j"
-	// Extract the CPU in the middle (88f6282 in the above example).
-	s := bufio.NewScanner(f)
-	for s.Scan() {
-		l := s.Text()
-		if !strings.HasPrefix(l, "unique=") {
-			continue
-		}
-		parts := strings.SplitN(l, "_", 3)
-		if len(parts) != 3 {
-			return "", fmt.Errorf(`malformed %q: found %q, expected format like 'unique="synology_$cpu_$model'`, path, l)
-		}
-		return parts[1], nil
-	}
-	return "", fmt.Errorf(`missing "unique=" field in %q`, path)
-}
-
-func (up *Updater) updateDebLike() error {
-	if err := requireRoot(); err != nil {
-		return err
-	}
-	if err := exec.Command("dpkg", "--status", "tailscale").Run(); err != nil && isExitError(err) {
-		// Tailscale was not installed via apt, update via tarball download
-		// instead.
-		return up.updateLinuxBinary()
-	}
+func (up *updater) updateDebLike() error {
 	ver, err := requestedTailscaleVersion(up.Version, up.track)
 	if err != nil {
 		return err
@@ -353,6 +299,10 @@ func (up *Updater) updateDebLike() error {
 		return nil
 	}
 
+	if err := requireRoot(); err != nil {
+		return err
+	}
+
 	if updated, err := updateDebianAptSourcesList(up.track); err != nil {
 		return err
 	} else if updated {
@@ -442,17 +392,61 @@ func updateDebianAptSourcesListBytes(was []byte, dstTrack string) (newContent []
 	return buf.Bytes(), nil
 }
 
-func (up *Updater) updateArchLike() error {
-	if err := exec.Command("pacman", "--query", "tailscale").Run(); err != nil && isExitError(err) {
-		// Tailscale was not installed via pacman, update via tarball download
-		// instead.
-		return up.updateLinuxBinary()
+func (up *updater) updateArchLike() (err error) {
+	if up.Version != "" {
+		return errors.New("installing a specific version on Arch-based distros is not supported")
 	}
-	// Arch maintainer asked us not to implement "tailscale update" or
-	// auto-updates on Arch-based distros:
-	// https://github.com/tailscale/tailscale/issues/6995#issuecomment-1687080106
-	return errors.New(`individual package updates are not supported on Arch-based distros, only full-system updates are: https://wiki.archlinux.org/title/System_maintenance#Partial_upgrades_are_unsupported.
-you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
+	if err := requireRoot(); err != nil {
+		return err
+	}
+
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf(`%w; you can try updating using "pacman --sync --refresh tailscale"`, err)
+		}
+	}()
+
+	out, err := exec.Command("pacman", "--sync", "--refresh", "--info", "tailscale").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed checking pacman for latest tailscale version: %w, output: %q", err, out)
+	}
+	ver, err := parsePacmanVersion(out)
+	if err != nil {
+		return err
+	}
+	if !up.confirm(ver) {
+		return nil
+	}
+
+	cmd := exec.Command("pacman", "--sync", "--noconfirm", "tailscale")
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed tailscale update using pacman: %w", err)
+	}
+	return nil
+}
+
+func parsePacmanVersion(out []byte) (string, error) {
+	for _, line := range strings.Split(string(out), "\n") {
+		// The line we're looking for looks like this:
+		// Version         : 1.44.2-1
+		if !strings.HasPrefix(line, "Version") {
+			continue
+		}
+		parts := strings.SplitN(line, ":", 2)
+		if len(parts) != 2 {
+			return "", fmt.Errorf("version output from pacman is malformed: %q, cannot determine upgrade version", line)
+		}
+		ver := strings.TrimSpace(parts[1])
+		// Trim the Arch patch version.
+		ver = strings.Split(ver, "-")[0]
+		if ver == "" {
+			return "", fmt.Errorf("version output from pacman is malformed: %q, cannot determine upgrade version", line)
+		}
+		return ver, nil
+	}
+	return "", fmt.Errorf("could not find latest version of tailscale via pacman")
 }
 
 const yumRepoConfigFile = "/etc/yum.repos.d/tailscale.repo"
@@ -460,16 +454,11 @@ const yumRepoConfigFile = "/etc/yum.repos.d/tailscale.repo"
 // updateFedoraLike updates tailscale on any distros in the Fedora family,
 // specifically anything that uses "dnf" or "yum" package managers. The actual
 // package manager is passed via packageManager.
-func (up *Updater) updateFedoraLike(packageManager string) func() error {
+func (up *updater) updateFedoraLike(packageManager string) func() error {
 	return func() (err error) {
 		if err := requireRoot(); err != nil {
 			return err
 		}
-		if err := exec.Command(packageManager, "info", "--installed", "tailscale").Run(); err != nil && isExitError(err) {
-			// Tailscale was not installed via yum/dnf, update via tarball
-			// download instead.
-			return up.updateLinuxBinary()
-		}
 		defer func() {
 			if err != nil {
 				err = fmt.Errorf(`%w; you can try updating using "%s upgrade tailscale"`, err, packageManager)
@@ -541,18 +530,13 @@ func updateYUMRepoTrack(repoFile, dstTrack string) (rewrote bool, err error) {
 	return true, os.WriteFile(repoFile, newContent.Bytes(), 0644)
 }
 
-func (up *Updater) updateAlpineLike() (err error) {
+func (up *updater) updateAlpineLike() (err error) {
 	if up.Version != "" {
 		return errors.New("installing a specific version on Alpine-based distros is not supported")
 	}
 	if err := requireRoot(); err != nil {
 		return err
 	}
-	if err := exec.Command("apk", "info", "--installed", "tailscale").Run(); err != nil && isExitError(err) {
-		// Tailscale was not installed via apk, update via tarball download
-		// instead.
-		return up.updateLinuxBinary()
-	}
 
 	defer func() {
 		if err != nil {
@@ -603,11 +587,11 @@ func parseAlpinePackageVersion(out []byte) (string, error) {
 	return "", errors.New("tailscale version not found in output")
 }
 
-func (up *Updater) updateMacSys() error {
+func (up *updater) updateMacSys() error {
 	return errors.New("NOTREACHED: On MacSys builds, `tailscale update` is handled in Swift to launch the GUI updater")
 }
 
-func (up *Updater) updateMacAppStore() error {
+func (up *updater) updateMacAppStore() error {
 	out, err := exec.Command("defaults", "read", "/Library/Preferences/com.apple.commerce.plist", "AutoUpdate").CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("can't check App Store auto-update setting: %w, output: %q", err, string(out))
@@ -668,7 +652,7 @@ var (
 	markTempFileFunc   func(string) error // or nil on non-Windows
 )
 
-func (up *Updater) updateWindows() error {
+func (up *updater) updateWindows() error {
 	if msi := os.Getenv(winMSIEnv); msi != "" {
 		up.Logf("installing %v ...", msi)
 		if err := up.installMSI(msi); err != nil {
@@ -704,9 +688,9 @@ func (up *Updater) updateWindows() error {
 	if err := os.MkdirAll(msiDir, 0700); err != nil {
 		return err
 	}
-	pkgsPath := fmt.Sprintf("%s/tailscale-setup-%s-%s.msi", up.track, ver, arch)
-	msiTarget := filepath.Join(msiDir, path.Base(pkgsPath))
-	if err := up.downloadURLToFile(pkgsPath, msiTarget); err != nil {
+	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", up.track, ver, arch)
+	msiTarget := filepath.Join(msiDir, path.Base(url))
+	if err := up.downloadURLToFile(url, msiTarget); err != nil {
 		return err
 	}
 
@@ -738,7 +722,7 @@ func (up *Updater) updateWindows() error {
 	panic("unreachable")
 }
 
-func (up *Updater) installMSI(msi string) error {
+func (up *updater) installMSI(msi string) error {
 	var err error
 	for tries := 0; tries < 2; tries++ {
 		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/promptrestart", "/qn")
@@ -805,26 +789,115 @@ func makeSelfCopy() (tmpPathExe string, err error) {
 	return f2.Name(), f2.Close()
 }
 
-func (up *Updater) downloadURLToFile(pathSrc, fileDst string) (ret error) {
-	c, err := distsign.NewClient(up.Logf, up.PkgsAddr)
+func (up *updater) downloadURLToFile(urlSrc, fileDst string) (ret error) {
+	tr := http.DefaultTransport.(*http.Transport).Clone()
+	tr.Proxy = tshttpproxy.ProxyFromEnvironment
+	defer tr.CloseIdleConnections()
+	c := &http.Client{Transport: tr}
+
+	quickCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+	headReq := must.Get(http.NewRequestWithContext(quickCtx, "HEAD", urlSrc, nil))
+
+	res, err := c.Do(headReq)
 	if err != nil {
 		return err
 	}
-	return c.Download(context.Background(), pathSrc, fileDst)
+	if res.StatusCode != http.StatusOK {
+		return fmt.Errorf("HEAD %s: %v", urlSrc, res.Status)
+	}
+	if res.ContentLength <= 0 {
+		return fmt.Errorf("HEAD %s: unexpected Content-Length %v", urlSrc, res.ContentLength)
+	}
+	up.Logf("Download size: %v", res.ContentLength)
+
+	hashReq := must.Get(http.NewRequestWithContext(quickCtx, "GET", urlSrc+".sha256", nil))
+	hashRes, err := c.Do(hashReq)
+	if err != nil {
+		return err
+	}
+	hashHex, err := io.ReadAll(io.LimitReader(hashRes.Body, 100))
+	hashRes.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		return fmt.Errorf("GET %s.sha256: %v", urlSrc, res.Status)
+	}
+	if err != nil {
+		return err
+	}
+	wantHash, err := hex.DecodeString(string(strings.TrimSpace(string(hashHex))))
+	if err != nil {
+		return err
+	}
+	hash := sha256.New()
+
+	dlReq := must.Get(http.NewRequestWithContext(context.Background(), "GET", urlSrc, nil))
+	dlRes, err := c.Do(dlReq)
+	if err != nil {
+		return err
+	}
+	// TODO(bradfitz): resume from existing partial file on disk
+	if dlRes.StatusCode != http.StatusOK {
+		return fmt.Errorf("GET %s: %v", urlSrc, dlRes.Status)
+	}
+
+	of, err := os.Create(fileDst)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if ret != nil {
+			of.Close()
+			// TODO(bradfitz): os.Remove(fileDst) too? or keep it to resume from/debug later.
+		}
+	}()
+	pw := &progressWriter{total: res.ContentLength, logf: up.Logf}
+	n, err := io.Copy(io.MultiWriter(hash, of, pw), io.LimitReader(dlRes.Body, res.ContentLength))
+	if err != nil {
+		return err
+	}
+	if n != res.ContentLength {
+		return fmt.Errorf("downloaded %v; want %v", n, res.ContentLength)
+	}
+	if err := of.Close(); err != nil {
+		return err
+	}
+	pw.print()
+
+	if !bytes.Equal(hash.Sum(nil), wantHash) {
+		return fmt.Errorf("SHA-256 of downloaded MSI didn't match expected value")
+	}
+	up.Logf("hash matched")
+
+	return nil
 }
 
-func (up *Updater) updateFreeBSD() (err error) {
+type progressWriter struct {
+	done      int64
+	total     int64
+	lastPrint time.Time
+	logf      logger.Logf
+}
+
+func (pw *progressWriter) Write(p []byte) (n int, err error) {
+	pw.done += int64(len(p))
+	if time.Since(pw.lastPrint) > 2*time.Second {
+		pw.print()
+	}
+	return len(p), nil
+}
+
+func (pw *progressWriter) print() {
+	pw.lastPrint = time.Now()
+	pw.logf("Downloaded %v/%v (%.1f%%)", pw.done, pw.total, float64(pw.done)/float64(pw.total)*100)
+}
+
+func (up *updater) updateFreeBSD() (err error) {
 	if up.Version != "" {
 		return errors.New("installing a specific version on FreeBSD is not supported")
 	}
 	if err := requireRoot(); err != nil {
 		return err
 	}
-	if err := exec.Command("pkg", "query", "%n", "tailscale").Run(); err != nil && isExitError(err) {
-		// Tailscale was not installed via pkg and we don't pre-compile
-		// binaries for it.
-		return errors.New("Tailscale was not installed via pkg, binary updates on FreeBSD are not supported; please reinstall Tailscale using pkg or update manually")
-	}
 
 	defer func() {
 		if err != nil {
@@ -854,165 +927,6 @@ func (up *Updater) updateFreeBSD() (err error) {
 	return nil
 }
 
-func (up *Updater) updateLinuxBinary() error {
-	ver, err := requestedTailscaleVersion(up.Version, up.track)
-	if err != nil {
-		return err
-	}
-	if !up.confirm(ver) {
-		return nil
-	}
-	// Root is needed to overwrite binaries and restart systemd unit.
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	dlPath, err := up.downloadLinuxTarball(ver)
-	if err != nil {
-		return err
-	}
-	up.Logf("Extracting %q", dlPath)
-	if err := up.unpackLinuxTarball(dlPath); err != nil {
-		return err
-	}
-	if err := os.Remove(dlPath); err != nil {
-		up.Logf("failed to clean up %q: %v", dlPath, err)
-	}
-	if err := restartSystemdUnit(context.Background()); err != nil {
-		if errors.Is(err, errors.ErrUnsupported) {
-			up.Logf("Tailscale binaries updated successfully.\nPlease restart tailscaled to finish the update.")
-		} else {
-			up.Logf("Tailscale binaries updated successfully, but failed to restart tailscaled: %s.\nPlease restart tailscaled to finish the update.", err)
-		}
-	} else {
-		up.Logf("Success")
-	}
-
-	return nil
-}
-
-func (up *Updater) downloadLinuxTarball(ver string) (string, error) {
-	dlDir, err := os.UserCacheDir()
-	if err != nil {
-		return "", err
-	}
-	dlDir = filepath.Join(dlDir, "tailscale-update")
-	if err := os.MkdirAll(dlDir, 0700); err != nil {
-		return "", err
-	}
-	pkgsPath := fmt.Sprintf("%s/tailscale_%s_%s.tgz", up.track, ver, runtime.GOARCH)
-	dlPath := filepath.Join(dlDir, path.Base(pkgsPath))
-	if err := up.downloadURLToFile(pkgsPath, dlPath); err != nil {
-		return "", err
-	}
-	return dlPath, nil
-}
-
-func (up *Updater) unpackLinuxTarball(path string) error {
-	tailscale, tailscaled, err := binaryPaths()
-	if err != nil {
-		return err
-	}
-	f, err := os.Open(path)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	gr, err := gzip.NewReader(f)
-	if err != nil {
-		return err
-	}
-	defer gr.Close()
-	tr := tar.NewReader(gr)
-	files := make(map[string]int)
-	wantFiles := map[string]int{
-		"tailscale":  1,
-		"tailscaled": 1,
-	}
-	for {
-		th, err := tr.Next()
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return fmt.Errorf("failed extracting %q: %w", path, err)
-		}
-		// TODO(awly): try to also extract tailscaled.service. The tricky part
-		// is fixing up binary paths in that file if they differ from where
-		// local tailscale/tailscaled are installed. Also, this may not be a
-		// systemd distro.
-		switch filepath.Base(th.Name) {
-		case "tailscale":
-			files["tailscale"]++
-			if err := writeFile(tr, tailscale+".new", 0755); err != nil {
-				return fmt.Errorf("failed extracting the new tailscale binary from %q: %w", path, err)
-			}
-		case "tailscaled":
-			files["tailscaled"]++
-			if err := writeFile(tr, tailscaled+".new", 0755); err != nil {
-				return fmt.Errorf("failed extracting the new tailscaled binary from %q: %w", path, err)
-			}
-		}
-	}
-	if !maps.Equal(files, wantFiles) {
-		return fmt.Errorf("%q has missing or duplicate files: got %v, want %v", path, files, wantFiles)
-	}
-
-	// Only place the files in final locations after everything extracted correctly.
-	if err := os.Rename(tailscale+".new", tailscale); err != nil {
-		return err
-	}
-	up.Logf("Updated %s", tailscale)
-	if err := os.Rename(tailscaled+".new", tailscaled); err != nil {
-		return err
-	}
-	up.Logf("Updated %s", tailscaled)
-	return nil
-}
-
-func writeFile(r io.Reader, path string, perm os.FileMode) error {
-	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
-		return fmt.Errorf("failed to remove existing file at %q: %w", path, err)
-	}
-	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	if _, err := io.Copy(f, r); err != nil {
-		return err
-	}
-	return f.Close()
-}
-
-// Var allows overriding this in tests.
-var binaryPaths = func() (tailscale, tailscaled string, err error) {
-	// This can be either tailscale or tailscaled.
-	this, err := os.Executable()
-	if err != nil {
-		return "", "", err
-	}
-	otherName := "tailscaled"
-	if filepath.Base(this) == "tailscaled" {
-		otherName = "tailscale"
-	}
-	// Try to find the other binary in the same directory.
-	other := filepath.Join(filepath.Dir(this), otherName)
-	_, err = os.Stat(other)
-	if os.IsNotExist(err) {
-		// If it's not in the same directory, try to find it in $PATH.
-		other, err = exec.LookPath(otherName)
-	}
-	if err != nil {
-		return "", "", fmt.Errorf("cannot find %q in neither %q nor $PATH: %w", otherName, filepath.Dir(this), err)
-	}
-	if otherName == "tailscaled" {
-		return this, other, nil
-	} else {
-		return other, this, nil
-	}
-}
-
 func haveExecutable(name string) bool {
 	path, err := exec.LookPath(name)
 	return err == nil && path != ""
@@ -1047,17 +961,12 @@ func LatestTailscaleVersion(track string) (string, error) {
 }
 
 type trackPackages struct {
-	Version         string
-	Tarballs        map[string]string
-	TarballsVersion string
-	Exes            []string
-	ExesVersion     string
-	MSIs            map[string]string
-	MSIsVersion     string
-	MacZips         map[string]string
-	MacZipsVersion  string
-	SPKs            map[string]map[string]string
-	SPKsVersion     string
+	Version  string
+	Tarballs map[string]string
+	Exes     []string
+	MSIs     map[string]string
+	MacZips  map[string]string
+	SPKs     map[string]map[string]string
 }
 
 func latestPackages(track string) (*trackPackages, error) {
@@ -1087,8 +996,3 @@ func requireRoot() error {
 		return errors.New("must be root")
 	}
 }
-
-func isExitError(err error) bool {
-	var exitErr *exec.ExitError
-	return errors.As(err, &exitErr)
-}

clientupdate/clientupdate_test.go

@@ -4,15 +4,12 @@
 package clientupdate
 
 import (
-	"archive/tar"
-	"compress/gzip"
 	"fmt"
-	"io/fs"
-	"maps"
 	"os"
 	"path/filepath"
-	"strings"
 	"testing"
+
+	"tailscale.com/tailcfg"
 )
 
 func TestUpdateDebianAptSourcesListBytes(t *testing.T) {
@@ -162,6 +159,108 @@ func TestParseSoftwareupdateList(t *testing.T) {
 	}
 }
 
+func TestParsePacmanVersion(t *testing.T) {
+	tests := []struct {
+		desc    string
+		out     string
+		want    string
+		wantErr bool
+	}{
+		{
+			desc: "valid version",
+			out: `
+:: Synchronizing package databases...
+ endeavouros is up to date
+ core is up to date
+ extra is up to date
+ multilib is up to date
+Repository      : extra
+Name            : tailscale
+Version         : 1.44.2-1
+Description     : A mesh VPN that makes it easy to connect your devices, wherever they are.
+Architecture    : x86_64
+URL             : https://tailscale.com
+Licenses        : MIT
+Groups          : None
+Provides        : None
+Depends On      : glibc
+Optional Deps   : None
+Conflicts With  : None
+Replaces        : None
+Download Size   : 7.98 MiB
+Installed Size  : 32.47 MiB
+Packager        : Christian Heusel <gromit@archlinux.org>
+Build Date      : Tue 18 Jul 2023 12:28:37 PM PDT
+Validated By    : MD5 Sum  SHA-256 Sum  Signature
+`,
+			want: "1.44.2",
+		},
+		{
+			desc: "version without Arch patch number",
+			out: `
+... snip ...
+Name            : tailscale
+Version         : 1.44.2
+Description     : A mesh VPN that makes it easy to connect your devices, wherever they are.
+... snip ...
+`,
+			want: "1.44.2",
+		},
+		{
+			desc: "missing version",
+			out: `
+... snip ...
+Name            : tailscale
+Description     : A mesh VPN that makes it easy to connect your devices, wherever they are.
+... snip ...
+`,
+			wantErr: true,
+		},
+		{
+			desc: "empty version",
+			out: `
+... snip ...
+Name            : tailscale
+Version         :
+Description     : A mesh VPN that makes it easy to connect your devices, wherever they are.
+... snip ...
+`,
+			wantErr: true,
+		},
+		{
+			desc:    "empty input",
+			out:     "",
+			wantErr: true,
+		},
+		{
+			desc: "sneaky version in description",
+			out: `
+... snip ...
+Name            : tailscale
+Description     : A mesh VPN that makes it easy to connect your devices, wherever they are. Version : 1.2.3
+Version         : 1.44.2
+... snip ...
+`,
+			want: "1.44.2",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.desc, func(t *testing.T) {
+			got, err := parsePacmanVersion([]byte(tt.out))
+			if err == nil && tt.wantErr {
+				t.Fatalf("got nil error and version %q, want non-nil error", got)
+			}
+			if err != nil && !tt.wantErr {
+				t.Fatalf("got error: %q, want nil", err)
+			}
+			if got != tt.want {
+				t.Fatalf("got version: %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
 func TestUpdateYUMRepoTrack(t *testing.T) {
 	tests := []struct {
 		desc    string
@@ -347,151 +446,29 @@ tailscale installed size:
 
 func TestSynoArch(t *testing.T) {
 	tests := []struct {
-		goarch         string
-		synoinfoUnique string
-		want           string
-		wantErr        bool
-	}{
-		{goarch: "amd64", synoinfoUnique: "synology_x86_224", want: "x86_64"},
-		{goarch: "arm64", synoinfoUnique: "synology_armv8_124", want: "armv8"},
-		{goarch: "386", synoinfoUnique: "synology_i686_415play", want: "i686"},
-		{goarch: "arm", synoinfoUnique: "synology_88f6281_213air", want: "88f6281"},
-		{goarch: "arm", synoinfoUnique: "synology_88f6282_413j", want: "88f6282"},
-		{goarch: "arm", synoinfoUnique: "synology_hi3535_NVR1218", want: "hi3535"},
-		{goarch: "arm", synoinfoUnique: "synology_alpine_1517", want: "alpine"},
-		{goarch: "arm", synoinfoUnique: "synology_armada370_216se", want: "armada370"},
-		{goarch: "arm", synoinfoUnique: "synology_armada375_115", want: "armada375"},
-		{goarch: "arm", synoinfoUnique: "synology_armada38x_419slim", want: "armada38x"},
-		{goarch: "arm", synoinfoUnique: "synology_armadaxp_RS815", want: "armadaxp"},
-		{goarch: "arm", synoinfoUnique: "synology_comcerto2k_414j", want: "comcerto2k"},
-		{goarch: "arm", synoinfoUnique: "synology_monaco_216play", want: "monaco"},
-		{goarch: "ppc64", synoinfoUnique: "synology_qoriq_413", wantErr: true},
-	}
-
-	for _, tt := range tests {
-		t.Run(fmt.Sprintf("%s-%s", tt.goarch, tt.synoinfoUnique), func(t *testing.T) {
-			synoinfoConfPath := filepath.Join(t.TempDir(), "synoinfo.conf")
-			if err := os.WriteFile(
-				synoinfoConfPath,
-				[]byte(fmt.Sprintf("unique=%q\n", tt.synoinfoUnique)),
-				0600,
-			); err != nil {
-				t.Fatal(err)
-			}
-			got, err := synoArch(tt.goarch, synoinfoConfPath)
-			if err != nil {
-				if !tt.wantErr {
-					t.Fatalf("got unexpected error %v", err)
-				}
-				return
-			}
-			if tt.wantErr {
-				t.Fatalf("got %q, expected an error", got)
-			}
-			if got != tt.want {
-				t.Errorf("got %q, want %q", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestParseSynoinfo(t *testing.T) {
-	tests := []struct {
-		desc    string
-		content string
+		goarch  string
+		model   string
 		want    string
 		wantErr bool
 	}{
-		{
-			desc: "double-quoted",
-			content: `
-company_title="Synology"
-unique="synology_88f6281_213air"
-`,
-			want: "88f6281",
-		},
-		{
-			desc: "single-quoted",
-			content: `
-company_title="Synology"
-unique='synology_88f6281_213air'
-`,
-			want: "88f6281",
-		},
-		{
-			desc: "unquoted",
-			content: `
-company_title="Synology"
-unique=synology_88f6281_213air
-`,
-			want: "88f6281",
-		},
-		{
-			desc: "missing unique",
-			content: `
-company_title="Synology"
-`,
-			wantErr: true,
-		},
-		{
-			desc: "empty unique",
-			content: `
-company_title="Synology"
-unique=
-`,
-			wantErr: true,
-		},
-		{
-			desc: "empty unique double-quoted",
-			content: `
-company_title="Synology"
-unique=""
-`,
-			wantErr: true,
-		},
-		{
-			desc: "empty unique single-quoted",
-			content: `
-company_title="Synology"
-unique=''
-`,
-			wantErr: true,
-		},
-		{
-			desc: "malformed unique",
-			content: `
-company_title="Synology"
-unique="synology_88f6281"
-`,
-			wantErr: true,
-		},
-		{
-			desc:    "empty file",
-			content: ``,
-			wantErr: true,
-		},
-		{
-			desc: "empty lines and comments",
-			content: `
-
-# In a file named synoinfo? Shocking!
-company_title="Synology"
-
-
-# unique= is_a_field_that_follows
-unique="synology_88f6281_213air"
-
-`,
-			want: "88f6281",
-		},
+		{goarch: "amd64", model: "DS224+", want: "x86_64"},
+		{goarch: "arm64", model: "DS124", want: "armv8"},
+		{goarch: "386", model: "DS415play", want: "i686"},
+		{goarch: "arm", model: "DS213air", want: "88f6281"},
+		{goarch: "arm", model: "NVR1218", want: "hi3535"},
+		{goarch: "arm", model: "DS1517", want: "alpine"},
+		{goarch: "arm", model: "DS216se", want: "armada370"},
+		{goarch: "arm", model: "DS115", want: "armada375"},
+		{goarch: "arm", model: "DS419slim", want: "armada38x"},
+		{goarch: "arm", model: "RS815", want: "armadaxp"},
+		{goarch: "arm", model: "DS414j", want: "comcerto2k"},
+		{goarch: "arm", model: "DS216play", want: "monaco"},
+		{goarch: "riscv64", model: "DS999", wantErr: true},
 	}
+
 	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			synoinfoConfPath := filepath.Join(t.TempDir(), "synoinfo.conf")
-			if err := os.WriteFile(synoinfoConfPath, []byte(tt.content), 0600); err != nil {
-				t.Fatal(err)
-			}
-			got, err := parseSynoinfo(synoinfoConfPath)
+		t.Run(fmt.Sprintf("%s-%s", tt.goarch, tt.model), func(t *testing.T) {
+			got, err := synoArch(&tailcfg.Hostinfo{GoArch: tt.goarch, DeviceModel: tt.model})
 			if err != nil {
 				if !tt.wantErr {
 					t.Fatalf("got unexpected error %v", err)
@@ -507,257 +484,3 @@ unique="synology_88f6281_213air"
 		})
 	}
 }
-
-func TestUnpackLinuxTarball(t *testing.T) {
-	oldBinaryPaths := binaryPaths
-	t.Cleanup(func() { binaryPaths = oldBinaryPaths })
-
-	tests := []struct {
-		desc    string
-		tarball map[string]string
-		before  map[string]string
-		after   map[string]string
-		wantErr bool
-	}{
-		{
-			desc: "success",
-			before: map[string]string{
-				"tailscale":  "v1",
-				"tailscaled": "v1",
-			},
-			tarball: map[string]string{
-				"/usr/bin/tailscale":  "v2",
-				"/usr/bin/tailscaled": "v2",
-			},
-			after: map[string]string{
-				"tailscale":  "v2",
-				"tailscaled": "v2",
-			},
-		},
-		{
-			desc: "don't touch unrelated files",
-			before: map[string]string{
-				"tailscale":  "v1",
-				"tailscaled": "v1",
-				"foo":        "bar",
-			},
-			tarball: map[string]string{
-				"/usr/bin/tailscale":  "v2",
-				"/usr/bin/tailscaled": "v2",
-			},
-			after: map[string]string{
-				"tailscale":  "v2",
-				"tailscaled": "v2",
-				"foo":        "bar",
-			},
-		},
-		{
-			desc: "unmodified",
-			before: map[string]string{
-				"tailscale":  "v1",
-				"tailscaled": "v1",
-			},
-			tarball: map[string]string{
-				"/usr/bin/tailscale":  "v1",
-				"/usr/bin/tailscaled": "v1",
-			},
-			after: map[string]string{
-				"tailscale":  "v1",
-				"tailscaled": "v1",
-			},
-		},
-		{
-			desc: "ignore extra tarball files",
-			before: map[string]string{
-				"tailscale":  "v1",
-				"tailscaled": "v1",
-			},
-			tarball: map[string]string{
-				"/usr/bin/tailscale":          "v2",
-				"/usr/bin/tailscaled":         "v2",
-				"/systemd/tailscaled.service": "v2",
-			},
-			after: map[string]string{
-				"tailscale":  "v2",
-				"tailscaled": "v2",
-			},
-		},
-		{
-			desc: "tarball missing tailscaled",
-			before: map[string]string{
-				"tailscale":  "v1",
-				"tailscaled": "v1",
-			},
-			tarball: map[string]string{
-				"/usr/bin/tailscale": "v2",
-			},
-			after: map[string]string{
-				"tailscale":     "v1",
-				"tailscale.new": "v2",
-				"tailscaled":    "v1",
-			},
-			wantErr: true,
-		},
-		{
-			desc: "duplicate tailscale binary",
-			before: map[string]string{
-				"tailscale":  "v1",
-				"tailscaled": "v1",
-			},
-			tarball: map[string]string{
-				"/usr/bin/tailscale":  "v2",
-				"/usr/sbin/tailscale": "v2",
-				"/usr/bin/tailscaled": "v2",
-			},
-			after: map[string]string{
-				"tailscale":      "v1",
-				"tailscale.new":  "v2",
-				"tailscaled":     "v1",
-				"tailscaled.new": "v2",
-			},
-			wantErr: true,
-		},
-		{
-			desc: "empty archive",
-			before: map[string]string{
-				"tailscale":  "v1",
-				"tailscaled": "v1",
-			},
-			tarball: map[string]string{},
-			after: map[string]string{
-				"tailscale":  "v1",
-				"tailscaled": "v1",
-			},
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			// Swap out binaryPaths function to point at dummy file paths.
-			tmp := t.TempDir()
-			tailscalePath := filepath.Join(tmp, "tailscale")
-			tailscaledPath := filepath.Join(tmp, "tailscaled")
-			binaryPaths = func() (string, string, error) {
-				return tailscalePath, tailscaledPath, nil
-			}
-			for name, content := range tt.before {
-				if err := os.WriteFile(filepath.Join(tmp, name), []byte(content), 0755); err != nil {
-					t.Fatal(err)
-				}
-			}
-			tarPath := filepath.Join(tmp, "tailscale.tgz")
-			genTarball(t, tarPath, tt.tarball)
-
-			up := &Updater{Arguments: Arguments{Logf: t.Logf}}
-			err := up.unpackLinuxTarball(tarPath)
-			if err != nil {
-				if !tt.wantErr {
-					t.Fatalf("unexpected error: %v", err)
-				}
-			} else if tt.wantErr {
-				t.Fatalf("unpack succeeded, expected an error")
-			}
-
-			gotAfter := make(map[string]string)
-			err = filepath.WalkDir(tmp, func(path string, d fs.DirEntry, err error) error {
-				if err != nil {
-					return err
-				}
-				if d.Type().IsDir() {
-					return nil
-				}
-				if path == tarPath {
-					return nil
-				}
-				content, err := os.ReadFile(path)
-				if err != nil {
-					return err
-				}
-				path = filepath.ToSlash(path)
-				base := filepath.ToSlash(tmp)
-				gotAfter[strings.TrimPrefix(path, base+"/")] = string(content)
-				return nil
-			})
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			if !maps.Equal(gotAfter, tt.after) {
-				t.Errorf("files after unpack: %+v, want %+v", gotAfter, tt.after)
-			}
-		})
-	}
-}
-
-func genTarball(t *testing.T, path string, files map[string]string) {
-	f, err := os.Create(path)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer f.Close()
-	gw := gzip.NewWriter(f)
-	defer gw.Close()
-	tw := tar.NewWriter(gw)
-	defer tw.Close()
-	for file, content := range files {
-		if err := tw.WriteHeader(&tar.Header{
-			Name: file,
-			Size: int64(len(content)),
-			Mode: 0755,
-		}); err != nil {
-			t.Fatal(err)
-		}
-		if _, err := tw.Write([]byte(content)); err != nil {
-			t.Fatal(err)
-		}
-	}
-}
-
-func TestWriteFileOverwrite(t *testing.T) {
-	path := filepath.Join(t.TempDir(), "test")
-	for i := 0; i < 2; i++ {
-		content := fmt.Sprintf("content %d", i)
-		if err := writeFile(strings.NewReader(content), path, 0600); err != nil {
-			t.Fatal(err)
-		}
-		got, err := os.ReadFile(path)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if string(got) != content {
-			t.Errorf("got content: %q, want: %q", got, content)
-		}
-	}
-}
-
-func TestWriteFileSymlink(t *testing.T) {
-	// Test for a malicious symlink at the destination path.
-	// f2 points to f1 and writeFile(f2) should not end up overwriting f1.
-	tmp := t.TempDir()
-	f1 := filepath.Join(tmp, "f1")
-	if err := os.WriteFile(f1, []byte("old"), 0600); err != nil {
-		t.Fatal(err)
-	}
-	f2 := filepath.Join(tmp, "f2")
-	if err := os.Symlink(f1, f2); err != nil {
-		t.Fatal(err)
-	}
-
-	if err := writeFile(strings.NewReader("new"), f2, 0600); err != nil {
-		t.Errorf("writeFile(%q) failed: %v", f2, err)
-	}
-	want := map[string]string{
-		f1: "old",
-		f2: "new",
-	}
-	for f, content := range want {
-		got, err := os.ReadFile(f)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if string(got) != content {
-			t.Errorf("%q: got content %q, want %q", f, got, content)
-		}
-	}
-}

clientupdate/distsign/distsign.go

@@ -1,485 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package distsign implements signature and validation of arbitrary
-// distributable files.
-//
-// There are 3 parties in this exchange:
-//   - builder, which creates files, signs them with signing keys and publishes
-//     to server
-//   - server, which distributes public signing keys, files and signatures
-//   - client, which downloads files and signatures from server, and validates
-//     the signatures
-//
-// There are 2 types of keys:
-//   - signing keys, that sign individual distributable files on the builder
-//   - root keys, that sign signing keys and are kept offline
-//
-// root keys -(sign)-> signing keys -(sign)-> files
-//
-// All keys are asymmetric Ed25519 key pairs.
-//
-// The server serves static files under some known prefix. The kinds of files are:
-//   - distsign.pub - bundle of PEM-encoded public signing keys
-//   - distsign.pub.sig - signature of distsign.pub using one of the root keys
-//   - $file - any distributable file
-//   - $file.sig - signature of $file using any of the signing keys
-//
-// The root public keys are baked into the client software at compile time.
-// These keys are long-lived and prove the validity of current signing keys
-// from distsign.pub. To rotate root keys, a new client release must be
-// published, they are not rotated dynamically. There are multiple root keys in
-// different locations specifically to allow this rotation without using the
-// discarded root key for any new signatures.
-//
-// The signing public keys are fetched by the client dynamically before every
-// download and can be rotated more readily, assuming that most deployed
-// clients trust the root keys used to issue fresh signing keys.
-package distsign
-
-import (
-	"context"
-	"crypto/ed25519"
-	"crypto/rand"
-	"encoding/binary"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"hash"
-	"io"
-	"log"
-	"net/http"
-	"net/url"
-	"os"
-	"time"
-
-	"github.com/hdevalence/ed25519consensus"
-	"golang.org/x/crypto/blake2s"
-	"tailscale.com/net/tshttpproxy"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/must"
-)
-
-const (
-	pemTypeRootPrivate    = "ROOT PRIVATE KEY"
-	pemTypeRootPublic     = "ROOT PUBLIC KEY"
-	pemTypeSigningPrivate = "SIGNING PRIVATE KEY"
-	pemTypeSigningPublic  = "SIGNING PUBLIC KEY"
-
-	downloadSizeLimit    = 1 << 29 // 512MB
-	signingKeysSizeLimit = 1 << 20 // 1MB
-	signatureSizeLimit   = ed25519.SignatureSize
-)
-
-// RootKey is a root key used to sign signing keys.
-type RootKey struct {
-	k ed25519.PrivateKey
-}
-
-// GenerateRootKey generates a new root key pair and encodes it as PEM.
-func GenerateRootKey() (priv, pub []byte, err error) {
-	pub, priv, err = ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, nil, err
-	}
-	return pem.EncodeToMemory(&pem.Block{
-			Type:  pemTypeRootPrivate,
-			Bytes: []byte(priv),
-		}), pem.EncodeToMemory(&pem.Block{
-			Type:  pemTypeRootPublic,
-			Bytes: []byte(pub),
-		}), nil
-}
-
-// ParseRootKey parses the PEM-encoded private root key. The key must be in the
-// same format as returned by GenerateRootKey.
-func ParseRootKey(privKey []byte) (*RootKey, error) {
-	k, err := parsePrivateKey(privKey, pemTypeRootPrivate)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse root key: %w", err)
-	}
-	return &RootKey{k: k}, nil
-}
-
-// SignSigningKeys signs the bundle of public signing keys. The bundle must be
-// a sequence of PEM blocks joined with newlines.
-func (r *RootKey) SignSigningKeys(pubBundle []byte) ([]byte, error) {
-	if _, err := ParseSigningKeyBundle(pubBundle); err != nil {
-		return nil, err
-	}
-	return ed25519.Sign(r.k, pubBundle), nil
-}
-
-// SigningKey is a signing key used to sign packages.
-type SigningKey struct {
-	k ed25519.PrivateKey
-}
-
-// GenerateSigningKey generates a new signing key pair and encodes it as PEM.
-func GenerateSigningKey() (priv, pub []byte, err error) {
-	pub, priv, err = ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, nil, err
-	}
-	return pem.EncodeToMemory(&pem.Block{
-			Type:  pemTypeSigningPrivate,
-			Bytes: []byte(priv),
-		}), pem.EncodeToMemory(&pem.Block{
-			Type:  pemTypeSigningPublic,
-			Bytes: []byte(pub),
-		}), nil
-}
-
-// ParseSigningKey parses the PEM-encoded private signing key. The key must be
-// in the same format as returned by GenerateSigningKey.
-func ParseSigningKey(privKey []byte) (*SigningKey, error) {
-	k, err := parsePrivateKey(privKey, pemTypeSigningPrivate)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse root key: %w", err)
-	}
-	return &SigningKey{k: k}, nil
-}
-
-// SignPackageHash signs the hash and the length of a package. Use PackageHash
-// to compute the inputs.
-func (s *SigningKey) SignPackageHash(hash []byte, len int64) ([]byte, error) {
-	if len <= 0 {
-		return nil, fmt.Errorf("package length must be positive, got %d", len)
-	}
-	msg := binary.LittleEndian.AppendUint64(hash, uint64(len))
-	return ed25519.Sign(s.k, msg), nil
-}
-
-// PackageHash is a hash.Hash that counts the number of bytes written. Use it
-// to get the hash and length inputs to SigningKey.SignPackageHash.
-type PackageHash struct {
-	hash.Hash
-	len int64
-}
-
-// NewPackageHash returns an initialized PackageHash using BLAKE2s.
-func NewPackageHash() *PackageHash {
-	h, err := blake2s.New256(nil)
-	if err != nil {
-		// Should never happen with a nil key passed to blake2s.
-		panic(err)
-	}
-	return &PackageHash{Hash: h}
-}
-
-func (ph *PackageHash) Write(b []byte) (int, error) {
-	ph.len += int64(len(b))
-	return ph.Hash.Write(b)
-}
-
-// Reset the PackageHash to its initial state.
-func (ph *PackageHash) Reset() {
-	ph.len = 0
-	ph.Hash.Reset()
-}
-
-// Len returns the total number of bytes written.
-func (ph *PackageHash) Len() int64 { return ph.len }
-
-// Client downloads and validates files from a distribution server.
-type Client struct {
-	logf     logger.Logf
-	roots    []ed25519.PublicKey
-	pkgsAddr *url.URL
-}
-
-// NewClient returns a new client for distribution server located at pkgsAddr,
-// and uses embedded root keys from the roots/ subdirectory of this package.
-func NewClient(logf logger.Logf, pkgsAddr string) (*Client, error) {
-	if logf == nil {
-		logf = log.Printf
-	}
-	u, err := url.Parse(pkgsAddr)
-	if err != nil {
-		return nil, fmt.Errorf("invalid pkgsAddr %q: %w", pkgsAddr, err)
-	}
-	return &Client{logf: logf, roots: roots(), pkgsAddr: u}, nil
-}
-
-func (c *Client) url(path string) string {
-	return c.pkgsAddr.JoinPath(path).String()
-}
-
-// Download fetches a file at path srcPath from pkgsAddr passed in NewClient.
-// The file is downloaded to dstPath and its signature is validated using the
-// embedded root keys. Download returns an error if anything goes wrong with
-// the actual file download or with signature validation.
-func (c *Client) Download(ctx context.Context, srcPath, dstPath string) error {
-	// Always fetch a fresh signing key.
-	sigPub, err := c.signingKeys()
-	if err != nil {
-		return err
-	}
-
-	srcURL := c.url(srcPath)
-	sigURL := srcURL + ".sig"
-
-	c.logf("Downloading %q", srcURL)
-	dstPathUnverified := dstPath + ".unverified"
-	hash, len, err := c.download(ctx, srcURL, dstPathUnverified, downloadSizeLimit)
-	if err != nil {
-		return err
-	}
-	c.logf("Downloading %q", sigURL)
-	sig, err := fetch(sigURL, signatureSizeLimit)
-	if err != nil {
-		// Best-effort clean up of downloaded package.
-		os.Remove(dstPathUnverified)
-		return err
-	}
-	msg := binary.LittleEndian.AppendUint64(hash, uint64(len))
-	if !VerifyAny(sigPub, msg, sig) {
-		// Best-effort clean up of downloaded package.
-		os.Remove(dstPathUnverified)
-		return fmt.Errorf("signature %q for file %q does not validate with the current release signing key; either you are under attack, or attempting to download an old version of Tailscale which was signed with an older signing key", sigURL, srcURL)
-	}
-	c.logf("Signature OK")
-
-	if err := os.Rename(dstPathUnverified, dstPath); err != nil {
-		return fmt.Errorf("failed to move %q to %q after signature validation", dstPathUnverified, dstPath)
-	}
-
-	return nil
-}
-
-// ValidateLocalBinary fetches the latest signature associated with the binary
-// at srcURLPath and uses it to validate the file located on disk via
-// localFilePath. ValidateLocalBinary returns an error if anything goes wrong
-// with the signature download or with signature validation.
-func (c *Client) ValidateLocalBinary(srcURLPath, localFilePath string) error {
-	// Always fetch a fresh signing key.
-	sigPub, err := c.signingKeys()
-	if err != nil {
-		return err
-	}
-
-	srcURL := c.url(srcURLPath)
-	sigURL := srcURL + ".sig"
-
-	localFile, err := os.Open(localFilePath)
-	if err != nil {
-		return err
-	}
-	defer localFile.Close()
-
-	h := NewPackageHash()
-	_, err = io.Copy(h, localFile)
-	if err != nil {
-		return err
-	}
-	hash, hashLen := h.Sum(nil), h.Len()
-
-	c.logf("Downloading %q", sigURL)
-	sig, err := fetch(sigURL, signatureSizeLimit)
-	if err != nil {
-		return err
-	}
-
-	msg := binary.LittleEndian.AppendUint64(hash, uint64(hashLen))
-	if !VerifyAny(sigPub, msg, sig) {
-		return fmt.Errorf("signature %q for file %q does not validate with the current release signing key; either you are under attack, or attempting to download an old version of Tailscale which was signed with an older signing key", sigURL, localFilePath)
-	}
-	c.logf("Signature OK")
-
-	return nil
-}
-
-// signingKeys fetches current signing keys from the server and validates them
-// against the roots. Should be called before validation of any downloaded file
-// to get the fresh keys.
-func (c *Client) signingKeys() ([]ed25519.PublicKey, error) {
-	keyURL := c.url("distsign.pub")
-	sigURL := keyURL + ".sig"
-	raw, err := fetch(keyURL, signingKeysSizeLimit)
-	if err != nil {
-		return nil, err
-	}
-	sig, err := fetch(sigURL, signatureSizeLimit)
-	if err != nil {
-		return nil, err
-	}
-	if !VerifyAny(c.roots, raw, sig) {
-		return nil, fmt.Errorf("signature %q for key %q does not validate with any known root key; either you are under attack, or running a very old version of Tailscale with outdated root keys", sigURL, keyURL)
-	}
-
-	keys, err := ParseSigningKeyBundle(raw)
-	if err != nil {
-		return nil, fmt.Errorf("cannot parse signing key bundle from %q: %w", keyURL, err)
-	}
-	return keys, nil
-}
-
-// fetch reads the response body from url into memory, up to limit bytes.
-func fetch(url string, limit int64) ([]byte, error) {
-	resp, err := http.Get(url)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	return io.ReadAll(io.LimitReader(resp.Body, limit))
-}
-
-// download writes the response body of url into a local file at dst, up to
-// limit bytes. On success, the returned value is a BLAKE2s hash of the file.
-func (c *Client) download(ctx context.Context, url, dst string, limit int64) ([]byte, int64, error) {
-	tr := http.DefaultTransport.(*http.Transport).Clone()
-	tr.Proxy = tshttpproxy.ProxyFromEnvironment
-	defer tr.CloseIdleConnections()
-	hc := &http.Client{Transport: tr}
-
-	quickCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
-	defer cancel()
-	headReq := must.Get(http.NewRequestWithContext(quickCtx, http.MethodHead, url, nil))
-
-	res, err := hc.Do(headReq)
-	if err != nil {
-		return nil, 0, err
-	}
-	if res.StatusCode != http.StatusOK {
-		return nil, 0, fmt.Errorf("HEAD %q: %v", url, res.Status)
-	}
-	if res.ContentLength <= 0 {
-		return nil, 0, fmt.Errorf("HEAD %q: unexpected Content-Length %v", url, res.ContentLength)
-	}
-	c.logf("Download size: %v", res.ContentLength)
-
-	dlReq := must.Get(http.NewRequestWithContext(ctx, http.MethodGet, url, nil))
-	dlRes, err := hc.Do(dlReq)
-	if err != nil {
-		return nil, 0, err
-	}
-	defer dlRes.Body.Close()
-	// TODO(bradfitz): resume from existing partial file on disk
-	if dlRes.StatusCode != http.StatusOK {
-		return nil, 0, fmt.Errorf("GET %q: %v", url, dlRes.Status)
-	}
-
-	of, err := os.Create(dst)
-	if err != nil {
-		return nil, 0, err
-	}
-	defer of.Close()
-	pw := &progressWriter{total: res.ContentLength, logf: c.logf}
-	h := NewPackageHash()
-	n, err := io.Copy(io.MultiWriter(of, h, pw), io.LimitReader(dlRes.Body, limit))
-	if err != nil {
-		return nil, n, err
-	}
-	if n != res.ContentLength {
-		return nil, n, fmt.Errorf("GET %q: downloaded %v, want %v", url, n, res.ContentLength)
-	}
-	if err := dlRes.Body.Close(); err != nil {
-		return nil, n, err
-	}
-	if err := of.Close(); err != nil {
-		return nil, n, err
-	}
-	pw.print()
-
-	return h.Sum(nil), h.Len(), nil
-}
-
-type progressWriter struct {
-	done      int64
-	total     int64
-	lastPrint time.Time
-	logf      logger.Logf
-}
-
-func (pw *progressWriter) Write(p []byte) (n int, err error) {
-	pw.done += int64(len(p))
-	if time.Since(pw.lastPrint) > 2*time.Second {
-		pw.print()
-	}
-	return len(p), nil
-}
-
-func (pw *progressWriter) print() {
-	pw.lastPrint = time.Now()
-	pw.logf("Downloaded %v/%v (%.1f%%)", pw.done, pw.total, float64(pw.done)/float64(pw.total)*100)
-}
-
-func parsePrivateKey(data []byte, typeTag string) (ed25519.PrivateKey, error) {
-	b, rest := pem.Decode(data)
-	if b == nil {
-		return nil, errors.New("failed to decode PEM data")
-	}
-	if len(rest) > 0 {
-		return nil, errors.New("trailing PEM data")
-	}
-	if b.Type != typeTag {
-		return nil, fmt.Errorf("PEM type is %q, want %q", b.Type, typeTag)
-	}
-	if len(b.Bytes) != ed25519.PrivateKeySize {
-		return nil, errors.New("private key has incorrect length for an Ed25519 private key")
-	}
-	return ed25519.PrivateKey(b.Bytes), nil
-}
-
-// ParseSigningKeyBundle parses the bundle of PEM-encoded public signing keys.
-func ParseSigningKeyBundle(bundle []byte) ([]ed25519.PublicKey, error) {
-	return parsePublicKeyBundle(bundle, pemTypeSigningPublic)
-}
-
-// ParseRootKeyBundle parses the bundle of PEM-encoded public root keys.
-func ParseRootKeyBundle(bundle []byte) ([]ed25519.PublicKey, error) {
-	return parsePublicKeyBundle(bundle, pemTypeRootPublic)
-}
-
-func parsePublicKeyBundle(bundle []byte, typeTag string) ([]ed25519.PublicKey, error) {
-	var keys []ed25519.PublicKey
-	for len(bundle) > 0 {
-		pub, rest, err := parsePublicKey(bundle, typeTag)
-		if err != nil {
-			return nil, err
-		}
-		keys = append(keys, pub)
-		bundle = rest
-	}
-	if len(keys) == 0 {
-		return nil, errors.New("no signing keys found in the bundle")
-	}
-	return keys, nil
-}
-
-func parseSinglePublicKey(data []byte, typeTag string) (ed25519.PublicKey, error) {
-	pub, rest, err := parsePublicKey(data, typeTag)
-	if err != nil {
-		return nil, err
-	}
-	if len(rest) > 0 {
-		return nil, errors.New("trailing PEM data")
-	}
-	return pub, err
-}
-
-func parsePublicKey(data []byte, typeTag string) (pub ed25519.PublicKey, rest []byte, retErr error) {
-	b, rest := pem.Decode(data)
-	if b == nil {
-		return nil, nil, errors.New("failed to decode PEM data")
-	}
-	if b.Type != typeTag {
-		return nil, nil, fmt.Errorf("PEM type is %q, want %q", b.Type, typeTag)
-	}
-	if len(b.Bytes) != ed25519.PublicKeySize {
-		return nil, nil, errors.New("public key has incorrect length for an Ed25519 public key")
-	}
-	return ed25519.PublicKey(b.Bytes), rest, nil
-}
-
-// VerifyAny verifies whether sig is valid for msg using any of the keys.
-// VerifyAny will panic if any of the keys have the wrong size for Ed25519.
-func VerifyAny(keys []ed25519.PublicKey, msg, sig []byte) bool {
-	for _, k := range keys {
-		if ed25519consensus.Verify(k, msg, sig) {
-			return true
-		}
-	}
-	return false
-}

clientupdate/distsign/distsign_test.go

@@ -1,585 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package distsign
-
-import (
-	"bytes"
-	"context"
-	"crypto/ed25519"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"golang.org/x/crypto/blake2s"
-)
-
-func TestDownload(t *testing.T) {
-	srv := newTestServer(t)
-	c := srv.client(t)
-
-	tests := []struct {
-		desc    string
-		before  func(*testing.T)
-		src     string
-		want    []byte
-		wantErr bool
-	}{
-		{
-			desc:    "missing file",
-			before:  func(*testing.T) {},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "success",
-			before: func(*testing.T) {
-				srv.addSigned("hello", []byte("world"))
-			},
-			src:  "hello",
-			want: []byte("world"),
-		},
-		{
-			desc: "no signature",
-			before: func(*testing.T) {
-				srv.add("hello", []byte("world"))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "bad signature",
-			before: func(*testing.T) {
-				srv.add("hello", []byte("world"))
-				srv.add("hello.sig", []byte("potato"))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "signed with untrusted key",
-			before: func(t *testing.T) {
-				srv.add("hello", []byte("world"))
-				srv.add("hello.sig", newSigningKeyPair(t).sign([]byte("world")))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "signed with root key",
-			before: func(t *testing.T) {
-				srv.add("hello", []byte("world"))
-				srv.add("hello.sig", ed25519.Sign(srv.roots[0].k, []byte("world")))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "bad signing key signature",
-			before: func(t *testing.T) {
-				srv.add("distsign.pub.sig", []byte("potato"))
-				srv.addSigned("hello", []byte("world"))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			srv.reset()
-			tt.before(t)
-
-			dst := filepath.Join(t.TempDir(), tt.src)
-			t.Cleanup(func() {
-				os.Remove(dst)
-			})
-			err := c.Download(context.Background(), tt.src, dst)
-			if err != nil {
-				if tt.wantErr {
-					return
-				}
-				t.Fatalf("unexpected error from Download(%q): %v", tt.src, err)
-			}
-			if tt.wantErr {
-				t.Fatalf("Download(%q) succeeded, expected an error", tt.src)
-			}
-			got, err := os.ReadFile(dst)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if !bytes.Equal(tt.want, got) {
-				t.Errorf("Download(%q): got %q, want %q", tt.src, got, tt.want)
-			}
-		})
-	}
-}
-
-func TestValidateLocalBinary(t *testing.T) {
-	srv := newTestServer(t)
-	c := srv.client(t)
-
-	tests := []struct {
-		desc    string
-		before  func(*testing.T)
-		src     string
-		wantErr bool
-	}{
-		{
-			desc:    "missing file",
-			before:  func(*testing.T) {},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "success",
-			before: func(*testing.T) {
-				srv.addSigned("hello", []byte("world"))
-			},
-			src: "hello",
-		},
-		{
-			desc: "contents changed",
-			before: func(*testing.T) {
-				srv.addSigned("hello", []byte("new world"))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "no signature",
-			before: func(*testing.T) {
-				srv.add("hello", []byte("world"))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "bad signature",
-			before: func(*testing.T) {
-				srv.add("hello", []byte("world"))
-				srv.add("hello.sig", []byte("potato"))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "signed with untrusted key",
-			before: func(t *testing.T) {
-				srv.add("hello", []byte("world"))
-				srv.add("hello.sig", newSigningKeyPair(t).sign([]byte("world")))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "signed with root key",
-			before: func(t *testing.T) {
-				srv.add("hello", []byte("world"))
-				srv.add("hello.sig", ed25519.Sign(srv.roots[0].k, []byte("world")))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "bad signing key signature",
-			before: func(t *testing.T) {
-				srv.add("distsign.pub.sig", []byte("potato"))
-				srv.addSigned("hello", []byte("world"))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			srv.reset()
-
-			// First just do a successful Download.
-			want := []byte("world")
-			srv.addSigned("hello", want)
-			dst := filepath.Join(t.TempDir(), tt.src)
-			err := c.Download(context.Background(), tt.src, dst)
-			if err != nil {
-				t.Fatalf("unexpected error from Download(%q): %v", tt.src, err)
-			}
-			got, err := os.ReadFile(dst)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if !bytes.Equal(want, got) {
-				t.Errorf("Download(%q): got %q, want %q", tt.src, got, want)
-			}
-
-			// Now we reset srv with the test case and validate against the local dst.
-			srv.reset()
-			tt.before(t)
-
-			err = c.ValidateLocalBinary(tt.src, dst)
-			if err != nil {
-				if tt.wantErr {
-					return
-				}
-				t.Fatalf("unexpected error from ValidateLocalBinary(%q): %v", tt.src, err)
-			}
-			if tt.wantErr {
-				t.Fatalf("ValidateLocalBinary(%q) succeeded, expected an error", tt.src)
-			}
-		})
-	}
-}
-
-func TestRotateRoot(t *testing.T) {
-	srv := newTestServer(t)
-	c1 := srv.client(t)
-	ctx := context.Background()
-
-	srv.addSigned("hello", []byte("world"))
-	if err := c1.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed on a fresh server: %v", err)
-	}
-
-	// Remove first root and replace it with a new key.
-	srv.roots = append(srv.roots[1:], newRootKeyPair(t))
-
-	// Old client can still download files because it still trusts the old
-	// root key.
-	if err := c1.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after root rotation on old client: %v", err)
-	}
-	// New client should fail download because current signing key is signed by
-	// the revoked root that new client doesn't trust.
-	c2 := srv.client(t)
-	if err := c2.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err == nil {
-		t.Fatalf("Download succeeded on new client, but signing key is signed with revoked root key")
-	}
-	// Re-sign signing key with another valid root that client still trusts.
-	srv.resignSigningKeys()
-	// Both old and new clients should now be able to download.
-	//
-	// Note: we don't need to re-sign the "hello" file because signing key
-	// didn't change (only signing key's signature).
-	if err := c1.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after root rotation on old client with re-signed signing key: %v", err)
-	}
-	if err := c2.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after root rotation on new client with re-signed signing key: %v", err)
-	}
-}
-
-func TestRotateSigning(t *testing.T) {
-	srv := newTestServer(t)
-	c := srv.client(t)
-	ctx := context.Background()
-
-	srv.addSigned("hello", []byte("world"))
-	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed on a fresh server: %v", err)
-	}
-
-	// Replace signing key but don't publish it yet.
-	srv.sign = append(srv.sign, newSigningKeyPair(t))
-	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after new signing key added but before publishing it: %v", err)
-	}
-
-	// Publish new signing key bundle with both keys.
-	srv.resignSigningKeys()
-	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after new signing key was published: %v", err)
-	}
-
-	// Re-sign the "hello" file with new signing key.
-	srv.add("hello.sig", srv.sign[1].sign([]byte("world")))
-	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after re-signing with new signing key: %v", err)
-	}
-
-	// Drop the old signing key.
-	srv.sign = srv.sign[1:]
-	srv.resignSigningKeys()
-	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after removing old signing key: %v", err)
-	}
-
-	// Add another key and re-sign the file with it *before* publishing.
-	srv.sign = append(srv.sign, newSigningKeyPair(t))
-	srv.add("hello.sig", srv.sign[1].sign([]byte("world")))
-	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err == nil {
-		t.Fatalf("Download succeeded when signed with a not-yet-published signing key")
-	}
-	// Fix this by publishing the new key.
-	srv.resignSigningKeys()
-	if err := c.Download(ctx, "hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after publishing new signing key: %v", err)
-	}
-}
-
-func TestParseRootKey(t *testing.T) {
-	tests := []struct {
-		desc     string
-		generate func() ([]byte, []byte, error)
-		wantErr  bool
-	}{
-		{
-			desc:     "valid",
-			generate: GenerateRootKey,
-		},
-		{
-			desc:     "signing",
-			generate: GenerateSigningKey,
-			wantErr:  true,
-		},
-		{
-			desc:     "nil",
-			generate: func() ([]byte, []byte, error) { return nil, nil, nil },
-			wantErr:  true,
-		},
-		{
-			desc: "invalid PEM tag",
-			generate: func() ([]byte, []byte, error) {
-				priv, pub, err := GenerateRootKey()
-				priv = bytes.Replace(priv, []byte("ROOT "), nil, -1)
-				return priv, pub, err
-			},
-			wantErr: true,
-		},
-		{
-			desc:     "not PEM",
-			generate: func() ([]byte, []byte, error) { return []byte("s3cr3t"), nil, nil },
-			wantErr:  true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			priv, _, err := tt.generate()
-			if err != nil {
-				t.Fatal(err)
-			}
-			r, err := ParseRootKey(priv)
-			if err != nil {
-				if tt.wantErr {
-					return
-				}
-				t.Fatalf("unexpected error: %v", err)
-			}
-			if tt.wantErr {
-				t.Fatal("expected non-nil error")
-			}
-			if r == nil {
-				t.Errorf("got nil error and nil RootKey")
-			}
-		})
-	}
-}
-
-func TestParseSigningKey(t *testing.T) {
-	tests := []struct {
-		desc     string
-		generate func() ([]byte, []byte, error)
-		wantErr  bool
-	}{
-		{
-			desc:     "valid",
-			generate: GenerateSigningKey,
-		},
-		{
-			desc:     "root",
-			generate: GenerateRootKey,
-			wantErr:  true,
-		},
-		{
-			desc:     "nil",
-			generate: func() ([]byte, []byte, error) { return nil, nil, nil },
-			wantErr:  true,
-		},
-		{
-			desc: "invalid PEM tag",
-			generate: func() ([]byte, []byte, error) {
-				priv, pub, err := GenerateSigningKey()
-				priv = bytes.Replace(priv, []byte("SIGNING "), nil, -1)
-				return priv, pub, err
-			},
-			wantErr: true,
-		},
-		{
-			desc:     "not PEM",
-			generate: func() ([]byte, []byte, error) { return []byte("s3cr3t"), nil, nil },
-			wantErr:  true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			priv, _, err := tt.generate()
-			if err != nil {
-				t.Fatal(err)
-			}
-			r, err := ParseSigningKey(priv)
-			if err != nil {
-				if tt.wantErr {
-					return
-				}
-				t.Fatalf("unexpected error: %v", err)
-			}
-			if tt.wantErr {
-				t.Fatal("expected non-nil error")
-			}
-			if r == nil {
-				t.Errorf("got nil error and nil SigningKey")
-			}
-		})
-	}
-}
-
-type testServer struct {
-	roots []rootKeyPair
-	sign  []signingKeyPair
-	files map[string][]byte
-	srv   *httptest.Server
-}
-
-func newTestServer(t *testing.T) *testServer {
-	var roots []rootKeyPair
-	for i := 0; i < 3; i++ {
-		roots = append(roots, newRootKeyPair(t))
-	}
-
-	ts := &testServer{
-		roots: roots,
-		sign:  []signingKeyPair{newSigningKeyPair(t)},
-	}
-	ts.reset()
-	ts.srv = httptest.NewServer(ts)
-	t.Cleanup(ts.srv.Close)
-	return ts
-}
-
-func (s *testServer) client(t *testing.T) *Client {
-	roots := make([]ed25519.PublicKey, 0, len(s.roots))
-	for _, r := range s.roots {
-		pub, err := parseSinglePublicKey(r.pubRaw, pemTypeRootPublic)
-		if err != nil {
-			t.Fatalf("parsePublicKey: %v", err)
-		}
-		roots = append(roots, pub)
-	}
-	u, err := url.Parse(s.srv.URL)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return &Client{
-		logf:     t.Logf,
-		roots:    roots,
-		pkgsAddr: u,
-	}
-}
-
-func (s *testServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	path := strings.TrimPrefix(r.URL.Path, "/")
-	data, ok := s.files[path]
-	if !ok {
-		http.NotFound(w, r)
-		return
-	}
-	w.Write(data)
-}
-
-func (s *testServer) addSigned(name string, data []byte) {
-	s.files[name] = data
-	s.files[name+".sig"] = s.sign[0].sign(data)
-}
-
-func (s *testServer) add(name string, data []byte) {
-	s.files[name] = data
-}
-
-func (s *testServer) reset() {
-	s.files = make(map[string][]byte)
-	s.resignSigningKeys()
-}
-
-func (s *testServer) resignSigningKeys() {
-	var pubs [][]byte
-	for _, k := range s.sign {
-		pubs = append(pubs, k.pubRaw)
-	}
-	bundle := bytes.Join(pubs, []byte("\n"))
-	sig := s.roots[0].sign(bundle)
-	s.files["distsign.pub"] = bundle
-	s.files["distsign.pub.sig"] = sig
-}
-
-type rootKeyPair struct {
-	*RootKey
-	keyPair
-}
-
-func newRootKeyPair(t *testing.T) rootKeyPair {
-	privRaw, pubRaw, err := GenerateRootKey()
-	if err != nil {
-		t.Fatalf("GenerateRootKey: %v", err)
-	}
-	kp := keyPair{
-		privRaw: privRaw,
-		pubRaw:  pubRaw,
-	}
-	priv, err := parsePrivateKey(kp.privRaw, pemTypeRootPrivate)
-	if err != nil {
-		t.Fatalf("parsePrivateKey: %v", err)
-	}
-	return rootKeyPair{
-		RootKey: &RootKey{k: priv},
-		keyPair: kp,
-	}
-}
-
-func (s rootKeyPair) sign(bundle []byte) []byte {
-	sig, err := s.SignSigningKeys(bundle)
-	if err != nil {
-		panic(err)
-	}
-	return sig
-}
-
-type signingKeyPair struct {
-	*SigningKey
-	keyPair
-}
-
-func newSigningKeyPair(t *testing.T) signingKeyPair {
-	privRaw, pubRaw, err := GenerateSigningKey()
-	if err != nil {
-		t.Fatalf("GenerateSigningKey: %v", err)
-	}
-	kp := keyPair{
-		privRaw: privRaw,
-		pubRaw:  pubRaw,
-	}
-	priv, err := parsePrivateKey(kp.privRaw, pemTypeSigningPrivate)
-	if err != nil {
-		t.Fatalf("parsePrivateKey: %v", err)
-	}
-	return signingKeyPair{
-		SigningKey: &SigningKey{k: priv},
-		keyPair:    kp,
-	}
-}
-
-func (s signingKeyPair) sign(blob []byte) []byte {
-	hash := blake2s.Sum256(blob)
-	sig, err := s.SignPackageHash(hash[:], int64(len(blob)))
-	if err != nil {
-		panic(err)
-	}
-	return sig
-}
-
-type keyPair struct {
-	privRaw []byte
-	pubRaw  []byte
-}

clientupdate/distsign/roots.go

@@ -1,54 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package distsign
-
-import (
-	"crypto/ed25519"
-	"embed"
-	"errors"
-	"fmt"
-	"path"
-	"path/filepath"
-	"sync"
-)
-
-//go:embed roots
-var rootsFS embed.FS
-
-var roots = sync.OnceValue(func() []ed25519.PublicKey {
-	roots, err := parseRoots()
-	if err != nil {
-		panic(err)
-	}
-	return roots
-})
-
-func parseRoots() ([]ed25519.PublicKey, error) {
-	files, err := rootsFS.ReadDir("roots")
-	if err != nil {
-		return nil, err
-	}
-	var keys []ed25519.PublicKey
-	for _, f := range files {
-		if !f.Type().IsRegular() {
-			continue
-		}
-		if filepath.Ext(f.Name()) != ".pem" {
-			continue
-		}
-		raw, err := rootsFS.ReadFile(path.Join("roots", f.Name()))
-		if err != nil {
-			return nil, err
-		}
-		key, err := parseSinglePublicKey(raw, pemTypeRootPublic)
-		if err != nil {
-			return nil, fmt.Errorf("parsing root key %q: %w", f.Name(), err)
-		}
-		keys = append(keys, key)
-	}
-	if len(keys) == 0 {
-		return nil, errors.New("no embedded root keys, please check clientupdate/distsign/roots/")
-	}
-	return keys, nil
-}

clientupdate/distsign/roots/crawshaw-root.pem

@@ -1,3 +0,0 @@
------BEGIN ROOT PUBLIC KEY-----
-Psrabv2YNiEDhPlnLVSMtB5EKACm7zxvKxfvYD4i7X8=
------END ROOT PUBLIC KEY-----

clientupdate/distsign/roots/distsign-dev-root-pub.pem

@@ -1,3 +0,0 @@
------BEGIN ROOT PUBLIC KEY-----
-Muw5GkO5mASsJ7k6kS+svfuanr6XcW9I7fPGtyqOTeI=
------END ROOT PUBLIC KEY-----

clientupdate/distsign/roots_test.go

@@ -1,16 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package distsign
-
-import "testing"
-
-func TestParseRoots(t *testing.T) {
-	roots, err := parseRoots()
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(roots) == 0 {
-		t.Error("parseRoots returned no root keys")
-	}
-}

clientupdate/systemd_linux.go

@@ -1,37 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package clientupdate
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	"github.com/coreos/go-systemd/v22/dbus"
-)
-
-func restartSystemdUnit(ctx context.Context) error {
-	c, err := dbus.NewWithContext(ctx)
-	if err != nil {
-		// Likely not a systemd-managed distro.
-		return errors.ErrUnsupported
-	}
-	defer c.Close()
-	if err := c.ReloadContext(ctx); err != nil {
-		return fmt.Errorf("failed to reload tailsacled.service: %w", err)
-	}
-	ch := make(chan string, 1)
-	if _, err := c.RestartUnitContext(ctx, "tailscaled.service", "replace", ch); err != nil {
-		return fmt.Errorf("failed to restart tailsacled.service: %w", err)
-	}
-	select {
-	case res := <-ch:
-		if res != "done" {
-			return fmt.Errorf("systemd service restart failed with result %q", res)
-		}
-	case <-ctx.Done():
-		return ctx.Err()
-	}
-	return nil
-}

clientupdate/systemd_other.go

@@ -1,15 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !linux
-
-package clientupdate
-
-import (
-	"context"
-	"errors"
-)
-
-func restartSystemdUnit(ctx context.Context) error {
-	return errors.ErrUnsupported
-}

cmd/cloner/cloner.go

@@ -126,8 +126,8 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("for i := range dst.%s {", fname)
 				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
 					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
-						it.Import("tailscale.com/types/ptr")
-						writef("\tdst.%s[i] = ptr.To(*src.%s[i])", fname, fname)
+						writef("\tx := *src.%s[i]", fname)
+						writef("\tdst.%s[i] = &x", fname)
 					} else {
 						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 					}
@@ -145,41 +145,41 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("dst.%s = src.%s.Clone()", fname, fname)
 				continue
 			}
-			it.Import("tailscale.com/types/ptr")
+			n := it.QualifiedName(ft.Elem())
 			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = ptr.To(*src.%s)", fname, fname)
+			writef("\tdst.%s = new(%s)", fname, n)
+			writef("\t*dst.%s = *src.%s", fname, fname)
 			if codegen.ContainsPointers(ft.Elem()) {
 				writef("\t" + `panic("TODO pointers in pointers")`)
 			}
 			writef("}")
 		case *types.Map:
 			elem := ft.Elem()
+			writef("if dst.%s != nil {", fname)
+			writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
 			if sliceType, isSlice := elem.(*types.Slice); isSlice {
 				n := it.QualifiedName(sliceType.Elem())
-				writef("if dst.%s != nil {", fname)
-				writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
 				writef("\tfor k := range src.%s {", fname)
 				// use zero-length slice instead of nil to ensure
 				// the key is always copied.
 				writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
 				writef("\t}")
-				writef("}")
 			} else if codegen.ContainsPointers(elem) {
-				writef("if dst.%s != nil {", fname)
-				writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
 				writef("\tfor k, v := range src.%s {", fname)
 				switch elem.(type) {
 				case *types.Pointer:
 					writef("\t\tdst.%s[k] = v.Clone()", fname)
 				default:
-					writef("\t\tdst.%s[k] = *(v.Clone())", fname)
+					writef("\t\tv2 := v.Clone()")
+					writef("\t\tdst.%s[k] = *v2", fname)
 				}
 				writef("\t}")
-				writef("}")
 			} else {
-				it.Import("maps")
-				writef("\tdst.%s = maps.Clone(src.%s)", fname, fname)
+				writef("\tfor k, v := range src.%s {", fname)
+				writef("\t\tdst.%s[k] = v", fname)
+				writef("\t}")
 			}
+			writef("}")
 		default:
 			writef(`panic("TODO: %s (%T)")`, fname, ft)
 		}

cmd/containerboot/kube.go

@@ -7,11 +7,9 @@ package main
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"log"
 	"net/http"
-	"net/netip"
 	"os"
 
 	"tailscale.com/kube"
@@ -34,7 +32,7 @@ func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error)
 
 // storeDeviceInfo writes deviceID into the "device_id" data field of the kube
 // secret secretName.
-func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID, fqdn string, addresses []netip.Prefix) error {
+func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID, fqdn string) error {
 	// First check if the secret exists at all. Even if running on
 	// kubernetes, we do not necessarily store state in a k8s secret.
 	if _, err := kc.GetSecret(ctx, secretName); err != nil {
@@ -48,20 +46,10 @@ func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.St
 		return err
 	}
 
-	var ips []string
-	for _, addr := range addresses {
-		ips = append(ips, addr.Addr().String())
-	}
-	deviceIPs, err := json.Marshal(ips)
-	if err != nil {
-		return err
-	}
-
 	m := &kube.Secret{
 		Data: map[string][]byte{
 			"device_id":   []byte(deviceID),
 			"device_fqdn": []byte(fqdn),
-			"device_ips":  deviceIPs,
 		},
 	}
 	return kc.StrategicMergePatchSecret(ctx, secretName, m, "tailscale-container")

cmd/containerboot/main.go

@@ -16,11 +16,8 @@
 //   - TS_ROUTES: subnet routes to advertise.
 //   - TS_DEST_IP: proxy all incoming Tailscale traffic to the given
 //     destination.
-//   - TS_TAILNET_TARGET_IP: proxy all incoming non-Tailscale traffic to the given
-//     destination.
 //   - TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'.
-//   - TS_EXTRA_ARGS: extra arguments to 'tailscale login', these are not
-//     reset on restart.
+//   - TS_EXTRA_ARGS: extra arguments to 'tailscale up'.
 //   - TS_USERSPACE: run with userspace networking (the default)
 //     instead of kernel networking.
 //   - TS_STATE_DIR: the directory in which to store tailscaled
@@ -39,11 +36,6 @@
 //     logged in. If false (the default, for backwards
 //     compatibility), forcibly log in every time the
 //     container starts.
-//   - TS_SERVE_CONFIG: if specified, is the file path where the ipn.ServeConfig is located.
-//     It will be applied once tailscaled is up and running. If the file contains
-//     ${TS_CERT_DOMAIN}, it will be replaced with the value of the available FQDN.
-//     It cannot be used in conjunction with TS_DEST_IP. The file is watched for changes,
-//     and will be re-applied when it changes.
 //
 // When running on Kubernetes, containerboot defaults to storing state in the
 // "tailscale" kube secret. To store state on local disk instead, set
@@ -55,9 +47,7 @@
 package main
 
 import (
-	"bytes"
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"io/fs"
@@ -67,18 +57,14 @@ import (
 	"os/exec"
 	"os/signal"
 	"path/filepath"
-	"reflect"
 	"strconv"
 	"strings"
-	"sync/atomic"
 	"syscall"
 	"time"
 
-	"github.com/fsnotify/fsnotify"
 	"golang.org/x/sys/unix"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
-	"tailscale.com/types/ptr"
 	"tailscale.com/util/deephash"
 )
 
@@ -90,9 +76,7 @@ func main() {
 		AuthKey:         defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
 		Hostname:        defaultEnv("TS_HOSTNAME", ""),
 		Routes:          defaultEnv("TS_ROUTES", ""),
-		ServeConfigPath: defaultEnv("TS_SERVE_CONFIG", ""),
 		ProxyTo:         defaultEnv("TS_DEST_IP", ""),
-		TailnetTargetIP: defaultEnv("TS_TAILNET_TARGET_IP", ""),
 		DaemonExtraArgs: defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
 		ExtraArgs:       defaultEnv("TS_EXTRA_ARGS", ""),
 		InKubernetes:    os.Getenv("KUBERNETES_SERVICE_HOST") != "",
@@ -111,16 +95,12 @@ func main() {
 		log.Fatal("TS_DEST_IP is not supported with TS_USERSPACE")
 	}
 
-	if cfg.TailnetTargetIP != "" && cfg.UserspaceMode {
-		log.Fatal("TS_TAILNET_TARGET_IP is not supported with TS_USERSPACE")
-	}
-
 	if !cfg.UserspaceMode {
 		if err := ensureTunFile(cfg.Root); err != nil {
 			log.Fatalf("Unable to create tuntap device file: %v", err)
 		}
-		if cfg.ProxyTo != "" || cfg.Routes != "" || cfg.TailnetTargetIP != "" {
-			if err := ensureIPForwarding(cfg.Root, cfg.ProxyTo, cfg.TailnetTargetIP, cfg.Routes); err != nil {
+		if cfg.ProxyTo != "" || cfg.Routes != "" {
+			if err := ensureIPForwarding(cfg.Root, cfg.ProxyTo, cfg.Routes); err != nil {
 				log.Printf("Failed to enable IP forwarding: %v", err)
 				log.Printf("To run tailscale as a proxy or router container, IP forwarding must be enabled.")
 				if cfg.InKubernetes {
@@ -139,18 +119,18 @@ func main() {
 	// Context is used for all setup stuff until we're in steady
 	// state, so that if something is hanging we eventually time out
 	// and crashloop the container.
-	bootCtx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
 	defer cancel()
 
 	if cfg.InKubernetes && cfg.KubeSecret != "" {
-		canPatch, err := kc.CheckSecretPermissions(bootCtx, cfg.KubeSecret)
+		canPatch, err := kc.CheckSecretPermissions(ctx, cfg.KubeSecret)
 		if err != nil {
 			log.Fatalf("Some Kubernetes permissions are missing, please check your RBAC configuration: %v", err)
 		}
 		cfg.KubernetesCanPatch = canPatch
 
 		if cfg.AuthKey == "" {
-			key, err := findKeyInKubeSecret(bootCtx, cfg.KubeSecret)
+			key, err := findKeyInKubeSecret(ctx, cfg.KubeSecret)
 			if err != nil {
 				log.Fatalf("Getting authkey from kube secret: %v", err)
 			}
@@ -173,12 +153,12 @@ func main() {
 		}
 	}
 
-	client, daemonPid, err := startTailscaled(bootCtx, cfg)
+	client, daemonPid, err := startTailscaled(ctx, cfg)
 	if err != nil {
 		log.Fatalf("failed to bring up tailscale: %v", err)
 	}
 
-	w, err := client.WatchIPNBus(bootCtx, ipn.NotifyInitialNetMap|ipn.NotifyInitialPrefs|ipn.NotifyInitialState)
+	w, err := client.WatchIPNBus(ctx, ipn.NotifyInitialNetMap|ipn.NotifyInitialPrefs|ipn.NotifyInitialState)
 	if err != nil {
 		log.Fatalf("failed to watch tailscaled for updates: %v", err)
 	}
@@ -197,10 +177,10 @@ func main() {
 		}
 		didLogin = true
 		w.Close()
-		if err := tailscaleLogin(bootCtx, cfg); err != nil {
+		if err := tailscaleUp(ctx, cfg); err != nil {
 			return fmt.Errorf("failed to auth tailscale: %v", err)
 		}
-		w, err = client.WatchIPNBus(bootCtx, ipn.NotifyInitialNetMap|ipn.NotifyInitialState)
+		w, err = client.WatchIPNBus(ctx, ipn.NotifyInitialNetMap|ipn.NotifyInitialState)
 		if err != nil {
 			return fmt.Errorf("rewatching tailscaled for updates after auth: %v", err)
 		}
@@ -244,20 +224,6 @@ authLoop:
 
 	w.Close()
 
-	ctx, cancel := context.WithCancel(context.Background()) // no deadline now that we're in steady state
-	defer cancel()
-
-	// Now that we are authenticated, we can set/reset any of the
-	// settings that we need to.
-	if err := tailscaleSet(ctx, cfg); err != nil {
-		log.Fatalf("failed to auth tailscale: %v", err)
-	}
-	// Remove any serve config that may have been set by a previous
-	// run of containerboot.
-	if err := client.SetServeConfig(ctx, new(ipn.ServeConfig)); err != nil {
-		log.Fatalf("failed to unset serve config: %v", err)
-	}
-
 	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && cfg.AuthOnce {
 		// We were told to only auth once, so any secret-bound
 		// authkey is no longer needed. We don't strictly need to
@@ -268,24 +234,18 @@ authLoop:
 		}
 	}
 
-	w, err = client.WatchIPNBus(ctx, ipn.NotifyInitialNetMap|ipn.NotifyInitialState)
+	w, err = client.WatchIPNBus(context.Background(), ipn.NotifyInitialNetMap|ipn.NotifyInitialState)
 	if err != nil {
 		log.Fatalf("rewatching tailscaled for updates after auth: %v", err)
 	}
 
 	var (
-		wantProxy         = cfg.ProxyTo != "" || cfg.TailnetTargetIP != ""
+		wantProxy         = cfg.ProxyTo != ""
 		wantDeviceInfo    = cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch
 		startupTasksDone  = false
 		currentIPs        deephash.Sum // tailscale IPs assigned to device
 		currentDeviceInfo deephash.Sum // device ID and fqdn
-
-		certDomain        = new(atomic.Pointer[string])
-		certDomainChanged = make(chan bool, 1)
 	)
-	if cfg.ServeConfigPath != "" {
-		go watchServeConfigChanges(ctx, cfg.ServeConfigPath, certDomainChanged, certDomain, client)
-	}
 	for {
 		n, err := w.Next()
 		if err != nil {
@@ -301,35 +261,14 @@ authLoop:
 			log.Fatalf("tailscaled left running state (now in state %q), exiting", *n.State)
 		}
 		if n.NetMap != nil {
-			addrs := n.NetMap.SelfNode.Addresses().AsSlice()
-			newCurrentIPs := deephash.Hash(&addrs)
-			ipsHaveChanged := newCurrentIPs != currentIPs
-			if cfg.ProxyTo != "" && len(addrs) > 0 && ipsHaveChanged {
-				log.Printf("Installing proxy rules")
-				if err := installIngressForwardingRule(ctx, cfg.ProxyTo, addrs); err != nil {
-					log.Fatalf("installing ingress proxy rules: %v", err)
+			if cfg.ProxyTo != "" && len(n.NetMap.Addresses) > 0 && deephash.Update(&currentIPs, &n.NetMap.Addresses) {
+				if err := installIPTablesRule(ctx, cfg.ProxyTo, n.NetMap.Addresses); err != nil {
+					log.Fatalf("installing proxy rules: %v", err)
 				}
 			}
-			if cfg.ServeConfigPath != "" && len(n.NetMap.DNS.CertDomains) > 0 {
-				cd := n.NetMap.DNS.CertDomains[0]
-				prev := certDomain.Swap(ptr.To(cd))
-				if prev == nil || *prev != cd {
-					select {
-					case certDomainChanged <- true:
-					default:
-					}
-				}
-			}
-			if cfg.TailnetTargetIP != "" && ipsHaveChanged && len(addrs) > 0 {
-				if err := installEgressForwardingRule(ctx, cfg.TailnetTargetIP, addrs); err != nil {
-					log.Fatalf("installing egress proxy rules: %v", err)
-				}
-			}
-			currentIPs = newCurrentIPs
-
-			deviceInfo := []any{n.NetMap.SelfNode.StableID(), n.NetMap.SelfNode.Name()}
+			deviceInfo := []any{n.NetMap.SelfNode.StableID, n.NetMap.SelfNode.Name}
 			if cfg.InKubernetes && cfg.KubernetesCanPatch && cfg.KubeSecret != "" && deephash.Update(&currentDeviceInfo, &deviceInfo) {
-				if err := storeDeviceInfo(ctx, cfg.KubeSecret, n.NetMap.SelfNode.StableID(), n.NetMap.SelfNode.Name(), n.NetMap.SelfNode.Addresses().AsSlice()); err != nil {
+				if err := storeDeviceInfo(ctx, cfg.KubeSecret, n.NetMap.SelfNode.StableID, n.NetMap.SelfNode.Name); err != nil {
 					log.Fatalf("storing device ID in kube secret: %v", err)
 				}
 			}
@@ -366,79 +305,6 @@ authLoop:
 	}
 }
 
-// watchServeConfigChanges watches path for changes, and when it sees one, reads
-// the serve config from it, replacing ${TS_CERT_DOMAIN} with certDomain, and
-// applies it to lc. It exits when ctx is canceled. cdChanged is a channel that
-// is written to when the certDomain changes, causing the serve config to be
-// re-read and applied.
-func watchServeConfigChanges(ctx context.Context, path string, cdChanged <-chan bool, certDomainAtomic *atomic.Pointer[string], lc *tailscale.LocalClient) {
-	if certDomainAtomic == nil {
-		panic("cd must not be nil")
-	}
-	var tickChan <-chan time.Time
-	w, err := fsnotify.NewWatcher()
-	if err != nil {
-		log.Printf("failed to create fsnotify watcher, timer-only mode: %v", err)
-		ticker := time.NewTicker(5 * time.Second)
-		defer ticker.Stop()
-		tickChan = ticker.C
-	} else {
-		defer w.Close()
-	}
-
-	if err := w.Add(filepath.Dir(path)); err != nil {
-		log.Fatalf("failed to add fsnotify watch: %v", err)
-	}
-	var certDomain string
-	var prevServeConfig *ipn.ServeConfig
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-cdChanged:
-			certDomain = *certDomainAtomic.Load()
-		case <-tickChan:
-		case <-w.Events:
-			// We can't do any reasonable filtering on the event because of how
-			// k8s handles these mounts. So just re-read the file and apply it
-			// if it's changed.
-		}
-		if certDomain == "" {
-			continue
-		}
-		sc, err := readServeConfig(path, certDomain)
-		if err != nil {
-			log.Fatalf("failed to read serve config: %v", err)
-		}
-		if prevServeConfig != nil && reflect.DeepEqual(sc, prevServeConfig) {
-			continue
-		}
-		log.Printf("Applying serve config")
-		if err := lc.SetServeConfig(ctx, sc); err != nil {
-			log.Fatalf("failed to set serve config: %v", err)
-		}
-		prevServeConfig = sc
-	}
-}
-
-// readServeConfig reads the ipn.ServeConfig from path, replacing
-// ${TS_CERT_DOMAIN} with certDomain.
-func readServeConfig(path, certDomain string) (*ipn.ServeConfig, error) {
-	if path == "" {
-		return nil, nil
-	}
-	j, err := os.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-	j = bytes.ReplaceAll(j, []byte("${TS_CERT_DOMAIN}"), []byte(certDomain))
-	var sc ipn.ServeConfig
-	if err := json.Unmarshal(j, &sc); err != nil {
-		return nil, err
-	}
-	return &sc, nil
-}
-
 func startTailscaled(ctx context.Context, cfg *settings) (*tailscale.LocalClient, int, error) {
 	args := tailscaledArgs(cfg)
 	sigCh := make(chan os.Signal, 1)
@@ -519,48 +385,32 @@ func tailscaledArgs(cfg *settings) []string {
 	return args
 }
 
-// tailscaleLogin uses cfg to run 'tailscale login' everytime containerboot
-// starts, or if TS_AUTH_ONCE is set, only the first time containerboot starts.
-func tailscaleLogin(ctx context.Context, cfg *settings) error {
-	args := []string{"--socket=" + cfg.Socket, "login"}
-	if cfg.AuthKey != "" {
-		args = append(args, "--authkey="+cfg.AuthKey)
-	}
-	if cfg.ExtraArgs != "" {
-		args = append(args, strings.Fields(cfg.ExtraArgs)...)
-	}
-	log.Printf("Running 'tailscale login'")
-	cmd := exec.CommandContext(ctx, "tailscale", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("tailscale login failed: %v", err)
-	}
-	return nil
-}
-
-// tailscaleSet uses cfg to run 'tailscale set' to set any known configuration
-// options that are passed in via environment variables. This is run after the
-// node is in Running state.
-func tailscaleSet(ctx context.Context, cfg *settings) error {
-	args := []string{"--socket=" + cfg.Socket, "set"}
+// tailscaleUp uses cfg to run 'tailscale up'.
+func tailscaleUp(ctx context.Context, cfg *settings) error {
+	args := []string{"--socket=" + cfg.Socket, "up"}
 	if cfg.AcceptDNS {
 		args = append(args, "--accept-dns=true")
 	} else {
 		args = append(args, "--accept-dns=false")
 	}
+	if cfg.AuthKey != "" {
+		args = append(args, "--authkey="+cfg.AuthKey)
+	}
 	if cfg.Routes != "" {
 		args = append(args, "--advertise-routes="+cfg.Routes)
 	}
 	if cfg.Hostname != "" {
 		args = append(args, "--hostname="+cfg.Hostname)
 	}
-	log.Printf("Running 'tailscale set'")
+	if cfg.ExtraArgs != "" {
+		args = append(args, strings.Fields(cfg.ExtraArgs)...)
+	}
+	log.Printf("Running 'tailscale up'")
 	cmd := exec.CommandContext(ctx, "tailscale", args...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("tailscale set failed: %v", err)
+		return fmt.Errorf("tailscale up failed: %v", err)
 	}
 	return nil
 }
@@ -585,25 +435,14 @@ func ensureTunFile(root string) error {
 }
 
 // ensureIPForwarding enables IPv4/IPv6 forwarding for the container.
-func ensureIPForwarding(root, clusterProxyTarget, tailnetTargetiP, routes string) error {
+func ensureIPForwarding(root, proxyTo, routes string) error {
 	var (
 		v4Forwarding, v6Forwarding bool
 	)
-	if clusterProxyTarget != "" {
-		proxyIP, err := netip.ParseAddr(clusterProxyTarget)
+	if proxyTo != "" {
+		proxyIP, err := netip.ParseAddr(proxyTo)
 		if err != nil {
-			return fmt.Errorf("invalid cluster destination IP: %v", err)
-		}
-		if proxyIP.Is4() {
-			v4Forwarding = true
-		} else {
-			v6Forwarding = true
-		}
-	}
-	if tailnetTargetiP != "" {
-		proxyIP, err := netip.ParseAddr(tailnetTargetiP)
-		if err != nil {
-			return fmt.Errorf("invalid tailnet destination IP: %v", err)
+			return fmt.Errorf("invalid proxy destination IP: %v", err)
 		}
 		if proxyIP.Is4() {
 			v4Forwarding = true
@@ -653,53 +492,7 @@ func ensureIPForwarding(root, clusterProxyTarget, tailnetTargetiP, routes string
 	return nil
 }
 
-func installEgressForwardingRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix) error {
-	dst, err := netip.ParseAddr(dstStr)
-	if err != nil {
-		return err
-	}
-	argv0 := "iptables"
-	if dst.Is6() {
-		argv0 = "ip6tables"
-	}
-	var local string
-	for _, pfx := range tsIPs {
-		if !pfx.IsSingleIP() {
-			continue
-		}
-		if pfx.Addr().Is4() != dst.Is4() {
-			continue
-		}
-		local = pfx.Addr().String()
-		break
-	}
-	if local == "" {
-		return fmt.Errorf("no tailscale IP matching family of %s found in %v", dstStr, tsIPs)
-	}
-	// Technically, if the control server ever changes the IPs assigned to this
-	// node, we'll slowly accumulate iptables rules. This shouldn't happen, so
-	// for now we'll live with it.
-	// Set up a rule that ensures that all packets
-	// except for those received on tailscale0 interface is forwarded to
-	// destination address
-	cmdDNAT := exec.CommandContext(ctx, argv0, "-t", "nat", "-I", "PREROUTING", "1", "!", "-i", "tailscale0", "-j", "DNAT", "--to-destination", dstStr)
-	cmdDNAT.Stdout = os.Stdout
-	cmdDNAT.Stderr = os.Stderr
-	if err := cmdDNAT.Run(); err != nil {
-		return fmt.Errorf("executing iptables failed: %w", err)
-	}
-	// Set up a rule that ensures that all packets sent to the destination
-	// address will have the proxy's IP set as source IP
-	cmdSNAT := exec.CommandContext(ctx, argv0, "-t", "nat", "-I", "POSTROUTING", "1", "--destination", dstStr, "-j", "SNAT", "--to-source", local)
-	cmdSNAT.Stdout = os.Stdout
-	cmdSNAT.Stderr = os.Stderr
-	if err := cmdSNAT.Run(); err != nil {
-		return fmt.Errorf("setting up SNAT via iptables failed: %w", err)
-	}
-	return nil
-}
-
-func installIngressForwardingRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix) error {
+func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix) error {
 	dst, err := netip.ParseAddr(dstStr)
 	if err != nil {
 		return err
@@ -736,18 +529,10 @@ func installIngressForwardingRule(ctx context.Context, dstStr string, tsIPs []ne
 
 // settings is all the configuration for containerboot.
 type settings struct {
-	AuthKey  string
-	Hostname string
-	Routes   string
-	// ProxyTo is the destination IP to which all incoming
-	// Tailscale traffic should be proxied. If empty, no proxying
-	// is done. This is typically a locally reachable IP.
-	ProxyTo string
-	// TailnetTargetIP is the destination IP to which all incoming
-	// non-Tailscale traffic should be proxied. If empty, no
-	// proxying is done. This is typically a Tailscale IP.
-	TailnetTargetIP    string
-	ServeConfigPath    string
+	AuthKey            string
+	Hostname           string
+	Routes             string
+	ProxyTo            string
 	DaemonExtraArgs    string
 	ExtraArgs          string
 	InKubernetes       bool

cmd/containerboot/main_test.go

@@ -112,11 +112,11 @@ func TestContainerBoot(t *testing.T) {
 	runningNotify := &ipn.Notify{
 		State: ptr.To(ipn.Running),
 		NetMap: &netmap.NetworkMap{
-			SelfNode: (&tailcfg.Node{
-				StableID:  tailcfg.StableNodeID("myID"),
-				Name:      "test-node.test.ts.net",
-				Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
-			}).View(),
+			SelfNode: &tailcfg.Node{
+				StableID: tailcfg.StableNodeID("myID"),
+				Name:     "test-node.test.ts.net",
+			},
+			Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
 		},
 	}
 	tests := []struct {
@@ -134,14 +134,11 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
 					},
 				},
 				{
 					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-					},
 				},
 			},
 		},
@@ -155,14 +152,11 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
 				},
 				{
 					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-					},
 				},
 			},
 		},
@@ -176,14 +170,11 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
 				},
 				{
 					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-					},
 				},
 			},
 		},
@@ -197,14 +188,11 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
 				},
 				{
 					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-					},
 				},
 			},
 		},
@@ -218,7 +206,7 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=1.2.3.0/24,10.20.30.0/24",
 					},
 				},
 				{
@@ -227,9 +215,6 @@ func TestContainerBoot(t *testing.T) {
 						"proc/sys/net/ipv4/ip_forward":          "0",
 						"proc/sys/net/ipv6/conf/all/forwarding": "0",
 					},
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false --advertise-routes=1.2.3.0/24,10.20.30.0/24",
-					},
 				},
 			},
 		},
@@ -244,7 +229,7 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=1.2.3.0/24,10.20.30.0/24",
 					},
 				},
 				{
@@ -253,9 +238,6 @@ func TestContainerBoot(t *testing.T) {
 						"proc/sys/net/ipv4/ip_forward":          "1",
 						"proc/sys/net/ipv6/conf/all/forwarding": "0",
 					},
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false --advertise-routes=1.2.3.0/24,10.20.30.0/24",
-					},
 				},
 			},
 		},
@@ -270,7 +252,7 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=::/64,1::/64",
 					},
 				},
 				{
@@ -279,9 +261,6 @@ func TestContainerBoot(t *testing.T) {
 						"proc/sys/net/ipv4/ip_forward":          "0",
 						"proc/sys/net/ipv6/conf/all/forwarding": "1",
 					},
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false --advertise-routes=::/64,1::/64",
-					},
 				},
 			},
 		},
@@ -296,7 +275,7 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key --advertise-routes=::/64,1.2.3.0/24",
 					},
 				},
 				{
@@ -305,14 +284,11 @@ func TestContainerBoot(t *testing.T) {
 						"proc/sys/net/ipv4/ip_forward":          "1",
 						"proc/sys/net/ipv6/conf/all/forwarding": "1",
 					},
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false --advertise-routes=::/64,1.2.3.0/24",
-					},
 				},
 			},
 		},
 		{
-			Name: "ingres proxy",
+			Name: "proxy",
 			Env: map[string]string{
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_DEST_IP":   "1.2.3.4",
@@ -322,42 +298,17 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
 				},
 				{
 					Notify: runningNotify,
 					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
 						"/usr/bin/iptables -t nat -I PREROUTING 1 -d 100.64.0.1 -j DNAT --to-destination 1.2.3.4",
 					},
 				},
 			},
 		},
-		{
-			Name: "egress proxy",
-			Env: map[string]string{
-				"TS_AUTHKEY":           "tskey-key",
-				"TS_TAILNET_TARGET_IP": "100.99.99.99",
-				"TS_USERSPACE":         "false",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
-					},
-				},
-				{
-					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-						"/usr/bin/iptables -t nat -I PREROUTING 1 ! -i tailscale0 -j DNAT --to-destination 100.99.99.99",
-						"/usr/bin/iptables -t nat -I POSTROUTING 1 --destination 100.99.99.99 -j SNAT --to-source 100.64.0.1",
-					},
-				},
-			},
-		},
 		{
 			Name: "authkey_once",
 			Env: map[string]string{
@@ -375,14 +326,11 @@ func TestContainerBoot(t *testing.T) {
 						State: ptr.To(ipn.NeedsLogin),
 					},
 					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
 				},
 				{
 					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-					},
 				},
 			},
 		},
@@ -399,7 +347,7 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
 					WantKubeSecret: map[string]string{
 						"authkey": "tskey-key",
@@ -407,14 +355,10 @@ func TestContainerBoot(t *testing.T) {
 				},
 				{
 					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-					},
 					WantKubeSecret: map[string]string{
 						"authkey":     "tskey-key",
 						"device_fqdn": "test-node.test.ts.net",
 						"device_id":   "myID",
-						"device_ips":  `["100.64.0.1"]`,
 					},
 				},
 			},
@@ -434,15 +378,12 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
 					WantKubeSecret: map[string]string{},
 				},
 				{
-					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-					},
+					Notify:         runningNotify,
 					WantKubeSecret: map[string]string{},
 				},
 			},
@@ -460,15 +401,12 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
 					WantKubeSecret: map[string]string{},
 				},
 				{
-					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-					},
+					Notify:         runningNotify,
 					WantKubeSecret: map[string]string{},
 				},
 			},
@@ -498,7 +436,7 @@ func TestContainerBoot(t *testing.T) {
 						State: ptr.To(ipn.NeedsLogin),
 					},
 					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
 					WantKubeSecret: map[string]string{
 						"authkey": "tskey-key",
@@ -506,13 +444,9 @@ func TestContainerBoot(t *testing.T) {
 				},
 				{
 					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-					},
 					WantKubeSecret: map[string]string{
 						"device_fqdn": "test-node.test.ts.net",
 						"device_id":   "myID",
-						"device_ips":  `["100.64.0.1"]`,
 					},
 				},
 			},
@@ -530,7 +464,7 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=kube:tailscale --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --authkey=tskey-key",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
 					WantKubeSecret: map[string]string{
 						"authkey": "tskey-key",
@@ -538,32 +472,27 @@ func TestContainerBoot(t *testing.T) {
 				},
 				{
 					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-					},
 					WantKubeSecret: map[string]string{
 						"authkey":     "tskey-key",
 						"device_fqdn": "test-node.test.ts.net",
 						"device_id":   "myID",
-						"device_ips":  `["100.64.0.1"]`,
 					},
 				},
 				{
 					Notify: &ipn.Notify{
 						State: ptr.To(ipn.Running),
 						NetMap: &netmap.NetworkMap{
-							SelfNode: (&tailcfg.Node{
-								StableID:  tailcfg.StableNodeID("newID"),
-								Name:      "new-name.test.ts.net",
-								Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
-							}).View(),
+							SelfNode: &tailcfg.Node{
+								StableID: tailcfg.StableNodeID("newID"),
+								Name:     "new-name.test.ts.net",
+							},
+							Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
 						},
 					},
 					WantKubeSecret: map[string]string{
 						"authkey":     "tskey-key",
 						"device_fqdn": "new-name.test.ts.net",
 						"device_id":   "newID",
-						"device_ips":  `["100.64.0.1"]`,
 					},
 				},
 			},
@@ -578,14 +507,11 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --socks5-server=localhost:1080 --outbound-http-proxy-listen=localhost:8080",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false",
 					},
 				},
 				{
 					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-					},
 				},
 			},
 		},
@@ -598,14 +524,11 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=true",
 					},
 				},
 				{
 					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=true",
-					},
 				},
 			},
 		},
@@ -619,14 +542,10 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --experiments=widgets",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login --widget=rotated",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --widget=rotated",
 					},
-				},
-				{
+				}, {
 					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
-					},
 				},
 			},
 		},
@@ -639,14 +558,10 @@ func TestContainerBoot(t *testing.T) {
 				{
 					WantCmds: []string{
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock login",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --hostname=my-server",
 					},
-				},
-				{
+				}, {
 					Notify: runningNotify,
-					WantCmds: []string{
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false --hostname=my-server",
-					},
 				},
 			},
 		},
@@ -687,7 +602,7 @@ func TestContainerBoot(t *testing.T) {
 				t.Fatalf("starting containerboot: %v", err)
 			}
 			defer func() {
-				cmd.Process.Signal(unix.SIGKILL)
+				cmd.Process.Signal(unix.SIGTERM)
 				cmd.Process.Wait()
 			}()
 
@@ -875,17 +790,10 @@ func (l *localAPI) Notify(n *ipn.Notify) {
 }
 
 func (l *localAPI) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	switch r.URL.Path {
-	case "/localapi/v0/serve-config":
-		if r.Method != "POST" {
-			panic(fmt.Sprintf("unsupported method %q", r.Method))
-		}
-		return
-	case "/localapi/v0/watch-ipn-bus":
-		if r.Method != "GET" {
-			panic(fmt.Sprintf("unsupported method %q", r.Method))
-		}
-	default:
+	if r.Method != "GET" {
+		panic(fmt.Sprintf("unsupported method %q", r.Method))
+	}
+	if r.URL.Path != "/localapi/v0/watch-ipn-bus" {
 		panic(fmt.Sprintf("unsupported path %q", r.URL.Path))
 	}
 

cmd/derper/bootstrap_dns.go

@@ -25,7 +25,6 @@ var (
 	dnsCache            syncs.AtomicValue[dnsEntryMap]
 	dnsCacheBytes       syncs.AtomicValue[[]byte] // of JSON
 	unpublishedDNSCache syncs.AtomicValue[dnsEntryMap]
-	bootstrapLookupMap  syncs.Map[string, bool]
 )
 
 var (
@@ -36,12 +35,6 @@ var (
 	unpublishedDNSMisses = expvar.NewInt("counter_bootstrap_dns_unpublished_misses")
 )
 
-func init() {
-	expvar.Publish("counter_bootstrap_dns_queried_domains", expvar.Func(func() any {
-		return bootstrapLookupMap.Len()
-	}))
-}
-
 func refreshBootstrapDNSLoop() {
 	if *bootstrapDNS == "" && *unpublishedDNS == "" {
 		return
@@ -114,7 +107,6 @@ func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
 
 	// Try answering a query from our hidden map first
 	if q := r.URL.Query().Get("q"); q != "" {
-		bootstrapLookupMap.Store(q, true)
 		if ips, ok := unpublishedDNSCache.Load()[q]; ok && len(ips) > 0 {
 			unpublishedDNSHits.Add(1)
 

cmd/derper/bootstrap_dns_test.go

@@ -98,7 +98,6 @@ func resetMetrics() {
 	publishedDNSMisses.Set(0)
 	unpublishedDNSHits.Set(0)
 	unpublishedDNSMisses.Set(0)
-	bootstrapLookupMap.Clear()
 }
 
 // Verify that we don't count an empty list in the unpublishedDNSCache as a
@@ -149,17 +148,4 @@ func TestUnpublishedDNSEmptyList(t *testing.T) {
 			t.Errorf("got misses=%d; want 0", v)
 		}
 	})
-
-}
-
-func TestLookupMetric(t *testing.T) {
-	d := []string{"a.io", "b.io", "c.io", "d.io", "e.io", "e.io", "e.io", "a.io"}
-	resetMetrics()
-	for _, q := range d {
-		_ = getBootstrapDNS(t, q)
-	}
-	// {"a.io": true, "b.io": true, "c.io": true, "d.io": true, "e.io": true}
-	if bootstrapLookupMap.Len() != 5 {
-		t.Errorf("bootstrapLookupMap.Len() want=5, got %v", bootstrapLookupMap.Len())
-	}
 }

cmd/derper/depaware.txt

@@ -13,7 +13,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
      💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
    L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
-   W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
         github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil+
@@ -136,7 +135,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/types/structs                                  from tailscale.com/ipn+
         tailscale.com/types/tkatype                                  from tailscale.com/types/key+
         tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
-        tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy+
+   W    tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy
         tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
    W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
         tailscale.com/util/cmpx                                      from tailscale.com/cmd/derper+
@@ -169,6 +168,9 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
+        golang.org/x/exp/maps                                        from tailscale.com/types/views
+        golang.org/x/exp/slices                                      from tailscale.com/net/tsaddr+
    L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from net/http
@@ -191,7 +193,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         golang.org/x/time/rate                                       from tailscale.com/cmd/derper+
         bufio                                                        from compress/flate+
         bytes                                                        from bufio+
-        cmp                                                          from slices
         compress/flate                                               from compress/gzip+
         compress/gzip                                                from internal/profile+
         container/list                                               from crypto/tls+
@@ -241,7 +242,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         io/ioutil                                                    from github.com/mitchellh/go-ps+
         log                                                          from expvar+
         log/internal                                                 from log
-        maps                                                         from tailscale.com/types/views+
         math                                                         from compress/flate+
         math/big                                                     from crypto/dsa+
         math/bits                                                    from compress/flate+
@@ -269,7 +269,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
         runtime/pprof                                                from net/http/pprof
         runtime/trace                                                from net/http/pprof
-        slices                                                       from tailscale.com/ipn+
         sort                                                         from compress/flate+
         strconv                                                      from compress/flate+
         strings                                                      from bufio+

cmd/derper/websocket.go

@@ -50,7 +50,7 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 			return
 		}
 		counterWebSocketAccepts.Add(1)
-		wc := wsconn.NetConn(r.Context(), c, websocket.MessageBinary, r.RemoteAddr)
+		wc := wsconn.NetConn(r.Context(), c, websocket.MessageBinary)
 		brw := bufio.NewReadWriter(bufio.NewReader(wc), bufio.NewWriter(wc))
 		s.Accept(r.Context(), wc, brw, r.RemoteAddr)
 	})

cmd/dist/dist.go

@@ -19,10 +19,10 @@ import (
 
 var synologyPackageCenter bool
 
-func getTargets() ([]dist.Target, error) {
+func getTargets(signers unixpkgs.Signers) ([]dist.Target, error) {
 	var ret []dist.Target
 
-	ret = append(ret, unixpkgs.Targets(unixpkgs.Signers{})...)
+	ret = append(ret, unixpkgs.Targets(signers)...)
 	// Synology packages can be built either for sideloading, or for
 	// distribution by Synology in their package center. When
 	// distributed through the package center, apps can request
@@ -33,7 +33,7 @@ func getTargets() ([]dist.Target, error) {
 	// Since only we can provide packages to Synology for
 	// distribution, we default to building the "sideload" variant of
 	// packages that we distribute on pkgs.tailscale.com.
-	ret = append(ret, synology.Targets(synologyPackageCenter, nil)...)
+	ret = append(ret, synology.Targets(synologyPackageCenter)...)
 	return ret, nil
 }
 

cmd/gitops-pusher/README.md

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
       
       - name: Setup Go environment
         uses: actions/setup-go@v3.2.0

cmd/k8s-operator/ingress.go

@@ -1,264 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !plan9
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"sync"
-
-	"go.uber.org/zap"
-	"golang.org/x/exp/slices"
-	corev1 "k8s.io/api/core/v1"
-	networkingv1 "k8s.io/api/networking/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/tools/record"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"tailscale.com/ipn"
-	"tailscale.com/types/opt"
-	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/set"
-)
-
-type IngressReconciler struct {
-	client.Client
-
-	recorder record.EventRecorder
-	ssr      *tailscaleSTSReconciler
-	logger   *zap.SugaredLogger
-
-	mu sync.Mutex // protects following
-
-	// managedIngresses is a set of all ingress resources that we're currently
-	// managing. This is only used for metrics.
-	managedIngresses set.Slice[types.UID]
-}
-
-var (
-	// gaugeIngressResources tracks the number of ingress resources that we're
-	// currently managing.
-	gaugeIngressResources = clientmetric.NewGauge("k8s_ingress_resources")
-)
-
-func (a *IngressReconciler) Reconcile(ctx context.Context, req reconcile.Request) (_ reconcile.Result, err error) {
-	logger := a.logger.With("ingress-ns", req.Namespace, "ingress-name", req.Name)
-	logger.Debugf("starting reconcile")
-	defer logger.Debugf("reconcile finished")
-
-	ing := new(networkingv1.Ingress)
-	err = a.Get(ctx, req.NamespacedName, ing)
-	if apierrors.IsNotFound(err) {
-		// Request object not found, could have been deleted after reconcile request.
-		logger.Debugf("ingress not found, assuming it was deleted")
-		return reconcile.Result{}, nil
-	} else if err != nil {
-		return reconcile.Result{}, fmt.Errorf("failed to get ing: %w", err)
-	}
-	if !ing.DeletionTimestamp.IsZero() || !a.shouldExpose(ing) {
-		logger.Debugf("ingress is being deleted or should not be exposed, cleaning up")
-		return reconcile.Result{}, a.maybeCleanup(ctx, logger, ing)
-	}
-
-	return reconcile.Result{}, a.maybeProvision(ctx, logger, ing)
-}
-
-func (a *IngressReconciler) maybeCleanup(ctx context.Context, logger *zap.SugaredLogger, ing *networkingv1.Ingress) error {
-	ix := slices.Index(ing.Finalizers, FinalizerName)
-	if ix < 0 {
-		logger.Debugf("no finalizer, nothing to do")
-		a.mu.Lock()
-		defer a.mu.Unlock()
-		a.managedIngresses.Remove(ing.UID)
-		gaugeIngressResources.Set(int64(a.managedIngresses.Len()))
-		return nil
-	}
-
-	if done, err := a.ssr.Cleanup(ctx, logger, childResourceLabels(ing.Name, ing.Namespace, "ingress")); err != nil {
-		return fmt.Errorf("failed to cleanup: %w", err)
-	} else if !done {
-		logger.Debugf("cleanup not done yet, waiting for next reconcile")
-		return nil
-	}
-
-	ing.Finalizers = append(ing.Finalizers[:ix], ing.Finalizers[ix+1:]...)
-	if err := a.Update(ctx, ing); err != nil {
-		return fmt.Errorf("failed to remove finalizer: %w", err)
-	}
-
-	// Unlike most log entries in the reconcile loop, this will get printed
-	// exactly once at the very end of cleanup, because the final step of
-	// cleanup removes the tailscale finalizer, which will make all future
-	// reconciles exit early.
-	logger.Infof("unexposed ingress from tailnet")
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	a.managedIngresses.Remove(ing.UID)
-	gaugeIngressResources.Set(int64(a.managedIngresses.Len()))
-	return nil
-}
-
-// maybeProvision ensures that ing is exposed over tailscale, taking any actions
-// necessary to reach that state.
-//
-// This function adds a finalizer to ing, ensuring that we can handle orderly
-// deprovisioning later.
-func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.SugaredLogger, ing *networkingv1.Ingress) error {
-	if !slices.Contains(ing.Finalizers, FinalizerName) {
-		// This log line is printed exactly once during initial provisioning,
-		// because once the finalizer is in place this block gets skipped. So,
-		// this is a nice place to tell the operator that the high level,
-		// multi-reconcile operation is underway.
-		logger.Infof("exposing ingress over tailscale")
-		ing.Finalizers = append(ing.Finalizers, FinalizerName)
-		if err := a.Update(ctx, ing); err != nil {
-			return fmt.Errorf("failed to add finalizer: %w", err)
-		}
-	}
-	a.mu.Lock()
-	a.managedIngresses.Add(ing.UID)
-	gaugeIngressResources.Set(int64(a.managedIngresses.Len()))
-	a.mu.Unlock()
-
-	if !a.ssr.IsHTTPSEnabledOnTailnet() {
-		a.recorder.Event(ing, corev1.EventTypeWarning, "HTTPSNotEnabled", "HTTPS is not enabled on the tailnet; ingress may not work")
-	}
-
-	// magic443 is a fake hostname that we can use to tell containerboot to swap
-	// out with the real hostname once it's known.
-	const magic443 = "${TS_CERT_DOMAIN}:443"
-	sc := &ipn.ServeConfig{
-		TCP: map[uint16]*ipn.TCPPortHandler{
-			443: {
-				HTTPS: true,
-			},
-		},
-		Web: map[ipn.HostPort]*ipn.WebServerConfig{
-			magic443: {
-				Handlers: map[string]*ipn.HTTPHandler{},
-			},
-		},
-	}
-	if opt.Bool(ing.Annotations[AnnotationFunnel]).EqualBool(true) {
-		sc.AllowFunnel = map[ipn.HostPort]bool{
-			magic443: true,
-		}
-	}
-
-	web := sc.Web[magic443]
-	addIngressBackend := func(b *networkingv1.IngressBackend, path string) {
-		if b == nil {
-			return
-		}
-		if b.Service == nil {
-			a.recorder.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "backend for path %q is missing service", path)
-			return
-		}
-		var svc corev1.Service
-		if err := a.Get(ctx, types.NamespacedName{Namespace: ing.Namespace, Name: b.Service.Name}, &svc); err != nil {
-			a.recorder.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "failed to get service %q for path %q: %v", b.Service.Name, path, err)
-			return
-		}
-		if svc.Spec.ClusterIP == "" || svc.Spec.ClusterIP == "None" {
-			a.recorder.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "backend for path %q has invalid ClusterIP", path)
-			return
-		}
-		var port int32
-		if b.Service.Port.Name != "" {
-			for _, p := range svc.Spec.Ports {
-				if p.Name == b.Service.Port.Name {
-					port = p.Port
-					break
-				}
-			}
-		} else {
-			port = b.Service.Port.Number
-		}
-		if port == 0 {
-			a.recorder.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "backend for path %q has invalid port", path)
-			return
-		}
-		proto := "http://"
-		if port == 443 || b.Service.Port.Name == "https" {
-			proto = "https+insecure://"
-		}
-		web.Handlers[path] = &ipn.HTTPHandler{
-			Proxy: proto + svc.Spec.ClusterIP + ":" + fmt.Sprint(port) + path,
-		}
-	}
-	addIngressBackend(ing.Spec.DefaultBackend, "/")
-	for _, rule := range ing.Spec.Rules {
-		if rule.Host != "" {
-			a.recorder.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "rule with host %q ignored, unsupported", rule.Host)
-			continue
-		}
-		for _, p := range rule.HTTP.Paths {
-			addIngressBackend(&p.Backend, p.Path)
-		}
-	}
-
-	crl := childResourceLabels(ing.Name, ing.Namespace, "ingress")
-	var tags []string
-	if tstr, ok := ing.Annotations[AnnotationTags]; ok {
-		tags = strings.Split(tstr, ",")
-	}
-	hostname := ing.Namespace + "-" + ing.Name + "-ingress"
-	if ing.Spec.TLS != nil && len(ing.Spec.TLS) > 0 && len(ing.Spec.TLS[0].Hosts) > 0 {
-		hostname, _, _ = strings.Cut(ing.Spec.TLS[0].Hosts[0], ".")
-	}
-
-	sts := &tailscaleSTSConfig{
-		Hostname:            hostname,
-		ParentResourceName:  ing.Name,
-		ParentResourceUID:   string(ing.UID),
-		ServeConfig:         sc,
-		Tags:                tags,
-		ChildResourceLabels: crl,
-	}
-
-	if _, err := a.ssr.Provision(ctx, logger, sts); err != nil {
-		return fmt.Errorf("failed to provision: %w", err)
-	}
-
-	_, tsHost, _, err := a.ssr.DeviceInfo(ctx, crl)
-	if err != nil {
-		return fmt.Errorf("failed to get device ID: %w", err)
-	}
-	if tsHost == "" {
-		logger.Debugf("no Tailscale hostname known yet, waiting for proxy pod to finish auth")
-		// No hostname yet. Wait for the proxy pod to auth.
-		ing.Status.LoadBalancer.Ingress = nil
-		if err := a.Status().Update(ctx, ing); err != nil {
-			return fmt.Errorf("failed to update ingress status: %w", err)
-		}
-		return nil
-	}
-
-	logger.Debugf("setting ingress hostname to %q", tsHost)
-	ing.Status.LoadBalancer.Ingress = []networkingv1.IngressLoadBalancerIngress{
-		{
-			Hostname: tsHost,
-			Ports: []networkingv1.IngressPortStatus{
-				{
-					Protocol: "TCP",
-					Port:     443,
-				},
-			},
-		},
-	}
-	if err := a.Status().Update(ctx, ing); err != nil {
-		return fmt.Errorf("failed to update ingress status: %w", err)
-	}
-	return nil
-}
-
-func (a *IngressReconciler) shouldExpose(ing *networkingv1.Ingress) bool {
-	return ing != nil &&
-		ing.Spec.IngressClassName != nil &&
-		*ing.Spec.IngressClassName == "tailscale"
-}

cmd/k8s-operator/manifests/operator.yaml

@@ -48,10 +48,7 @@ metadata:
   name: tailscale-operator
 rules:
 - apiGroups: [""]
-  resources: ["events", "services", "services/status"]
-  verbs: ["*"]
-- apiGroups: ["networking.k8s.io"]
-  resources: ["ingresses", "ingresses/status"]
+  resources: ["services", "services/status"]
   verbs: ["*"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1

cmd/k8s-operator/manifests/proxy.yaml

@@ -2,7 +2,7 @@
 # at build time and then uses to construct Tailscale proxy pods.
 apiVersion: apps/v1
 kind: StatefulSet
-metadata: {}
+metadata:
 spec:
   replicas: 1
   template:

cmd/k8s-operator/manifests/userspace-proxy.yaml

@@ -1,24 +0,0 @@
-# This file is not a complete manifest, it's a skeleton that the operator embeds
-# at build time and then uses to construct Tailscale proxy pods.
-apiVersion: apps/v1
-kind: StatefulSet
-metadata: {}
-spec:
-  replicas: 1
-  template:
-    metadata:
-      deletionGracePeriodSeconds: 10
-    spec:
-      serviceAccountName: proxies
-      resources:
-        requests:
-          cpu: 1m
-          memory: 1Mi
-      containers:
-        - name: tailscale
-          imagePullPolicy: Always
-          env:
-            - name: TS_USERSPACE
-              value: "true"
-            - name: TS_AUTH_ONCE
-              value: "true"

cmd/k8s-operator/operator.go

@@ -1,14 +1,16 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !plan9
-
 // tailscale-operator provides a way to expose services running in a Kubernetes
 // cluster to your Tailnet.
 package main
 
 import (
 	"context"
+	"crypto/tls"
+	_ "embed"
+	"fmt"
+	"net/http"
 	"os"
 	"strings"
 	"time"
@@ -16,12 +18,15 @@ import (
 	"github.com/go-logr/zapr"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
+	"golang.org/x/exp/slices"
 	"golang.org/x/oauth2/clientcredentials"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	networkingv1 "k8s.io/api/networking/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/rest"
+	"k8s.io/client-go/transport"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -32,12 +37,15 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/yaml"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/kubestore"
 	"tailscale.com/tsnet"
 	"tailscale.com/types/logger"
+	"tailscale.com/types/opt"
+	"tailscale.com/util/dnsname"
 	"tailscale.com/version"
 )
 
@@ -47,8 +55,13 @@ func main() {
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true
 
 	var (
+		hostname           = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator")
+		kubeSecret         = defaultEnv("OPERATOR_SECRET", "")
+		operatorTags       = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator")
 		tsNamespace        = defaultEnv("OPERATOR_NAMESPACE", "")
 		tslogging          = defaultEnv("OPERATOR_LOGGING", "info")
+		clientIDPath       = defaultEnv("CLIENT_ID_FILE", "")
+		clientSecretPath   = defaultEnv("CLIENT_SECRET_FILE", "")
 		image              = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
 		priorityClassName  = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
 		tags               = defaultEnv("PROXY_TAGS", "tag:k8s")
@@ -66,29 +79,8 @@ func main() {
 	}
 	zlog := kzap.NewRaw(opts...).Sugar()
 	logf.SetLogger(zapr.NewLogger(zlog.Desugar()))
-
-	s, tsClient := initTSNet(zlog)
-	defer s.Close()
-	restConfig := config.GetConfigOrDie()
-	if shouldRunAuthProxy {
-		launchAuthProxy(zlog, restConfig, s)
-	}
-	startReconcilers(zlog, s, tsNamespace, restConfig, tsClient, image, priorityClassName, tags)
-}
-
-// initTSNet initializes the tsnet.Server and logs in to Tailscale. It uses the
-// CLIENT_ID_FILE and CLIENT_SECRET_FILE environment variables to authenticate
-// with Tailscale.
-func initTSNet(zlog *zap.SugaredLogger) (*tsnet.Server, *tailscale.Client) {
-	hostinfo.SetApp("k8s-operator")
-	var (
-		clientIDPath     = defaultEnv("CLIENT_ID_FILE", "")
-		clientSecretPath = defaultEnv("CLIENT_SECRET_FILE", "")
-		hostname         = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator")
-		kubeSecret       = defaultEnv("OPERATOR_SECRET", "")
-		operatorTags     = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator")
-	)
 	startlog := zlog.Named("startup")
+
 	if clientIDPath == "" || clientSecretPath == "" {
 		startlog.Fatalf("CLIENT_ID_FILE and CLIENT_SECRET_FILE must be set")
 	}
@@ -108,6 +100,12 @@ func initTSNet(zlog *zap.SugaredLogger) (*tsnet.Server, *tailscale.Client) {
 	tsClient := tailscale.NewClient("-", nil)
 	tsClient.HTTPClient = credentials.Client(context.Background())
 
+	if shouldRunAuthProxy {
+		hostinfo.SetApp("k8s-operator-proxy")
+	} else {
+		hostinfo.SetApp("k8s-operator")
+	}
+
 	s := &tsnet.Server{
 		Hostname: hostname,
 		Logf:     zlog.Named("tailscaled").Debugf,
@@ -122,6 +120,7 @@ func initTSNet(zlog *zap.SugaredLogger) (*tsnet.Server, *tailscale.Client) {
 	if err := s.Start(); err != nil {
 		startlog.Fatalf("starting tailscale server: %v", err)
 	}
+	defer s.Close()
 	lc, err := s.LocalClient()
 	if err != nil {
 		startlog.Fatalf("getting local client: %v", err)
@@ -177,16 +176,7 @@ waitOnline:
 		}
 		time.Sleep(time.Second)
 	}
-	return s, tsClient
-}
 
-// startReconcilers starts the controller-runtime manager and registers the
-// ServiceReconciler.
-func startReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string, restConfig *rest.Config, tsClient *tailscale.Client, image, priorityClassName, tags string) {
-	var (
-		isDefaultLoadBalancer = defaultBool("OPERATOR_DEFAULT_LOAD_BALANCER", false)
-	)
-	startlog := zlog.Named("startReconcilers")
 	// For secrets and statefulsets, we only get permission to touch the objects
 	// in the controller's own namespace. This cannot be expressed by
 	// .Watches(...) below, instead you have to add a per-type field selector to
@@ -196,6 +186,7 @@ func startReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace stri
 	nsFilter := cache.ByObject{
 		Field: client.InNamespace(tsNamespace).AsSelector(),
 	}
+	restConfig := config.GetConfigOrDie()
 	mgr, err := manager.New(restConfig, manager.Options{
 		Cache: cache.Options{
 			ByObject: map[client.Object]cache.ByObject{
@@ -208,11 +199,24 @@ func startReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace stri
 		startlog.Fatalf("could not create manager: %v", err)
 	}
 
+	sr := &ServiceReconciler{
+		Client:                 mgr.GetClient(),
+		tsClient:               tsClient,
+		defaultTags:            strings.Split(tags, ","),
+		operatorNamespace:      tsNamespace,
+		proxyImage:             image,
+		proxyPriorityClassName: priorityClassName,
+		logger:                 zlog.Named("service-reconciler"),
+	}
+
 	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(_ context.Context, o client.Object) []reconcile.Request {
 		ls := o.GetLabels()
 		if ls[LabelManaged] != "true" {
 			return nil
 		}
+		if ls[LabelParentType] != "svc" {
+			return nil
+		}
 		return []reconcile.Request{
 			{
 				NamespacedName: types.NamespacedName{
@@ -222,52 +226,527 @@ func startReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace stri
 			},
 		}
 	})
-	eventRecorder := mgr.GetEventRecorderFor("tailscale-operator")
-	ssr := &tailscaleSTSReconciler{
-		Client:                 mgr.GetClient(),
-		tsnetServer:            s,
-		tsClient:               tsClient,
-		defaultTags:            strings.Split(tags, ","),
-		operatorNamespace:      tsNamespace,
-		proxyImage:             image,
-		proxyPriorityClassName: priorityClassName,
-	}
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&corev1.Service{}).
 		Watches(&appsv1.StatefulSet{}, reconcileFilter).
 		Watches(&corev1.Secret{}, reconcileFilter).
-		Complete(&ServiceReconciler{
-			ssr:                   ssr,
-			Client:                mgr.GetClient(),
-			logger:                zlog.Named("service-reconciler"),
-			isDefaultLoadBalancer: isDefaultLoadBalancer,
-		})
-	if err != nil {
-		startlog.Fatalf("could not create controller: %v", err)
-	}
-	err = builder.
-		ControllerManagedBy(mgr).
-		For(&networkingv1.Ingress{}).
-		Watches(&appsv1.StatefulSet{}, reconcileFilter).
-		Watches(&corev1.Secret{}, reconcileFilter).
-		Complete(&IngressReconciler{
-			ssr:      ssr,
-			recorder: eventRecorder,
-			Client:   mgr.GetClient(),
-			logger:   zlog.Named("ingress-reconciler"),
-		})
+		Complete(sr)
 	if err != nil {
 		startlog.Fatalf("could not create controller: %v", err)
 	}
 
 	startlog.Infof("Startup complete, operator running, version: %s", version.Long())
+	if shouldRunAuthProxy {
+		cfg, err := restConfig.TransportConfig()
+		if err != nil {
+			startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
+		}
+
+		// Kubernetes uses SPDY for exec and port-forward, however SPDY is
+		// incompatible with HTTP/2; so disable HTTP/2 in the proxy.
+		tr := http.DefaultTransport.(*http.Transport).Clone()
+		tr.TLSClientConfig, err = transport.TLSConfigFor(cfg)
+		if err != nil {
+			startlog.Fatalf("could not get transport.TLSConfigFor(): %v", err)
+		}
+		tr.TLSNextProto = make(map[string]func(authority string, c *tls.Conn) http.RoundTripper)
+
+		rt, err := transport.HTTPWrappersForConfig(cfg, tr)
+		if err != nil {
+			startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
+		}
+		go runAuthProxy(s, rt, zlog.Named("auth-proxy").Infof)
+	}
 	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
 		startlog.Fatalf("could not start manager: %v", err)
 	}
 }
 
+const (
+	LabelManaged         = "tailscale.com/managed"
+	LabelParentType      = "tailscale.com/parent-resource-type"
+	LabelParentName      = "tailscale.com/parent-resource"
+	LabelParentNamespace = "tailscale.com/parent-resource-ns"
+
+	FinalizerName = "tailscale.com/finalizer"
+
+	AnnotationExpose   = "tailscale.com/expose"
+	AnnotationTags     = "tailscale.com/tags"
+	AnnotationHostname = "tailscale.com/hostname"
+)
+
+// ServiceReconciler is a simple ControllerManagedBy example implementation.
+type ServiceReconciler struct {
+	client.Client
+	tsClient               tsClient
+	defaultTags            []string
+	operatorNamespace      string
+	proxyImage             string
+	proxyPriorityClassName string
+	logger                 *zap.SugaredLogger
+}
+
 type tsClient interface {
 	CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error)
-	DeleteDevice(ctx context.Context, nodeStableID string) error
+	DeleteDevice(ctx context.Context, id string) error
+}
+
+func childResourceLabels(parent *corev1.Service) map[string]string {
+	// You might wonder why we're using owner references, since they seem to be
+	// built for exactly this. Unfortunately, Kubernetes does not support
+	// cross-namespace ownership, by design. This means we cannot make the
+	// service being exposed the owner of the implementation details of the
+	// proxying. Instead, we have to do our own filtering and tracking with
+	// labels.
+	return map[string]string{
+		LabelManaged:         "true",
+		LabelParentName:      parent.GetName(),
+		LabelParentNamespace: parent.GetNamespace(),
+		LabelParentType:      "svc",
+	}
+}
+
+func (a *ServiceReconciler) Reconcile(ctx context.Context, req reconcile.Request) (_ reconcile.Result, err error) {
+	logger := a.logger.With("service-ns", req.Namespace, "service-name", req.Name)
+	logger.Debugf("starting reconcile")
+	defer logger.Debugf("reconcile finished")
+
+	svc := new(corev1.Service)
+	err = a.Get(ctx, req.NamespacedName, svc)
+	if apierrors.IsNotFound(err) {
+		// Request object not found, could have been deleted after reconcile request.
+		logger.Debugf("service not found, assuming it was deleted")
+		return reconcile.Result{}, nil
+	} else if err != nil {
+		return reconcile.Result{}, fmt.Errorf("failed to get svc: %w", err)
+	}
+	if !svc.DeletionTimestamp.IsZero() || !a.shouldExpose(svc) {
+		logger.Debugf("service is being deleted or should not be exposed, cleaning up")
+		return reconcile.Result{}, a.maybeCleanup(ctx, logger, svc)
+	}
+
+	return reconcile.Result{}, a.maybeProvision(ctx, logger, svc)
+}
+
+// maybeCleanup removes any existing resources related to serving svc over tailscale.
+//
+// This function is responsible for removing the finalizer from the service,
+// once all associated resources are gone.
+func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) error {
+	ix := slices.Index(svc.Finalizers, FinalizerName)
+	if ix < 0 {
+		logger.Debugf("no finalizer, nothing to do")
+		return nil
+	}
+
+	ml := childResourceLabels(svc)
+
+	// Need to delete the StatefulSet first, and delete it with foreground
+	// cascading deletion. That way, the pod that's writing to the Secret will
+	// stop running before we start looking at the Secret's contents, and
+	// assuming k8s ordering semantics don't mess with us, that should avoid
+	// tailscale device deletion races where we fail to notice a device that
+	// should be removed.
+	sts, err := getSingleObject[appsv1.StatefulSet](ctx, a.Client, a.operatorNamespace, ml)
+	if err != nil {
+		return fmt.Errorf("getting statefulset: %w", err)
+	}
+	if sts != nil {
+		if !sts.GetDeletionTimestamp().IsZero() {
+			// Deletion in progress, check again later. We'll get another
+			// notification when the deletion is complete.
+			logger.Debugf("waiting for statefulset %s/%s deletion", sts.GetNamespace(), sts.GetName())
+			return nil
+		}
+		err := a.DeleteAllOf(ctx, &appsv1.StatefulSet{}, client.InNamespace(a.operatorNamespace), client.MatchingLabels(ml), client.PropagationPolicy(metav1.DeletePropagationForeground))
+		if err != nil {
+			return fmt.Errorf("deleting statefulset: %w", err)
+		}
+		logger.Debugf("started deletion of statefulset %s/%s", sts.GetNamespace(), sts.GetName())
+		return nil
+	}
+
+	id, _, err := a.getDeviceInfo(ctx, svc)
+	if err != nil {
+		return fmt.Errorf("getting device info: %w", err)
+	}
+	if id != "" {
+		// TODO: handle case where the device is already deleted, but the secret
+		// is still around.
+		if err := a.tsClient.DeleteDevice(ctx, id); err != nil {
+			return fmt.Errorf("deleting device: %w", err)
+		}
+	}
+
+	types := []client.Object{
+		&corev1.Service{},
+		&corev1.Secret{},
+	}
+	for _, typ := range types {
+		if err := a.DeleteAllOf(ctx, typ, client.InNamespace(a.operatorNamespace), client.MatchingLabels(ml)); err != nil {
+			return err
+		}
+	}
+
+	svc.Finalizers = append(svc.Finalizers[:ix], svc.Finalizers[ix+1:]...)
+	if err := a.Update(ctx, svc); err != nil {
+		return fmt.Errorf("failed to remove finalizer: %w", err)
+	}
+
+	// Unlike most log entries in the reconcile loop, this will get printed
+	// exactly once at the very end of cleanup, because the final step of
+	// cleanup removes the tailscale finalizer, which will make all future
+	// reconciles exit early.
+	logger.Infof("unexposed service from tailnet")
+	return nil
+}
+
+// maybeProvision ensures that svc is exposed over tailscale, taking any actions
+// necessary to reach that state.
+//
+// This function adds a finalizer to svc, ensuring that we can handle orderly
+// deprovisioning later.
+func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) error {
+	hostname, err := nameForService(svc)
+	if err != nil {
+		return err
+	}
+
+	if !slices.Contains(svc.Finalizers, FinalizerName) {
+		// This log line is printed exactly once during initial provisioning,
+		// because once the finalizer is in place this block gets skipped. So,
+		// this is a nice place to tell the operator that the high level,
+		// multi-reconcile operation is underway.
+		logger.Infof("exposing service over tailscale")
+		svc.Finalizers = append(svc.Finalizers, FinalizerName)
+		if err := a.Update(ctx, svc); err != nil {
+			return fmt.Errorf("failed to add finalizer: %w", err)
+		}
+	}
+
+	// Do full reconcile.
+	hsvc, err := a.reconcileHeadlessService(ctx, logger, svc)
+	if err != nil {
+		return fmt.Errorf("failed to reconcile headless service: %w", err)
+	}
+
+	tags := a.defaultTags
+	if tstr, ok := svc.Annotations[AnnotationTags]; ok {
+		tags = strings.Split(tstr, ",")
+	}
+	secretName, err := a.createOrGetSecret(ctx, logger, svc, hsvc, tags)
+	if err != nil {
+		return fmt.Errorf("failed to create or get API key secret: %w", err)
+	}
+	_, err = a.reconcileSTS(ctx, logger, svc, hsvc, secretName, hostname)
+	if err != nil {
+		return fmt.Errorf("failed to reconcile statefulset: %w", err)
+	}
+
+	if !a.hasLoadBalancerClass(svc) {
+		logger.Debugf("service is not a LoadBalancer, so not updating ingress")
+		return nil
+	}
+
+	_, tsHost, err := a.getDeviceInfo(ctx, svc)
+	if err != nil {
+		return fmt.Errorf("failed to get device ID: %w", err)
+	}
+	if tsHost == "" {
+		logger.Debugf("no Tailscale hostname known yet, waiting for proxy pod to finish auth")
+		// No hostname yet. Wait for the proxy pod to auth.
+		svc.Status.LoadBalancer.Ingress = nil
+		if err := a.Status().Update(ctx, svc); err != nil {
+			return fmt.Errorf("failed to update service status: %w", err)
+		}
+		return nil
+	}
+
+	logger.Debugf("setting ingress hostname to %q", tsHost)
+	svc.Status.LoadBalancer.Ingress = []corev1.LoadBalancerIngress{
+		{
+			Hostname: tsHost,
+		},
+	}
+	if err := a.Status().Update(ctx, svc); err != nil {
+		return fmt.Errorf("failed to update service status: %w", err)
+	}
+	return nil
+}
+
+func (a *ServiceReconciler) shouldExpose(svc *corev1.Service) bool {
+	// Headless services can't be exposed, since there is no ClusterIP to
+	// forward to.
+	if svc.Spec.ClusterIP == "" || svc.Spec.ClusterIP == "None" {
+		return false
+	}
+
+	return a.hasLoadBalancerClass(svc) || a.hasAnnotation(svc)
+}
+
+func (a *ServiceReconciler) hasLoadBalancerClass(svc *corev1.Service) bool {
+	return svc != nil &&
+		svc.Spec.Type == corev1.ServiceTypeLoadBalancer &&
+		svc.Spec.LoadBalancerClass != nil &&
+		*svc.Spec.LoadBalancerClass == "tailscale"
+}
+
+func (a *ServiceReconciler) hasAnnotation(svc *corev1.Service) bool {
+	return svc != nil &&
+		svc.Annotations[AnnotationExpose] == "true"
+}
+
+func (a *ServiceReconciler) reconcileHeadlessService(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) (*corev1.Service, error) {
+	hsvc := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "ts-" + svc.Name + "-",
+			Namespace:    a.operatorNamespace,
+			Labels:       childResourceLabels(svc),
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "None",
+			Selector: map[string]string{
+				"app": string(svc.UID),
+			},
+		},
+	}
+	logger.Debugf("reconciling headless service for StatefulSet")
+	return createOrUpdate(ctx, a.Client, a.operatorNamespace, hsvc, func(svc *corev1.Service) { svc.Spec = hsvc.Spec })
+}
+
+func (a *ServiceReconciler) createOrGetSecret(ctx context.Context, logger *zap.SugaredLogger, svc, hsvc *corev1.Service, tags []string) (string, error) {
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			// Hardcode a -0 suffix so that in future, if we support
+			// multiple StatefulSet replicas, we can provision -N for
+			// those.
+			Name:      hsvc.Name + "-0",
+			Namespace: a.operatorNamespace,
+			Labels:    childResourceLabels(svc),
+		},
+	}
+	if err := a.Get(ctx, client.ObjectKeyFromObject(secret), secret); err == nil {
+		logger.Debugf("secret %s/%s already exists", secret.GetNamespace(), secret.GetName())
+		return secret.Name, nil
+	} else if !apierrors.IsNotFound(err) {
+		return "", err
+	}
+
+	// Secret doesn't exist yet, create one. Initially it contains
+	// only the Tailscale authkey, but once Tailscale starts it'll
+	// also store the daemon state.
+	sts, err := getSingleObject[appsv1.StatefulSet](ctx, a.Client, a.operatorNamespace, childResourceLabels(svc))
+	if err != nil {
+		return "", err
+	}
+	if sts != nil {
+		// StatefulSet exists, so we have already created the secret.
+		// If the secret is missing, they should delete the StatefulSet.
+		logger.Errorf("Tailscale proxy secret doesn't exist, but the corresponding StatefulSet %s/%s already does. Something is wrong, please delete the StatefulSet.", sts.GetNamespace(), sts.GetName())
+		return "", nil
+	}
+	// Create API Key secret which is going to be used by the statefulset
+	// to authenticate with Tailscale.
+	logger.Debugf("creating authkey for new tailscale proxy")
+	authKey, err := a.newAuthKey(ctx, tags)
+	if err != nil {
+		return "", err
+	}
+
+	secret.StringData = map[string]string{
+		"authkey": authKey,
+	}
+	if err := a.Create(ctx, secret); err != nil {
+		return "", err
+	}
+	return secret.Name, nil
+}
+
+func (a *ServiceReconciler) getDeviceInfo(ctx context.Context, svc *corev1.Service) (id, hostname string, err error) {
+	sec, err := getSingleObject[corev1.Secret](ctx, a.Client, a.operatorNamespace, childResourceLabels(svc))
+	if err != nil {
+		return "", "", err
+	}
+	if sec == nil {
+		return "", "", nil
+	}
+	id = string(sec.Data["device_id"])
+	if id == "" {
+		return "", "", nil
+	}
+	// Kubernetes chokes on well-formed FQDNs with the trailing dot, so we have
+	// to remove it.
+	hostname = strings.TrimSuffix(string(sec.Data["device_fqdn"]), ".")
+	if hostname == "" {
+		return "", "", nil
+	}
+	return id, hostname, nil
+}
+
+func (a *ServiceReconciler) newAuthKey(ctx context.Context, tags []string) (string, error) {
+	caps := tailscale.KeyCapabilities{
+		Devices: tailscale.KeyDeviceCapabilities{
+			Create: tailscale.KeyDeviceCreateCapabilities{
+				Reusable:      false,
+				Preauthorized: true,
+				Tags:          tags,
+			},
+		},
+	}
+
+	key, _, err := a.tsClient.CreateKey(ctx, caps)
+	if err != nil {
+		return "", err
+	}
+	return key, nil
+}
+
+//go:embed manifests/proxy.yaml
+var proxyYaml []byte
+
+func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, parentSvc, headlessSvc *corev1.Service, authKeySecret, hostname string) (*appsv1.StatefulSet, error) {
+	var ss appsv1.StatefulSet
+	if err := yaml.Unmarshal(proxyYaml, &ss); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal proxy spec: %w", err)
+	}
+	container := &ss.Spec.Template.Spec.Containers[0]
+	container.Image = a.proxyImage
+	container.Env = append(container.Env,
+		corev1.EnvVar{
+			Name:  "TS_DEST_IP",
+			Value: parentSvc.Spec.ClusterIP,
+		},
+		corev1.EnvVar{
+			Name:  "TS_KUBE_SECRET",
+			Value: authKeySecret,
+		},
+		corev1.EnvVar{
+			Name:  "TS_HOSTNAME",
+			Value: hostname,
+		})
+	ss.ObjectMeta = metav1.ObjectMeta{
+		Name:      headlessSvc.Name,
+		Namespace: a.operatorNamespace,
+		Labels:    childResourceLabels(parentSvc),
+	}
+	ss.Spec.ServiceName = headlessSvc.Name
+	ss.Spec.Selector = &metav1.LabelSelector{
+		MatchLabels: map[string]string{
+			"app": string(parentSvc.UID),
+		},
+	}
+	ss.Spec.Template.ObjectMeta.Labels = map[string]string{
+		"app": string(parentSvc.UID),
+	}
+	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
+	logger.Debugf("reconciling statefulset %s/%s", ss.GetNamespace(), ss.GetName())
+	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
+}
+
+// ptrObject is a type constraint for pointer types that implement
+// client.Object.
+type ptrObject[T any] interface {
+	client.Object
+	*T
+}
+
+// createOrUpdate adds obj to the k8s cluster, unless the object already exists,
+// in which case update is called to make changes to it. If update is nil, the
+// existing object is returned unmodified.
+//
+// obj is looked up by its Name and Namespace if Name is set, otherwise it's
+// looked up by labels.
+func createOrUpdate[T any, O ptrObject[T]](ctx context.Context, c client.Client, ns string, obj O, update func(O)) (O, error) {
+	var (
+		existing O
+		err      error
+	)
+	if obj.GetName() != "" {
+		existing = new(T)
+		existing.SetName(obj.GetName())
+		existing.SetNamespace(obj.GetNamespace())
+		err = c.Get(ctx, client.ObjectKeyFromObject(obj), existing)
+	} else {
+		existing, err = getSingleObject[T, O](ctx, c, ns, obj.GetLabels())
+	}
+	if err == nil && existing != nil {
+		if update != nil {
+			update(existing)
+			if err := c.Update(ctx, existing); err != nil {
+				return nil, err
+			}
+		}
+		return existing, nil
+	}
+	if err != nil && !apierrors.IsNotFound(err) {
+		return nil, fmt.Errorf("failed to get object: %w", err)
+	}
+	if err := c.Create(ctx, obj); err != nil {
+		return nil, err
+	}
+	return obj, nil
+}
+
+// getSingleObject searches for k8s objects of type T
+// (e.g. corev1.Service) with the given labels, and returns
+// it. Returns nil if no objects match the labels, and an error if
+// more than one object matches.
+func getSingleObject[T any, O ptrObject[T]](ctx context.Context, c client.Client, ns string, labels map[string]string) (O, error) {
+	ret := O(new(T))
+	kinds, _, err := c.Scheme().ObjectKinds(ret)
+	if err != nil {
+		return nil, err
+	}
+	if len(kinds) != 1 {
+		// TODO: the runtime package apparently has a "pick the best
+		// GVK" function somewhere that might be good enough?
+		return nil, fmt.Errorf("more than 1 GroupVersionKind for %T", ret)
+	}
+
+	gvk := kinds[0]
+	gvk.Kind += "List"
+	lst := unstructured.UnstructuredList{}
+	lst.SetGroupVersionKind(gvk)
+	if err := c.List(ctx, &lst, client.InNamespace(ns), client.MatchingLabels(labels)); err != nil {
+		return nil, err
+	}
+
+	if len(lst.Items) == 0 {
+		return nil, nil
+	}
+	if len(lst.Items) > 1 {
+		return nil, fmt.Errorf("found multiple matching %T objects", ret)
+	}
+	if err := c.Scheme().Convert(&lst.Items[0], ret, nil); err != nil {
+		return nil, err
+	}
+	return ret, nil
+}
+
+func defaultBool(envName string, defVal bool) bool {
+	vs := os.Getenv(envName)
+	if vs == "" {
+		return defVal
+	}
+	v, _ := opt.Bool(vs).Get()
+	return v
+}
+
+func defaultEnv(envName, defVal string) string {
+	v := os.Getenv(envName)
+	if v == "" {
+		return defVal
+	}
+	return v
+}
+
+func nameForService(svc *corev1.Service) (string, error) {
+	if h, ok := svc.Annotations[AnnotationHostname]; ok {
+		if err := dnsname.ValidLabel(h); err != nil {
+			return "", fmt.Errorf("invalid Tailscale hostname %q: %w", h, err)
+		}
+		return h, nil
+	}
+	return svc.Namespace + "-" + svc.Name, nil
 }

cmd/k8s-operator/operator_test.go

@@ -1,13 +1,10 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !plan9
-
 package main
 
 import (
 	"context"
-	"fmt"
 	"strings"
 	"sync"
 	"testing"
@@ -35,15 +32,12 @@ func TestLoadBalancerClass(t *testing.T) {
 		t.Fatal(err)
 	}
 	sr := &ServiceReconciler{
-		Client: fc,
-		ssr: &tailscaleSTSReconciler{
-			Client:            fc,
-			tsClient:          ft,
-			defaultTags:       []string{"tag:k8s"},
-			operatorNamespace: "operator-ns",
-			proxyImage:        "tailscale/tailscale",
-		},
-		logger: zl.Sugar(),
+		Client:            fc,
+		tsClient:          ft,
+		defaultTags:       []string{"tag:k8s"},
+		operatorNamespace: "operator-ns",
+		proxyImage:        "tailscale/tailscale",
+		logger:            zl.Sugar(),
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -81,7 +75,6 @@ func TestLoadBalancerClass(t *testing.T) {
 		}
 		s.Data["device_id"] = []byte("ts-id-1234")
 		s.Data["device_fqdn"] = []byte("tailscale.device.name.")
-		s.Data["device_ips"] = []byte(`["100.99.98.97", "2c0a:8083:94d4:2012:3165:34a5:3616:5fdf"]`)
 	})
 	expectReconciled(t, sr, "default", "test")
 	want := &corev1.Service{
@@ -106,9 +99,6 @@ func TestLoadBalancerClass(t *testing.T) {
 					{
 						Hostname: "tailscale.device.name",
 					},
-					{
-						IP: "100.99.98.97",
-					},
 				},
 			},
 		},
@@ -154,111 +144,6 @@ func TestLoadBalancerClass(t *testing.T) {
 	}
 	expectEqual(t, fc, want)
 }
-func TestTailnetTargetIPAnnotation(t *testing.T) {
-	fc := fake.NewFakeClient()
-	ft := &fakeTSClient{}
-	zl, err := zap.NewDevelopment()
-	if err != nil {
-		t.Fatal(err)
-	}
-	tailnetTargetIP := "100.66.66.66"
-	sr := &ServiceReconciler{
-		Client: fc,
-		ssr: &tailscaleSTSReconciler{
-			Client:            fc,
-			tsClient:          ft,
-			defaultTags:       []string{"tag:k8s"},
-			operatorNamespace: "operator-ns",
-			proxyImage:        "tailscale/tailscale",
-		},
-		logger: zl.Sugar(),
-	}
-
-	// Create a service that we should manage, and check that the initial round
-	// of objects looks right.
-	mustCreate(t, fc, &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "default",
-			// The apiserver is supposed to set the UID, but the fake client
-			// doesn't. So, set it explicitly because other code later depends
-			// on it being set.
-			UID: types.UID("1234-UID"),
-			Annotations: map[string]string{
-				AnnotationTailnetTargetIP: tailnetTargetIP,
-			},
-		},
-		Spec: corev1.ServiceSpec{
-			Type: corev1.ServiceTypeClusterIP,
-			Selector: map[string]string{
-				"foo": "bar",
-			},
-		},
-	})
-
-	expectReconciled(t, sr, "default", "test")
-
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSecret(fullName))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedEgressSTS(shortName, fullName, tailnetTargetIP, "default-test", ""))
-	want := &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:       "test",
-			Namespace:  "default",
-			Finalizers: []string{"tailscale.com/finalizer"},
-			UID:        types.UID("1234-UID"),
-			Annotations: map[string]string{
-				AnnotationTailnetTargetIP: tailnetTargetIP,
-			},
-		},
-		Spec: corev1.ServiceSpec{
-			ExternalName: fmt.Sprintf("%s.operator-ns.svc", shortName),
-			Type:         corev1.ServiceTypeExternalName,
-			Selector:     nil,
-		},
-	}
-	expectEqual(t, fc, want)
-	expectEqual(t, fc, expectedSecret(fullName))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedEgressSTS(shortName, fullName, tailnetTargetIP, "default-test", ""))
-
-	// Change the tailscale-target-ip annotation which should update the
-	// StatefulSet
-	tailnetTargetIP = "100.77.77.77"
-	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
-		s.ObjectMeta.Annotations = map[string]string{
-			AnnotationTailnetTargetIP: tailnetTargetIP,
-		}
-	})
-
-	// Remove the tailscale-target-ip annotation which should make the
-	// operator clean up
-	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
-		s.ObjectMeta.Annotations = map[string]string{}
-	})
-	expectReconciled(t, sr, "default", "test")
-
-	// // synchronous StatefulSet deletion triggers a requeue. But, the StatefulSet
-	// // didn't create any child resources since this is all faked, so the
-	// // deletion goes through immediately.
-	expectReconciled(t, sr, "default", "test")
-	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
-	// // The deletion triggers another reconcile, to finish the cleanup.
-	expectReconciled(t, sr, "default", "test")
-	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
-	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
-	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
-
-	// At the moment we don't revert changes to the user created Service -
-	// we don't have a reliable way how to tell what it was before and also
-	// we don't really expect it to be re-used
-}
 
 func TestAnnotations(t *testing.T) {
 	fc := fake.NewFakeClient()
@@ -268,15 +153,12 @@ func TestAnnotations(t *testing.T) {
 		t.Fatal(err)
 	}
 	sr := &ServiceReconciler{
-		Client: fc,
-		ssr: &tailscaleSTSReconciler{
-			Client:            fc,
-			tsClient:          ft,
-			defaultTags:       []string{"tag:k8s"},
-			operatorNamespace: "operator-ns",
-			proxyImage:        "tailscale/tailscale",
-		},
-		logger: zl.Sugar(),
+		Client:            fc,
+		tsClient:          ft,
+		defaultTags:       []string{"tag:k8s"},
+		operatorNamespace: "operator-ns",
+		proxyImage:        "tailscale/tailscale",
+		logger:            zl.Sugar(),
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -368,15 +250,12 @@ func TestAnnotationIntoLB(t *testing.T) {
 		t.Fatal(err)
 	}
 	sr := &ServiceReconciler{
-		Client: fc,
-		ssr: &tailscaleSTSReconciler{
-			Client:            fc,
-			tsClient:          ft,
-			defaultTags:       []string{"tag:k8s"},
-			operatorNamespace: "operator-ns",
-			proxyImage:        "tailscale/tailscale",
-		},
-		logger: zl.Sugar(),
+		Client:            fc,
+		tsClient:          ft,
+		defaultTags:       []string{"tag:k8s"},
+		operatorNamespace: "operator-ns",
+		proxyImage:        "tailscale/tailscale",
+		logger:            zl.Sugar(),
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -416,7 +295,6 @@ func TestAnnotationIntoLB(t *testing.T) {
 		}
 		s.Data["device_id"] = []byte("ts-id-1234")
 		s.Data["device_fqdn"] = []byte("tailscale.device.name.")
-		s.Data["device_ips"] = []byte(`["100.99.98.97", "2c0a:8083:94d4:2012:3165:34a5:3616:5fdf"]`)
 	})
 	expectReconciled(t, sr, "default", "test")
 	want := &corev1.Service{
@@ -475,9 +353,6 @@ func TestAnnotationIntoLB(t *testing.T) {
 					{
 						Hostname: "tailscale.device.name",
 					},
-					{
-						IP: "100.99.98.97",
-					},
 				},
 			},
 		},
@@ -493,15 +368,12 @@ func TestLBIntoAnnotation(t *testing.T) {
 		t.Fatal(err)
 	}
 	sr := &ServiceReconciler{
-		Client: fc,
-		ssr: &tailscaleSTSReconciler{
-			Client:            fc,
-			tsClient:          ft,
-			defaultTags:       []string{"tag:k8s"},
-			operatorNamespace: "operator-ns",
-			proxyImage:        "tailscale/tailscale",
-		},
-		logger: zl.Sugar(),
+		Client:            fc,
+		tsClient:          ft,
+		defaultTags:       []string{"tag:k8s"},
+		operatorNamespace: "operator-ns",
+		proxyImage:        "tailscale/tailscale",
+		logger:            zl.Sugar(),
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -539,7 +411,6 @@ func TestLBIntoAnnotation(t *testing.T) {
 		}
 		s.Data["device_id"] = []byte("ts-id-1234")
 		s.Data["device_fqdn"] = []byte("tailscale.device.name.")
-		s.Data["device_ips"] = []byte(`["100.99.98.97", "2c0a:8083:94d4:2012:3165:34a5:3616:5fdf"]`)
 	})
 	expectReconciled(t, sr, "default", "test")
 	want := &corev1.Service{
@@ -564,9 +435,6 @@ func TestLBIntoAnnotation(t *testing.T) {
 					{
 						Hostname: "tailscale.device.name",
 					},
-					{
-						IP: "100.99.98.97",
-					},
 				},
 			},
 		},
@@ -623,15 +491,12 @@ func TestCustomHostname(t *testing.T) {
 		t.Fatal(err)
 	}
 	sr := &ServiceReconciler{
-		Client: fc,
-		ssr: &tailscaleSTSReconciler{
-			Client:            fc,
-			tsClient:          ft,
-			defaultTags:       []string{"tag:k8s"},
-			operatorNamespace: "operator-ns",
-			proxyImage:        "tailscale/tailscale",
-		},
-		logger: zl.Sugar(),
+		Client:            fc,
+		tsClient:          ft,
+		defaultTags:       []string{"tag:k8s"},
+		operatorNamespace: "operator-ns",
+		proxyImage:        "tailscale/tailscale",
+		logger:            zl.Sugar(),
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -728,16 +593,13 @@ func TestCustomPriorityClassName(t *testing.T) {
 		t.Fatal(err)
 	}
 	sr := &ServiceReconciler{
-		Client: fc,
-		ssr: &tailscaleSTSReconciler{
-			Client:                 fc,
-			tsClient:               ft,
-			defaultTags:            []string{"tag:k8s"},
-			operatorNamespace:      "operator-ns",
-			proxyImage:             "tailscale/tailscale",
-			proxyPriorityClassName: "tailscale-critical",
-		},
-		logger: zl.Sugar(),
+		Client:                 fc,
+		tsClient:               ft,
+		defaultTags:            []string{"tag:k8s"},
+		operatorNamespace:      "operator-ns",
+		proxyImage:             "tailscale/tailscale",
+		proxyPriorityClassName: "tailscale-critical",
+		logger:                 zl.Sugar(),
 	}
 
 	// Create a service that we should manage, and check that the initial round
@@ -768,52 +630,6 @@ func TestCustomPriorityClassName(t *testing.T) {
 	expectEqual(t, fc, expectedSTS(shortName, fullName, "custom-priority-class-name", "tailscale-critical"))
 }
 
-func TestDefaultLoadBalancer(t *testing.T) {
-	fc := fake.NewFakeClient()
-	ft := &fakeTSClient{}
-	zl, err := zap.NewDevelopment()
-	if err != nil {
-		t.Fatal(err)
-	}
-	sr := &ServiceReconciler{
-		Client: fc,
-		ssr: &tailscaleSTSReconciler{
-			Client:            fc,
-			tsClient:          ft,
-			defaultTags:       []string{"tag:k8s"},
-			operatorNamespace: "operator-ns",
-			proxyImage:        "tailscale/tailscale",
-		},
-		logger:                zl.Sugar(),
-		isDefaultLoadBalancer: true,
-	}
-
-	// Create a service that we should manage, and check that the initial round
-	// of objects looks right.
-	mustCreate(t, fc, &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "default",
-			// The apiserver is supposed to set the UID, but the fake client
-			// doesn't. So, set it explicitly because other code later depends
-			// on it being set.
-			UID: types.UID("1234-UID"),
-		},
-		Spec: corev1.ServiceSpec{
-			ClusterIP: "10.20.30.40",
-			Type:      corev1.ServiceTypeLoadBalancer,
-		},
-	})
-
-	expectReconciled(t, sr, "default", "test")
-
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSecret(fullName))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
-}
-
 func expectedSecret(name string) *corev1.Secret {
 	return &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
@@ -886,10 +702,6 @@ func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv
 			ServiceName: stsName,
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
-					Annotations: map[string]string{
-						"tailscale.com/operator-last-set-hostname":   hostname,
-						"tailscale.com/operator-last-set-cluster-ip": "10.20.30.40",
-					},
 					DeletionGracePeriodSeconds: ptr.To[int64](10),
 					Labels:                     map[string]string{"app": "1234-UID"},
 				},
@@ -914,78 +726,9 @@ func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv
 							Env: []corev1.EnvVar{
 								{Name: "TS_USERSPACE", Value: "false"},
 								{Name: "TS_AUTH_ONCE", Value: "true"},
-								{Name: "TS_KUBE_SECRET", Value: secretName},
-								{Name: "TS_HOSTNAME", Value: hostname},
 								{Name: "TS_DEST_IP", Value: "10.20.30.40"},
-							},
-							SecurityContext: &corev1.SecurityContext{
-								Capabilities: &corev1.Capabilities{
-									Add: []corev1.Capability{"NET_ADMIN"},
-								},
-							},
-							ImagePullPolicy: "Always",
-						},
-					},
-				},
-			},
-		},
-	}
-}
-func expectedEgressSTS(stsName, secretName, tailnetTargetIP, hostname, priorityClassName string) *appsv1.StatefulSet {
-	return &appsv1.StatefulSet{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "StatefulSet",
-			APIVersion: "apps/v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      stsName,
-			Namespace: "operator-ns",
-			Labels: map[string]string{
-				"tailscale.com/managed":              "true",
-				"tailscale.com/parent-resource":      "test",
-				"tailscale.com/parent-resource-ns":   "default",
-				"tailscale.com/parent-resource-type": "svc",
-			},
-		},
-		Spec: appsv1.StatefulSetSpec{
-			Replicas: ptr.To[int32](1),
-			Selector: &metav1.LabelSelector{
-				MatchLabels: map[string]string{"app": "1234-UID"},
-			},
-			ServiceName: stsName,
-			Template: corev1.PodTemplateSpec{
-				ObjectMeta: metav1.ObjectMeta{
-					Annotations: map[string]string{
-						"tailscale.com/operator-last-set-hostname":             hostname,
-						"tailscale.com/operator-last-set-ts-tailnet-target-ip": tailnetTargetIP,
-					},
-					DeletionGracePeriodSeconds: ptr.To[int64](10),
-					Labels:                     map[string]string{"app": "1234-UID"},
-				},
-				Spec: corev1.PodSpec{
-					ServiceAccountName: "proxies",
-					PriorityClassName:  priorityClassName,
-					InitContainers: []corev1.Container{
-						{
-							Name:    "sysctler",
-							Image:   "busybox",
-							Command: []string{"/bin/sh"},
-							Args:    []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
-							SecurityContext: &corev1.SecurityContext{
-								Privileged: ptr.To(true),
-							},
-						},
-					},
-					Containers: []corev1.Container{
-						{
-							Name:  "tailscale",
-							Image: "tailscale/tailscale",
-							Env: []corev1.EnvVar{
-								{Name: "TS_USERSPACE", Value: "false"},
-								{Name: "TS_AUTH_ONCE", Value: "true"},
 								{Name: "TS_KUBE_SECRET", Value: secretName},
 								{Name: "TS_HOSTNAME", Value: hostname},
-								{Name: "TS_TAILNET_TARGET_IP", Value: tailnetTargetIP},
 							},
 							SecurityContext: &corev1.SecurityContext{
 								Capabilities: &corev1.Capabilities{
@@ -1013,9 +756,6 @@ func findGenName(t *testing.T, client client.Client, ns, name string) (full, noS
 	if err != nil {
 		t.Fatalf("finding secret for %q: %v", name, err)
 	}
-	if s == nil {
-		t.Fatalf("no secret found for %q", name)
-	}
 	return s.GetName(), strings.TrimSuffix(s.GetName(), "-0")
 }
 

cmd/k8s-operator/proxy.go

@@ -1,8 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !plan9
-
 package main
 
 import (
@@ -16,62 +14,14 @@ import (
 	"os"
 	"strings"
 
-	"go.uber.org/zap"
-	"k8s.io/client-go/rest"
-	"k8s.io/client-go/transport"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/hostinfo"
-	"tailscale.com/tailcfg"
 	"tailscale.com/tsnet"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/set"
 )
 
 type whoIsKey struct{}
 
-// whoIsFromRequest returns the WhoIsResponse previously stashed by a call to
-// addWhoIsToRequest.
-func whoIsFromRequest(r *http.Request) *apitype.WhoIsResponse {
-	return r.Context().Value(whoIsKey{}).(*apitype.WhoIsResponse)
-}
-
-// addWhoIsToRequest stashes who in r's context, retrievable by a call to
-// whoIsFromRequest.
-func addWhoIsToRequest(r *http.Request, who *apitype.WhoIsResponse) *http.Request {
-	return r.WithContext(context.WithValue(r.Context(), whoIsKey{}, who))
-}
-
-var counterNumRequestsProxied = clientmetric.NewCounter("k8s_auth_proxy_requests_proxied")
-
-// launchAuthProxy launches the auth proxy, which is a small HTTP server that
-// authenticates requests using the Tailscale LocalAPI and then proxies them to
-// the kube-apiserver.
-func launchAuthProxy(zlog *zap.SugaredLogger, restConfig *rest.Config, s *tsnet.Server) {
-	hostinfo.SetApp("k8s-operator-proxy")
-	startlog := zlog.Named("launchAuthProxy")
-	cfg, err := restConfig.TransportConfig()
-	if err != nil {
-		startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
-	}
-
-	// Kubernetes uses SPDY for exec and port-forward, however SPDY is
-	// incompatible with HTTP/2; so disable HTTP/2 in the proxy.
-	tr := http.DefaultTransport.(*http.Transport).Clone()
-	tr.TLSClientConfig, err = transport.TLSConfigFor(cfg)
-	if err != nil {
-		startlog.Fatalf("could not get transport.TLSConfigFor(): %v", err)
-	}
-	tr.TLSNextProto = make(map[string]func(authority string, c *tls.Conn) http.RoundTripper)
-
-	rt, err := transport.HTTPWrappersForConfig(cfg, tr)
-	if err != nil {
-		startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
-	}
-	go runAuthProxy(s, rt, zlog.Named("auth-proxy").Infof)
-}
-
 // authProxy is an http.Handler that authenticates requests using the Tailscale
 // LocalAPI and then proxies them to the Kubernetes API.
 type authProxy struct {
@@ -87,8 +37,8 @@ func (h *authProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "failed to authenticate caller", http.StatusInternalServerError)
 		return
 	}
-	counterNumRequestsProxied.Add(1)
-	h.rp.ServeHTTP(w, addWhoIsToRequest(r, who))
+	r = r.WithContext(context.WithValue(r.Context(), whoIsKey{}, who))
+	h.rp.ServeHTTP(w, r)
 }
 
 // runAuthProxy runs an HTTP server that authenticates requests using the
@@ -117,10 +67,6 @@ func runAuthProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf) {
 		lc:   lc,
 		rp: &httputil.ReverseProxy{
 			Director: func(r *http.Request) {
-				// Replace the URL with the Kubernetes APIServer.
-				r.URL.Scheme = u.Scheme
-				r.URL.Host = u.Host
-
 				// We want to proxy to the Kubernetes API, but we want to use
 				// the caller's identity to do so. We do this by impersonating
 				// the caller using the Kubernetes User Impersonation feature:
@@ -139,9 +85,21 @@ func runAuthProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf) {
 				}
 
 				// Now add the impersonation headers that we want.
-				if err := addImpersonationHeaders(r); err != nil {
-					panic("failed to add impersonation headers: " + err.Error())
+				who := r.Context().Value(whoIsKey{}).(*apitype.WhoIsResponse)
+				if who.Node.IsTagged() {
+					// Use the nodes FQDN as the username, and the nodes tags as the groups.
+					// "Impersonate-Group" requires "Impersonate-User" to be set.
+					r.Header.Set("Impersonate-User", strings.TrimSuffix(who.Node.Name, "."))
+					for _, tag := range who.Node.Tags {
+						r.Header.Add("Impersonate-Group", tag)
+					}
+				} else {
+					r.Header.Set("Impersonate-User", who.UserProfile.LoginName)
 				}
+
+				// Replace the URL with the Kubernetes APIServer.
+				r.URL.Scheme = u.Scheme
+				r.URL.Host = u.Host
 			},
 			Transport: rt,
 		},
@@ -160,58 +118,3 @@ func runAuthProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf) {
 		log.Fatalf("runAuthProxy: failed to serve %v", err)
 	}
 }
-
-const capabilityName = "https://tailscale.com/cap/kubernetes"
-
-type capRule struct {
-	// Impersonate is a list of rules that specify how to impersonate the caller
-	// when proxying to the Kubernetes API.
-	Impersonate *impersonateRule `json:"impersonate,omitempty"`
-}
-
-// TODO(maisem): move this to some well-known location so that it can be shared
-// with control.
-type impersonateRule struct {
-	Groups []string `json:"groups,omitempty"`
-}
-
-// addImpersonationHeaders adds the appropriate headers to r to impersonate the
-// caller when proxying to the Kubernetes API. It uses the WhoIsResponse stashed
-// in the context by the authProxy.
-func addImpersonationHeaders(r *http.Request) error {
-	who := whoIsFromRequest(r)
-	rules, err := tailcfg.UnmarshalCapJSON[capRule](who.CapMap, capabilityName)
-	if err != nil {
-		return fmt.Errorf("failed to unmarshal capability: %v", err)
-	}
-
-	var groupsAdded set.Slice[string]
-	for _, rule := range rules {
-		if rule.Impersonate == nil {
-			continue
-		}
-		for _, group := range rule.Impersonate.Groups {
-			if groupsAdded.Contains(group) {
-				continue
-			}
-			r.Header.Add("Impersonate-Group", group)
-			groupsAdded.Add(group)
-		}
-	}
-
-	if !who.Node.IsTagged() {
-		r.Header.Set("Impersonate-User", who.UserProfile.LoginName)
-		return nil
-	}
-	// "Impersonate-Group" requires "Impersonate-User" to be set, so we set it
-	// to the node FQDN for tagged nodes.
-	r.Header.Set("Impersonate-User", strings.TrimSuffix(who.Node.Name, "."))
-
-	// For legacy behavior (before caps), set the groups to the nodes tags.
-	if groupsAdded.Slice().Len() == 0 {
-		for _, tag := range who.Node.Tags {
-			r.Header.Add("Impersonate-Group", tag)
-		}
-	}
-	return nil
-}

cmd/k8s-operator/proxy_test.go

@@ -1,109 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !plan9
-
-package main
-
-import (
-	"net/http"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/must"
-)
-
-func TestImpersonationHeaders(t *testing.T) {
-	tests := []struct {
-		name     string
-		emailish string
-		tags     []string
-		capMap   tailcfg.PeerCapMap
-
-		wantHeaders http.Header
-	}{
-		{
-			name:     "user",
-			emailish: "foo@example.com",
-			wantHeaders: http.Header{
-				"Impersonate-User": {"foo@example.com"},
-			},
-		},
-		{
-			name:     "tagged",
-			emailish: "tagged-device",
-			tags:     []string{"tag:foo", "tag:bar"},
-			wantHeaders: http.Header{
-				"Impersonate-User":  {"node.ts.net"},
-				"Impersonate-Group": {"tag:foo", "tag:bar"},
-			},
-		},
-		{
-			name:     "user-with-cap",
-			emailish: "foo@example.com",
-			capMap: tailcfg.PeerCapMap{
-				capabilityName: {
-					[]byte(`{"impersonate":{"groups":["group1","group2"]}}`),
-					[]byte(`{"impersonate":{"groups":["group1","group3"]}}`), // One group is duplicated.
-					[]byte(`{"impersonate":{"groups":["group4"]}}`),
-					[]byte(`{"impersonate":{"groups":["group2"]}}`), // duplicate
-
-					// These should be ignored, but should parse correctly.
-					[]byte(`{}`),
-					[]byte(`{"impersonate":{}}`),
-					[]byte(`{"impersonate":{"groups":[]}}`),
-				},
-			},
-			wantHeaders: http.Header{
-				"Impersonate-Group": {"group1", "group2", "group3", "group4"},
-				"Impersonate-User":  {"foo@example.com"},
-			},
-		},
-		{
-			name:     "tagged-with-cap",
-			emailish: "tagged-device",
-			tags:     []string{"tag:foo", "tag:bar"},
-			capMap: tailcfg.PeerCapMap{
-				capabilityName: {
-					[]byte(`{"impersonate":{"groups":["group1"]}}`),
-				},
-			},
-			wantHeaders: http.Header{
-				"Impersonate-Group": {"group1"},
-				"Impersonate-User":  {"node.ts.net"},
-			},
-		},
-		{
-			name:     "bad-cap",
-			emailish: "tagged-device",
-			tags:     []string{"tag:foo", "tag:bar"},
-			capMap: tailcfg.PeerCapMap{
-				capabilityName: {
-					[]byte(`[]`),
-				},
-			},
-			wantHeaders: http.Header{},
-		},
-	}
-
-	for _, tc := range tests {
-		r := must.Get(http.NewRequest("GET", "https://op.ts.net/api/foo", nil))
-		r = addWhoIsToRequest(r, &apitype.WhoIsResponse{
-			Node: &tailcfg.Node{
-				Name: "node.ts.net",
-				Tags: tc.tags,
-			},
-			UserProfile: &tailcfg.UserProfile{
-				LoginName: tc.emailish,
-			},
-			CapMap: tc.capMap,
-		})
-		addImpersonationHeaders(r)
-
-		if d := cmp.Diff(tc.wantHeaders, r.Header); d != "" {
-			t.Errorf("unexpected header (-want +got):\n%s", d)
-		}
-	}
-}

cmd/k8s-operator/sts.go

@@ -1,493 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !plan9
-
-package main
-
-import (
-	"context"
-	_ "embed"
-	"encoding/json"
-	"fmt"
-	"os"
-	"strings"
-
-	"go.uber.org/zap"
-	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/yaml"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn"
-	"tailscale.com/tailcfg"
-	"tailscale.com/tsnet"
-	"tailscale.com/types/opt"
-	"tailscale.com/util/dnsname"
-	"tailscale.com/util/mak"
-)
-
-const (
-	LabelManaged         = "tailscale.com/managed"
-	LabelParentType      = "tailscale.com/parent-resource-type"
-	LabelParentName      = "tailscale.com/parent-resource"
-	LabelParentNamespace = "tailscale.com/parent-resource-ns"
-
-	FinalizerName = "tailscale.com/finalizer"
-
-	// Annotations settable by users on services.
-	AnnotationExpose          = "tailscale.com/expose"
-	AnnotationTags            = "tailscale.com/tags"
-	AnnotationHostname        = "tailscale.com/hostname"
-	AnnotationTailnetTargetIP = "tailscale.com/ts-tailnet-target-ip"
-
-	// Annotations settable by users on ingresses.
-	AnnotationFunnel = "tailscale.com/funnel"
-
-	// Annotations set by the operator on pods to trigger restarts when the
-	// hostname or IP changes.
-	podAnnotationLastSetClusterIP       = "tailscale.com/operator-last-set-cluster-ip"
-	podAnnotationLastSetHostname        = "tailscale.com/operator-last-set-hostname"
-	podAnnotationLastSetTailnetTargetIP = "tailscale.com/operator-last-set-ts-tailnet-target-ip"
-)
-
-type tailscaleSTSConfig struct {
-	ParentResourceName  string
-	ParentResourceUID   string
-	ChildResourceLabels map[string]string
-
-	ServeConfig *ipn.ServeConfig
-	// Tailscale target in cluster we are setting up ingress for
-	ClusterTargetIP string
-
-	// Tailscale IP of a Tailscale service we are setting up egress for
-	TailnetTargetIP string
-
-	Hostname string
-	Tags     []string // if empty, use defaultTags
-}
-
-type tailscaleSTSReconciler struct {
-	client.Client
-	tsnetServer            *tsnet.Server
-	tsClient               tsClient
-	defaultTags            []string
-	operatorNamespace      string
-	proxyImage             string
-	proxyPriorityClassName string
-}
-
-// IsHTTPSEnabledOnTailnet reports whether HTTPS is enabled on the tailnet.
-func (a *tailscaleSTSReconciler) IsHTTPSEnabledOnTailnet() bool {
-	return len(a.tsnetServer.CertDomains()) > 0
-}
-
-// Provision ensures that the StatefulSet for the given service is running and
-// up to date.
-func (a *tailscaleSTSReconciler) Provision(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig) (*corev1.Service, error) {
-	// Do full reconcile.
-	hsvc, err := a.reconcileHeadlessService(ctx, logger, sts)
-	if err != nil {
-		return nil, fmt.Errorf("failed to reconcile headless service: %w", err)
-	}
-
-	secretName, err := a.createOrGetSecret(ctx, logger, sts, hsvc)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create or get API key secret: %w", err)
-	}
-	_, err = a.reconcileSTS(ctx, logger, sts, hsvc, secretName)
-	if err != nil {
-		return nil, fmt.Errorf("failed to reconcile statefulset: %w", err)
-	}
-
-	return hsvc, nil
-}
-
-// Cleanup removes all resources associated that were created by Provision with
-// the given labels. It returns true when all resources have been removed,
-// otherwise it returns false and the caller should retry later.
-func (a *tailscaleSTSReconciler) Cleanup(ctx context.Context, logger *zap.SugaredLogger, labels map[string]string) (done bool, _ error) {
-	// Need to delete the StatefulSet first, and delete it with foreground
-	// cascading deletion. That way, the pod that's writing to the Secret will
-	// stop running before we start looking at the Secret's contents, and
-	// assuming k8s ordering semantics don't mess with us, that should avoid
-	// tailscale device deletion races where we fail to notice a device that
-	// should be removed.
-	sts, err := getSingleObject[appsv1.StatefulSet](ctx, a.Client, a.operatorNamespace, labels)
-	if err != nil {
-		return false, fmt.Errorf("getting statefulset: %w", err)
-	}
-	if sts != nil {
-		if !sts.GetDeletionTimestamp().IsZero() {
-			// Deletion in progress, check again later. We'll get another
-			// notification when the deletion is complete.
-			logger.Debugf("waiting for statefulset %s/%s deletion", sts.GetNamespace(), sts.GetName())
-			return false, nil
-		}
-		err := a.DeleteAllOf(ctx, &appsv1.StatefulSet{}, client.InNamespace(a.operatorNamespace), client.MatchingLabels(labels), client.PropagationPolicy(metav1.DeletePropagationForeground))
-		if err != nil {
-			return false, fmt.Errorf("deleting statefulset: %w", err)
-		}
-		logger.Debugf("started deletion of statefulset %s/%s", sts.GetNamespace(), sts.GetName())
-		return false, nil
-	}
-
-	id, _, _, err := a.DeviceInfo(ctx, labels)
-	if err != nil {
-		return false, fmt.Errorf("getting device info: %w", err)
-	}
-	if id != "" {
-		// TODO: handle case where the device is already deleted, but the secret
-		// is still around.
-		if err := a.tsClient.DeleteDevice(ctx, string(id)); err != nil {
-			return false, fmt.Errorf("deleting device: %w", err)
-		}
-	}
-
-	types := []client.Object{
-		&corev1.Service{},
-		&corev1.Secret{},
-	}
-	for _, typ := range types {
-		if err := a.DeleteAllOf(ctx, typ, client.InNamespace(a.operatorNamespace), client.MatchingLabels(labels)); err != nil {
-			return false, err
-		}
-	}
-	return true, nil
-}
-
-func (a *tailscaleSTSReconciler) reconcileHeadlessService(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig) (*corev1.Service, error) {
-	hsvc := &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: "ts-" + sts.ParentResourceName + "-",
-			Namespace:    a.operatorNamespace,
-			Labels:       sts.ChildResourceLabels,
-		},
-		Spec: corev1.ServiceSpec{
-			ClusterIP: "None",
-			Selector: map[string]string{
-				"app": sts.ParentResourceUID,
-			},
-		},
-	}
-	logger.Debugf("reconciling headless service for StatefulSet")
-	return createOrUpdate(ctx, a.Client, a.operatorNamespace, hsvc, func(svc *corev1.Service) { svc.Spec = hsvc.Spec })
-}
-
-func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *zap.SugaredLogger, stsC *tailscaleSTSConfig, hsvc *corev1.Service) (string, error) {
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			// Hardcode a -0 suffix so that in future, if we support
-			// multiple StatefulSet replicas, we can provision -N for
-			// those.
-			Name:      hsvc.Name + "-0",
-			Namespace: a.operatorNamespace,
-			Labels:    stsC.ChildResourceLabels,
-		},
-	}
-	var orig *corev1.Secret // unmodified copy of secret
-	if err := a.Get(ctx, client.ObjectKeyFromObject(secret), secret); err == nil {
-		logger.Debugf("secret %s/%s already exists", secret.GetNamespace(), secret.GetName())
-		orig = secret.DeepCopy()
-	} else if !apierrors.IsNotFound(err) {
-		return "", err
-	}
-
-	if orig == nil {
-		// Secret doesn't exist yet, create one. Initially it contains
-		// only the Tailscale authkey, but once Tailscale starts it'll
-		// also store the daemon state.
-		sts, err := getSingleObject[appsv1.StatefulSet](ctx, a.Client, a.operatorNamespace, stsC.ChildResourceLabels)
-		if err != nil {
-			return "", err
-		}
-		if sts != nil {
-			// StatefulSet exists, so we have already created the secret.
-			// If the secret is missing, they should delete the StatefulSet.
-			logger.Errorf("Tailscale proxy secret doesn't exist, but the corresponding StatefulSet %s/%s already does. Something is wrong, please delete the StatefulSet.", sts.GetNamespace(), sts.GetName())
-			return "", nil
-		}
-		// Create API Key secret which is going to be used by the statefulset
-		// to authenticate with Tailscale.
-		logger.Debugf("creating authkey for new tailscale proxy")
-		tags := stsC.Tags
-		if len(tags) == 0 {
-			tags = a.defaultTags
-		}
-		authKey, err := a.newAuthKey(ctx, tags)
-		if err != nil {
-			return "", err
-		}
-
-		mak.Set(&secret.StringData, "authkey", authKey)
-	}
-	if stsC.ServeConfig != nil {
-		j, err := json.Marshal(stsC.ServeConfig)
-		if err != nil {
-			return "", err
-		}
-		mak.Set(&secret.StringData, "serve-config", string(j))
-	}
-	if orig != nil {
-		if err := a.Patch(ctx, secret, client.MergeFrom(orig)); err != nil {
-			return "", err
-		}
-	} else {
-		if err := a.Create(ctx, secret); err != nil {
-			return "", err
-		}
-	}
-	return secret.Name, nil
-}
-
-// DeviceInfo returns the device ID and hostname for the Tailscale device
-// associated with the given labels.
-func (a *tailscaleSTSReconciler) DeviceInfo(ctx context.Context, childLabels map[string]string) (id tailcfg.StableNodeID, hostname string, ips []string, err error) {
-	sec, err := getSingleObject[corev1.Secret](ctx, a.Client, a.operatorNamespace, childLabels)
-	if err != nil {
-		return "", "", nil, err
-	}
-	if sec == nil {
-		return "", "", nil, nil
-	}
-	id = tailcfg.StableNodeID(sec.Data["device_id"])
-	if id == "" {
-		return "", "", nil, nil
-	}
-	// Kubernetes chokes on well-formed FQDNs with the trailing dot, so we have
-	// to remove it.
-	hostname = strings.TrimSuffix(string(sec.Data["device_fqdn"]), ".")
-	if hostname == "" {
-		return "", "", nil, nil
-	}
-	if rawDeviceIPs, ok := sec.Data["device_ips"]; ok {
-		if err := json.Unmarshal(rawDeviceIPs, &ips); err != nil {
-			return "", "", nil, err
-		}
-	}
-
-	return id, hostname, ips, nil
-}
-
-func (a *tailscaleSTSReconciler) newAuthKey(ctx context.Context, tags []string) (string, error) {
-	caps := tailscale.KeyCapabilities{
-		Devices: tailscale.KeyDeviceCapabilities{
-			Create: tailscale.KeyDeviceCreateCapabilities{
-				Reusable:      false,
-				Preauthorized: true,
-				Tags:          tags,
-			},
-		},
-	}
-
-	key, _, err := a.tsClient.CreateKey(ctx, caps)
-	if err != nil {
-		return "", err
-	}
-	return key, nil
-}
-
-//go:embed manifests/proxy.yaml
-var proxyYaml []byte
-
-//go:embed manifests/userspace-proxy.yaml
-var userspaceProxyYaml []byte
-
-func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig, headlessSvc *corev1.Service, authKeySecret string) (*appsv1.StatefulSet, error) {
-	var ss appsv1.StatefulSet
-	if sts.ServeConfig != nil {
-		if err := yaml.Unmarshal(userspaceProxyYaml, &ss); err != nil {
-			return nil, fmt.Errorf("failed to unmarshal proxy spec: %w", err)
-		}
-	} else {
-		if err := yaml.Unmarshal(proxyYaml, &ss); err != nil {
-			return nil, fmt.Errorf("failed to unmarshal proxy spec: %w", err)
-		}
-	}
-	container := &ss.Spec.Template.Spec.Containers[0]
-	container.Image = a.proxyImage
-	container.Env = append(container.Env,
-		corev1.EnvVar{
-			Name:  "TS_KUBE_SECRET",
-			Value: authKeySecret,
-		},
-		corev1.EnvVar{
-			Name:  "TS_HOSTNAME",
-			Value: sts.Hostname,
-		})
-	if sts.ClusterTargetIP != "" {
-		container.Env = append(container.Env, corev1.EnvVar{
-			Name:  "TS_DEST_IP",
-			Value: sts.ClusterTargetIP,
-		})
-	} else if sts.TailnetTargetIP != "" {
-		container.Env = append(container.Env, corev1.EnvVar{
-			Name:  "TS_TAILNET_TARGET_IP",
-			Value: sts.TailnetTargetIP,
-		})
-
-	} else if sts.ServeConfig != nil {
-		container.Env = append(container.Env, corev1.EnvVar{
-			Name:  "TS_SERVE_CONFIG",
-			Value: "/etc/tailscaled/serve-config",
-		})
-		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
-			Name:      "serve-config",
-			ReadOnly:  true,
-			MountPath: "/etc/tailscaled",
-		})
-		ss.Spec.Template.Spec.Volumes = append(ss.Spec.Template.Spec.Volumes, corev1.Volume{
-			Name: "serve-config",
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: authKeySecret,
-					Items: []corev1.KeyToPath{{
-						Key:  "serve-config",
-						Path: "serve-config",
-					}},
-				},
-			},
-		})
-	}
-	ss.ObjectMeta = metav1.ObjectMeta{
-		Name:      headlessSvc.Name,
-		Namespace: a.operatorNamespace,
-		Labels:    sts.ChildResourceLabels,
-	}
-	ss.Spec.ServiceName = headlessSvc.Name
-	ss.Spec.Selector = &metav1.LabelSelector{
-		MatchLabels: map[string]string{
-			"app": sts.ParentResourceUID,
-		},
-	}
-
-	// containerboot currently doesn't have a way to re-read the hostname/ip as
-	// it is passed via an environment variable. So we need to restart the
-	// container when the value changes. We do this by adding an annotation to
-	// the pod template that contains the last value we set.
-	ss.Spec.Template.Annotations = map[string]string{
-		podAnnotationLastSetHostname: sts.Hostname,
-	}
-	if sts.ClusterTargetIP != "" {
-		ss.Spec.Template.Annotations[podAnnotationLastSetClusterIP] = sts.ClusterTargetIP
-	}
-	if sts.TailnetTargetIP != "" {
-		ss.Spec.Template.Annotations[podAnnotationLastSetTailnetTargetIP] = sts.TailnetTargetIP
-	}
-	ss.Spec.Template.Labels = map[string]string{
-		"app": sts.ParentResourceUID,
-	}
-	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
-	logger.Debugf("reconciling statefulset %s/%s", ss.GetNamespace(), ss.GetName())
-	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
-}
-
-// ptrObject is a type constraint for pointer types that implement
-// client.Object.
-type ptrObject[T any] interface {
-	client.Object
-	*T
-}
-
-// createOrUpdate adds obj to the k8s cluster, unless the object already exists,
-// in which case update is called to make changes to it. If update is nil, the
-// existing object is returned unmodified.
-//
-// obj is looked up by its Name and Namespace if Name is set, otherwise it's
-// looked up by labels.
-func createOrUpdate[T any, O ptrObject[T]](ctx context.Context, c client.Client, ns string, obj O, update func(O)) (O, error) {
-	var (
-		existing O
-		err      error
-	)
-	if obj.GetName() != "" {
-		existing = new(T)
-		existing.SetName(obj.GetName())
-		existing.SetNamespace(obj.GetNamespace())
-		err = c.Get(ctx, client.ObjectKeyFromObject(obj), existing)
-	} else {
-		existing, err = getSingleObject[T, O](ctx, c, ns, obj.GetLabels())
-	}
-	if err == nil && existing != nil {
-		if update != nil {
-			update(existing)
-			if err := c.Update(ctx, existing); err != nil {
-				return nil, err
-			}
-		}
-		return existing, nil
-	}
-	if err != nil && !apierrors.IsNotFound(err) {
-		return nil, fmt.Errorf("failed to get object: %w", err)
-	}
-	if err := c.Create(ctx, obj); err != nil {
-		return nil, err
-	}
-	return obj, nil
-}
-
-// getSingleObject searches for k8s objects of type T
-// (e.g. corev1.Service) with the given labels, and returns
-// it. Returns nil if no objects match the labels, and an error if
-// more than one object matches.
-func getSingleObject[T any, O ptrObject[T]](ctx context.Context, c client.Client, ns string, labels map[string]string) (O, error) {
-	ret := O(new(T))
-	kinds, _, err := c.Scheme().ObjectKinds(ret)
-	if err != nil {
-		return nil, err
-	}
-	if len(kinds) != 1 {
-		// TODO: the runtime package apparently has a "pick the best
-		// GVK" function somewhere that might be good enough?
-		return nil, fmt.Errorf("more than 1 GroupVersionKind for %T", ret)
-	}
-
-	gvk := kinds[0]
-	gvk.Kind += "List"
-	lst := unstructured.UnstructuredList{}
-	lst.SetGroupVersionKind(gvk)
-	if err := c.List(ctx, &lst, client.InNamespace(ns), client.MatchingLabels(labels)); err != nil {
-		return nil, err
-	}
-
-	if len(lst.Items) == 0 {
-		return nil, nil
-	}
-	if len(lst.Items) > 1 {
-		return nil, fmt.Errorf("found multiple matching %T objects", ret)
-	}
-	if err := c.Scheme().Convert(&lst.Items[0], ret, nil); err != nil {
-		return nil, err
-	}
-	return ret, nil
-}
-
-func defaultBool(envName string, defVal bool) bool {
-	vs := os.Getenv(envName)
-	if vs == "" {
-		return defVal
-	}
-	v, _ := opt.Bool(vs).Get()
-	return v
-}
-
-func defaultEnv(envName, defVal string) string {
-	v := os.Getenv(envName)
-	if v == "" {
-		return defVal
-	}
-	return v
-}
-
-func nameForService(svc *corev1.Service) (string, error) {
-	if h, ok := svc.Annotations[AnnotationHostname]; ok {
-		if err := dnsname.ValidLabel(h); err != nil {
-			return "", fmt.Errorf("invalid Tailscale hostname %q: %w", h, err)
-		}
-		return h, nil
-	}
-	return svc.Namespace + "-" + svc.Name, nil
-}

cmd/k8s-operator/svc.go

@@ -1,268 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !plan9
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"net/netip"
-	"strings"
-	"sync"
-
-	"go.uber.org/zap"
-	"golang.org/x/exp/slices"
-	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/set"
-)
-
-type ServiceReconciler struct {
-	client.Client
-	ssr                   *tailscaleSTSReconciler
-	logger                *zap.SugaredLogger
-	isDefaultLoadBalancer bool
-
-	mu sync.Mutex // protects following
-
-	// managedIngressProxies is a set of all ingress proxies that we're
-	// currently managing. This is only used for metrics.
-	managedIngressProxies set.Slice[types.UID]
-	// managedEgressProxies is a set of all egress proxies that we're currently
-	// managing. This is only used for metrics.
-	managedEgressProxies set.Slice[types.UID]
-}
-
-var (
-	// gaugeEgressProxies tracks the number of egress proxies that we're
-	// currently managing.
-	gaugeEgressProxies = clientmetric.NewGauge("k8s_egress_proxies")
-	// gaugeIngressProxies tracks the number of ingress proxies that we're
-	// currently managing.
-	gaugeIngressProxies = clientmetric.NewGauge("k8s_ingress_proxies")
-)
-
-func childResourceLabels(name, ns, typ string) map[string]string {
-	// You might wonder why we're using owner references, since they seem to be
-	// built for exactly this. Unfortunately, Kubernetes does not support
-	// cross-namespace ownership, by design. This means we cannot make the
-	// service being exposed the owner of the implementation details of the
-	// proxying. Instead, we have to do our own filtering and tracking with
-	// labels.
-	return map[string]string{
-		LabelManaged:         "true",
-		LabelParentName:      name,
-		LabelParentNamespace: ns,
-		LabelParentType:      typ,
-	}
-}
-
-func (a *ServiceReconciler) Reconcile(ctx context.Context, req reconcile.Request) (_ reconcile.Result, err error) {
-	logger := a.logger.With("service-ns", req.Namespace, "service-name", req.Name)
-	logger.Debugf("starting reconcile")
-	defer logger.Debugf("reconcile finished")
-
-	svc := new(corev1.Service)
-	err = a.Get(ctx, req.NamespacedName, svc)
-	if apierrors.IsNotFound(err) {
-		// Request object not found, could have been deleted after reconcile request.
-		logger.Debugf("service not found, assuming it was deleted")
-		return reconcile.Result{}, nil
-	} else if err != nil {
-		return reconcile.Result{}, fmt.Errorf("failed to get svc: %w", err)
-	}
-	if !svc.DeletionTimestamp.IsZero() || !a.shouldExpose(svc) && !a.hasTailnetTargetAnnotation(svc) {
-		logger.Debugf("service is being deleted or is (no longer) referring to Tailscale ingress/egress, ensuring any created resources are cleaned up")
-		return reconcile.Result{}, a.maybeCleanup(ctx, logger, svc)
-	}
-
-	return reconcile.Result{}, a.maybeProvision(ctx, logger, svc)
-}
-
-// maybeCleanup removes any existing resources related to serving svc over tailscale.
-//
-// This function is responsible for removing the finalizer from the service,
-// once all associated resources are gone.
-func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) error {
-	ix := slices.Index(svc.Finalizers, FinalizerName)
-	if ix < 0 {
-		logger.Debugf("no finalizer, nothing to do")
-		a.mu.Lock()
-		defer a.mu.Unlock()
-		a.managedIngressProxies.Remove(svc.UID)
-		a.managedEgressProxies.Remove(svc.UID)
-		gaugeIngressProxies.Set(int64(a.managedIngressProxies.Len()))
-		gaugeEgressProxies.Set(int64(a.managedEgressProxies.Len()))
-		return nil
-	}
-
-	if done, err := a.ssr.Cleanup(ctx, logger, childResourceLabels(svc.Name, svc.Namespace, "svc")); err != nil {
-		return fmt.Errorf("failed to cleanup: %w", err)
-	} else if !done {
-		logger.Debugf("cleanup not done yet, waiting for next reconcile")
-		return nil
-	}
-
-	svc.Finalizers = append(svc.Finalizers[:ix], svc.Finalizers[ix+1:]...)
-	if err := a.Update(ctx, svc); err != nil {
-		return fmt.Errorf("failed to remove finalizer: %w", err)
-	}
-
-	// Unlike most log entries in the reconcile loop, this will get printed
-	// exactly once at the very end of cleanup, because the final step of
-	// cleanup removes the tailscale finalizer, which will make all future
-	// reconciles exit early.
-	logger.Infof("unexposed service from tailnet")
-
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	a.managedIngressProxies.Remove(svc.UID)
-	a.managedEgressProxies.Remove(svc.UID)
-	gaugeIngressProxies.Set(int64(a.managedIngressProxies.Len()))
-	gaugeEgressProxies.Set(int64(a.managedEgressProxies.Len()))
-	return nil
-}
-
-// maybeProvision ensures that svc is exposed over tailscale, taking any actions
-// necessary to reach that state.
-//
-// This function adds a finalizer to svc, ensuring that we can handle orderly
-// deprovisioning later.
-func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) error {
-	hostname, err := nameForService(svc)
-	if err != nil {
-		return err
-	}
-
-	if !slices.Contains(svc.Finalizers, FinalizerName) {
-		// This log line is printed exactly once during initial provisioning,
-		// because once the finalizer is in place this block gets skipped. So,
-		// this is a nice place to tell the operator that the high level,
-		// multi-reconcile operation is underway.
-		logger.Infof("exposing service over tailscale")
-		svc.Finalizers = append(svc.Finalizers, FinalizerName)
-		if err := a.Update(ctx, svc); err != nil {
-			return fmt.Errorf("failed to add finalizer: %w", err)
-		}
-	}
-	crl := childResourceLabels(svc.Name, svc.Namespace, "svc")
-	var tags []string
-	if tstr, ok := svc.Annotations[AnnotationTags]; ok {
-		tags = strings.Split(tstr, ",")
-	}
-
-	sts := &tailscaleSTSConfig{
-		ParentResourceName:  svc.Name,
-		ParentResourceUID:   string(svc.UID),
-		Hostname:            hostname,
-		Tags:                tags,
-		ChildResourceLabels: crl,
-	}
-
-	a.mu.Lock()
-	if a.shouldExpose(svc) {
-		sts.ClusterTargetIP = svc.Spec.ClusterIP
-		a.managedIngressProxies.Add(svc.UID)
-		gaugeIngressProxies.Set(int64(a.managedIngressProxies.Len()))
-	} else if a.hasTailnetTargetAnnotation(svc) {
-		sts.TailnetTargetIP = svc.Annotations[AnnotationTailnetTargetIP]
-		a.managedEgressProxies.Add(svc.UID)
-		gaugeEgressProxies.Set(int64(a.managedEgressProxies.Len()))
-	}
-	a.mu.Unlock()
-
-	var hsvc *corev1.Service
-	if hsvc, err = a.ssr.Provision(ctx, logger, sts); err != nil {
-		return fmt.Errorf("failed to provision: %w", err)
-	}
-
-	if a.hasTailnetTargetAnnotation(svc) {
-		headlessSvcName := hsvc.Name + "." + hsvc.Namespace + ".svc"
-		if svc.Spec.ExternalName != headlessSvcName || svc.Spec.Type != corev1.ServiceTypeExternalName {
-			svc.Spec.ExternalName = headlessSvcName
-			svc.Spec.Selector = nil
-			svc.Spec.Type = corev1.ServiceTypeExternalName
-			if err := a.Update(ctx, svc); err != nil {
-				return fmt.Errorf("failed to update service: %w", err)
-			}
-		}
-		return nil
-	}
-
-	if !a.hasLoadBalancerClass(svc) {
-		logger.Debugf("service is not a LoadBalancer, so not updating ingress")
-		return nil
-	}
-
-	_, tsHost, tsIPs, err := a.ssr.DeviceInfo(ctx, crl)
-	if err != nil {
-		return fmt.Errorf("failed to get device ID: %w", err)
-	}
-	if tsHost == "" {
-		logger.Debugf("no Tailscale hostname known yet, waiting for proxy pod to finish auth")
-		// No hostname yet. Wait for the proxy pod to auth.
-		svc.Status.LoadBalancer.Ingress = nil
-		if err := a.Status().Update(ctx, svc); err != nil {
-			return fmt.Errorf("failed to update service status: %w", err)
-		}
-		return nil
-	}
-
-	logger.Debugf("setting ingress to %q, %s", tsHost, strings.Join(tsIPs, ", "))
-	ingress := []corev1.LoadBalancerIngress{
-		{Hostname: tsHost},
-	}
-	clusterIPAddr, err := netip.ParseAddr(svc.Spec.ClusterIP)
-	if err != nil {
-		return fmt.Errorf("failed to parse cluster IP: %w", err)
-	}
-	for _, ip := range tsIPs {
-		addr, err := netip.ParseAddr(ip)
-		if err != nil {
-			continue
-		}
-		if addr.Is4() == clusterIPAddr.Is4() { // only add addresses of the same family
-			ingress = append(ingress, corev1.LoadBalancerIngress{IP: ip})
-		}
-	}
-	svc.Status.LoadBalancer.Ingress = ingress
-	if err := a.Status().Update(ctx, svc); err != nil {
-		return fmt.Errorf("failed to update service status: %w", err)
-	}
-	return nil
-}
-
-func (a *ServiceReconciler) shouldExpose(svc *corev1.Service) bool {
-	// Headless services can't be exposed, since there is no ClusterIP to
-	// forward to.
-	if svc.Spec.ClusterIP == "" || svc.Spec.ClusterIP == "None" {
-		return false
-	}
-
-	return a.hasLoadBalancerClass(svc) || a.hasExposeAnnotation(svc)
-}
-
-func (a *ServiceReconciler) hasLoadBalancerClass(svc *corev1.Service) bool {
-	return svc != nil &&
-		svc.Spec.Type == corev1.ServiceTypeLoadBalancer &&
-		(svc.Spec.LoadBalancerClass != nil && *svc.Spec.LoadBalancerClass == "tailscale" ||
-			svc.Spec.LoadBalancerClass == nil && a.isDefaultLoadBalancer)
-}
-
-// hasExposeAnnotation reports whether Service has the tailscale.com/expose
-// annotation set
-func (a *ServiceReconciler) hasExposeAnnotation(svc *corev1.Service) bool {
-	return svc != nil && svc.Annotations[AnnotationExpose] == "true"
-}
-
-// hasTailnetTargetAnnotation reports whether Service has a
-// tailscale.com/ts-tailnet-target-ip annotation set
-func (a *ServiceReconciler) hasTailnetTargetAnnotation(svc *corev1.Service) bool {
-	return svc != nil && svc.Annotations[AnnotationTailnetTargetIP] != ""
-}

cmd/netlogfmt/main.go

@@ -35,13 +35,14 @@ import (
 	"net/http"
 	"net/netip"
 	"os"
-	"slices"
 	"strconv"
 	"strings"
 	"time"
 
 	"github.com/dsnet/try"
 	jsonv2 "github.com/go-json-experiment/json"
+	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/netlogtype"
 	"tailscale.com/util/cmpx"
@@ -314,8 +315,8 @@ func mustMakeNamesByAddr() map[netip.Addr]string {
 	namesByAddr := make(map[netip.Addr]string)
 retry:
 	for i := 0; i < 10; i++ {
-		clear(seen)
-		clear(namesByAddr)
+		maps.Clear(seen)
+		maps.Clear(namesByAddr)
 		for _, d := range m.Devices {
 			name := fieldPrefix(d.Name, i)
 			if seen[name] {

cmd/sniproxy/.gitignore

@@ -1 +0,0 @@
-sniproxy

cmd/sniproxy/sniproxy.go

@@ -3,84 +3,46 @@
 
 // The sniproxy is an outbound SNI proxy. It receives TLS connections over
 // Tailscale on one or more TCP ports and sends them out to the same SNI
-// hostname & port on the internet. It can optionally forward one or more
-// TCP ports to a specific destination. It only does TCP.
+// hostname & port on the internet. It only does TCP.
 package main
 
 import (
 	"context"
-	"errors"
-	"expvar"
 	"flag"
-	"fmt"
 	"log"
 	"net"
 	"net/http"
-	"os"
-	"strconv"
 	"strings"
 	"time"
 
-	"github.com/peterbourgon/ff/v3"
 	"golang.org/x/net/dns/dnsmessage"
 	"inet.af/tcpproxy"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
-	"tailscale.com/metrics"
 	"tailscale.com/net/netutil"
 	"tailscale.com/tsnet"
-	"tailscale.com/tsweb"
 	"tailscale.com/types/nettype"
 	"tailscale.com/util/clientmetric"
 )
 
+var (
+	ports        = flag.String("ports", "443", "comma-separated list of ports to proxy")
+	wgPort       = flag.Int("wg-listen-port", 0, "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
+	promoteHTTPS = flag.Bool("promote-https", true, "promote HTTP to HTTPS")
+)
+
 var tsMBox = dnsmessage.MustNewName("support.tailscale.com.")
 
-// portForward is the state for a single port forwarding entry, as passed to the --forward flag.
-type portForward struct {
-	Port        int
-	Proto       string
-	Destination string
-}
-
-// parseForward takes a proto/port/destination tuple as an input, as would be passed
-// to the --forward command line flag, and returns a *portForward struct of those parameters.
-func parseForward(value string) (*portForward, error) {
-	parts := strings.Split(value, "/")
-	if len(parts) != 3 {
-		return nil, errors.New("cannot parse: " + value)
-	}
-
-	proto := parts[0]
-	if proto != "tcp" {
-		return nil, errors.New("unsupported forwarding protocol: " + proto)
-	}
-	port, err := strconv.ParseUint(parts[1], 10, 16)
-	if err != nil {
-		return nil, errors.New("bad forwarding port: " + parts[1])
-	}
-	host := parts[2]
-	if host == "" {
-		return nil, errors.New("bad destination: " + value)
-	}
-
-	return &portForward{Port: int(port), Proto: proto, Destination: host}, nil
-}
+var (
+	numSessions    = clientmetric.NewCounter("sniproxy_sessions")
+	numBadAddrPort = clientmetric.NewCounter("sniproxy_bad_addrport")
+	dnsResponses   = clientmetric.NewCounter("sniproxy_dns_responses")
+	dnsFailures    = clientmetric.NewCounter("sniproxy_dns_failed")
+	httpPromoted   = clientmetric.NewCounter("sniproxy_http_promoted")
+)
 
 func main() {
-	fs := flag.NewFlagSet("sniproxy", flag.ContinueOnError)
-	var (
-		ports        = fs.String("ports", "443", "comma-separated list of ports to proxy")
-		forwards     = fs.String("forwards", "", "comma-separated list of ports to transparently forward, protocol/number/destination. For example, --forwards=tcp/22/github.com,tcp/5432/sql.example.com")
-		wgPort       = fs.Int("wg-listen-port", 0, "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-		promoteHTTPS = fs.Bool("promote-https", true, "promote HTTP to HTTPS")
-		debugPort    = fs.Int("debug-port", 8893, "Listening port for debug/metrics endpoint")
-	)
-
-	err := ff.Parse(fs, os.Args[1:], ff.WithEnvVarPrefix("TS_APPC"))
-	if err != nil {
-		log.Fatal("ff.Parse")
-	}
+	flag.Parse()
 	if *ports == "" {
 		log.Fatal("no ports")
 	}
@@ -96,7 +58,6 @@ func main() {
 		log.Fatal(err)
 	}
 	s.lc = lc
-	s.initMetrics()
 
 	for _, portStr := range strings.Split(*ports, ",") {
 		ln, err := s.ts.Listen("tcp", ":"+portStr)
@@ -107,33 +68,6 @@ func main() {
 		go s.serve(ln)
 	}
 
-	for _, forwStr := range strings.Split(*forwards, ",") {
-		if forwStr == "" {
-			continue
-		}
-		forw, err := parseForward(forwStr)
-		if err != nil {
-			log.Fatal(err)
-		}
-
-		ln, err := s.ts.Listen("tcp", ":"+strconv.Itoa(forw.Port))
-		if err != nil {
-			log.Fatal(err)
-		}
-		log.Printf("Serving on port %d to %s...", forw.Port, forw.Destination)
-
-		// Add an entry to the expvar LabelMap for Prometheus metrics,
-		// and create a clientmetric to report that same value.
-		service := portNumberToName(forw)
-		s.numTCPsessions.SetInt64(service, 0)
-		metric := fmt.Sprintf("sniproxy_tcp_sessions_%s", service)
-		clientmetric.NewCounterFunc(metric, func() int64 {
-			return s.numTCPsessions.Get(service).Value()
-		})
-
-		go s.forward(ln, forw)
-	}
-
 	ln, err := s.ts.Listen("udp", ":53")
 	if err != nil {
 		log.Fatal(err)
@@ -149,31 +83,12 @@ func main() {
 		go s.promoteHTTPS(ln)
 	}
 
-	if *debugPort != 0 {
-		mux := http.NewServeMux()
-		tsweb.Debugger(mux)
-		dln, err := s.ts.Listen("tcp", fmt.Sprintf(":%d", *debugPort))
-		if err != nil {
-			log.Fatal(err)
-		}
-		go func() {
-			log.Fatal(http.Serve(dln, mux))
-		}()
-	}
-
 	select {}
 }
 
 type server struct {
 	ts tsnet.Server
 	lc *tailscale.LocalClient
-
-	numTLSsessions expvar.Int
-	numTCPsessions *metrics.LabelMap
-	numBadAddrPort expvar.Int
-	dnsResponses   expvar.Int
-	dnsFailures    expvar.Int
-	httpPromoted   expvar.Int
 }
 
 func (s *server) serve(ln net.Listener) {
@@ -186,16 +101,6 @@ func (s *server) serve(ln net.Listener) {
 	}
 }
 
-func (s *server) forward(ln net.Listener, forw *portForward) {
-	for {
-		c, err := ln.Accept()
-		if err != nil {
-			log.Fatal(err)
-		}
-		go s.forwardConn(c, forw)
-	}
-}
-
 func (s *server) serveDNS(ln net.Listener) {
 	for {
 		c, err := ln.Accept()
@@ -213,7 +118,7 @@ func (s *server) serveDNSConn(c nettype.ConnPacketConn) {
 	n, err := c.Read(buf)
 	if err != nil {
 		log.Printf("c.Read failed: %v\n ", err)
-		s.dnsFailures.Add(1)
+		dnsFailures.Add(1)
 		return
 	}
 
@@ -221,25 +126,25 @@ func (s *server) serveDNSConn(c nettype.ConnPacketConn) {
 	err = msg.Unpack(buf[:n])
 	if err != nil {
 		log.Printf("dnsmessage unpack failed: %v\n ", err)
-		s.dnsFailures.Add(1)
+		dnsFailures.Add(1)
 		return
 	}
 
 	buf, err = s.dnsResponse(&msg)
 	if err != nil {
 		log.Printf("s.dnsResponse failed: %v\n", err)
-		s.dnsFailures.Add(1)
+		dnsFailures.Add(1)
 		return
 	}
 
 	_, err = c.Write(buf)
 	if err != nil {
 		log.Printf("c.Write failed: %v\n", err)
-		s.dnsFailures.Add(1)
+		dnsFailures.Add(1)
 		return
 	}
 
-	s.dnsResponses.Add(1)
+	dnsResponses.Add(1)
 }
 
 func (s *server) serveConn(c net.Conn) {
@@ -247,7 +152,7 @@ func (s *server) serveConn(c net.Conn) {
 	_, port, err := net.SplitHostPort(addrPortStr)
 	if err != nil {
 		log.Printf("bogus addrPort %q", addrPortStr)
-		s.numBadAddrPort.Add(1)
+		numBadAddrPort.Add(1)
 		c.Close()
 		return
 	}
@@ -260,7 +165,7 @@ func (s *server) serveConn(c net.Conn) {
 		return netutil.NewOneConnListener(c, nil), nil
 	}
 	p.AddSNIRouteFunc(addrPortStr, func(ctx context.Context, sniName string) (t tcpproxy.Target, ok bool) {
-		s.numTLSsessions.Add(1)
+		numSessions.Add(1)
 		return &tcpproxy.DialProxy{
 			Addr:        net.JoinHostPort(sniName, port),
 			DialContext: dialer.DialContext,
@@ -269,49 +174,6 @@ func (s *server) serveConn(c net.Conn) {
 	p.Start()
 }
 
-// portNumberToName returns a human-readable name for several port numbers commonly forwarded,
-// and "tcp###" for everything else. It is used for metric label names.
-func portNumberToName(forw *portForward) string {
-	switch forw.Port {
-	case 22:
-		return "ssh"
-	case 1433:
-		return "sqlserver"
-	case 3306:
-		return "mysql"
-	case 3389:
-		return "rdp"
-	case 5432:
-		return "postgres"
-	default:
-		return fmt.Sprintf("%s%d", forw.Proto, forw.Port)
-	}
-}
-
-// forwardConn sets up a forwarder for a TCP connection. It does not inspect of the data
-// like the SNI forwarding does, it merely forwards all data to the destination specified
-// in the --forward=tcp/22/github.com argument.
-func (s *server) forwardConn(c net.Conn, forw *portForward) {
-	addrPortStr := c.LocalAddr().String()
-
-	var dialer net.Dialer
-	dialer.Timeout = 30 * time.Second
-
-	var p tcpproxy.Proxy
-	p.ListenFunc = func(net, laddr string) (net.Listener, error) {
-		return netutil.NewOneConnListener(c, nil), nil
-	}
-
-	dial := &tcpproxy.DialProxy{
-		Addr:        fmt.Sprintf("%s:%d", forw.Destination, forw.Port),
-		DialContext: dialer.DialContext,
-	}
-
-	p.AddRoute(addrPortStr, dial)
-	s.numTCPsessions.Add(portNumberToName(forw), 1)
-	p.Start()
-}
-
 func (s *server) dnsResponse(req *dnsmessage.Message) (buf []byte, err error) {
 	resp := dnsmessage.NewBuilder(buf,
 		dnsmessage.Header{
@@ -373,36 +235,8 @@ func (s *server) dnsResponse(req *dnsmessage.Message) (buf []byte, err error) {
 
 func (s *server) promoteHTTPS(ln net.Listener) {
 	err := http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		s.httpPromoted.Add(1)
+		httpPromoted.Add(1)
 		http.Redirect(w, r, "https://"+r.Host+r.RequestURI, http.StatusFound)
 	}))
 	log.Fatalf("promoteHTTPS http.Serve: %v", err)
 }
-
-// initMetrics sets up local prometheus metrics, and creates clientmetrics to report those
-// same counters.
-func (s *server) initMetrics() {
-	stats := new(metrics.Set)
-
-	stats.Set("tls_sessions", &s.numTLSsessions)
-	clientmetric.NewCounterFunc("sniproxy_tls_sessions", s.numTLSsessions.Value)
-
-	s.numTCPsessions = &metrics.LabelMap{Label: "proto"}
-	stats.Set("tcp_sessions", s.numTCPsessions)
-	// clientmetric doesn't have a good way to implement a Map type.
-	// We create clientmetrics dynamically when parsing the --forwards argument
-
-	stats.Set("bad_addrport", &s.numBadAddrPort)
-	clientmetric.NewCounterFunc("sniproxy_bad_addrport", s.numBadAddrPort.Value)
-
-	stats.Set("dns_responses", &s.dnsResponses)
-	clientmetric.NewCounterFunc("sniproxy_dns_responses", s.dnsResponses.Value)
-
-	stats.Set("dns_failed", &s.dnsFailures)
-	clientmetric.NewCounterFunc("sniproxy_dns_failed", s.dnsFailures.Value)
-
-	stats.Set("http_promoted", &s.httpPromoted)
-	clientmetric.NewCounterFunc("sniproxy_http_promoted", s.httpPromoted.Value)
-
-	expvar.Publish("sniproxy", stats)
-}

cmd/sniproxy/sniproxy_test.go

@@ -1,37 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-)
-
-func TestPortForwardingArguments(t *testing.T) {
-	tests := []struct {
-		in      string
-		wanterr string
-		want    *portForward
-	}{
-		{"", "", nil},
-		{"bad port specifier", "cannot parse", nil},
-		{"tcp/xyz/example.com", "bad forwarding port", nil},
-		{"tcp//example.com", "bad forwarding port", nil},
-		{"tcp/2112/", "bad destination", nil},
-		{"udp/53/example.com", "unsupported forwarding protocol", nil},
-		{"tcp/22/github.com", "", &portForward{Proto: "tcp", Port: 22, Destination: "github.com"}},
-	}
-	for _, tt := range tests {
-		got, goterr := parseForward(tt.in)
-		if tt.wanterr != "" {
-			if !strings.Contains(goterr.Error(), tt.wanterr) {
-				t.Errorf("f(%q).err = %v; want %v", tt.in, goterr, tt.wanterr)
-			}
-		} else if diff := cmp.Diff(got, tt.want); diff != "" {
-			t.Errorf("Parsed forward (-got, +want):\n%s", diff)
-		}
-	}
-}

cmd/ssh-auth-none-demo/ssh-auth-none-demo.go

@@ -19,6 +19,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"os"
 	"path/filepath"
@@ -148,7 +149,7 @@ func getHostKeys(dir string) (ret []ssh.Signer, err error) {
 
 func hostKeyFileOrCreate(keyDir, typ string) ([]byte, error) {
 	path := filepath.Join(keyDir, "ssh_host_"+typ+"_key")
-	v, err := os.ReadFile(path)
+	v, err := ioutil.ReadFile(path)
 	if err == nil {
 		return v, nil
 	}

cmd/sync-containers/main.go

@@ -1,8 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !plan9
-
 // The sync-containers command synchronizes container image tags from one
 // registry to another.
 //

cmd/tailscale/cli/cli.go

@@ -14,12 +14,12 @@ import (
 	"log"
 	"os"
 	"runtime"
-	"slices"
 	"strings"
 	"sync"
 	"text/tabwriter"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"golang.org/x/exp/slices"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
 	"tailscale.com/paths"
@@ -120,8 +120,8 @@ change in the future.
 			pingCmd,
 			ncCmd,
 			sshCmd,
-			funnelCmd(),
-			serveCmd(),
+			funnelCmd,
+			serveCmd,
 			versionCmd,
 			webCmd,
 			fileCmd,
@@ -130,7 +130,6 @@ change in the future.
 			netlockCmd,
 			licensesCmd,
 			exitNodeCmd,
-			updateCmd,
 		},
 		FlagSet:   rootfs,
 		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
@@ -146,6 +145,8 @@ change in the future.
 	switch {
 	case slices.Contains(args, "debug"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
+	case slices.Contains(args, "update"):
+		rootCmd.Subcommands = append(rootCmd.Subcommands, updateCmd)
 	}
 	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
 		rootCmd.Subcommands = append(rootCmd.Subcommands, configureHostCmd)

cmd/tailscale/cli/cli_test.go

@@ -21,7 +21,6 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/tstest"
-	"tailscale.com/types/logger"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
 	"tailscale.com/util/cmpx"
@@ -556,10 +555,6 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				NetfilterMode:    preftype.NetfilterOn,
 				CorpDNS:          true,
 				AllowSingleHosts: true,
-				AutoUpdate: ipn.AutoUpdatePrefs{
-					Check: true,
-					Apply: false,
-				},
 			},
 		},
 		{
@@ -573,10 +568,6 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				AllowSingleHosts: true,
 				RouteAll:         true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AutoUpdate: ipn.AutoUpdatePrefs{
-					Check: true,
-					Apply: false,
-				},
 			},
 		},
 		{
@@ -592,10 +583,6 @@ func TestPrefsFromUpArgs(t *testing.T) {
 					netip.MustParsePrefix("::/0"),
 				},
 				NetfilterMode: preftype.NetfilterOn,
-				AutoUpdate: ipn.AutoUpdatePrefs{
-					Check: true,
-					Apply: false,
-				},
 			},
 		},
 		{
@@ -682,10 +669,6 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				WantRunning:   true,
 				NetfilterMode: preftype.NetfilterNoDivert,
 				NoSNAT:        true,
-				AutoUpdate: ipn.AutoUpdatePrefs{
-					Check: true,
-					Apply: false,
-				},
 			},
 		},
 		{
@@ -699,10 +682,6 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				WantRunning:   true,
 				NetfilterMode: preftype.NetfilterOff,
 				NoSNAT:        true,
-				AutoUpdate: ipn.AutoUpdatePrefs{
-					Check: true,
-					Apply: false,
-				},
 			},
 		},
 		{
@@ -718,10 +697,6 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				AdvertiseRoutes: []netip.Prefix{
 					netip.MustParsePrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
 				},
-				AutoUpdate: ipn.AutoUpdatePrefs{
-					Check: true,
-					Apply: false,
-				},
 			},
 		},
 		{
@@ -1176,13 +1151,18 @@ func TestUpdatePrefs(t *testing.T) {
 				justEditMP.Prefs = ipn.Prefs{} // uninteresting
 			}
 			if !reflect.DeepEqual(justEditMP, tt.wantJustEditMP) {
-				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was \n%v", logger.AsJSON(oldEditPrefs))
+				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was \n%v", asJSON(oldEditPrefs))
 				t.Fatalf("justEditMP: %v\n\n: ", cmp.Diff(justEditMP, tt.wantJustEditMP, cmpIP))
 			}
 		})
 	}
 }
 
+func asJSON(v any) string {
+	b, _ := json.MarshalIndent(v, "", "\t")
+	return string(b)
+}
+
 var cmpIP = cmp.Comparer(func(a, b netip.Addr) bool {
 	return a == b
 })

cmd/tailscale/cli/configure-kube.go

@@ -11,10 +11,10 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"slices"
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"golang.org/x/exp/slices"
 	"k8s.io/client-go/util/homedir"
 	"sigs.k8s.io/yaml"
 	"tailscale.com/version"

cmd/tailscale/cli/debug.go

@@ -28,7 +28,6 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/net/http/httpproxy"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlhttp"
 	"tailscale.com/hostinfo"
@@ -138,11 +137,6 @@ var debugCmd = &ffcli.Command{
 			Exec:      localAPIAction("break-derp-conns"),
 			ShortHelp: "break any open DERP connections from the daemon",
 		},
-		{
-			Name:      "control-knobs",
-			Exec:      debugControlKnobs,
-			ShortHelp: "see current control knobs",
-		},
 		{
 			Name:      "prefs",
 			Exec:      runPrefs,
@@ -225,9 +219,7 @@ var debugCmd = &ffcli.Command{
 				fs := newFlagSet("portmap")
 				fs.DurationVar(&debugPortmapArgs.duration, "duration", 5*time.Second, "timeout for port mapping")
 				fs.StringVar(&debugPortmapArgs.ty, "type", "", `portmap debug type (one of "", "pmp", "pcp", or "upnp")`)
-				fs.StringVar(&debugPortmapArgs.gatewayAddr, "gateway-addr", "", `override gateway IP (must also pass --self-addr)`)
-				fs.StringVar(&debugPortmapArgs.selfAddr, "self-addr", "", `override self IP (must also pass --gateway-addr)`)
-				fs.BoolVar(&debugPortmapArgs.logHTTP, "log-http", false, `print all HTTP requests and responses to the log`)
+				fs.StringVar(&debugPortmapArgs.gwSelf, "gw-self", "", `override gateway and self IP (format: "gatewayIP/selfIP")`)
 				return fs
 			})(),
 		},
@@ -826,34 +818,17 @@ func runCapture(ctx context.Context, args []string) error {
 }
 
 var debugPortmapArgs struct {
-	duration    time.Duration
-	gatewayAddr string
-	selfAddr    string
-	ty          string
-	logHTTP     bool
+	duration time.Duration
+	gwSelf   string
+	ty       string
 }
 
 func debugPortmap(ctx context.Context, args []string) error {
-	opts := &tailscale.DebugPortmapOpts{
-		Duration: debugPortmapArgs.duration,
-		Type:     debugPortmapArgs.ty,
-		LogHTTP:  debugPortmapArgs.logHTTP,
-	}
-	if (debugPortmapArgs.gatewayAddr != "") != (debugPortmapArgs.selfAddr != "") {
-		return fmt.Errorf("if one of --gateway-addr and --self-addr is provided, the other must be as well")
-	}
-	if debugPortmapArgs.gatewayAddr != "" {
-		var err error
-		opts.GatewayAddr, err = netip.ParseAddr(debugPortmapArgs.gatewayAddr)
-		if err != nil {
-			return fmt.Errorf("invalid --gateway-addr: %w", err)
-		}
-		opts.SelfAddr, err = netip.ParseAddr(debugPortmapArgs.selfAddr)
-		if err != nil {
-			return fmt.Errorf("invalid --self-addr: %w", err)
-		}
-	}
-	rc, err := localClient.DebugPortmap(ctx, opts)
+	rc, err := localClient.DebugPortmap(ctx,
+		debugPortmapArgs.duration,
+		debugPortmapArgs.ty,
+		debugPortmapArgs.gwSelf,
+	)
 	if err != nil {
 		return err
 	}
@@ -920,17 +895,3 @@ func runPeerEndpointChanges(ctx context.Context, args []string) error {
 	fmt.Printf("%s", dst.String())
 	return nil
 }
-
-func debugControlKnobs(ctx context.Context, args []string) error {
-	if len(args) > 0 {
-		return errors.New("unexpected arguments")
-	}
-	v, err := localClient.DebugResultJSON(ctx, "control-knobs")
-	if err != nil {
-		return err
-	}
-	e := json.NewEncoder(os.Stdout)
-	e.SetIndent("", "  ")
-	e.Encode(v)
-	return nil
-}

cmd/tailscale/cli/exitnode.go

@@ -8,13 +8,14 @@ import (
 	"errors"
 	"flag"
 	"fmt"
+
 	"os"
-	"slices"
 	"strings"
 	"text/tabwriter"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	xmaps "golang.org/x/exp/maps"
+	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/cmpx"
@@ -181,7 +182,7 @@ func filterFormatAndSortExitNodes(peers []*ipnstate.PeerStatus, filterBy string)
 	}
 
 	filteredExitNodes := filteredExitNodes{
-		Countries: xmaps.Values(countries),
+		Countries: maps.Values(countries),
 	}
 
 	for _, country := range filteredExitNodes.Countries {

cmd/tailscale/cli/funnel.go

@@ -9,28 +9,18 @@ import (
 	"fmt"
 	"net"
 	"os"
-	"slices"
 	"strconv"
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/envknob"
+	"golang.org/x/exp/slices"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/mak"
 )
 
-var funnelCmd = func() *ffcli.Command {
-	se := &serveEnv{lc: &localClient}
-	// This flag is used to switch to an in-development
-	// implementation of the tailscale funnel command.
-	// See https://github.com/tailscale/tailscale/issues/7844
-	if envknob.UseWIPCode() {
-		return newServeDevCommand(se, funnel)
-	}
-	return newFunnelCommand(se)
-}
+var funnelCmd = newFunnelCommand(&serveEnv{lc: &localClient})
 
 // newFunnelCommand returns a new "funnel" subcommand using e as its environment.
 // The funnel subcommand is used to turn on/off the Funnel service.
@@ -93,7 +83,7 @@ func (e *serveEnv) runFunnel(ctx context.Context, args []string) error {
 	if sc == nil {
 		sc = new(ipn.ServeConfig)
 	}
-	st, err := e.getLocalClientStatusWithoutPeers(ctx)
+	st, err := e.getLocalClientStatus(ctx)
 	if err != nil {
 		return fmt.Errorf("getting client status: %w", err)
 	}
@@ -156,7 +146,7 @@ func (e *serveEnv) verifyFunnelEnabled(ctx context.Context, st *ipnstate.Status,
 		return nil // already enabled
 	}
 	enableErr := e.enableFeatureInteractive(ctx, "funnel", hasFunnelAttrs)
-	st, statusErr := e.getLocalClientStatusWithoutPeers(ctx) // get updated status; interactive flow may block
+	st, statusErr := e.getLocalClientStatus(ctx) // get updated status; interactive flow may block
 	switch {
 	case statusErr != nil:
 		return fmt.Errorf("getting client status: %w", statusErr)

cmd/tailscale/cli/netcheck.go

@@ -21,7 +21,6 @@ import (
 	"tailscale.com/net/netcheck"
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/portmapper"
-	"tailscale.com/net/tlsdial"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 )
@@ -53,7 +52,7 @@ func runNetcheck(ctx context.Context, args []string) error {
 		return err
 	}
 	c := &netcheck.Client{
-		PortMapper:  portmapper.NewClient(logf, netMon, nil, nil, nil),
+		PortMapper:  portmapper.NewClient(logf, netMon, nil, nil),
 		UseDNSCache: false, // always resolve, don't cache
 	}
 	if netcheckArgs.verbose {
@@ -77,8 +76,7 @@ func runNetcheck(ctx context.Context, args []string) error {
 		log.Printf("No DERP map from tailscaled; using default.")
 	}
 	if err != nil || noRegions {
-		hc := &http.Client{Transport: tlsdial.NewTransport()}
-		dm, err = prodDERPMap(ctx, hc)
+		dm, err = prodDERPMap(ctx, http.DefaultClient)
 		if err != nil {
 			return err
 		}
@@ -153,11 +151,7 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	if len(report.RegionLatency) == 0 {
 		printf("\t* Nearest DERP: unknown (no response to latency probes)\n")
 	} else {
-		if report.PreferredDERP != 0 {
-			printf("\t* Nearest DERP: %v\n", dm.Regions[report.PreferredDERP].RegionName)
-		} else {
-			printf("\t* Nearest DERP: [none]\n")
-		}
+		printf("\t* Nearest DERP: %v\n", dm.Regions[report.PreferredDERP].RegionName)
 		printf("\t* DERP latency:\n")
 		var rids []int
 		for rid := range dm.Regions {

cmd/tailscale/cli/serve.go

@@ -18,14 +18,13 @@ import (
 	"path/filepath"
 	"reflect"
 	"runtime"
-	"slices"
 	"sort"
 	"strconv"
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
+	"golang.org/x/exp/slices"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
@@ -33,16 +32,7 @@ import (
 	"tailscale.com/version"
 )
 
-var serveCmd = func() *ffcli.Command {
-	se := &serveEnv{lc: &localClient}
-	// This flag is used to switch to an in-development
-	// implementation of the tailscale funnel command.
-	// See https://github.com/tailscale/tailscale/issues/7844
-	if envknob.UseWIPCode() {
-		return newServeDevCommand(se, serve)
-	}
-	return newServeCommand(se)
-}
+var serveCmd = newServeCommand(&serveEnv{lc: &localClient})
 
 // newServeCommand returns a new "serve" subcommand using e as its environment.
 func newServeCommand(e *serveEnv) *ffcli.Command {
@@ -120,10 +110,6 @@ EXAMPLES
 	}
 }
 
-// errHelp is standard error text that prompts users to
-// run `serve --help` for information on how to use serve.
-var errHelp = errors.New("try `tailscale serve --help` for usage info")
-
 func (e *serveEnv) newFlags(name string, setup func(fs *flag.FlagSet)) *flag.FlagSet {
 	onError, out := flag.ExitOnError, Stderr
 	if e.testFlagOut != nil {
@@ -143,7 +129,7 @@ func (e *serveEnv) newFlags(name string, setup func(fs *flag.FlagSet)) *flag.Fla
 //
 // The purpose of this interface is to allow tests to provide a mock.
 type localServeClient interface {
-	StatusWithoutPeers(context.Context) (*ipnstate.Status, error)
+	Status(context.Context) (*ipnstate.Status, error)
 	GetServeConfig(context.Context) (*ipn.ServeConfig, error)
 	SetServeConfig(context.Context, *ipn.ServeConfig) error
 	QueryFeature(ctx context.Context, feature string) (*tailcfg.QueryFeatureResponse, error)
@@ -158,18 +144,9 @@ type localServeClient interface {
 //
 // It also contains the flags, as registered with newServeCommand.
 type serveEnv struct {
-	// v1 flags
+	// flags
 	json bool // output JSON (status only for now)
 
-	// v2 specific flags
-	bg               bool      // background mode
-	setPath          string    // serve path
-	https            string    // HTTP port
-	http             string    // HTTP port
-	tcp              string    // TCP port
-	tlsTerminatedTCP string    // a TLS terminated TCP port
-	subcmd           serveMode // subcommand
-
 	lc localServeClient // localClient interface, specific to serve
 
 	// optional stuff for tests:
@@ -181,21 +158,19 @@ type serveEnv struct {
 // The trailing dot is removed.
 // Returns an error if local client status fails.
 func (e *serveEnv) getSelfDNSName(ctx context.Context) (string, error) {
-	st, err := e.getLocalClientStatusWithoutPeers(ctx)
+	st, err := e.getLocalClientStatus(ctx)
 	if err != nil {
 		return "", fmt.Errorf("getting client status: %w", err)
 	}
 	return strings.TrimSuffix(st.Self.DNSName, "."), nil
 }
 
-// getLocalClientStatusWithoutPeers returns the Status of the local client
-// without any peers in the response.
-//
+// getLocalClientStatus returns the Status of the local client.
 // Returns error if unable to reach tailscaled or if self node is nil.
 //
 // Exits if status is not running or starting.
-func (e *serveEnv) getLocalClientStatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
-	st, err := e.lc.StatusWithoutPeers(ctx)
+func (e *serveEnv) getLocalClientStatus(ctx context.Context) (*ipnstate.Status, error) {
+	st, err := e.lc.Status(ctx)
 	if err != nil {
 		return nil, fixTailscaledConnectError(err)
 	}
@@ -256,7 +231,7 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 
 	if len(args) < 2 || ((srcType == "https" || srcType == "http") && !turnOff && len(args) < 3) {
 		fmt.Fprintf(os.Stderr, "error: invalid number of arguments\n\n")
-		return errHelp
+		return flag.ErrHelp
 	}
 
 	if srcType == "https" && !turnOff {
@@ -298,7 +273,7 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 	default:
 		fmt.Fprintf(os.Stderr, "error: invalid serve type %q\n", srcType)
 		fmt.Fprint(os.Stderr, "must be one of: http:<port>, https:<port>, tcp:<port> or tls-terminated-tcp:<port>\n\n", srcType)
-		return errHelp
+		return flag.ErrHelp
 	}
 }
 
@@ -334,13 +309,13 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bo
 		}
 		if !filepath.IsAbs(source) {
 			fmt.Fprintf(os.Stderr, "error: path must be absolute\n\n")
-			return errHelp
+			return flag.ErrHelp
 		}
 		source = filepath.Clean(source)
 		fi, err := os.Stat(source)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "error: invalid path: %v\n\n", err)
-			return errHelp
+			return flag.ErrHelp
 		}
 		if fi.IsDir() && !strings.HasSuffix(mount, "/") {
 			// dir mount points must end in /
@@ -366,7 +341,7 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bo
 
 	if sc.IsTCPForwardingOnPort(srvPort) {
 		fmt.Fprintf(os.Stderr, "error: cannot serve web; already serving TCP\n")
-		return errHelp
+		return flag.ErrHelp
 	}
 
 	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: useTLS, HTTP: !useTLS})
@@ -554,18 +529,18 @@ func (e *serveEnv) handleTCPServe(ctx context.Context, srcType string, srcPort u
 		terminateTLS = true
 	default:
 		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q\n\n", dest)
-		return errHelp
+		return flag.ErrHelp
 	}
 
 	dstURL, err := url.Parse(dest)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q: %v\n\n", dest, err)
-		return errHelp
+		return flag.ErrHelp
 	}
 	host, dstPortStr, err := net.SplitHostPort(dstURL.Host)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q: %v\n\n", dest, err)
-		return errHelp
+		return flag.ErrHelp
 	}
 
 	switch host {
@@ -574,12 +549,12 @@ func (e *serveEnv) handleTCPServe(ctx context.Context, srcType string, srcPort u
 	default:
 		fmt.Fprintf(os.Stderr, "error: invalid TCP source %q\n", dest)
 		fmt.Fprint(os.Stderr, "must be one of: localhost or 127.0.0.1\n\n", dest)
-		return errHelp
+		return flag.ErrHelp
 	}
 
 	if p, err := strconv.ParseUint(dstPortStr, 10, 16); p == 0 || err != nil {
 		fmt.Fprintf(os.Stderr, "error: invalid port %q\n\n", dstPortStr)
-		return errHelp
+		return flag.ErrHelp
 	}
 
 	cursc, err := e.lc.GetServeConfig(ctx)
@@ -666,7 +641,7 @@ func (e *serveEnv) runServeStatus(ctx context.Context, args []string) error {
 		printf("No serve config\n")
 		return nil
 	}
-	st, err := e.getLocalClientStatusWithoutPeers(ctx)
+	st, err := e.getLocalClientStatus(ctx)
 	if err != nil {
 		return err
 	}
@@ -874,8 +849,8 @@ func (e *serveEnv) enableFeatureInteractive(ctx context.Context, feature string,
 			e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_enablement_lost_connection", feature), 1)
 			return err
 		}
-		if nm := n.NetMap; nm != nil && nm.SelfNode.Valid() {
-			if hasRequiredCapabilities(nm.SelfNode.Capabilities().AsSlice()) {
+		if nm := n.NetMap; nm != nil && nm.SelfNode != nil {
+			if hasRequiredCapabilities(nm.SelfNode.Capabilities) {
 				e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_enabled", feature), 1)
 				fmt.Fprintln(os.Stdout, "Success.")
 				return nil

cmd/tailscale/cli/serve_dev.go

@@ -1,755 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"log"
-	"net"
-	"net/url"
-	"os"
-	"os/signal"
-	"path"
-	"path/filepath"
-	"slices"
-	"sort"
-	"strconv"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/mak"
-	"tailscale.com/version"
-)
-
-type execFunc func(ctx context.Context, args []string) error
-
-type commandInfo struct {
-	Name      string
-	ShortHelp string
-	LongHelp  string
-}
-
-var serveHelpCommon = strings.TrimSpace(`
-<target> can be a port number (e.g., 3000), a partial URL (e.g., localhost:3000), or a
-full URL including a path (e.g., http://localhost:3000/foo, https+insecure://localhost:3000/foo).
-
-EXAMPLES
-  - Mount a local web server at 127.0.0.1:3000 in the foreground:
-    $ tailscale %s localhost:3000
-
-  - Mount a local web server at 127.0.0.1:3000 in the background:
-    $ tailscale %s --bg localhost:3000
-
-For more examples and use cases visit our docs site https://tailscale.com/kb/1247/funnel-serve-use-cases
-`)
-
-type serveMode int
-
-const (
-	serve serveMode = iota
-	funnel
-)
-
-type serveType int
-
-const (
-	serveTypeHTTPS serveType = iota
-	serveTypeHTTP
-	serveTypeTCP
-	serveTypeTLSTerminatedTCP
-)
-
-var infoMap = map[serveMode]commandInfo{
-	serve: {
-		Name:      "serve",
-		ShortHelp: "Serve content and local servers on your tailnet",
-		LongHelp: strings.Join([]string{
-			"Serve enables you to share a local server securely within your tailnet.\n",
-			"To share a local server on the internet, use `tailscale funnel`\n\n",
-		}, "\n"),
-	},
-	funnel: {
-		Name:      "funnel",
-		ShortHelp: "Serve content and local servers on the internet",
-		LongHelp: strings.Join([]string{
-			"Funnel enables you to share a local server on the internet using Tailscale.\n",
-			"To share only within your tailnet, use `tailscale serve`\n\n",
-		}, "\n"),
-	},
-}
-
-func buildShortUsage(subcmd string) string {
-	return strings.Join([]string{
-		subcmd + " [flags] <target> [off]",
-		subcmd + " status [--json]",
-		subcmd + " reset",
-	}, "\n  ")
-}
-
-// newServeDevCommand returns a new "serve" subcommand using e as its environment.
-func newServeDevCommand(e *serveEnv, subcmd serveMode) *ffcli.Command {
-	if subcmd != serve && subcmd != funnel {
-		log.Fatalf("newServeDevCommand called with unknown subcmd %q", subcmd)
-	}
-
-	info := infoMap[subcmd]
-
-	return &ffcli.Command{
-		Name:      info.Name,
-		ShortHelp: info.ShortHelp,
-		ShortUsage: strings.Join([]string{
-			fmt.Sprintf("%s <target>", info.Name),
-			fmt.Sprintf("%s status [--json]", info.Name),
-			fmt.Sprintf("%s reset", info.Name),
-		}, "\n  "),
-		LongHelp: info.LongHelp + fmt.Sprintf(strings.TrimSpace(serveHelpCommon), info.Name, info.Name),
-		Exec:     e.runServeCombined(subcmd),
-
-		FlagSet: e.newFlags("serve-set", func(fs *flag.FlagSet) {
-			fs.BoolVar(&e.bg, "bg", false, "run the command in the background")
-			fs.StringVar(&e.setPath, "set-path", "", "set a path for a specific target and run in the background")
-			fs.StringVar(&e.https, "https", "", "default; HTTPS listener")
-			fs.StringVar(&e.http, "http", "", "HTTP listener")
-			fs.StringVar(&e.tcp, "tcp", "", "TCP listener")
-			fs.StringVar(&e.tlsTerminatedTCP, "tls-terminated-tcp", "", "TLS terminated TCP listener")
-
-		}),
-		UsageFunc: usageFunc,
-		Subcommands: []*ffcli.Command{
-			{
-				Name:      "status",
-				Exec:      e.runServeStatus,
-				ShortHelp: "view current proxy configuration",
-				FlagSet: e.newFlags("serve-status", func(fs *flag.FlagSet) {
-					fs.BoolVar(&e.json, "json", false, "output JSON")
-				}),
-				UsageFunc: usageFunc,
-			},
-			{
-				Name:      "reset",
-				ShortHelp: "reset current serve/funnel config",
-				Exec:      e.runServeReset,
-				FlagSet:   e.newFlags("serve-reset", nil),
-				UsageFunc: usageFunc,
-			},
-		},
-	}
-}
-
-func validateArgs(subcmd serveMode, args []string) error {
-	switch len(args) {
-	case 0:
-		return flag.ErrHelp
-	case 1, 2:
-		if isLegacyInvocation(subcmd, args) {
-			fmt.Fprintf(os.Stderr, "error: the CLI for serve and funnel has changed.")
-			fmt.Fprintf(os.Stderr, "Please see https://tailscale.com/kb/1242/tailscale-serve for more information.")
-			return errHelp
-		}
-	default:
-		fmt.Fprintf(os.Stderr, "error: invalid number of arguments (%d)", len(args))
-		return errHelp
-	}
-	return nil
-}
-
-// runServeCombined is the entry point for the "tailscale {serve,funnel}" commands.
-func (e *serveEnv) runServeCombined(subcmd serveMode) execFunc {
-	e.subcmd = subcmd
-
-	return func(ctx context.Context, args []string) error {
-		if err := validateArgs(subcmd, args); err != nil {
-			return err
-		}
-
-		ctx, cancel := signal.NotifyContext(ctx, os.Interrupt)
-		defer cancel()
-
-		st, err := e.getLocalClientStatusWithoutPeers(ctx)
-		if err != nil {
-			return fmt.Errorf("getting client status: %w", err)
-		}
-
-		funnel := subcmd == funnel
-		if funnel {
-			// verify node has funnel capabilities
-			if err := e.verifyFunnelEnabled(ctx, st, 443); err != nil {
-				return err
-			}
-		}
-
-		mount, err := cleanURLPath(e.setPath)
-		if err != nil {
-			return fmt.Errorf("failed to clean the mount point: %w", err)
-		}
-
-		if e.setPath != "" {
-			// TODO(marwan-at-work): either
-			// 1. Warn the user that this is a side effect.
-			// 2. Force the user to pass --bg
-			// 3. Allow set-path to be in the foreground.
-			e.bg = true
-		}
-
-		srvType, srvPort, err := srvTypeAndPortFromFlags(e)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n\n", err)
-			return errHelp
-		}
-
-		sc, err := e.lc.GetServeConfig(ctx)
-		if err != nil {
-			return fmt.Errorf("error getting serve config: %w", err)
-		}
-
-		// nil if no config
-		if sc == nil {
-			sc = new(ipn.ServeConfig)
-		}
-		dnsName := strings.TrimSuffix(st.Self.DNSName, ".")
-
-		// set parent serve config to always be persisted
-		// at the top level, but a nested config might be
-		// the one that gets manipulated depending on
-		// foreground or background.
-		parentSC := sc
-
-		turnOff := "off" == args[len(args)-1]
-		if !turnOff && srvType == serveTypeHTTPS {
-			// Running serve with https requires that the tailnet has enabled
-			// https cert provisioning. Send users through an interactive flow
-			// to enable this if not already done.
-			//
-			// TODO(sonia,tailscale/corp#10577): The interactive feature flow
-			// is behind a control flag. If the tailnet doesn't have the flag
-			// on, enableFeatureInteractive will error. For now, we hide that
-			// error and maintain the previous behavior (prior to 2023-08-15)
-			// of letting them edit the serve config before enabling certs.
-			if err := e.enableFeatureInteractive(ctx, "serve", func(caps []string) bool {
-				return slices.Contains(caps, tailcfg.CapabilityHTTPS)
-			}); err != nil {
-				return fmt.Errorf("error enabling https feature: %w", err)
-			}
-		}
-
-		var watcher *tailscale.IPNBusWatcher
-		if !e.bg && !turnOff {
-			// if foreground mode, create a WatchIPNBus session
-			// and use the nested config for all following operations
-			// TODO(marwan-at-work): nested-config validations should happen here or previous to this point.
-			watcher, err = e.lc.WatchIPNBus(ctx, ipn.NotifyInitialState)
-			if err != nil {
-				return err
-			}
-			defer watcher.Close()
-			n, err := watcher.Next()
-			if err != nil {
-				return err
-			}
-			if n.SessionID == "" {
-				return errors.New("missing SessionID")
-			}
-			fsc := &ipn.ServeConfig{}
-			mak.Set(&sc.Foreground, n.SessionID, fsc)
-			sc = fsc
-		}
-
-		var msg string
-		if turnOff {
-			err = e.unsetServe(sc, dnsName, srvType, srvPort, mount)
-		} else {
-			err = e.setServe(sc, st, dnsName, srvType, srvPort, mount, args[0], funnel)
-			msg = e.messageForPort(sc, st, dnsName, srvPort)
-		}
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "error: %v\n\n", err)
-			return errHelp
-		}
-
-		if err := e.lc.SetServeConfig(ctx, parentSC); err != nil {
-			return err
-		}
-
-		if msg != "" {
-			fmt.Fprintln(os.Stderr, msg)
-		}
-
-		if watcher != nil {
-			for {
-				_, err = watcher.Next()
-				if err != nil {
-					if errors.Is(err, context.Canceled) {
-						return nil
-					}
-					return err
-				}
-			}
-		}
-
-		return nil
-	}
-}
-
-func (e *serveEnv) setServe(sc *ipn.ServeConfig, st *ipnstate.Status, dnsName string, srvType serveType, srvPort uint16, mount string, target string, allowFunnel bool) error {
-	// update serve config based on the type
-	switch srvType {
-	case serveTypeHTTPS, serveTypeHTTP:
-		useTLS := srvType == serveTypeHTTPS
-		err := e.applyWebServe(sc, dnsName, srvPort, useTLS, mount, target)
-		if err != nil {
-			return fmt.Errorf("failed apply web serve: %w", err)
-		}
-	case serveTypeTCP, serveTypeTLSTerminatedTCP:
-		err := e.applyTCPServe(sc, dnsName, srvType, srvPort, target)
-		if err != nil {
-			return fmt.Errorf("failed to apply TCP serve: %w", err)
-		}
-	default:
-		return fmt.Errorf("invalid type %q", srvType)
-	}
-
-	// update the serve config based on if funnel is enabled
-	e.applyFunnel(sc, dnsName, srvPort, allowFunnel)
-
-	return nil
-}
-
-// messageForPort returns a message for the given port based on the
-// serve config and status.
-func (e *serveEnv) messageForPort(sc *ipn.ServeConfig, st *ipnstate.Status, dnsName string, srvPort uint16) string {
-	var output strings.Builder
-
-	hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(srvPort))))
-
-	if sc.AllowFunnel[hp] == true {
-		output.WriteString("Available on the internet:\n")
-	} else {
-		output.WriteString("Available within your tailnet:\n")
-	}
-
-	scheme := "https"
-	if sc.IsServingHTTP(srvPort) {
-		scheme = "http"
-	}
-
-	portPart := ":" + fmt.Sprint(srvPort)
-	if scheme == "http" && srvPort == 80 ||
-		scheme == "https" && srvPort == 443 {
-		portPart = ""
-	}
-
-	output.WriteString(fmt.Sprintf("%s://%s%s\n\n", scheme, dnsName, portPart))
-
-	if !e.bg {
-		output.WriteString("Press Ctrl+C to exit.")
-		return output.String()
-	}
-
-	srvTypeAndDesc := func(h *ipn.HTTPHandler) (string, string) {
-		switch {
-		case h.Path != "":
-			return "path", h.Path
-		case h.Proxy != "":
-			return "proxy", h.Proxy
-		case h.Text != "":
-			return "text", "\"" + elipticallyTruncate(h.Text, 20) + "\""
-		}
-		return "", ""
-	}
-
-	if sc.Web[hp] != nil {
-		var mounts []string
-
-		for k := range sc.Web[hp].Handlers {
-			mounts = append(mounts, k)
-		}
-		sort.Slice(mounts, func(i, j int) bool {
-			return len(mounts[i]) < len(mounts[j])
-		})
-		maxLen := len(mounts[len(mounts)-1])
-
-		for _, m := range mounts {
-			h := sc.Web[hp].Handlers[m]
-			t, d := srvTypeAndDesc(h)
-			output.WriteString(fmt.Sprintf("%s %s%s %-5s %s\n", "|--", m, strings.Repeat(" ", maxLen-len(m)), t, d))
-		}
-	} else if sc.TCP[srvPort] != nil {
-		h := sc.TCP[srvPort]
-
-		tlsStatus := "TLS over TCP"
-		if h.TerminateTLS != "" {
-			tlsStatus = "TLS terminated"
-		}
-
-		output.WriteString(fmt.Sprintf("|-- tcp://%s (%s)\n", hp, tlsStatus))
-		for _, a := range st.TailscaleIPs {
-			ipp := net.JoinHostPort(a.String(), strconv.Itoa(int(srvPort)))
-			output.WriteString(fmt.Sprintf("|-- tcp://%s\n", ipp))
-		}
-		output.WriteString(fmt.Sprintf("|--> tcp://%s\n", h.TCPForward))
-	}
-
-	output.WriteString("\nServe started and running in the background.\n")
-	output.WriteString(fmt.Sprintf("To disable the proxy, run: tailscale %s off", infoMap[e.subcmd].Name))
-
-	return output.String()
-}
-
-func (e *serveEnv) applyWebServe(sc *ipn.ServeConfig, dnsName string, srvPort uint16, useTLS bool, mount, target string) error {
-	h := new(ipn.HTTPHandler)
-
-	switch {
-	case strings.HasPrefix(target, "text:"):
-		text := strings.TrimPrefix(target, "text:")
-		if text == "" {
-			return errors.New("unable to serve; text cannot be an empty string")
-		}
-		h.Text = text
-	case filepath.IsAbs(target):
-		if version.IsSandboxedMacOS() {
-			// don't allow path serving for now on macOS (2022-11-15)
-			return errors.New("path serving is not supported if sandboxed on macOS")
-		}
-
-		target = filepath.Clean(target)
-		fi, err := os.Stat(target)
-		if err != nil {
-			return errors.New("invalid path")
-		}
-
-		// TODO: need to understand this further
-		if fi.IsDir() && !strings.HasSuffix(mount, "/") {
-			// dir mount points must end in /
-			// for relative file links to work
-			mount += "/"
-		}
-		h.Path = target
-	default:
-		t, err := expandProxyTargetDev(target)
-		if err != nil {
-			return err
-		}
-		h.Proxy = t
-	}
-
-	// TODO: validation needs to check nested foreground configs
-	if sc.IsTCPForwardingOnPort(srvPort) {
-		return errors.New("cannot serve web; already serving TCP")
-	}
-
-	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: useTLS, HTTP: !useTLS})
-
-	hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(srvPort))))
-	if _, ok := sc.Web[hp]; !ok {
-		mak.Set(&sc.Web, hp, new(ipn.WebServerConfig))
-	}
-	mak.Set(&sc.Web[hp].Handlers, mount, h)
-
-	// TODO: handle multiple web handlers from foreground mode
-	for k, v := range sc.Web[hp].Handlers {
-		if v == h {
-			continue
-		}
-		// If the new mount point ends in / and another mount point
-		// shares the same prefix, remove the other handler.
-		// (e.g. /foo/ overwrites /foo)
-		// The opposite example is also handled.
-		m1 := strings.TrimSuffix(mount, "/")
-		m2 := strings.TrimSuffix(k, "/")
-		if m1 == m2 {
-			delete(sc.Web[hp].Handlers, k)
-		}
-	}
-
-	return nil
-}
-
-func (e *serveEnv) applyTCPServe(sc *ipn.ServeConfig, dnsName string, srcType serveType, srcPort uint16, target string) error {
-	var terminateTLS bool
-	switch srcType {
-	case serveTypeTCP:
-		terminateTLS = false
-	case serveTypeTLSTerminatedTCP:
-		terminateTLS = true
-	default:
-		return fmt.Errorf("invalid TCP target %q", target)
-	}
-
-	dstURL, err := url.Parse(target)
-	if err != nil {
-		return fmt.Errorf("invalid TCP target %q: %v", target, err)
-	}
-	host, dstPortStr, err := net.SplitHostPort(dstURL.Host)
-	if err != nil {
-		return fmt.Errorf("invalid TCP target %q: %v", target, err)
-	}
-
-	switch host {
-	case "localhost", "127.0.0.1":
-		// ok
-	default:
-		return fmt.Errorf("invalid TCP target %q, must be one of localhost or 127.0.0.1", target)
-	}
-
-	if p, err := strconv.ParseUint(dstPortStr, 10, 16); p == 0 || err != nil {
-		return fmt.Errorf("invalid port %q", dstPortStr)
-	}
-
-	fwdAddr := "127.0.0.1:" + dstPortStr
-
-	// TODO: needs to account for multiple configs from foreground mode
-	if sc.IsServingWeb(srcPort) {
-		return fmt.Errorf("cannot serve TCP; already serving web on %d", srcPort)
-	}
-
-	mak.Set(&sc.TCP, srcPort, &ipn.TCPPortHandler{TCPForward: fwdAddr})
-
-	if terminateTLS {
-		sc.TCP[srcPort].TerminateTLS = dnsName
-	}
-
-	return nil
-}
-
-func (e *serveEnv) applyFunnel(sc *ipn.ServeConfig, dnsName string, srvPort uint16, allowFunnel bool) {
-	hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(srvPort))))
-
-	// TODO: Should we return an error? Should not be possible.
-	// nil if no config
-	if sc == nil {
-		sc = new(ipn.ServeConfig)
-	}
-
-	// TODO: should ensure there is no other conflicting funnel
-	// TODO: add error handling for if toggling for existing sc
-	if allowFunnel {
-		mak.Set(&sc.AllowFunnel, hp, true)
-	}
-}
-
-// unsetServe removes the serve config for the given serve port.
-func (e *serveEnv) unsetServe(sc *ipn.ServeConfig, dnsName string, srvType serveType, srvPort uint16, mount string) error {
-	switch srvType {
-	case serveTypeHTTPS, serveTypeHTTP:
-		err := e.removeWebServe(sc, dnsName, srvPort, mount)
-		if err != nil {
-			return fmt.Errorf("failed to remove web serve: %w", err)
-		}
-	case serveTypeTCP, serveTypeTLSTerminatedTCP:
-		err := e.removeTCPServe(sc, srvPort)
-		if err != nil {
-			return fmt.Errorf("failed to remove TCP serve: %w", err)
-		}
-	default:
-		return fmt.Errorf("invalid type %q", srvType)
-	}
-
-	// TODO(tylersmalley): remove funnel
-
-	return nil
-}
-
-func srvTypeAndPortFromFlags(e *serveEnv) (srvType serveType, srvPort uint16, err error) {
-	sourceMap := map[serveType]string{
-		serveTypeHTTP:             e.http,
-		serveTypeHTTPS:            e.https,
-		serveTypeTCP:              e.tcp,
-		serveTypeTLSTerminatedTCP: e.tlsTerminatedTCP,
-	}
-
-	var srcTypeCount int
-	var srcValue string
-
-	for k, v := range sourceMap {
-		if v != "" {
-			srcTypeCount++
-			srvType = k
-			srcValue = v
-		}
-	}
-
-	if srcTypeCount > 1 {
-		return 0, 0, fmt.Errorf("cannot serve multiple types for a single mount point")
-	} else if srcTypeCount == 0 {
-		srvType = serveTypeHTTPS
-		srcValue = "443"
-	}
-
-	srvPort, err = parseServePort(srcValue)
-	if err != nil {
-		return 0, 0, fmt.Errorf("invalid port %q: %w", srcValue, err)
-	}
-
-	return srvType, srvPort, nil
-}
-
-func isLegacyInvocation(subcmd serveMode, args []string) bool {
-	if subcmd == serve && len(args) == 2 {
-		prefixes := []string{"http", "https", "tcp", "tls-terminated-tcp"}
-
-		for _, prefix := range prefixes {
-			if strings.HasPrefix(args[0], prefix) {
-				return true
-			}
-		}
-	}
-
-	return false
-}
-
-// removeWebServe removes a web handler from the serve config
-// and removes funnel if no remaining mounts exist for the serve port.
-// The srvPort argument is the serving port and the mount argument is
-// the mount point or registered path to remove.
-func (e *serveEnv) removeWebServe(sc *ipn.ServeConfig, dnsName string, srvPort uint16, mount string) error {
-	if sc.IsTCPForwardingOnPort(srvPort) {
-		return errors.New("cannot remove web handler; currently serving TCP")
-	}
-
-	hp := ipn.HostPort(net.JoinHostPort(dnsName, strconv.Itoa(int(srvPort))))
-	if !sc.WebHandlerExists(hp, mount) {
-		return errors.New("error: handler does not exist")
-	}
-
-	// delete existing handler, then cascade delete if empty
-	delete(sc.Web[hp].Handlers, mount)
-	if len(sc.Web[hp].Handlers) == 0 {
-		delete(sc.Web, hp)
-		delete(sc.TCP, srvPort)
-	}
-
-	// clear empty maps mostly for testing
-	if len(sc.Web) == 0 {
-		sc.Web = nil
-	}
-
-	if len(sc.TCP) == 0 {
-		sc.TCP = nil
-	}
-
-	// disable funnel if no remaining mounts exist for the serve port
-	if sc.Web == nil && sc.TCP == nil {
-		delete(sc.AllowFunnel, hp)
-	}
-
-	return nil
-}
-
-// removeTCPServe removes the TCP forwarding configuration for the
-// given srvPort, or serving port.
-func (e *serveEnv) removeTCPServe(sc *ipn.ServeConfig, src uint16) error {
-	if sc == nil {
-		return nil
-	}
-	if sc.GetTCPPortHandler(src) == nil {
-		return errors.New("error: serve config does not exist")
-	}
-	if sc.IsServingWeb(src) {
-		return fmt.Errorf("unable to remove; serving web, not TCP forwarding on serve port %d", src)
-	}
-	delete(sc.TCP, src)
-	// clear map mostly for testing
-	if len(sc.TCP) == 0 {
-		sc.TCP = nil
-	}
-	return nil
-}
-
-// expandProxyTargetDev expands the supported target values to be proxied
-// allowing for input values to be a port number, a partial URL, or a full URL
-// including a path.
-//
-// examples:
-//   - 3000
-//   - localhost:3000
-//   - http://localhost:3000
-//   - https://localhost:3000
-//   - https-insecure://localhost:3000
-//   - https-insecure://localhost:3000/foo
-func expandProxyTargetDev(target string) (string, error) {
-	var (
-		scheme = "http"
-		host   = "127.0.0.1"
-	)
-
-	// support target being a port number
-	if port, err := strconv.ParseUint(target, 10, 16); err == nil {
-		return fmt.Sprintf("%s://%s:%d", scheme, host, port), nil
-	}
-
-	// prepend scheme if not present
-	if !strings.Contains(target, "://") {
-		target = scheme + "://" + target
-	}
-
-	// make sure we can parse the target
-	u, err := url.ParseRequestURI(target)
-	if err != nil {
-		return "", fmt.Errorf("invalid URL %w", err)
-	}
-
-	// ensure a supported scheme
-	switch u.Scheme {
-	case "http", "https", "https+insecure":
-	default:
-		return "", errors.New("must be a URL starting with http://, https://, or https+insecure://")
-	}
-
-	// validate the port
-	port, err := strconv.ParseUint(u.Port(), 10, 16)
-	if err != nil || port == 0 {
-		return "", fmt.Errorf("invalid port %q", u.Port())
-	}
-
-	// validate the host.
-	switch u.Hostname() {
-	case "localhost", "127.0.0.1":
-		u.Host = fmt.Sprintf("%s:%d", host, port)
-	default:
-		return "", errors.New("only localhost or 127.0.0.1 proxies are currently supported")
-	}
-
-	return u.String(), nil
-}
-
-// cleanURLPath ensures the path is clean and has a leading "/".
-func cleanURLPath(urlPath string) (string, error) {
-	if urlPath == "" {
-		return "/", nil
-	}
-
-	// TODO(tylersmalley) verify still needed with path being a flag
-	urlPath = cleanMinGWPathConversionIfNeeded(urlPath)
-	if !strings.HasPrefix(urlPath, "/") {
-		urlPath = "/" + urlPath
-	}
-
-	c := path.Clean(urlPath)
-	if urlPath == c || urlPath == c+"/" {
-		return urlPath, nil
-	}
-	return "", fmt.Errorf("invalid mount point %q", urlPath)
-}
-
-func (s serveType) String() string {
-	switch s {
-	case serveTypeHTTP:
-		return "httpListener"
-	case serveTypeHTTPS:
-		return "httpsListener"
-	case serveTypeTCP:
-		return "tcpListener"
-	case serveTypeTLSTerminatedTCP:
-		return "tlsTerminatedTCPListener"
-	default:
-		return "unknownServeType"
-	}
-}

cmd/tailscale/cli/serve_dev_test.go

@@ -1,955 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package cli
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"os"
-	"path/filepath"
-	"reflect"
-	"runtime"
-	"strings"
-	"testing"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/ipn"
-	"tailscale.com/types/logger"
-)
-
-func TestServeDevConfigMutations(t *testing.T) {
-	// Stateful mutations, starting from an empty config.
-	type step struct {
-		command []string                       // serve args; nil means no command to run (only reset)
-		reset   bool                           // if true, reset all ServeConfig state
-		want    *ipn.ServeConfig               // non-nil means we want a save of this value
-		wantErr func(error) (badErrMsg string) // nil means no error is wanted
-		line    int                            // line number of addStep call, for error messages
-
-		debugBreak func()
-	}
-	var steps []step
-	add := func(s step) {
-		_, _, s.line, _ = runtime.Caller(1)
-		steps = append(steps, s)
-	}
-
-	// using port number
-	add(step{reset: true})
-	add(step{
-		command: cmd("funnel --bg 3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true},
-		},
-	})
-
-	// funnel background
-	add(step{reset: true})
-	add(step{
-		command: cmd("funnel --bg localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true},
-		},
-	})
-
-	// serve background
-	add(step{reset: true})
-	add(step{
-		command: cmd("serve --bg localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-
-	// --set-path runs in background
-	add(step{reset: true})
-	add(step{
-		command: cmd("serve --set-path=/ localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-
-	// using http listener
-	add(step{reset: true})
-	add(step{
-		command: cmd("serve --bg --http=80 localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-
-	// using https listener with a valid port
-	add(step{reset: true})
-	add(step{
-		command: cmd("serve --bg --https=8443 localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-
-	// https
-	add(step{reset: true})
-	add(step{ // allow omitting port (default to 80)
-		command: cmd("serve --http=80 --bg http://localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // support non Funnel port
-		command: cmd("serve --http=9999 --set-path=/abc http://localhost:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 9999: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:9999": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("serve --http=9999 --set-path=/abc off"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("serve --http=8080 --set-path=/abc http://127.0.0.1:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 8080: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8080": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-
-	// // https
-	add(step{reset: true})
-	add(step{
-		command: cmd("serve --https=443 --bg http://localhost:0"), // invalid port, too low
-		wantErr: anyErr(),
-	})
-	add(step{
-		command: cmd("serve --https=443 --bg http://localhost:65536"), // invalid port, too high
-		wantErr: anyErr(),
-	})
-	add(step{
-		command: cmd("serve --https=443 --bg http://somehost:3000"), // invalid host
-		wantErr: anyErr(),
-	})
-	add(step{
-		command: cmd("serve --https=443 --bg httpz://127.0.0.1"), // invalid scheme
-		wantErr: anyErr(),
-	})
-	add(step{ // allow omitting port (default to 443)
-		command: cmd("serve --https=443 --bg http://localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // support non Funnel port
-		command: cmd("serve --https=9999 --set-path=/abc http://localhost:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 9999: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:9999": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("serve --https=9999 --set-path=/abc off"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("serve --https=8443 --set-path=/abc http://127.0.0.1:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("serve --https=10000 --bg text:hi"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {HTTPS: true}, 8443: {HTTPS: true}, 10000: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-				"foo.test.ts.net:10000": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Text: "hi"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("serve --https=443 --set-path=/foo off"),
-		want:    nil, // nothing to save
-		wantErr: anyErr(),
-	}) // handler doesn't exist, so we get an error
-	add(step{
-		command: cmd("serve --https=10000 off"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("serve --https=443 off"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("serve --https=8443 --set-path=/abc off"),
-		want:    &ipn.ServeConfig{},
-	})
-	add(step{ // clean mount: "bar" becomes "/bar"
-		command: cmd("serve --https=443 --set-path=bar https://127.0.0.1:8443"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/bar": {Proxy: "https://127.0.0.1:8443"},
-				}},
-			},
-		},
-	})
-	// add(step{
-	// 	command:   cmd("serve --https=443 --set-path=bar https://127.0.0.1:8443"),
-	// 	want:      nil, // nothing to save
-	// })
-	add(step{ // try resetting using reset command
-		command: cmd("serve reset"),
-		want:    &ipn.ServeConfig{},
-	})
-	add(step{
-		command: cmd("serve --https=443 --bg https+insecure://127.0.0.1:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "https+insecure://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{reset: true})
-	add(step{
-		command: cmd("serve --https=443 --set-path=/foo localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/foo": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // test a second handler on the same port
-		command: cmd("serve --https=8443 --set-path=/foo localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/foo": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/foo": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{reset: true})
-	add(step{ // support path in proxy
-		command: cmd("serve --https=443 --bg http://127.0.0.1:3000/foo/bar"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000/foo/bar"},
-				}},
-			},
-		},
-	})
-
-	// // tcp
-	add(step{reset: true})
-	add(step{ // must include scheme for tcp
-		command: cmd("serve --tls-terminated-tcp=443 --bg localhost:5432"),
-		wantErr: exactErr(errHelp, "errHelp"),
-	})
-	add(step{ // !somehost, must be localhost or 127.0.0.1
-		command: cmd("serve --tls-terminated-tcp=443 --bg tcp://somehost:5432"),
-		wantErr: exactErr(errHelp, "errHelp"),
-	})
-	add(step{ // bad target port, too low
-		command: cmd("serve --tls-terminated-tcp=443 --bg tcp://somehost:0"),
-		wantErr: exactErr(errHelp, "errHelp"),
-	})
-	add(step{ // bad target port, too high
-		command: cmd("serve --tls-terminated-tcp=443 --bg tcp://somehost:65536"),
-		wantErr: exactErr(errHelp, "errHelp"),
-	})
-	add(step{
-		command: cmd("serve --tls-terminated-tcp=443 --bg tcp://localhost:5432"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:5432",
-					TerminateTLS: "foo.test.ts.net",
-				},
-			},
-		},
-	})
-	add(step{
-		command: cmd("serve --tls-terminated-tcp=443 --bg tcp://127.0.0.1:8443"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:8443",
-					TerminateTLS: "foo.test.ts.net",
-				},
-			},
-		},
-	})
-	// add(step{
-	// 	command:   cmd("serve --tls-terminated-tcp=443 --bg tcp://127.0.0.1:8443"),
-	// 	want:      nil, // nothing to save
-	// })
-	add(step{
-		command: cmd("serve --tls-terminated-tcp=443 --bg tcp://localhost:8444"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:8444",
-					TerminateTLS: "foo.test.ts.net",
-				},
-			},
-		},
-	})
-	add(step{
-		command: cmd("serve --tls-terminated-tcp=443 --bg tcp://127.0.0.1:8445"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:8445",
-					TerminateTLS: "foo.test.ts.net",
-				},
-			},
-		},
-	})
-	add(step{reset: true})
-	add(step{
-		command: cmd("serve --tls-terminated-tcp=443 --bg tcp://localhost:123"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:123",
-					TerminateTLS: "foo.test.ts.net",
-				},
-			},
-		},
-	})
-	add(step{ // handler doesn't exist, so we get an error
-		command: cmd("serve --tls-terminated-tcp=8443 off"),
-		wantErr: anyErr(),
-	})
-	add(step{
-		command: cmd("serve --tls-terminated-tcp=443 off"),
-		want:    &ipn.ServeConfig{},
-	})
-
-	// // text
-	add(step{reset: true})
-	add(step{
-		command: cmd("serve --https=443 --bg text:hello"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Text: "hello"},
-				}},
-			},
-		},
-	})
-
-	// path
-	td := t.TempDir()
-	writeFile := func(suffix, contents string) {
-		if err := os.WriteFile(filepath.Join(td, suffix), []byte(contents), 0600); err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	add(step{reset: true})
-	writeFile("foo", "this is foo")
-	add(step{
-		command: cmd("serve --https=443 --bg " + filepath.Join(td, "foo")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Path: filepath.Join(td, "foo")},
-				}},
-			},
-		},
-	})
-	os.MkdirAll(filepath.Join(td, "subdir"), 0700)
-	writeFile("subdir/file-a", "this is A")
-	add(step{
-		command: cmd("serve --https=443 --set-path=/some/where " + filepath.Join(td, "subdir/file-a")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/":           {Path: filepath.Join(td, "foo")},
-					"/some/where": {Path: filepath.Join(td, "subdir/file-a")},
-				}},
-			},
-		},
-	})
-	add(step{ // bad path
-		command: cmd("serve --https=443 --bg bad/path"),
-		wantErr: exactErr(errHelp, "errHelp"),
-	})
-	add(step{reset: true})
-	add(step{
-		command: cmd("serve --https=443 --bg " + filepath.Join(td, "subdir")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Path: filepath.Join(td, "subdir/")},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("serve --https=443 off"),
-		want:    &ipn.ServeConfig{},
-	})
-
-	// // combos
-	add(step{reset: true})
-	add(step{
-		command: cmd("serve --bg localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // enable funnel for primary port
-		command: cmd("funnel --bg localhost:3000"),
-		want: &ipn.ServeConfig{
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true},
-			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // serving on secondary port doesn't change funnel on primary port
-		command: cmd("serve --https=8443 --set-path=/bar localhost:3001"),
-		want: &ipn.ServeConfig{
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true},
-			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/bar": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{ // turn funnel on for secondary port
-		command: cmd("funnel --https=8443 --set-path=/bar localhost:3001"),
-		want: &ipn.ServeConfig{
-			AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:443": true, "foo.test.ts.net:8443": true},
-			TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/bar": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	// TODO(tylersmalley) resolve these failures
-	// add(step{ // turn funnel off for primary port 443
-	// 	command:   cmd("serve --https=443 --set-path=/bar localhost:3001"),
-	// 	want: &ipn.ServeConfig{
-	// 		AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
-	// 		TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {HTTPS: true}},
-	// 		Web: map[ipn.HostPort]*ipn.WebServerConfig{
-	// 			"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-	// 				"/": {Proxy: "http://127.0.0.1:3000"},
-	// 			}},
-	// 			"foo.test.ts.net:8443": {Handlers: map[string]*ipn.HTTPHandler{
-	// 				"/bar": {Proxy: "http://127.0.0.1:3001"},
-	// 			}},
-	// 		},
-	// 	},
-	// })
-	// add(step{ // remove secondary port
-	// 	command: cmd("https:8443 /bar off"),
-	// 	want: &ipn.ServeConfig{
-	// 		AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
-	// 		TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-	// 		Web: map[ipn.HostPort]*ipn.WebServerConfig{
-	// 			"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-	// 				"/": {Proxy: "http://127.0.0.1:3000"},
-	// 			}},
-	// 		},
-	// 	},
-	// })
-	// add(step{ // start a tcp forwarder on 8443
-	// 	command: cmd("tcp:8443 tcp://localhost:5432"),
-	// 	want: &ipn.ServeConfig{
-	// 		AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
-	// 		TCP:         map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}, 8443: {TCPForward: "127.0.0.1:5432"}},
-	// 		Web: map[ipn.HostPort]*ipn.WebServerConfig{
-	// 			"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-	// 				"/": {Proxy: "http://127.0.0.1:3000"},
-	// 			}},
-	// 		},
-	// 	},
-	// })
-	// add(step{ // remove primary port http handler
-	// 	command: cmd("https:443 / off"),
-	// 	want: &ipn.ServeConfig{
-	// 		AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
-	// 		TCP:         map[uint16]*ipn.TCPPortHandler{8443: {TCPForward: "127.0.0.1:5432"}},
-	// 	},
-	// })
-	// add(step{ // remove tcp forwarder
-	// 	command: cmd("tls-terminated-tcp:8443 off"),
-	// 	want: &ipn.ServeConfig{
-	// 		AllowFunnel: map[ipn.HostPort]bool{"foo.test.ts.net:8443": true},
-	// 	},
-	// })
-	// add(step{ // turn off funnel
-	// 	command: cmd("funnel 8443 off"),
-	// 	want:    &ipn.ServeConfig{},
-	// })
-
-	// // tricky steps
-	add(step{reset: true})
-	add(step{ // a directory with a trailing slash mount point
-		command: cmd("serve --https=443 --set-path=/dir " + filepath.Join(td, "subdir")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/dir/": {Path: filepath.Join(td, "subdir/")},
-				}},
-			},
-		},
-	})
-	add(step{ // this should overwrite the previous one
-		command: cmd("serve --https=443 --set-path=/dir " + filepath.Join(td, "foo")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/dir": {Path: filepath.Join(td, "foo")},
-				}},
-			},
-		},
-	})
-	add(step{reset: true}) // reset and do the opposite
-	add(step{              // a file without a trailing slash mount point
-		command: cmd("serve --https=443 --set-path=/dir " + filepath.Join(td, "foo")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/dir": {Path: filepath.Join(td, "foo")},
-				}},
-			},
-		},
-	})
-	add(step{ // this should overwrite the previous one
-		command: cmd("serve --https=443 --set-path=/dir " + filepath.Join(td, "subdir")),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/dir/": {Path: filepath.Join(td, "subdir/")},
-				}},
-			},
-		},
-	})
-
-	// // error states
-	add(step{reset: true})
-	add(step{ // tcp forward 5432 on serve port 443
-		command: cmd("serve --tls-terminated-tcp=443 --bg tcp://localhost:5432"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{
-				443: {
-					TCPForward:   "127.0.0.1:5432",
-					TerminateTLS: "foo.test.ts.net",
-				},
-			},
-		},
-	})
-	add(step{ // try to start a web handler on the same port
-		command: cmd("serve --https=443 --bg localhost:3000"),
-		wantErr: exactErr(errHelp, "errHelp"),
-	})
-	add(step{reset: true})
-	add(step{ // start a web handler on port 443
-		command: cmd("serve --https=443 --bg localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{443: {HTTPS: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // try to start a tcp forwarder on the same serve port
-		command: cmd("serve --tls-terminated-tcp=443 --bg tcp://localhost:5432"),
-		wantErr: anyErr(),
-	})
-
-	lc := &fakeLocalServeClient{}
-	// And now run the steps above.
-	for i, st := range steps {
-		if st.debugBreak != nil {
-			st.debugBreak()
-		}
-		if st.reset {
-			t.Logf("Executing step #%d, line %v: [reset]", i, st.line)
-			lc.config = nil
-		}
-		if st.command == nil {
-			continue
-		}
-		t.Logf("Executing step #%d, line %v: %q ... ", i, st.line, st.command)
-
-		var stdout bytes.Buffer
-		var flagOut bytes.Buffer
-		e := &serveEnv{
-			lc:          lc,
-			testFlagOut: &flagOut,
-			testStdout:  &stdout,
-		}
-		lastCount := lc.setCount
-		var cmd *ffcli.Command
-		var args []string
-
-		mode := serve
-		if st.command[0] == "funnel" {
-			mode = funnel
-		}
-		cmd = newServeDevCommand(e, mode)
-		args = st.command[1:]
-
-		err := cmd.ParseAndRun(context.Background(), args)
-		if flagOut.Len() > 0 {
-			t.Logf("flag package output: %q", flagOut.Bytes())
-		}
-		if err != nil {
-			if st.wantErr == nil {
-				t.Fatalf("step #%d, line %v: unexpected error: %v", i, st.line, err)
-			}
-			if bad := st.wantErr(err); bad != "" {
-				t.Fatalf("step #%d, line %v: unexpected error: %v", i, st.line, bad)
-			}
-			continue
-		}
-		if st.wantErr != nil {
-			t.Fatalf("step #%d, line %v: got success (saved=%v), but wanted an error", i, st.line, lc.config != nil)
-		}
-		var got *ipn.ServeConfig = nil
-		if lc.setCount > lastCount {
-			got = lc.config
-		}
-		if !reflect.DeepEqual(got, st.want) {
-			t.Fatalf("[%d] %v: bad state. got:\n%v\n\nwant:\n%v\n",
-				i, st.command, logger.AsJSON(got), logger.AsJSON(st.want))
-			// NOTE: asJSON will omit empty fields, which might make
-			// result in bad state got/want diffs being the same, even
-			// though the actual state is different. Use below to debug:
-			// t.Fatalf("[%d] %v: bad state. got:\n%+v\n\nwant:\n%+v\n",
-			// 	i, st.command, got, st.want)
-		}
-	}
-}
-
-func TestSrcTypeFromFlags(t *testing.T) {
-	tests := []struct {
-		name         string
-		env          *serveEnv
-		expectedType serveType
-		expectedPort uint16
-		expectedErr  bool
-	}{
-		{
-			name:         "only http set",
-			env:          &serveEnv{http: "80"},
-			expectedType: serveTypeHTTP,
-			expectedPort: 80,
-			expectedErr:  false,
-		},
-		{
-			name:         "only https set",
-			env:          &serveEnv{https: "10000"},
-			expectedType: serveTypeHTTPS,
-			expectedPort: 10000,
-			expectedErr:  false,
-		},
-		{
-			name:         "only tcp set",
-			env:          &serveEnv{tcp: "8000"},
-			expectedType: serveTypeTCP,
-			expectedPort: 8000,
-			expectedErr:  false,
-		},
-		{
-			name:         "only tls-terminated-tcp set",
-			env:          &serveEnv{tlsTerminatedTCP: "8080"},
-			expectedType: serveTypeTLSTerminatedTCP,
-			expectedPort: 8080,
-			expectedErr:  false,
-		},
-		{
-			name:         "defaults to https, port 443",
-			env:          &serveEnv{},
-			expectedType: serveTypeHTTPS,
-			expectedPort: 443,
-			expectedErr:  false,
-		},
-		{
-			name:         "multiple types set",
-			env:          &serveEnv{http: "80", https: "443"},
-			expectedPort: 0,
-			expectedErr:  true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			srcType, srcPort, err := srvTypeAndPortFromFlags(tt.env)
-			if (err != nil) != tt.expectedErr {
-				t.Errorf("Expected error: %v, got: %v", tt.expectedErr, err)
-			}
-			if srcType != tt.expectedType {
-				t.Errorf("Expected srcType: %s, got: %s", tt.expectedType.String(), srcType)
-			}
-			if srcPort != tt.expectedPort {
-				t.Errorf("Expected srcPort: %d, got: %d", tt.expectedPort, srcPort)
-			}
-		})
-	}
-}
-
-func TestExpandProxyTargetDev(t *testing.T) {
-	tests := []struct {
-		input    string
-		expected string
-		wantErr  bool
-	}{
-		{input: "8080", expected: "http://127.0.0.1:8080"},
-		{input: "localhost:8080", expected: "http://127.0.0.1:8080"},
-		{input: "http://localhost:8080", expected: "http://127.0.0.1:8080"},
-		{input: "http://127.0.0.1:8080", expected: "http://127.0.0.1:8080"},
-		{input: "http://127.0.0.1:8080/foo", expected: "http://127.0.0.1:8080/foo"},
-		{input: "https://localhost:8080", expected: "https://127.0.0.1:8080"},
-		{input: "https+insecure://localhost:8080", expected: "https+insecure://127.0.0.1:8080"},
-
-		// errors
-		{input: "localhost:9999999", wantErr: true},
-		{input: "ftp://localhost:8080", expected: "", wantErr: true},
-		{input: "https://tailscale.com:8080", expected: "", wantErr: true},
-		{input: "", expected: "", wantErr: true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.input, func(t *testing.T) {
-			actual, err := expandProxyTargetDev(tt.input)
-
-			if tt.wantErr == true && err == nil {
-				t.Errorf("Expected an error but got none")
-				return
-			}
-
-			if tt.wantErr == false && err != nil {
-				t.Errorf("Got an error, but didn't expect one: %v", err)
-				return
-			}
-
-			if actual != tt.expected {
-				t.Errorf("Got: %q; expected: %q", actual, tt.expected)
-			}
-		})
-	}
-}
-
-func TestCleanURLPath(t *testing.T) {
-	tests := []struct {
-		input    string
-		expected string
-		wantErr  bool
-	}{
-		{input: "", expected: "/"},
-		{input: "/", expected: "/"},
-		{input: "/foo", expected: "/foo"},
-		{input: "/foo/", expected: "/foo/"},
-		{input: "/../bar", wantErr: true},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.input, func(t *testing.T) {
-			actual, err := cleanURLPath(tt.input)
-
-			if tt.wantErr == true && err == nil {
-				t.Errorf("Expected an error but got none")
-				return
-			}
-
-			if tt.wantErr == false && err != nil {
-				t.Errorf("Got an error, but didn't expect one: %v", err)
-				return
-			}
-
-			if actual != tt.expected {
-				t.Errorf("Got: %q; expected: %q", actual, tt.expected)
-			}
-		})
-	}
-}
-
-func TestIsLegacyInvocation(t *testing.T) {
-	tests := []struct {
-		subcmd   serveMode
-		args     []string
-		expected bool
-	}{
-		{subcmd: serve, args: []string{"https", "localhost:3000"}, expected: true},
-		{subcmd: serve, args: []string{"https:8443", "localhost:3000"}, expected: true},
-		{subcmd: serve, args: []string{"http", "localhost:3000"}, expected: true},
-		{subcmd: serve, args: []string{"http:80", "localhost:3000"}, expected: true},
-		{subcmd: serve, args: []string{"tcp:2222", "tcp://localhost:22"}, expected: true},
-		{subcmd: serve, args: []string{"tls-terminated-tcp:443", "tcp://localhost:80"}, expected: true},
-
-		// false
-		{subcmd: serve, args: []string{"3000"}, expected: false},
-		{subcmd: serve, args: []string{"localhost:3000"}, expected: false},
-	}
-
-	for _, tt := range tests {
-		args := strings.Join(tt.args, " ")
-		t.Run(fmt.Sprintf("%v %s", infoMap[tt.subcmd].Name, args), func(t *testing.T) {
-			actual := isLegacyInvocation(tt.subcmd, tt.args)
-
-			if actual != tt.expected {
-				t.Errorf("Got: %v; expected: %v", actual, tt.expected)
-			}
-		})
-	}
-}

cmd/tailscale/cli/serve_test.go

@@ -21,7 +21,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/logger"
 )
 
 func TestCleanMountPoint(t *testing.T) {
@@ -338,19 +337,19 @@ func TestServeConfigMutations(t *testing.T) {
 	add(step{reset: true})
 	add(step{ // must include scheme for tcp
 		command: cmd("tls-terminated-tcp:443 localhost:5432"),
-		wantErr: exactErr(errHelp, "errHelp"),
+		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})
 	add(step{ // !somehost, must be localhost or 127.0.0.1
 		command: cmd("tls-terminated-tcp:443 tcp://somehost:5432"),
-		wantErr: exactErr(errHelp, "errHelp"),
+		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})
 	add(step{ // bad target port, too low
 		command: cmd("tls-terminated-tcp:443 tcp://somehost:0"),
-		wantErr: exactErr(errHelp, "errHelp"),
+		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})
 	add(step{ // bad target port, too high
 		command: cmd("tls-terminated-tcp:443 tcp://somehost:65536"),
-		wantErr: exactErr(errHelp, "errHelp"),
+		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})
 	add(step{
 		command: cmd("tls-terminated-tcp:443 tcp://localhost:5432"),
@@ -471,7 +470,7 @@ func TestServeConfigMutations(t *testing.T) {
 	})
 	add(step{ // bad path
 		command: cmd("https:443 / bad/path"),
-		wantErr: exactErr(errHelp, "errHelp"),
+		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})
 	add(step{reset: true})
 	add(step{
@@ -665,7 +664,7 @@ func TestServeConfigMutations(t *testing.T) {
 	})
 	add(step{ // try to start a web handler on the same port
 		command: cmd("https:443 / localhost:3000"),
-		wantErr: exactErr(errHelp, "errHelp"),
+		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})
 	add(step{reset: true})
 	add(step{ // start a web handler on port 443
@@ -737,8 +736,8 @@ func TestServeConfigMutations(t *testing.T) {
 			got = lc.config
 		}
 		if !reflect.DeepEqual(got, st.want) {
-			t.Fatalf("[%d] %v: bad state. got:\n%v\n\nwant:\n%v\n",
-				i, st.command, logger.AsJSON(got), logger.AsJSON(st.want))
+			t.Fatalf("[%d] %v: bad state. got:\n%s\n\nwant:\n%s\n",
+				i, st.command, asJSON(got), asJSON(st.want))
 			// NOTE: asJSON will omit empty fields, which might make
 			// result in bad state got/want diffs being the same, even
 			// though the actual state is different. Use below to debug:
@@ -811,7 +810,7 @@ func TestVerifyFunnelEnabled(t *testing.T) {
 				defer func() { fakeStatus.Self.Capabilities = oldCaps }() // reset after test
 				fakeStatus.Self.Capabilities = tt.caps
 			}
-			st, err := e.getLocalClientStatusWithoutPeers(ctx)
+			st, err := e.getLocalClientStatus(ctx)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -862,7 +861,7 @@ var fakeStatus = &ipnstate.Status{
 	},
 }
 
-func (lc *fakeLocalServeClient) StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
+func (lc *fakeLocalServeClient) Status(ctx context.Context) (*ipnstate.Status, error) {
 	return fakeStatus, nil
 }
 

cmd/tailscale/cli/set.go

@@ -11,12 +11,10 @@ import (
 	"net/netip"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/clientupdate"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/safesocket"
-	"tailscale.com/types/views"
 )
 
 var setCmd = &ffcli.Command{
@@ -47,8 +45,6 @@ type setArgsT struct {
 	acceptedRisks          string
 	profileName            string
 	forceDaemon            bool
-	updateCheck            bool
-	updateApply            bool
 }
 
 func newSetFlagSet(goos string, setArgs *setArgsT) *flag.FlagSet {
@@ -64,8 +60,6 @@ func newSetFlagSet(goos string, setArgs *setArgsT) *flag.FlagSet {
 	setf.StringVar(&setArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
 	setf.StringVar(&setArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. \"10.0.0.0/8,192.168.0.0/24\") or empty string to not advertise routes")
 	setf.BoolVar(&setArgs.advertiseDefaultRoute, "advertise-exit-node", false, "offer to be an exit node for internet traffic for the tailnet")
-	setf.BoolVar(&setArgs.updateCheck, "update-check", true, "HIDDEN: notify about available Tailscale updates")
-	setf.BoolVar(&setArgs.updateApply, "auto-update", false, "HIDDEN: automatically update to the latest available version")
 	if safesocket.GOOSUsesPeerCreds(goos) {
 		setf.StringVar(&setArgs.opUser, "operator", "", "Unix username to allow to operate on tailscaled without sudo")
 	}
@@ -104,10 +98,6 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 			Hostname:               setArgs.hostname,
 			OperatorUser:           setArgs.opUser,
 			ForceDaemon:            setArgs.forceDaemon,
-			AutoUpdate: ipn.AutoUpdatePrefs{
-				Check: setArgs.updateCheck,
-				Apply: setArgs.updateApply,
-			},
 		},
 	}
 
@@ -152,12 +142,6 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 			return err
 		}
 	}
-	if maskedPrefs.AutoUpdateSet {
-		_, err := clientupdate.NewUpdater(clientupdate.Arguments{})
-		if errors.Is(err, errors.ErrUnsupported) {
-			return errors.New("automatic updates are not supported on this platform")
-		}
-	}
 	checkPrefs := curPrefs.Clone()
 	checkPrefs.ApplyEdits(maskedPrefs)
 	if err := localClient.CheckPrefs(ctx, checkPrefs); err != nil {
@@ -187,7 +171,7 @@ func calcAdvertiseRoutesForSet(advertiseExitNodeSet, advertiseRoutesSet bool, cu
 		if alreadyAdvertisesExitNode == setArgs.advertiseDefaultRoute {
 			return curPrefs.AdvertiseRoutes, nil
 		}
-		routes = tsaddr.FilterPrefixesCopy(views.SliceOf(curPrefs.AdvertiseRoutes), func(p netip.Prefix) bool {
+		routes = tsaddr.FilterPrefixesCopy(curPrefs.AdvertiseRoutes, func(p netip.Prefix) bool {
 			return p.Bits() != 0
 		})
 		if setArgs.advertiseDefaultRoute {

cmd/tailscale/cli/ssh_unix.go

@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !wasm && !windows && !plan9
+//go:build !js && !windows
 
 package cli
 

cmd/tailscale/cli/status.go

@@ -23,7 +23,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/util/dnsname"
 )
 
@@ -236,9 +235,6 @@ func runStatus(ctx context.Context, args []string) error {
 		printHealth()
 	}
 	printFunnelStatus(ctx)
-	if cv := st.ClientVersion; cv != nil && !cv.RunningLatest && cv.LatestVersion != "" {
-		printf("# New Tailscale version is available: %q, run `tailscale update` to update.\n", cv.LatestVersion)
-	}
 	return nil
 }
 
@@ -312,20 +308,12 @@ func dnsOrQuoteHostname(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 }
 
 func ownerLogin(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
-	// We prioritize showing the name of the sharer as the owner of a node if
-	// it's different from the node's user. This is less surprising: if user B
-	// from a company shares user's C node from the same company with user A who
-	// don't know user C, user A might be surprised to see user C listed in
-	// their netmap. We've historically (2021-01..2023-08) always shown the
-	// sharer's name in the UI. Perhaps we want to show both here? But the CLI's
-	// a bit space constrained.
-	uid := cmpx.Or(ps.AltSharerUserID, ps.UserID)
-	if uid.IsZero() {
+	if ps.UserID.IsZero() {
 		return "-"
 	}
-	u, ok := st.User[uid]
+	u, ok := st.User[ps.UserID]
 	if !ok {
-		return fmt.Sprint(uid)
+		return fmt.Sprint(ps.UserID)
 	}
 	if i := strings.Index(u.LoginName, "@"); i != -1 {
 		return u.LoginName[:i+1]

cmd/tailscale/cli/up.go

@@ -97,8 +97,6 @@ func newUpFlagSet(goos string, upArgs *upArgsT, cmd string) *flag.FlagSet {
 	}
 	upf := newFlagSet(cmd)
 
-	// When adding new flags, prefer to put them under "tailscale set" instead
-	// of here. Setting preferences via "tailscale up" is deprecated.
 	upf.BoolVar(&upArgs.qr, "qr", false, "show QR code for login URLs")
 	upf.StringVar(&upArgs.authKeyOrFile, "auth-key", "", `node authorization key; if it begins with "file:", then it's a path to a file containing the authkey`)
 
@@ -714,8 +712,6 @@ func init() {
 	addPrefFlagMapping("operator", "OperatorUser")
 	addPrefFlagMapping("ssh", "RunSSH")
 	addPrefFlagMapping("nickname", "ProfileName")
-	addPrefFlagMapping("update-check", "AutoUpdate")
-	addPrefFlagMapping("auto-update", "AutoUpdate")
 }
 
 func addPrefFlagMapping(flagName string, prefNames ...string) {

cmd/tailscale/cli/update.go

@@ -60,7 +60,7 @@ func runUpdate(ctx context.Context, args []string) error {
 	if updateArgs.track != "" {
 		ver = updateArgs.track
 	}
-	err := clientupdate.Update(clientupdate.Arguments{
+	err := clientupdate.Update(clientupdate.UpdateArgs{
 		Version:  ver,
 		AppStore: updateArgs.appStore,
 		Logf:     func(format string, args ...any) { fmt.Printf(format+"\n", args...) },

cmd/tailscale/cli/web.go

@@ -39,7 +39,6 @@ Tailscale, as opposed to a CLI or a native app.
 		webf.StringVar(&webArgs.listen, "listen", "localhost:8088", "listen address; use port 0 for automatic")
 		webf.BoolVar(&webArgs.cgi, "cgi", false, "run as CGI script")
 		webf.BoolVar(&webArgs.dev, "dev", false, "run web client in developer mode [this flag is in development, use is unsupported]")
-		webf.StringVar(&webArgs.prefix, "prefix", "", "URL prefix added to requests (for cgi or reverse proxies)")
 		return webf
 	})(),
 	Exec: runWeb,
@@ -49,7 +48,6 @@ var webArgs struct {
 	listen string
 	cgi    bool
 	dev    bool
-	prefix string
 }
 
 func tlsConfigFromEnvironment() *tls.Config {
@@ -80,12 +78,7 @@ func runWeb(ctx context.Context, args []string) error {
 		return fmt.Errorf("too many non-flag arguments: %q", args)
 	}
 
-	webServer, cleanup := web.NewServer(ctx, web.ServerOpts{
-		DevMode:     webArgs.dev,
-		CGIMode:     webArgs.cgi,
-		PathPrefix:  webArgs.prefix,
-		LocalClient: &localClient,
-	})
+	webServer, cleanup := web.NewServer(webArgs.dev, nil)
 	defer cleanup()
 
 	if webArgs.cgi {

cmd/tailscale/depaware.txt

@@ -11,11 +11,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
    L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
-   L    github.com/coreos/go-systemd/v22/dbus                        from tailscale.com/clientupdate
-   W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil/authenticode+
+   W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil/authenticode
    W 💣 github.com/dblohm7/wingoes/pe                                from tailscale.com/util/winutil/authenticode
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
-   L 💣 github.com/godbus/dbus/v5                                    from github.com/coreos/go-systemd/v22/dbus
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
    L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
    L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
@@ -24,9 +22,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
    L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
    L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
         github.com/google/uuid                                       from tailscale.com/util/quarantine+
-        github.com/gorilla/csrf                                      from tailscale.com/client/web
-        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka+
+        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
    L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
    L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
    L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
@@ -42,7 +38,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
      💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli+
         github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
         github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
-        github.com/pkg/errors                                        from github.com/gorilla/csrf
         github.com/skip2/go-qrcode                                   from tailscale.com/cmd/tailscale/cli
         github.com/skip2/go-qrcode/bitset                            from github.com/skip2/go-qrcode+
         github.com/skip2/go-qrcode/reedsolomon                       from github.com/skip2/go-qrcode
@@ -75,7 +70,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/client/tailscale/apitype                       from tailscale.com/cmd/tailscale/cli+
         tailscale.com/client/web                                     from tailscale.com/cmd/tailscale/cli
         tailscale.com/clientupdate                                   from tailscale.com/cmd/tailscale/cli
-        tailscale.com/clientupdate/distsign                          from tailscale.com/clientupdate
         tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
         tailscale.com/control/controlbase                            from tailscale.com/control/controlhttp
         tailscale.com/control/controlhttp                            from tailscale.com/cmd/tailscale/cli
@@ -174,8 +168,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/pbkdf2                                   from software.sslmate.com/src/go-pkcs12
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-   W    golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe
-        golang.org/x/exp/maps                                        from tailscale.com/cmd/tailscale/cli
+        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices+
+        golang.org/x/exp/maps                                        from tailscale.com/types/views+
+        golang.org/x/exp/slices                                      from tailscale.com/net/tsaddr+
         golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from net/http+
@@ -202,12 +197,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
         golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
         golang.org/x/time/rate                                       from tailscale.com/cmd/tailscale/cli+
-        archive/tar                                                  from tailscale.com/clientupdate
         bufio                                                        from compress/flate+
         bytes                                                        from bufio+
-        cmp                                                          from slices
         compress/flate                                               from compress/gzip+
-        compress/gzip                                                from net/http+
+        compress/gzip                                                from net/http
         compress/zlib                                                from image/png+
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
@@ -241,7 +234,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         encoding/base32                                              from tailscale.com/tka+
         encoding/base64                                              from encoding/json+
         encoding/binary                                              from compress/gzip+
-        encoding/gob                                                 from github.com/gorilla/securecookie
         encoding/hex                                                 from crypto/x509+
         encoding/json                                                from expvar+
         encoding/pem                                                 from crypto/tls+
@@ -255,7 +247,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         hash/crc32                                                   from compress/gzip+
         hash/maphash                                                 from go4.org/mem
         html                                                         from tailscale.com/ipn/ipnstate+
-        html/template                                                from github.com/gorilla/csrf
+        html/template                                                from tailscale.com/client/web
         image                                                        from github.com/skip2/go-qrcode+
         image/color                                                  from github.com/skip2/go-qrcode+
         image/png                                                    from github.com/skip2/go-qrcode
@@ -264,7 +256,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         io/ioutil                                                    from golang.org/x/sys/cpu+
         log                                                          from expvar+
         log/internal                                                 from log
-        maps                                                         from tailscale.com/types/views+
         math                                                         from compress/flate+
         math/big                                                     from crypto/dsa+
         math/bits                                                    from compress/flate+
@@ -291,7 +282,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         regexp                                                       from github.com/tailscale/goupnp/httpu+
         regexp/syntax                                                from regexp
         runtime/debug                                                from tailscale.com/util/singleflight+
-        slices                                                       from tailscale.com/cmd/tailscale/cli+
         sort                                                         from compress/flate+
         strconv                                                      from compress/flate+
         strings                                                      from bufio+

cmd/tailscaled/debug.go

@@ -82,13 +82,13 @@ func runMonitor(ctx context.Context, loop bool) error {
 	}
 	defer mon.Close()
 
-	mon.RegisterChangeCallback(func(delta *netmon.ChangeDelta) {
-		if !delta.Major {
-			log.Printf("Network monitor fired; not a major change")
+	mon.RegisterChangeCallback(func(changed bool, st *interfaces.State) {
+		if !changed {
+			log.Printf("Network monitor fired; no change")
 			return
 		}
 		log.Printf("Network monitor fired. New state:")
-		dump(delta.New)
+		dump(st)
 	})
 	if loop {
 		log.Printf("Starting link change monitor; initial state:")

cmd/tailscaled/depaware.txt

@@ -76,11 +76,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
    L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
    L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
-   L    github.com/coreos/go-systemd/v22/dbus                        from tailscale.com/clientupdate
   LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
    W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com+
-   W 💣 github.com/dblohm7/wingoes/com                               from tailscale.com/cmd/tailscaled+
-   W 💣 github.com/dblohm7/wingoes/com/automation                    from tailscale.com/util/osdiag/internal/wsc
+   W 💣 github.com/dblohm7/wingoes/com                               from tailscale.com/cmd/tailscaled
    W    github.com/dblohm7/wingoes/internal                          from github.com/dblohm7/wingoes/com
    W 💣 github.com/dblohm7/wingoes/pe                                from tailscale.com/util/osdiag+
         github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
@@ -95,8 +93,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/google/nftables/expr                              from github.com/google/nftables+
    L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
    L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
-        github.com/google/uuid                                       from tailscale.com/clientupdate
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka+
+        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
    L 💣 github.com/illarion/gonotify                                 from tailscale.com/net/dns
    L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
    L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
@@ -217,8 +214,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   LD    tailscale.com/chirp                                          from tailscale.com/cmd/tailscaled
         tailscale.com/client/tailscale                               from tailscale.com/derp
         tailscale.com/client/tailscale/apitype                       from tailscale.com/ipn/ipnlocal+
-        tailscale.com/clientupdate                                   from tailscale.com/ipn/ipnlocal
-        tailscale.com/clientupdate/distsign                          from tailscale.com/clientupdate
         tailscale.com/cmd/tailscaled/childproc                       from tailscale.com/ssh/tailssh+
         tailscale.com/control/controlbase                            from tailscale.com/control/controlclient+
         tailscale.com/control/controlclient                          from tailscale.com/ipn/ipnlocal+
@@ -247,6 +242,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/ipn/store/mem                                  from tailscale.com/ipn/store+
    L    tailscale.com/kube                                           from tailscale.com/ipn/store/kubestore
         tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
+        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
         tailscale.com/log/sockstatlog                                from tailscale.com/ipn/ipnlocal
         tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled+
         tailscale.com/logtail                                        from tailscale.com/control/controlclient+
@@ -290,7 +286,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
      💣 tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
         tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
-        tailscale.com/smallzstd                                      from tailscale.com/control/controlclient+
+        tailscale.com/smallzstd                                      from tailscale.com/cmd/tailscaled+
   LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
         tailscale.com/syncs                                          from tailscale.com/net/netcheck+
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
@@ -305,7 +301,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
         tailscale.com/tsweb/varz                                     from tailscale.com/cmd/tailscaled
         tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
-        tailscale.com/types/empty                                    from tailscale.com/ipn+
+        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
         tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
         tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
         tailscale.com/types/key                                      from tailscale.com/control/controlbase+
@@ -315,7 +311,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/types/netlogtype                               from tailscale.com/net/connstats+
         tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
         tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock+
-        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
+        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
         tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
         tailscale.com/types/preftype                                 from tailscale.com/ipn+
         tailscale.com/types/ptr                                      from tailscale.com/hostinfo+
@@ -329,7 +325,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics+
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
-        tailscale.com/util/goroutines                                from tailscale.com/ipn/ipnlocal
+        tailscale.com/util/goroutines                                from tailscale.com/control/controlclient+
         tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnauth
      💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
         tailscale.com/util/httpm                                     from tailscale.com/client/tailscale+
@@ -337,13 +333,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns+
         tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
         tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
-        tailscale.com/util/must                                      from tailscale.com/logpolicy+
+        tailscale.com/util/must                                      from tailscale.com/logpolicy
      💣 tailscale.com/util/osdiag                                    from tailscale.com/cmd/tailscaled+
-   W 💣 tailscale.com/util/osdiag/internal/wsc                       from tailscale.com/util/osdiag
         tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
    W    tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnauth
         tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
-        tailscale.com/util/rands                                     from tailscale.com/ipn/localapi+
         tailscale.com/util/ringbuffer                                from tailscale.com/wgengine/magicsock
         tailscale.com/util/set                                       from tailscale.com/health+
         tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
@@ -353,7 +347,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/testenv                                   from tailscale.com/ipn/ipnlocal+
         tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock+
      💣 tailscale.com/util/winutil                                   from tailscale.com/control/controlclient+
-   W 💣 tailscale.com/util/winutil/authenticode                      from tailscale.com/util/osdiag+
+   W 💣 tailscale.com/util/winutil/authenticode                      from tailscale.com/util/osdiag
    W    tailscale.com/util/winutil/policy                            from tailscale.com/ipn/ipnlocal
         tailscale.com/version                                        from tailscale.com/derp+
         tailscale.com/version/distro                                 from tailscale.com/hostinfo+
@@ -386,8 +380,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/poly1305                                 from github.com/tailscale/golang-x-crypto/ssh+
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
   LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
-        golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
-        golang.org/x/exp/maps                                        from tailscale.com/wgengine/magicsock
+        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices+
+        golang.org/x/exp/maps                                        from tailscale.com/wgengine+
+        golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
         golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
@@ -415,7 +410,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
         golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
         golang.org/x/time/rate                                       from gvisor.dev/gvisor/pkg/tcpip/stack+
-        archive/tar                                                  from tailscale.com/clientupdate
         bufio                                                        from compress/flate+
         bytes                                                        from bufio+
         cmp                                                          from slices
@@ -446,7 +440,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         crypto/tls                                                   from github.com/tcnksm/go-httpstat+
         crypto/x509                                                  from crypto/tls+
         crypto/x509/pkix                                             from crypto/x509+
-        database/sql/driver                                          from github.com/google/uuid
    W    debug/dwarf                                                  from debug/pe
    W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
         embed                                                        from tailscale.com+
@@ -475,7 +468,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         log                                                          from expvar+
         log/internal                                                 from log
   LD    log/syslog                                                   from tailscale.com/ssh/tailssh
-        maps                                                         from tailscale.com/types/views+
         math                                                         from compress/flate+
         math/big                                                     from crypto/dsa+
         math/bits                                                    from compress/flate+
@@ -503,9 +495,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         regexp                                                       from github.com/coreos/go-iptables/iptables+
         regexp/syntax                                                from regexp
         runtime/debug                                                from github.com/klauspost/compress/zstd+
-        runtime/pprof                                                from net/http/pprof+
+        runtime/pprof                                                from tailscale.com/log/logheap+
         runtime/trace                                                from net/http/pprof
-        slices                                                       from tailscale.com/wgengine/magicsock+
+        slices                                                       from tailscale.com/wgengine/magicsock
         sort                                                         from compress/flate+
         strconv                                                      from compress/flate+
         strings                                                      from bufio+

cmd/tailscaled/sigpipe.go

@@ -1,12 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.21 && !plan9
-
-package main
-
-import "syscall"
-
-func init() {
-	sigPipe = syscall.SIGPIPE
-}

cmd/tailscaled/tailscaled.go

@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build go1.21
+//go:build go1.19
 
 // The tailscaled program is the Tailscale client daemon. It's configured
 // and controlled via the tailscale CLI program.
@@ -48,6 +48,7 @@ import (
 	"tailscale.com/net/tstun"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
+	"tailscale.com/smallzstd"
 	"tailscale.com/syncs"
 	"tailscale.com/tsd"
 	"tailscale.com/tsweb/varz"
@@ -75,8 +76,6 @@ func defaultTunName() string {
 		// "utun" is recognized by wireguard-go/tun/tun_darwin.go
 		// as a magic value that uses/creates any free number.
 		return "utun"
-	case "plan9":
-		return "userspace-networking"
 	case "linux":
 		switch distro.Get() {
 		case distro.Synology:
@@ -201,10 +200,6 @@ func main() {
 		}
 	}
 
-	if fd, ok := envknob.LookupInt("TS_PARENT_DEATH_FD"); ok && fd > 2 {
-		go dieOnPipeReadErrorOfFD(fd)
-	}
-
 	if printVersion {
 		fmt.Println(version.String())
 		os.Exit(0)
@@ -399,8 +394,6 @@ func run() error {
 	return startIPNServer(context.Background(), logf, pol.PublicID, sys)
 }
 
-var sigPipe os.Signal // set by sigpipe.go
-
 func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID, sys *tsd.System) error {
 	ln, err := safesocket.Listen(args.socketpath)
 	if err != nil {
@@ -416,9 +409,7 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID,
 	// SIGPIPE sometimes gets generated when CLIs disconnect from
 	// tailscaled. The default action is to terminate the process, we
 	// want to keep running.
-	if sigPipe != nil {
-		signal.Ignore(sigPipe)
-	}
+	signal.Ignore(syscall.SIGPIPE)
 	go func() {
 		select {
 		case s := <-interrupt:
@@ -496,7 +487,6 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 	if err != nil {
 		return nil, fmt.Errorf("newNetstack: %w", err)
 	}
-	sys.Set(ns)
 	ns.ProcessLocalIPs = onlyNetstack
 	ns.ProcessSubnets = onlyNetstack || handleSubnetsInNetstack()
 
@@ -551,6 +541,9 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 	if root := lb.TailscaleVarRoot(); root != "" {
 		dnsfallback.SetCachePath(filepath.Join(root, "derpmap.cached.json"), logf)
 	}
+	lb.SetDecompressor(func() (controlclient.Decompressor, error) {
+		return smallzstd.NewDecoder(nil)
+	})
 	configureTaildrop(logf, lb)
 	if err := ns.Start(lb); err != nil {
 		log.Fatalf("failed to start netstack: %v", err)
@@ -608,7 +601,6 @@ func tryEngine(logf logger.Logf, sys *tsd.System, name string) (onlyNetstack boo
 		NetMon:       sys.NetMon.Get(),
 		Dialer:       sys.Dialer.Get(),
 		SetSubsystem: sys.Set,
-		ControlKnobs: sys.ControlKnobs(),
 	}
 
 	onlyNetstack = name == "userspace-networking"
@@ -771,14 +763,3 @@ func beChild(args []string) error {
 	}
 	return f(args[1:])
 }
-
-// dieOnPipeReadErrorOfFD reads from the pipe named by fd and exit the process
-// when the pipe becomes readable. We use this in tests as a somewhat more
-// portable mechanism for the Linux PR_SET_PDEATHSIG, which we wish existed on
-// macOS. This helps us clean up straggler tailscaled processes when the parent
-// test driver dies unexpectedly.
-func dieOnPipeReadErrorOfFD(fd int) {
-	f := os.NewFile(uintptr(fd), "TS_PARENT_DEATH_FD")
-	f.Read(make([]byte, 1))
-	os.Exit(1)
-}

cmd/testwrapper/flakytest/flakytest.go

@@ -19,8 +19,7 @@ import (
 const FlakyTestLogMessage = "flakytest: this is a known flaky test"
 
 // FlakeAttemptEnv is an environment variable that is set by cmd/testwrapper
-// when a flaky test is being (re)tried. It contains the attempt number,
-// starting at 1.
+// when a flaky test is retried. It contains the attempt number, starting at 1.
 const FlakeAttemptEnv = "TS_TESTWRAPPER_ATTEMPT"
 
 var issueRegexp = regexp.MustCompile(`\Ahttps://github\.com/tailscale/[a-zA-Z0-9_.-]+/issues/\d+\z`)
@@ -34,11 +33,7 @@ func Mark(t testing.TB, issue string) {
 	if !issueRegexp.MatchString(issue) {
 		t.Fatalf("bad issue format: %q", issue)
 	}
-	if _, ok := os.LookupEnv(FlakeAttemptEnv); ok {
-		// We're being run under cmd/testwrapper so send our sentinel message
-		// to stderr. (We avoid doing this when the env is absent to avoid
-		// spamming people running tests without the wrapper)
-		fmt.Fprintln(os.Stderr, FlakyTestLogMessage)
-	}
+
+	fmt.Fprintln(os.Stderr, FlakyTestLogMessage) // sentinel value for testwrapper
 	t.Logf("flakytest: issue tracking this flaky test: %s", issue)
 }

cmd/testwrapper/testwrapper.go

@@ -8,7 +8,6 @@
 package main
 
 import (
-	"bufio"
 	"bytes"
 	"context"
 	"encoding/json"
@@ -23,15 +22,14 @@ import (
 	"strings"
 	"time"
 
-	xmaps "golang.org/x/exp/maps"
+	"golang.org/x/exp/maps"
 	"tailscale.com/cmd/testwrapper/flakytest"
 )
 
 const maxAttempts = 3
 
 type testAttempt struct {
-	pkg           string // "tailscale.com/types/key"
-	testName      string // "TestFoo"
+	name          testName
 	outcome       string // "pass", "fail", "skip"
 	logs          bytes.Buffer
 	isMarkedFlaky bool // set if the test is marked as flaky
@@ -39,6 +37,11 @@ type testAttempt struct {
 	pkgFinished bool
 }
 
+type testName struct {
+	pkg  string // "tailscale.com/types/key"
+	name string // "TestFoo"
+}
+
 type packageTests struct {
 	// pattern is the package pattern to run.
 	// Must be a single pattern, not a list of patterns.
@@ -60,10 +63,9 @@ var debug = os.Getenv("TS_TESTWRAPPER_DEBUG") != ""
 
 // runTests runs the tests in pt and sends the results on ch. It sends a
 // testAttempt for each test and a final testAttempt per pkg with pkgFinished
-// set to true. Package build errors will not emit a testAttempt (as no valid
-// JSON is produced) but the [os/exec.ExitError] will be returned.
+// set to true.
 // It calls close(ch) when it's done.
-func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []string, ch chan<- *testAttempt) error {
+func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []string, ch chan<- *testAttempt) {
 	defer close(ch)
 	args := []string{"test", "-json", pt.pattern}
 	args = append(args, otherArgs...)
@@ -89,12 +91,17 @@ func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []st
 		log.Printf("error starting test: %v", err)
 		os.Exit(1)
 	}
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		cmd.Wait()
+	}()
 
-	s := bufio.NewScanner(r)
-	resultMap := make(map[string]map[string]*testAttempt) // pkg -> test -> testAttempt
-	for s.Scan() {
+	jd := json.NewDecoder(r)
+	resultMap := make(map[testName]*testAttempt)
+	for {
 		var goOutput goTestOutput
-		if err := json.Unmarshal(s.Bytes(), &goOutput); err != nil {
+		if err := jd.Decode(&goOutput); err != nil {
 			if errors.Is(err, io.EOF) || errors.Is(err, os.ErrClosed) {
 				break
 			}
@@ -104,39 +111,32 @@ func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []st
 			// The build error will be printed to stderr.
 			// See: https://github.com/golang/go/issues/35169
 			if _, ok := err.(*json.SyntaxError); ok {
-				fmt.Println(s.Text())
+				jd = json.NewDecoder(r)
 				continue
 			}
 			panic(err)
 		}
-		pkg := goOutput.Package
-		pkgTests := resultMap[pkg]
 		if goOutput.Test == "" {
 			switch goOutput.Action {
 			case "fail", "pass", "skip":
-				for _, test := range pkgTests {
-					if test.outcome == "" {
-						test.outcome = "fail"
-						ch <- test
-					}
-				}
 				ch <- &testAttempt{
-					pkg:         goOutput.Package,
+					name: testName{
+						pkg: goOutput.Package,
+					},
 					outcome:     goOutput.Action,
 					pkgFinished: true,
 				}
 			}
 			continue
 		}
-		if pkgTests == nil {
-			pkgTests = make(map[string]*testAttempt)
-			resultMap[pkg] = pkgTests
+		name := testName{
+			pkg:  goOutput.Package,
+			name: goOutput.Test,
 		}
-		testName := goOutput.Test
 		if test, _, isSubtest := strings.Cut(goOutput.Test, "/"); isSubtest {
-			testName = test
+			name.name = test
 			if goOutput.Action == "output" {
-				resultMap[pkg][testName].logs.WriteString(goOutput.Output)
+				resultMap[name].logs.WriteString(goOutput.Output)
 			}
 			continue
 		}
@@ -144,28 +144,21 @@ func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []st
 		case "start":
 			// ignore
 		case "run":
-			pkgTests[testName] = &testAttempt{
-				pkg:      pkg,
-				testName: testName,
+			resultMap[name] = &testAttempt{
+				name: name,
 			}
 		case "skip", "pass", "fail":
-			pkgTests[testName].outcome = goOutput.Action
-			ch <- pkgTests[testName]
+			resultMap[name].outcome = goOutput.Action
+			ch <- resultMap[name]
 		case "output":
 			if strings.TrimSpace(goOutput.Output) == flakytest.FlakyTestLogMessage {
-				pkgTests[testName].isMarkedFlaky = true
+				resultMap[name].isMarkedFlaky = true
 			} else {
-				pkgTests[testName].logs.WriteString(goOutput.Output)
+				resultMap[name].logs.WriteString(goOutput.Output)
 			}
 		}
 	}
-	if err := cmd.Wait(); err != nil {
-		return err
-	}
-	if err := s.Err(); err != nil {
-		return fmt.Errorf("reading go test stdout: %w", err)
-	}
-	return nil
+	<-done
 }
 
 func main() {
@@ -239,7 +232,7 @@ func main() {
 		var thisRun *nextRun
 		thisRun, toRun = toRun[0], toRun[1:]
 
-		if thisRun.attempt > maxAttempts {
+		if thisRun.attempt >= maxAttempts {
 			fmt.Println("max attempts reached")
 			os.Exit(1)
 		}
@@ -247,32 +240,14 @@ func main() {
 			fmt.Printf("\n\nAttempt #%d: Retrying flaky tests:\n\n", thisRun.attempt)
 		}
 
+		failed := false
 		toRetry := make(map[string][]string) // pkg -> tests to retry
 		for _, pt := range thisRun.tests {
 			ch := make(chan *testAttempt)
-			runErr := make(chan error, 1)
-			go func() {
-				defer close(runErr)
-				runErr <- runTests(ctx, thisRun.attempt, pt, otherArgs, ch)
-			}()
-
-			var failed bool
+			go runTests(ctx, thisRun.attempt, pt, otherArgs, ch)
 			for tr := range ch {
-				// Go assigns the package name "command-line-arguments" when you
-				// `go test FILE` rather than `go test PKG`. It's more
-				// convenient for us to to specify files in tests, so fix tr.pkg
-				// so that subsequent testwrapper attempts run correctly.
-				if tr.pkg == "command-line-arguments" {
-					tr.pkg = pattern
-				}
 				if tr.pkgFinished {
-					if tr.outcome == "fail" && len(toRetry[tr.pkg]) == 0 {
-						// If a package fails and we don't have any tests to
-						// retry, then we should fail. This typically happens
-						// when a package times out.
-						failed = true
-					}
-					printPkgOutcome(tr.pkg, tr.outcome, thisRun.attempt)
+					printPkgOutcome(tr.name.pkg, tr.outcome, thisRun.attempt)
 					continue
 				}
 				if *v || tr.outcome == "fail" {
@@ -282,33 +257,20 @@ func main() {
 					continue
 				}
 				if tr.isMarkedFlaky {
-					toRetry[tr.pkg] = append(toRetry[tr.pkg], tr.testName)
+					toRetry[tr.name.pkg] = append(toRetry[tr.name.pkg], tr.name.name)
 				} else {
 					failed = true
 				}
 			}
-			if failed {
-				fmt.Println("\n\nNot retrying flaky tests because non-flaky tests failed.")
-				os.Exit(1)
-			}
-
-			// If there's nothing to retry and no non-retryable tests have
-			// failed then we've probably hit a build error.
-			if err := <-runErr; len(toRetry) == 0 && err != nil {
-				var exit *exec.ExitError
-				if errors.As(err, &exit) {
-					if code := exit.ExitCode(); code > -1 {
-						os.Exit(exit.ExitCode())
-					}
-				}
-				log.Printf("testwrapper: %s", err)
-				os.Exit(1)
-			}
+		}
+		if failed {
+			fmt.Println("\n\nNot retrying flaky tests because non-flaky tests failed.")
+			os.Exit(1)
 		}
 		if len(toRetry) == 0 {
 			continue
 		}
-		pkgs := xmaps.Keys(toRetry)
+		pkgs := maps.Keys(toRetry)
 		sort.Strings(pkgs)
 		nextRun := &nextRun{
 			attempt: thisRun.attempt + 1,

cmd/testwrapper/testwrapper_test.go

@@ -1,218 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main_test
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"sync"
-	"testing"
-)
-
-var (
-	buildPath string
-	buildErr  error
-	buildOnce sync.Once
-)
-
-func cmdTestwrapper(t *testing.T, args ...string) *exec.Cmd {
-	buildOnce.Do(func() {
-		buildPath, buildErr = buildTestWrapper()
-	})
-	if buildErr != nil {
-		t.Fatalf("building testwrapper: %s", buildErr)
-	}
-	return exec.Command(buildPath, args...)
-}
-
-func buildTestWrapper() (string, error) {
-	dir, err := os.MkdirTemp("", "testwrapper")
-	if err != nil {
-		return "", fmt.Errorf("making temp dir: %w", err)
-	}
-	_, err = exec.Command("go", "build", "-o", dir, ".").Output()
-	if err != nil {
-		return "", fmt.Errorf("go build: %w", err)
-	}
-	return filepath.Join(dir, "testwrapper"), nil
-}
-
-func TestRetry(t *testing.T) {
-	t.Parallel()
-
-	testfile := filepath.Join(t.TempDir(), "retry_test.go")
-	code := []byte(`package retry_test
-
-import (
-	"os"
-	"testing"
-	"tailscale.com/cmd/testwrapper/flakytest"
-)
-
-func TestOK(t *testing.T) {}
-
-func TestFlakeRun(t *testing.T) {
-	flakytest.Mark(t, "https://github.com/tailscale/tailscale/issues/0") // random issue
-	e := os.Getenv(flakytest.FlakeAttemptEnv)
-	if e == "" {
-		t.Skip("not running in testwrapper")
-	}
-	if e == "1" {
-		t.Fatal("First run in testwrapper, failing so that test is retried. This is expected.")
-	}
-}
-`)
-	if err := os.WriteFile(testfile, code, 0o644); err != nil {
-		t.Fatalf("writing package: %s", err)
-	}
-
-	out, err := cmdTestwrapper(t, "-v", testfile).CombinedOutput()
-	if err != nil {
-		t.Fatalf("go run . %s: %s with output:\n%s", testfile, err, out)
-	}
-
-	want := []byte("ok\t" + testfile + " [attempt=2]")
-	if !bytes.Contains(out, want) {
-		t.Fatalf("wanted output containing %q but got:\n%s", want, out)
-	}
-
-	if okRuns := bytes.Count(out, []byte("=== RUN   TestOK")); okRuns != 1 {
-		t.Fatalf("expected TestOK to be run once but was run %d times in output:\n%s", okRuns, out)
-	}
-	if flakeRuns := bytes.Count(out, []byte("=== RUN   TestFlakeRun")); flakeRuns != 2 {
-		t.Fatalf("expected TestFlakeRun to be run twice but was run %d times in output:\n%s", flakeRuns, out)
-	}
-
-	if testing.Verbose() {
-		t.Logf("success - output:\n%s", out)
-	}
-}
-
-func TestNoRetry(t *testing.T) {
-	t.Parallel()
-
-	testfile := filepath.Join(t.TempDir(), "noretry_test.go")
-	code := []byte(`package noretry_test
-
-import (
-	"testing"
-	"tailscale.com/cmd/testwrapper/flakytest"
-)
-
-func TestFlakeRun(t *testing.T) {
-	flakytest.Mark(t, "https://github.com/tailscale/tailscale/issues/0") // random issue
-	t.Error("shouldn't be retried")
-}
-
-func TestAlwaysError(t *testing.T) {
-	t.Error("error")
-}
-`)
-	if err := os.WriteFile(testfile, code, 0o644); err != nil {
-		t.Fatalf("writing package: %s", err)
-	}
-
-	out, err := cmdTestwrapper(t, "-v", testfile).Output()
-	if err == nil {
-		t.Fatalf("go run . %s: expected error but it succeeded with output:\n%s", testfile, out)
-	}
-	if code, ok := errExitCode(err); ok && code != 1 {
-		t.Fatalf("expected exit code 1 but got %d", code)
-	}
-
-	want := []byte("Not retrying flaky tests because non-flaky tests failed.")
-	if !bytes.Contains(out, want) {
-		t.Fatalf("wanted output containing %q but got:\n%s", want, out)
-	}
-
-	if flakeRuns := bytes.Count(out, []byte("=== RUN   TestFlakeRun")); flakeRuns != 1 {
-		t.Fatalf("expected TestFlakeRun to be run once but was run %d times in output:\n%s", flakeRuns, out)
-	}
-
-	if testing.Verbose() {
-		t.Logf("success - output:\n%s", out)
-	}
-}
-
-func TestBuildError(t *testing.T) {
-	t.Parallel()
-
-	// Construct our broken package.
-	testfile := filepath.Join(t.TempDir(), "builderror_test.go")
-	code := []byte("package builderror_test\n\nderp")
-	err := os.WriteFile(testfile, code, 0o644)
-	if err != nil {
-		t.Fatalf("writing package: %s", err)
-	}
-
-	buildErr := []byte("builderror_test.go:3:1: expected declaration, found derp\nFAIL	command-line-arguments [setup failed]")
-
-	// Confirm `go test` exits with code 1.
-	goOut, err := exec.Command("go", "test", testfile).CombinedOutput()
-	if code, ok := errExitCode(err); !ok || code != 1 {
-		t.Fatalf("go test %s: expected error with exit code 0 but got: %v", testfile, err)
-	}
-	if !bytes.Contains(goOut, buildErr) {
-		t.Fatalf("go test %s: expected build error containing %q but got:\n%s", testfile, buildErr, goOut)
-	}
-
-	// Confirm `testwrapper` exits with code 1.
-	twOut, err := cmdTestwrapper(t, testfile).CombinedOutput()
-	if code, ok := errExitCode(err); !ok || code != 1 {
-		t.Fatalf("testwrapper %s: expected error with exit code 0 but got: %v", testfile, err)
-	}
-	if !bytes.Contains(twOut, buildErr) {
-		t.Fatalf("testwrapper %s: expected build error containing %q but got:\n%s", testfile, buildErr, twOut)
-	}
-
-	if testing.Verbose() {
-		t.Logf("success - output:\n%s", twOut)
-	}
-}
-
-func TestTimeout(t *testing.T) {
-	t.Parallel()
-
-	// Construct our broken package.
-	testfile := filepath.Join(t.TempDir(), "timeout_test.go")
-	code := []byte(`package noretry_test
-
-import (
-	"testing"
-	"time"
-)
-
-func TestTimeout(t *testing.T) {
-	time.Sleep(500 * time.Millisecond)
-}
-`)
-	err := os.WriteFile(testfile, code, 0o644)
-	if err != nil {
-		t.Fatalf("writing package: %s", err)
-	}
-
-	out, err := cmdTestwrapper(t, testfile, "-timeout=20ms").CombinedOutput()
-	if code, ok := errExitCode(err); !ok || code != 1 {
-		t.Fatalf("testwrapper %s: expected error with exit code 0 but got: %v; output was:\n%s", testfile, err, out)
-	}
-	if want := "panic: test timed out after 20ms"; !bytes.Contains(out, []byte(want)) {
-		t.Fatalf("testwrapper %s: expected build error containing %q but got:\n%s", testfile, buildErr, out)
-	}
-
-	if testing.Verbose() {
-		t.Logf("success - output:\n%s", out)
-	}
-}
-
-func errExitCode(err error) (int, bool) {
-	var exit *exec.ExitError
-	if errors.As(err, &exit) {
-		return exit.ExitCode(), true
-	}
-	return 0, false
-}

cmd/tsconnect/build-pkg.go

@@ -1,8 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !plan9
-
 package main
 
 import (

cmd/tsconnect/build.go

@@ -1,8 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !plan9
-
 package main
 
 import (

cmd/tsconnect/common.go

@@ -1,8 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !plan9
-
 package main
 
 import (
@@ -14,11 +12,11 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
-	"slices"
 	"strconv"
 	"time"
 
 	esbuild "github.com/evanw/esbuild/pkg/api"
+	"golang.org/x/exp/slices"
 )
 
 const (

cmd/tsconnect/dev-pkg.go

@@ -1,8 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !plan9
-
 package main
 
 import (

cmd/tsconnect/dev.go

@@ -1,8 +1,6 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !plan9
-
 package main
 
 import (