Wip

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-01-21 00:15:47 +02:00
933 changed files with 16585 additions and 85001 deletions
--- a/.github/workflows/checklocks.yml
+++ b/.github/workflows/checklocks.yml
@@ -24,11 +24,5 @@ jobs:
        run: ./tool/go build -o /tmp/checklocks gvisor.dev/gvisor/tools/checklocks/cmd/checklocks

      - name: Run checklocks vet
-        # TODO(#12625): add more packages as we add annotations
-        run: |-
-          ./tool/go vet -vettool=/tmp/checklocks \
-            ./envknob           \
-            ./ipn/store/mem     \
-            ./net/stun/stuntest \
-            ./net/wsconn        \
-            ./proxymap
+        # TODO: remove || true once we have applied checklocks annotations everywhere.
+        run: ./tool/go vet -vettool=/tmp/checklocks ./... || true
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,12 +47,6 @@ jobs:
    - name: Checkout repository
      uses: actions/checkout@v4

-    # Install a more recent Go that understands modern go.mod content.
-    - name: Install Go
-      uses: actions/setup-go@v4
-      with:
-        go-version-file: go.mod
-
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
--- a/.github/workflows/go-licenses.yml
+++ b/.github/workflows/go-licenses.yml
@@ -0,0 +1,64 @@
+name: go-licenses
+
+on:
+  # run action when a change lands in the main branch which updates go.mod or
+  # our license template file. Also allow manual triggering.
+  push:
+    branches:
+      - main
+    paths:
+      - go.mod
+      - .github/licenses.tmpl
+      - .github/workflows/go-licenses.yml
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  update-licenses:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
+
+      - name: Install go-licenses
+        run: |
+          go install github.com/google/go-licenses@v1.2.2-0.20220825154955-5eedde1c6584
+
+      - name: Run go-licenses
+        env:
+          # include all build tags to include platform-specific dependencies
+          GOFLAGS: "-tags=android,cgo,darwin,freebsd,ios,js,linux,openbsd,wasm,windows"
+        run: |
+          [ -d licenses ] || mkdir licenses
+          go-licenses report tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled > licenses/tailscale.md --template .github/licenses.tmpl
+
+      - name: Get access token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.LICENSING_APP_ID }}
+          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
+          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
+
+      - name: Send pull request
+        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          author: License Updater <noreply+license-updater@tailscale.com>
+          committer: License Updater <noreply+license-updater@tailscale.com>
+          branch: licenses/cli
+          commit-message: "licenses: update tailscale{,d} licenses"
+          title: "licenses: update tailscale{,d} licenses"
+          body: Triggered by ${{ github.repository }}@${{ github.sha }}
+          signoff: true
+          delete-branch: true
+          team-reviewers: opensource-license-reviewers
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -34,7 +34,7 @@ jobs:
        # Note: this is the 'v3' tag as of 2023-08-14
        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299
        with:
-          version: v1.56
+          version: v1.54.2

          # Show only new issues if it's a pull request.
          only-new-issues: true
--- a/.github/workflows/installer.yml
+++ b/.github/workflows/installer.yml
@@ -32,6 +32,7 @@ jobs:
          - "ubuntu:18.04"
          - "ubuntu:20.04"
          - "ubuntu:22.04"
+          - "ubuntu:22.10"
          - "ubuntu:23.04"
          - "elementary/docker:stable"
          - "elementary/docker:unstable"
@@ -67,11 +68,6 @@ jobs:
      image: ${{ matrix.image }}
      options: --user root
    steps:
-    - name: install dependencies (pacman)
-      # Refresh the package databases to ensure that the tailscale package is
-      # defined.
-      run: pacman -Sy
-      if: contains(matrix.image, 'archlinux')
    - name: install dependencies (yum)
      # tar and gzip are needed by the actions/checkout below.
      run: yum install -y --allowerasing tar gzip ${{ matrix.deps }}
@@ -95,10 +91,7 @@ jobs:
        || contains(matrix.image, 'parrotsec')
        || contains(matrix.image, 'kalilinux')
    - name: checkout
-      # We cannot use v4, as it requires a newer glibc version than some of the
-      # tested images provide. See
-      # https://github.com/actions/checkout/issues/1487
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: run installer
      run: scripts/installer.sh
      # Package installation can fail in docker because systemd is not running
--- a/.github/workflows/kubemanifests.yaml
+++ b/.github/workflows/kubemanifests.yaml
@@ -2,8 +2,8 @@ name: "Kubernetes manifests"
 on:
  pull_request:
   paths: 
-   - 'cmd/k8s-operator/**'
-   - 'k8s-operator/**'
+   - './cmd/k8s-operator/'
+   - './k8s-operator/'
   - '.github/workflows/kubemanifests.yaml'

 # Cancel workflow run if there is a newer push to the same PR for which it is
--- a/.github/workflows/ssh-integrationtest.yml
+++ b/.github/workflows/ssh-integrationtest.yml
@@ -1,23 +0,0 @@
-# Run the ssh integration tests with `make sshintegrationtest`.
-# These tests can also be running locally.
-name: "ssh-integrationtest"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-on:
-  pull_request:
-    paths:
-      - "ssh/**"
-      - "tempfork/gliderlabs/ssh/**"
-      - ".github/workflows/ssh-integrationtest"
-jobs:
-  ssh-integrationtest:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Run SSH integration tests
-        run: |
-          make sshintegrationtest
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -183,19 +183,6 @@ jobs:
      # the equals signs cause great confusion.
      run: go test ./... -bench . -benchtime 1x -run "^$"

-  privileged:
-    runs-on: ubuntu-22.04
-    container:
-      image: golang:latest
-      options: --privileged
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: chown
-      run: chown -R $(id -u):$(id -g) $PWD
-    - name: privileged tests
-      run: ./tool/go test ./util/linuxfw ./derp/xdp
-
  vm:
    runs-on: ["self-hosted", "linux", "vm"]
    # VM tests run with some privileges, don't let them run on 3p PRs.
@@ -206,9 +193,9 @@ jobs:
    - name: Run VM tests
      run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
      env:
-        HOME: "/var/lib/ghrunner/home"
+        HOME: "/tmp"
        TMPDIR: "/tmp"
-        XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
+        XDB_CACHE_HOME: "/var/lib/ghrunner/cache"

  race-build:
    runs-on: ubuntu-22.04
@@ -254,6 +241,9 @@ jobs:
            goarch: amd64
          - goos: openbsd
            goarch: amd64
+          # Plan9
+          - goos: plan9
+            goarch: amd64

    runs-on: ubuntu-22.04
    steps:
@@ -302,47 +292,6 @@ jobs:
        GOOS: ios
        GOARCH: arm64

-  crossmin: # cross-compile for platforms where we only check cmd/tailscale{,d}
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          # Plan9
-          - goos: plan9
-            goarch: amd64
-          # AIX
-          - goos: aix
-            goarch: ppc64
-
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-
-    - name: build core
-      run: ./tool/go build ./cmd/tailscale ./cmd/tailscaled
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-        GOARM: ${{ matrix.goarm }}
-        CGO_ENABLED: "0"
-
  android:
    # similar to cross above, but android fails to build a few pieces of the
    # repo. We should fix those pieces, they're small, but as a stepping stone,
@@ -356,7 +305,7 @@ jobs:
      # some Android breakages early.
      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
    - name: build some
-      run: ./tool/go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/netmon ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
+      run: ./tool/go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
      env:
        GOOS: android
        GOARCH: arm64
@@ -480,7 +429,7 @@ jobs:
      uses: actions/checkout@v4
    - name: check that 'go generate' is clean
      run: |
-        pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator|xdp')
+        pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator')
        ./tool/go generate $pkgs
        echo
        echo
--- a/.gitignore
+++ b/.gitignore
@@ -9,7 +9,6 @@

 cmd/tailscale/tailscale
 cmd/tailscaled/tailscaled
-ssh/tailssh/testcontainers/tailscaled

 # Test binary, built with `go test -c`
 *.test
--- a/16
+++ b/16
@@ -1,13 +1,17 @@
 # Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause

-# Note that this Dockerfile is currently NOT used to build any of the published
-# Tailscale container images and may have drifted from the image build mechanism
-# we use.
-# Tailscale images are currently built using https://github.com/tailscale/mkctr,
-# and the build script can be found in ./build_docker.sh.
+############################################################################
 #
+# WARNING: Tailscale is not yet officially supported in container
+# environments, such as Docker and Kubernetes. Though it should work, we
+# don't regularly test it, and we know there are some feature limitations.
 #
+# See current bugs tagged "containers":
+#    https://github.com/tailscale/tailscale/labels/containers
+#
+############################################################################
+
 # This Dockerfile includes all the tailscale binaries.
 #
 # To build the Dockerfile:
@@ -27,7 +31,7 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.22-alpine AS build-env
+FROM golang:1.21-alpine AS build-env

 WORKDIR /go/src/tailscale

--- a/21
+++ b/21
@@ -1,5 +1,5 @@
 IMAGE_REPO ?= tailscale/tailscale
-SYNO_ARCH ?= "x86_64"
+SYNO_ARCH ?= "amd64"
 SYNO_DSM ?= "7"
 TAGS ?= "latest"

@@ -21,7 +21,6 @@ updatedeps: ## Update depaware deps
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper \
-		tailscale.com/cmd/k8s-operator \
 		tailscale.com/cmd/stund

 depaware: ## Run depaware checks
@@ -31,7 +30,6 @@ depaware: ## Run depaware checks
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper \
-		tailscale.com/cmd/k8s-operator \
 		tailscale.com/cmd/stund

 buildwindows: ## Build tailscale CLI for windows/amd64
@@ -102,23 +100,6 @@ publishdevoperator: ## Build and publish k8s-operator image to location specifie
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
 	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=operator ./build_docker.sh

-publishdevnameserver: ## Build and publish k8s-nameserver image to location specified by ${REPO}
-	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/k8s-nameserver" || (echo "REPO=... must not be tailscale/k8s-nameserver" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/k8s-nameserver" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-nameserver" && exit 1)
-	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=k8s-nameserver ./build_docker.sh
-
-.PHONY: sshintegrationtest
-sshintegrationtest: ## Run the SSH integration tests in various Docker containers
-	@GOOS=linux GOARCH=amd64 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \
-	GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \
-	echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers
-
 help: ## Show this help
 	@echo "\nSpecify a command. The choices are:\n"
 	@grep -hE '^[0-9a-zA-Z_-]+:.*?## .*$$' ${MAKEFILE_LIST} | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[0;36m%-20s\033[m %s\n", $$1, $$2}'
--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ not open source.

 ## Building

-We always require the latest Go release, currently Go 1.22. (While we build
+We always require the latest Go release, currently Go 1.21. (While we build
 releases with our [Go fork](https://github.com/tailscale/go/), its use is not
 required.)

--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.71.0
+1.57.0
--- a/api.md
+++ b/api.md
--- a/appc/appconnector.go
+++ b/appc/appconnector.go
@@ -10,123 +10,24 @@
 package appc

 import (
-	"context"
-	"fmt"
 	"net/netip"
 	"slices"
 	"strings"
 	"sync"
-	"time"

 	xmaps "golang.org/x/exp/maps"
 	"golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/views"
-	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/dnsname"
-	"tailscale.com/util/execqueue"
-	"tailscale.com/util/mak"
-	"tailscale.com/util/slicesx"
 )

-// rateLogger responds to calls to update by adding a count for the current period and
-// calling the callback if any previous period has finished since update was last called
-type rateLogger struct {
-	interval    time.Duration
-	start       time.Time
-	periodStart time.Time
-	periodCount int64
-	now         func() time.Time
-	callback    func(int64, time.Time, int64)
-}
-
-func (rl *rateLogger) currentIntervalStart(now time.Time) time.Time {
-	millisSince := now.Sub(rl.start).Milliseconds() % rl.interval.Milliseconds()
-	return now.Add(-(time.Duration(millisSince)) * time.Millisecond)
-}
-
-func (rl *rateLogger) update(numRoutes int64) {
-	now := rl.now()
-	periodEnd := rl.periodStart.Add(rl.interval)
-	if periodEnd.Before(now) {
-		if rl.periodCount != 0 {
-			rl.callback(rl.periodCount, rl.periodStart, numRoutes)
-		}
-		rl.periodCount = 0
-		rl.periodStart = rl.currentIntervalStart(now)
-	}
-	rl.periodCount++
-}
-
-func newRateLogger(now func() time.Time, interval time.Duration, callback func(int64, time.Time, int64)) *rateLogger {
-	nowTime := now()
-	return &rateLogger{
-		callback:    callback,
-		now:         now,
-		interval:    interval,
-		start:       nowTime,
-		periodStart: nowTime,
-	}
-}
-
 // RouteAdvertiser is an interface that allows the AppConnector to advertise
 // newly discovered routes that need to be served through the AppConnector.
 type RouteAdvertiser interface {
-	// AdvertiseRoute adds one or more route advertisements skipping any that
-	// are already advertised.
-	AdvertiseRoute(...netip.Prefix) error
-
-	// UnadvertiseRoute removes any matching route advertisements.
-	UnadvertiseRoute(...netip.Prefix) error
-}
-
-var (
-	metricStoreRoutesRateBuckets = []int64{1, 2, 3, 4, 5, 10, 100, 1000}
-	metricStoreRoutesNBuckets    = []int64{1, 2, 3, 4, 5, 10, 100, 1000, 10000}
-	metricStoreRoutesRate        []*clientmetric.Metric
-	metricStoreRoutesN           []*clientmetric.Metric
-)
-
-func initMetricStoreRoutes() {
-	for _, n := range metricStoreRoutesRateBuckets {
-		metricStoreRoutesRate = append(metricStoreRoutesRate, clientmetric.NewCounter(fmt.Sprintf("appc_store_routes_rate_%d", n)))
-	}
-	metricStoreRoutesRate = append(metricStoreRoutesRate, clientmetric.NewCounter("appc_store_routes_rate_over"))
-	for _, n := range metricStoreRoutesNBuckets {
-		metricStoreRoutesN = append(metricStoreRoutesN, clientmetric.NewCounter(fmt.Sprintf("appc_store_routes_n_routes_%d", n)))
-	}
-	metricStoreRoutesN = append(metricStoreRoutesN, clientmetric.NewCounter("appc_store_routes_n_routes_over"))
-}
-
-func recordMetric(val int64, buckets []int64, metrics []*clientmetric.Metric) {
-	if len(buckets) < 1 {
-		return
-	}
-	// finds the first bucket where val <=, or len(buckets) if none match
-	// for bucket values of 1, 10, 100; 0-1 goes to [0], 2-10 goes to [1], 11-100 goes to [2], 101+ goes to [3]
-	bucket, _ := slices.BinarySearch(buckets, val)
-	metrics[bucket].Add(1)
-}
-
-func metricStoreRoutes(rate, nRoutes int64) {
-	if len(metricStoreRoutesRate) == 0 {
-		initMetricStoreRoutes()
-	}
-	recordMetric(rate, metricStoreRoutesRateBuckets, metricStoreRoutesRate)
-	recordMetric(nRoutes, metricStoreRoutesNBuckets, metricStoreRoutesN)
-}
-
-// RouteInfo is a data structure used to persist the in memory state of an AppConnector
-// so that we can know, even after a restart, which routes came from ACLs and which were
-// learned from domains.
-type RouteInfo struct {
-	// Control is the routes from the 'routes' section of an app connector acl.
-	Control []netip.Prefix `json:",omitempty"`
-	// Domains are the routes discovered by observing DNS lookups for configured domains.
-	Domains map[string][]netip.Addr `json:",omitempty"`
-	// Wildcards are the configured DNS lookup domains to observe. When a DNS query matches Wildcards,
-	// its result is added to Domains.
-	Wildcards []string `json:",omitempty"`
+	// AdvertiseRoute adds a new route advertisement if the route is not already
+	// being advertised.
+	AdvertiseRoute(netip.Prefix) error
 }

 // AppConnector is an implementation of an AppConnector that performs
@@ -142,115 +43,29 @@ type AppConnector struct {
 	logf            logger.Logf
 	routeAdvertiser RouteAdvertiser

-	// storeRoutesFunc will be called to persist routes if it is not nil.
-	storeRoutesFunc func(*RouteInfo) error
-
 	// mu guards the fields that follow
 	mu sync.Mutex
-
-	// domains is a map of lower case domain names with no trailing dot, to an
-	// ordered list of resolved IP addresses.
+	// domains is a map of lower case domain names with no trailing dot, to a
+	// list of resolved IP addresses.
 	domains map[string][]netip.Addr

-	// controlRoutes is the list of routes that were last supplied by control.
-	controlRoutes []netip.Prefix
-
 	// wildcards is the list of domain strings that match subdomains.
 	wildcards []string
-
-	// queue provides ordering for update operations
-	queue execqueue.ExecQueue
-
-	writeRateMinute *rateLogger
-	writeRateDay    *rateLogger
 }

 // NewAppConnector creates a new AppConnector.
-func NewAppConnector(logf logger.Logf, routeAdvertiser RouteAdvertiser, routeInfo *RouteInfo, storeRoutesFunc func(*RouteInfo) error) *AppConnector {
-	ac := &AppConnector{
+func NewAppConnector(logf logger.Logf, routeAdvertiser RouteAdvertiser) *AppConnector {
+	return &AppConnector{
 		logf:            logger.WithPrefix(logf, "appc: "),
 		routeAdvertiser: routeAdvertiser,
-		storeRoutesFunc: storeRoutesFunc,
 	}
-	if routeInfo != nil {
-		ac.domains = routeInfo.Domains
-		ac.wildcards = routeInfo.Wildcards
-		ac.controlRoutes = routeInfo.Control
-	}
-	ac.writeRateMinute = newRateLogger(time.Now, time.Minute, func(c int64, s time.Time, l int64) {
-		ac.logf("routeInfo write rate: %d in minute starting at %v (%d routes)", c, s, l)
-		metricStoreRoutes(c, l)
-	})
-	ac.writeRateDay = newRateLogger(time.Now, 24*time.Hour, func(c int64, s time.Time, l int64) {
-		ac.logf("routeInfo write rate: %d in 24 hours starting at %v (%d routes)", c, s, l)
-	})
-	return ac
 }

-// ShouldStoreRoutes returns true if the appconnector was created with the controlknob on
-// and is storing its discovered routes persistently.
-func (e *AppConnector) ShouldStoreRoutes() bool {
-	return e.storeRoutesFunc != nil
-}
-
-// storeRoutesLocked takes the current state of the AppConnector and persists it
-func (e *AppConnector) storeRoutesLocked() error {
-	if !e.ShouldStoreRoutes() {
-		return nil
-	}
-
-	// log write rate and write size
-	numRoutes := int64(len(e.controlRoutes))
-	for _, rs := range e.domains {
-		numRoutes += int64(len(rs))
-	}
-	e.writeRateMinute.update(numRoutes)
-	e.writeRateDay.update(numRoutes)
-
-	return e.storeRoutesFunc(&RouteInfo{
-		Control:   e.controlRoutes,
-		Domains:   e.domains,
-		Wildcards: e.wildcards,
-	})
-}
-
-// ClearRoutes removes all route state from the AppConnector.
-func (e *AppConnector) ClearRoutes() error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-	e.controlRoutes = nil
-	e.domains = nil
-	e.wildcards = nil
-	return e.storeRoutesLocked()
-}
-
-// UpdateDomainsAndRoutes starts an asynchronous update of the configuration
-// given the new domains and routes.
-func (e *AppConnector) UpdateDomainsAndRoutes(domains []string, routes []netip.Prefix) {
-	e.queue.Add(func() {
-		// Add the new routes first.
-		e.updateRoutes(routes)
-		e.updateDomains(domains)
-	})
-}
-
-// UpdateDomains asynchronously replaces the current set of configured domains
-// with the supplied set of domains. Domains must not contain a trailing dot,
-// and should be lower case. If the domain contains a leading '*' label it
-// matches all subdomains of a domain.
+// UpdateDomains replaces the current set of configured domains with the
+// supplied set of domains. Domains must not contain a trailing dot, and should
+// be lower case. If the domain contains a leading '*' label it matches all
+// subdomains of a domain.
 func (e *AppConnector) UpdateDomains(domains []string) {
-	e.queue.Add(func() {
-		e.updateDomains(domains)
-	})
-}
-
-// Wait waits for the currently scheduled asynchronous configuration changes to
-// complete.
-func (e *AppConnector) Wait(ctx context.Context) {
-	e.queue.Wait(ctx)
-}
-
-func (e *AppConnector) updateDomains(domains []string) {
 	e.mu.Lock()
 	defer e.mu.Unlock()

@@ -275,80 +90,13 @@ func (e *AppConnector) updateDomains(domains []string) {
 		for _, wc := range e.wildcards {
 			if dnsname.HasSuffix(d, wc) {
 				e.domains[d] = addrs
-				delete(oldDomains, d)
 				break
 			}
 		}
 	}
-
-	// Everything left in oldDomains is a domain we're no longer tracking
-	// and if we are storing route info we can unadvertise the routes
-	if e.ShouldStoreRoutes() {
-		toRemove := []netip.Prefix{}
-		for _, addrs := range oldDomains {
-			for _, a := range addrs {
-				toRemove = append(toRemove, netip.PrefixFrom(a, a.BitLen()))
-			}
-		}
-		if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-			e.logf("failed to unadvertise routes on domain removal: %v: %v: %v", xmaps.Keys(oldDomains), toRemove, err)
-		}
-	}
-
 	e.logf("handling domains: %v and wildcards: %v", xmaps.Keys(e.domains), e.wildcards)
 }

-// updateRoutes merges the supplied routes into the currently configured routes. The routes supplied
-// by control for UpdateRoutes are supplemental to the routes discovered by DNS resolution, but are
-// also more often whole ranges. UpdateRoutes will remove any single address routes that are now
-// covered by new ranges.
-func (e *AppConnector) updateRoutes(routes []netip.Prefix) {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	// If there was no change since the last update, no work to do.
-	if slices.Equal(e.controlRoutes, routes) {
-		return
-	}
-
-	if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
-		e.logf("failed to advertise routes: %v: %v", routes, err)
-		return
-	}
-
-	var toRemove []netip.Prefix
-
-	// If we're storing routes and know e.controlRoutes is a good
-	// representation of what should be in AdvertisedRoutes we can stop
-	// advertising routes that used to be in e.controlRoutes but are not
-	// in routes.
-	if e.ShouldStoreRoutes() {
-		toRemove = routesWithout(e.controlRoutes, routes)
-	}
-
-nextRoute:
-	for _, r := range routes {
-		for _, addr := range e.domains {
-			for _, a := range addr {
-				if r.Contains(a) && netip.PrefixFrom(a, a.BitLen()) != r {
-					pfx := netip.PrefixFrom(a, a.BitLen())
-					toRemove = append(toRemove, pfx)
-					continue nextRoute
-				}
-			}
-		}
-	}
-
-	if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-		e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
-	}
-
-	e.controlRoutes = routes
-	if err := e.storeRoutesLocked(); err != nil {
-		e.logf("failed to store route info: %v", err)
-	}
-}
-
 // Domains returns the currently configured domain list.
 func (e *AppConnector) Domains() views.Slice[string] {
 	e.mu.Lock()
@@ -384,16 +132,6 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 		return
 	}

-	// cnameChain tracks a chain of CNAMEs for a given query in order to reverse
-	// a CNAME chain back to the original query for flattening. The keys are
-	// CNAME record targets, and the value is the name the record answers, so
-	// for www.example.com CNAME example.com, the map would contain
-	// ["example.com"] = "www.example.com".
-	var cnameChain map[string]string
-
-	// addressRecords is a list of address records found in the response.
-	var addressRecords map[string][]netip.Addr
-
 	for {
 		h, err := p.AnswerHeader()
 		if err == dnsmessage.ErrSectionDone {
@@ -409,188 +147,73 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 			}
 			continue
 		}
-
-		switch h.Type {
-		case dnsmessage.TypeCNAME, dnsmessage.TypeA, dnsmessage.TypeAAAA:
-		default:
+		if h.Type != dnsmessage.TypeA && h.Type != dnsmessage.TypeAAAA {
 			if err := p.SkipAnswer(); err != nil {
 				return
 			}
 			continue
-
 		}

-		domain := strings.TrimSuffix(strings.ToLower(h.Name.String()), ".")
+		domain := h.Name.String()
 		if len(domain) == 0 {
-			continue
+			return
 		}
+		domain = strings.TrimSuffix(domain, ".")
+		domain = strings.ToLower(domain)
+		e.logf("[v2] observed DNS response for %s", domain)

-		if h.Type == dnsmessage.TypeCNAME {
-			res, err := p.CNAMEResource()
-			if err != nil {
+		e.mu.Lock()
+		addrs, ok := e.domains[domain]
+		// match wildcard domains
+		if !ok {
+			for _, wc := range e.wildcards {
+				if dnsname.HasSuffix(domain, wc) {
+					e.domains[domain] = nil
+					ok = true
+					break
+				}
+			}
+		}
+		e.mu.Unlock()
+
+		if !ok {
+			if err := p.SkipAnswer(); err != nil {
 				return
 			}
-			cname := strings.TrimSuffix(strings.ToLower(res.CNAME.String()), ".")
-			if len(cname) == 0 {
-				continue
-			}
-			mak.Set(&cnameChain, cname, domain)
 			continue
 		}

+		var addr netip.Addr
 		switch h.Type {
 		case dnsmessage.TypeA:
 			r, err := p.AResource()
 			if err != nil {
 				return
 			}
-			addr := netip.AddrFrom4(r.A)
-			mak.Set(&addressRecords, domain, append(addressRecords[domain], addr))
+			addr = netip.AddrFrom4(r.A)
 		case dnsmessage.TypeAAAA:
 			r, err := p.AAAAResource()
 			if err != nil {
 				return
 			}
-			addr := netip.AddrFrom16(r.AAAA)
-			mak.Set(&addressRecords, domain, append(addressRecords[domain], addr))
+			addr = netip.AddrFrom16(r.AAAA)
 		default:
 			if err := p.SkipAnswer(); err != nil {
 				return
 			}
 			continue
 		}
-	}
-
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	for domain, addrs := range addressRecords {
-		domain, isRouted := e.findRoutedDomainLocked(domain, cnameChain)
-
-		// domain and none of the CNAMEs in the chain are routed
-		if !isRouted {
+		if slices.Contains(addrs, addr) {
 			continue
 		}
-
-		// advertise each address we have learned for the routed domain, that
-		// was not already known.
-		var toAdvertise []netip.Prefix
-		for _, addr := range addrs {
-			if !e.isAddrKnownLocked(domain, addr) {
-				toAdvertise = append(toAdvertise, netip.PrefixFrom(addr, addr.BitLen()))
-			}
+		if err := e.routeAdvertiser.AdvertiseRoute(netip.PrefixFrom(addr, addr.BitLen())); err != nil {
+			e.logf("failed to advertise route for %s: %v: %v", domain, addr, err)
+			continue
 		}
+		e.logf("[v2] advertised route for %v: %v", domain, addr)

-		if len(toAdvertise) > 0 {
-			e.logf("[v2] observed new routes for %s: %s", domain, toAdvertise)
-			e.scheduleAdvertisement(domain, toAdvertise...)
-		}
-	}
-}
-
-// starting from the given domain that resolved to an address, find it, or any
-// of the domains in the CNAME chain toward resolving it, that are routed
-// domains, returning the routed domain name and a bool indicating whether a
-// routed domain was found.
-// e.mu must be held.
-func (e *AppConnector) findRoutedDomainLocked(domain string, cnameChain map[string]string) (string, bool) {
-	var isRouted bool
-	for {
-		_, isRouted = e.domains[domain]
-		if isRouted {
-			break
-		}
-
-		// match wildcard domains
-		for _, wc := range e.wildcards {
-			if dnsname.HasSuffix(domain, wc) {
-				e.domains[domain] = nil
-				isRouted = true
-				break
-			}
-		}
-
-		next, ok := cnameChain[domain]
-		if !ok {
-			break
-		}
-		domain = next
-	}
-	return domain, isRouted
-}
-
-// isAddrKnownLocked returns true if the address is known to be associated with
-// the given domain. Known domain tables are updated for covered routes to speed
-// up future matches.
-// e.mu must be held.
-func (e *AppConnector) isAddrKnownLocked(domain string, addr netip.Addr) bool {
-	if e.hasDomainAddrLocked(domain, addr) {
-		return true
-	}
-	for _, route := range e.controlRoutes {
-		if route.Contains(addr) {
-			// record the new address associated with the domain for faster matching in subsequent
-			// requests and for diagnostic records.
-			e.addDomainAddrLocked(domain, addr)
-			return true
-		}
-	}
-	return false
-}
-
-// scheduleAdvertisement schedules an advertisement of the given address
-// associated with the given domain.
-func (e *AppConnector) scheduleAdvertisement(domain string, routes ...netip.Prefix) {
-	e.queue.Add(func() {
-		if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
-			e.logf("failed to advertise routes for %s: %v: %v", domain, routes, err)
-			return
-		}
 		e.mu.Lock()
-		defer e.mu.Unlock()
-
-		for _, route := range routes {
-			if !route.IsSingleIP() {
-				continue
-			}
-			addr := route.Addr()
-			if !e.hasDomainAddrLocked(domain, addr) {
-				e.addDomainAddrLocked(domain, addr)
-				e.logf("[v2] advertised route for %v: %v", domain, addr)
-			}
-		}
-		if err := e.storeRoutesLocked(); err != nil {
-			e.logf("failed to store route info: %v", err)
-		}
-	})
-}
-
-// hasDomainAddrLocked returns true if the address has been observed in a
-// resolution of domain.
-func (e *AppConnector) hasDomainAddrLocked(domain string, addr netip.Addr) bool {
-	_, ok := slices.BinarySearchFunc(e.domains[domain], addr, compareAddr)
-	return ok
-}
-
-// addDomainAddrLocked adds the address to the list of addresses resolved for
-// domain and ensures the list remains sorted. Does not attempt to deduplicate.
-func (e *AppConnector) addDomainAddrLocked(domain string, addr netip.Addr) {
-	e.domains[domain] = append(e.domains[domain], addr)
-	slices.SortFunc(e.domains[domain], compareAddr)
-}
-
-func compareAddr(l, r netip.Addr) int {
-	return l.Compare(r)
-}
-
-// routesWithout returns a without b where a and b
-// are unsorted slices of netip.Prefix
-func routesWithout(a, b []netip.Prefix) []netip.Prefix {
-	m := make(map[netip.Prefix]bool, len(b))
-	for _, p := range b {
-		m[p] = true
+		e.domains[domain] = append(addrs, addr)
+		e.mu.Unlock()
 	}
-	return slicesx.Filter(make([]netip.Prefix, 0, len(a)), a, func(p netip.Prefix) bool {
-		return !m[p]
-	})
 }
--- a/appc/appconnector_test.go
+++ b/appc/appconnector_test.go
@@ -4,254 +4,110 @@
 package appc

 import (
-	"context"
 	"net/netip"
 	"reflect"
 	"slices"
 	"testing"
-	"time"

 	xmaps "golang.org/x/exp/maps"
 	"golang.org/x/net/dns/dnsmessage"
-	"tailscale.com/appc/appctest"
-	"tailscale.com/tstest"
-	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/mak"
 	"tailscale.com/util/must"
 )

-func fakeStoreRoutes(*RouteInfo) error { return nil }
-
 func TestUpdateDomains(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, &appctest.RouteCollector{}, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, &appctest.RouteCollector{}, nil, nil)
-		}
-		a.UpdateDomains([]string{"example.com"})
-
-		a.Wait(ctx)
-		if got, want := a.Domains().AsSlice(), []string{"example.com"}; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-
-		addr := netip.MustParseAddr("192.0.0.8")
-		a.domains["example.com"] = append(a.domains["example.com"], addr)
-		a.UpdateDomains([]string{"example.com"})
-		a.Wait(ctx)
-
-		if got, want := a.domains["example.com"], []netip.Addr{addr}; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-
-		// domains are explicitly downcased on set.
-		a.UpdateDomains([]string{"UP.EXAMPLE.COM"})
-		a.Wait(ctx)
-		if got, want := xmaps.Keys(a.domains), []string{"up.example.com"}; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	a := NewAppConnector(t.Logf, nil)
+	a.UpdateDomains([]string{"example.com"})
+	if got, want := a.Domains().AsSlice(), []string{"example.com"}; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
 	}
-}

-func TestUpdateRoutes(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		a.updateDomains([]string{"*.example.com"})
+	addr := netip.MustParseAddr("192.0.0.8")
+	a.domains["example.com"] = append(a.domains["example.com"], addr)
+	a.UpdateDomains([]string{"example.com"})

-		// This route should be collapsed into the range
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "192.0.2.1"))
-		a.Wait(ctx)
-
-		if !slices.Equal(rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}) {
-			t.Fatalf("got %v, want %v", rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
-		}
-
-		// This route should not be collapsed or removed
-		a.ObserveDNSResponse(dnsResponse("b.example.com.", "192.0.0.1"))
-		a.Wait(ctx)
-
-		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
-		a.updateRoutes(routes)
-
-		slices.SortFunc(rc.Routes(), prefixCompare)
-		rc.SetRoutes(slices.Compact(rc.Routes()))
-		slices.SortFunc(routes, prefixCompare)
-
-		// Ensure that the non-matching /32 is preserved, even though it's in the domains table.
-		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
-			t.Errorf("added routes: got %v, want %v", rc.Routes(), routes)
-		}
-
-		// Ensure that the contained /32 is removed, replaced by the /24.
-		wantRemoved := []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}
-		if !slices.EqualFunc(rc.RemovedRoutes(), wantRemoved, prefixEqual) {
-			t.Fatalf("unexpected removed routes: %v", rc.RemovedRoutes())
-		}
+	if got, want := a.domains["example.com"], []netip.Addr{addr}; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
 	}
-}

-func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		mak.Set(&a.domains, "example.com", []netip.Addr{netip.MustParseAddr("192.0.2.1")})
-		rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
-		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
-		a.updateRoutes(routes)
-
-		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
-			t.Fatalf("got %v, want %v", rc.Routes(), routes)
-		}
+	// domains are explicitly downcased on set.
+	a.UpdateDomains([]string{"UP.EXAMPLE.COM"})
+	if got, want := xmaps.Keys(a.domains), []string{"up.example.com"}; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
 	}
 }

 func TestDomainRoutes(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		a.updateDomains([]string{"example.com"})
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-		a.Wait(context.Background())
+	rc := &routeCollector{}
+	a := NewAppConnector(t.Logf, rc)
+	a.UpdateDomains([]string{"example.com"})
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))

-		want := map[string][]netip.Addr{
-			"example.com": {netip.MustParseAddr("192.0.0.8")},
-		}
+	want := map[string][]netip.Addr{
+		"example.com": {netip.MustParseAddr("192.0.0.8")},
+	}

-		if got := a.DomainRoutes(); !reflect.DeepEqual(got, want) {
-			t.Fatalf("DomainRoutes: got %v, want %v", got, want)
-		}
+	if got := a.DomainRoutes(); !reflect.DeepEqual(got, want) {
+		t.Fatalf("DomainRoutes: got %v, want %v", got, want)
 	}
 }

 func TestObserveDNSResponse(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
+	rc := &routeCollector{}
+	a := NewAppConnector(t.Logf, rc)

-		// a has no domains configured, so it should not advertise any routes
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-		if got, want := rc.Routes(), ([]netip.Prefix)(nil); !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	// a has no domains configured, so it should not advertise any routes
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+	if got, want := rc.routes, ([]netip.Prefix)(nil); !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}

-		wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
+	wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}

-		a.updateDomains([]string{"example.com"})
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-		a.Wait(ctx)
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	a.UpdateDomains([]string{"example.com"})
+	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
+	if got, want := rc.routes, wantRoutes; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}

-		// a CNAME record chain should result in a route being added if the chain
-		// matches a routed domain.
-		a.updateDomains([]string{"www.example.com", "example.com"})
-		a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.9", "www.example.com.", "chain.example.com.", "example.com."))
-		a.Wait(ctx)
-		wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.9/32"))
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	wantRoutes = append(wantRoutes, netip.MustParsePrefix("2001:db8::1/128"))

-		// a CNAME record chain should result in a route being added if the chain
-		// even if only found in the middle of the chain
-		a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.10", "outside.example.org.", "www.example.com.", "example.org."))
-		a.Wait(ctx)
-		wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.10/32"))
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
+	a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
+	if got, want := rc.routes, wantRoutes; !slices.Equal(got, want) {
+		t.Errorf("got %v; want %v", got, want)
+	}

-		wantRoutes = append(wantRoutes, netip.MustParsePrefix("2001:db8::1/128"))
-
-		a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
-		a.Wait(ctx)
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-
-		// don't re-advertise routes that have already been advertised
-		a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
-		a.Wait(ctx)
-		if !slices.Equal(rc.Routes(), wantRoutes) {
-			t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
-		}
-
-		// don't advertise addresses that are already in a control provided route
-		pfx := netip.MustParsePrefix("192.0.2.0/24")
-		a.updateRoutes([]netip.Prefix{pfx})
-		wantRoutes = append(wantRoutes, pfx)
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.2.1"))
-		a.Wait(ctx)
-		if !slices.Equal(rc.Routes(), wantRoutes) {
-			t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
-		}
-		if !slices.Contains(a.domains["example.com"], netip.MustParseAddr("192.0.2.1")) {
-			t.Errorf("missing %v from %v", "192.0.2.1", a.domains["exmaple.com"])
-		}
+	// don't re-advertise routes that have already been advertised
+	a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
+	if !slices.Equal(rc.routes, wantRoutes) {
+		t.Errorf("got %v; want %v", rc.routes, wantRoutes)
 	}
 }

 func TestWildcardDomains(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
+	rc := &routeCollector{}
+	a := NewAppConnector(t.Logf, rc)

-		a.updateDomains([]string{"*.example.com"})
-		a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8"))
-		a.Wait(ctx)
-		if got, want := rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
-			t.Errorf("routes: got %v; want %v", got, want)
-		}
-		if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
-			t.Errorf("wildcards: got %v; want %v", got, want)
-		}
+	a.UpdateDomains([]string{"*.example.com"})
+	a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8"))
+	if got, want := rc.routes, []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
+		t.Errorf("routes: got %v; want %v", got, want)
+	}
+	if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
+		t.Errorf("wildcards: got %v; want %v", got, want)
+	}

-		a.updateDomains([]string{"*.example.com", "example.com"})
-		if _, ok := a.domains["foo.example.com"]; !ok {
-			t.Errorf("expected foo.example.com to be preserved in domains due to wildcard")
-		}
-		if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
-			t.Errorf("wildcards: got %v; want %v", got, want)
-		}
+	a.UpdateDomains([]string{"*.example.com", "example.com"})
+	if _, ok := a.domains["foo.example.com"]; !ok {
+		t.Errorf("expected foo.example.com to be preserved in domains due to wildcard")
+	}
+	if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
+		t.Errorf("wildcards: got %v; want %v", got, want)
+	}

-		// There was an early regression where the wildcard domain was added repeatedly, this guards against that.
-		a.updateDomains([]string{"*.example.com", "example.com"})
-		if len(a.wildcards) != 1 {
-			t.Errorf("expected only one wildcard domain, got %v", a.wildcards)
-		}
+	// There was an early regression where the wildcard domain was added repeatedly, this guards against that.
+	a.UpdateDomains([]string{"*.example.com", "example.com"})
+	if len(a.wildcards) != 1 {
+		t.Errorf("expected only one wildcard domain, got %v", a.wildcards)
 	}
 }

@@ -292,313 +148,15 @@ func dnsResponse(domain, address string) []byte {
 	return must.Get(b.Finish())
 }

-func dnsCNAMEResponse(address string, domains ...string) []byte {
-	addr := netip.MustParseAddr(address)
-	b := dnsmessage.NewBuilder(nil, dnsmessage.Header{})
-	b.EnableCompression()
-	b.StartAnswers()
-
-	if len(domains) >= 2 {
-		for i, domain := range domains[:len(domains)-1] {
-			b.CNAMEResource(
-				dnsmessage.ResourceHeader{
-					Name:  dnsmessage.MustNewName(domain),
-					Type:  dnsmessage.TypeCNAME,
-					Class: dnsmessage.ClassINET,
-					TTL:   0,
-				},
-				dnsmessage.CNAMEResource{
-					CNAME: dnsmessage.MustNewName(domains[i+1]),
-				},
-			)
-		}
-	}
-
-	domain := domains[len(domains)-1]
-
-	switch addr.BitLen() {
-	case 32:
-		b.AResource(
-			dnsmessage.ResourceHeader{
-				Name:  dnsmessage.MustNewName(domain),
-				Type:  dnsmessage.TypeA,
-				Class: dnsmessage.ClassINET,
-				TTL:   0,
-			},
-			dnsmessage.AResource{
-				A: addr.As4(),
-			},
-		)
-	case 128:
-		b.AAAAResource(
-			dnsmessage.ResourceHeader{
-				Name:  dnsmessage.MustNewName(domain),
-				Type:  dnsmessage.TypeAAAA,
-				Class: dnsmessage.ClassINET,
-				TTL:   0,
-			},
-			dnsmessage.AAAAResource{
-				AAAA: addr.As16(),
-			},
-		)
-	default:
-		panic("invalid address length")
-	}
-	return must.Get(b.Finish())
+// routeCollector is a test helper that collects the list of routes advertised
+type routeCollector struct {
+	routes []netip.Prefix
 }

-func prefixEqual(a, b netip.Prefix) bool {
-	return a == b
-}
-
-func prefixCompare(a, b netip.Prefix) int {
-	if a.Addr().Compare(b.Addr()) == 0 {
-		return a.Bits() - b.Bits()
-	}
-	return a.Addr().Compare(b.Addr())
-}
-
-func prefixes(in ...string) []netip.Prefix {
-	toRet := make([]netip.Prefix, len(in))
-	for i, s := range in {
-		toRet[i] = netip.MustParsePrefix(s)
-	}
-	return toRet
-}
-
-func TestUpdateRouteRouteRemoval(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-
-		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
-			if !slices.Equal(routes, rc.Routes()) {
-				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
-			}
-			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
-				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
-			}
-		}
-
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		// nothing has yet been advertised
-		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{}, prefixes("1.2.3.1/32", "1.2.3.2/32"))
-		a.Wait(ctx)
-		// the routes passed to UpdateDomainsAndRoutes have been advertised
-		assertRoutes("simple update", prefixes("1.2.3.1/32", "1.2.3.2/32"), []netip.Prefix{})
-
-		// one route the same, one different
-		a.UpdateDomainsAndRoutes([]string{}, prefixes("1.2.3.1/32", "1.2.3.3/32"))
-		a.Wait(ctx)
-		// old behavior: routes are not removed, resulting routes are both old and new
-		// (we have dupe 1.2.3.1 routes because the test RouteAdvertiser doesn't have the deduplication
-		// the real one does)
-		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.1/32", "1.2.3.3/32")
-		wantRemovedRoutes := []netip.Prefix{}
-		if shouldStore {
-			// new behavior: routes are removed, resulting routes are new only
-			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.1/32", "1.2.3.3/32")
-			wantRemovedRoutes = prefixes("1.2.3.2/32")
-		}
-		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
-	}
-}
-
-func TestUpdateDomainRouteRemoval(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-
-		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
-			if !slices.Equal(routes, rc.Routes()) {
-				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
-			}
-			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
-				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
-			}
-		}
-
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com", "b.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// adding domains doesn't immediately cause any routes to be advertised
-		assertRoutes("update domains", []netip.Prefix{}, []netip.Prefix{})
-
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.1"))
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.2"))
-		a.ObserveDNSResponse(dnsResponse("b.example.com.", "1.2.3.3"))
-		a.ObserveDNSResponse(dnsResponse("b.example.com.", "1.2.3.4"))
-		a.Wait(ctx)
-		// observing dns responses causes routes to be advertised
-		assertRoutes("observed dns", prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32"), []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// old behavior, routes are not removed
-		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32")
-		wantRemovedRoutes := []netip.Prefix{}
-		if shouldStore {
-			// new behavior, routes are removed for b.example.com
-			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.2/32")
-			wantRemovedRoutes = prefixes("1.2.3.3/32", "1.2.3.4/32")
-		}
-		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
-	}
-}
-
-func TestUpdateWildcardRouteRemoval(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-
-		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
-			if !slices.Equal(routes, rc.Routes()) {
-				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
-			}
-			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
-				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
-			}
-		}
-
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com", "*.b.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// adding domains doesn't immediately cause any routes to be advertised
-		assertRoutes("update domains", []netip.Prefix{}, []netip.Prefix{})
-
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.1"))
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.2"))
-		a.ObserveDNSResponse(dnsResponse("1.b.example.com.", "1.2.3.3"))
-		a.ObserveDNSResponse(dnsResponse("2.b.example.com.", "1.2.3.4"))
-		a.Wait(ctx)
-		// observing dns responses causes routes to be advertised
-		assertRoutes("observed dns", prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32"), []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// old behavior, routes are not removed
-		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32")
-		wantRemovedRoutes := []netip.Prefix{}
-		if shouldStore {
-			// new behavior, routes are removed for *.b.example.com
-			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.2/32")
-			wantRemovedRoutes = prefixes("1.2.3.3/32", "1.2.3.4/32")
-		}
-		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
-	}
-}
-
-func TestRoutesWithout(t *testing.T) {
-	assert := func(msg string, got, want []netip.Prefix) {
-		if !slices.Equal(want, got) {
-			t.Errorf("%s: want %v, got %v", msg, want, got)
-		}
-	}
-
-	assert("empty routes", routesWithout([]netip.Prefix{}, []netip.Prefix{}), []netip.Prefix{})
-	assert("a empty", routesWithout([]netip.Prefix{}, prefixes("1.1.1.1/32", "1.1.1.2/32")), []netip.Prefix{})
-	assert("b empty", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), []netip.Prefix{}), prefixes("1.1.1.1/32", "1.1.1.2/32"))
-	assert("no overlap", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), prefixes("1.1.1.3/32", "1.1.1.4/32")), prefixes("1.1.1.1/32", "1.1.1.2/32"))
-	assert("a has fewer", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), prefixes("1.1.1.1/32", "1.1.1.2/32", "1.1.1.3/32", "1.1.1.4/32")), []netip.Prefix{})
-	assert("a has more", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32", "1.1.1.3/32", "1.1.1.4/32"), prefixes("1.1.1.1/32", "1.1.1.3/32")), prefixes("1.1.1.2/32", "1.1.1.4/32"))
-}
-
-func TestRateLogger(t *testing.T) {
-	clock := tstest.Clock{}
-	wasCalled := false
-	rl := newRateLogger(func() time.Time { return clock.Now() }, 1*time.Second, func(count int64, _ time.Time, _ int64) {
-		if count != 3 {
-			t.Fatalf("count for prev period: got %d, want 3", count)
-		}
-		wasCalled = true
-	})
-
-	for i := 0; i < 3; i++ {
-		clock.Advance(1 * time.Millisecond)
-		rl.update(0)
-		if wasCalled {
-			t.Fatalf("wasCalled: got true, want false")
-		}
-	}
-
-	clock.Advance(1 * time.Second)
-	rl.update(0)
-	if !wasCalled {
-		t.Fatalf("wasCalled: got false, want true")
-	}
-
-	wasCalled = false
-	rl = newRateLogger(func() time.Time { return clock.Now() }, 1*time.Hour, func(count int64, _ time.Time, _ int64) {
-		if count != 3 {
-			t.Fatalf("count for prev period: got %d, want 3", count)
-		}
-		wasCalled = true
-	})
-
-	for i := 0; i < 3; i++ {
-		clock.Advance(1 * time.Minute)
-		rl.update(0)
-		if wasCalled {
-			t.Fatalf("wasCalled: got true, want false")
-		}
-	}
-
-	clock.Advance(1 * time.Hour)
-	rl.update(0)
-	if !wasCalled {
-		t.Fatalf("wasCalled: got false, want true")
-	}
-}
-
-func TestRouteStoreMetrics(t *testing.T) {
-	metricStoreRoutes(1, 1)
-	metricStoreRoutes(1, 1)         // the 1 buckets value should be 2
-	metricStoreRoutes(5, 5)         // the 5 buckets value should be 1
-	metricStoreRoutes(6, 6)         // the 10 buckets value should be 1
-	metricStoreRoutes(10001, 10001) // the over buckets value should be 1
-	wanted := map[string]int64{
-		"appc_store_routes_n_routes_1":    2,
-		"appc_store_routes_rate_1":        2,
-		"appc_store_routes_n_routes_5":    1,
-		"appc_store_routes_rate_5":        1,
-		"appc_store_routes_n_routes_10":   1,
-		"appc_store_routes_rate_10":       1,
-		"appc_store_routes_n_routes_over": 1,
-		"appc_store_routes_rate_over":     1,
-	}
-	for _, x := range clientmetric.Metrics() {
-		if x.Value() != wanted[x.Name()] {
-			t.Errorf("%s: want: %d, got: %d", x.Name(), wanted[x.Name()], x.Value())
-		}
-	}
-}
-
-func TestMetricBucketsAreSorted(t *testing.T) {
-	if !slices.IsSorted(metricStoreRoutesRateBuckets) {
-		t.Errorf("metricStoreRoutesRateBuckets must be in order")
-	}
-	if !slices.IsSorted(metricStoreRoutesNBuckets) {
-		t.Errorf("metricStoreRoutesNBuckets must be in order")
-	}
+// routeCollector implements RouteAdvertiser
+var _ RouteAdvertiser = (*routeCollector)(nil)
+
+func (rc *routeCollector) AdvertiseRoute(pfx netip.Prefix) error {
+	rc.routes = append(rc.routes, pfx)
+	return nil
 }
--- a/appc/appctest/appctest.go
+++ b/appc/appctest/appctest.go
@@ -1,50 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package appctest contains code to help test App Connectors.
-package appctest
-
-import (
-	"net/netip"
-	"slices"
-)
-
-// RouteCollector is a test helper that collects the list of routes advertised
-type RouteCollector struct {
-	routes        []netip.Prefix
-	removedRoutes []netip.Prefix
-}
-
-func (rc *RouteCollector) AdvertiseRoute(pfx ...netip.Prefix) error {
-	rc.routes = append(rc.routes, pfx...)
-	return nil
-}
-
-func (rc *RouteCollector) UnadvertiseRoute(toRemove ...netip.Prefix) error {
-	routes := rc.routes
-	rc.routes = rc.routes[:0]
-	for _, r := range routes {
-		if !slices.Contains(toRemove, r) {
-			rc.routes = append(rc.routes, r)
-		} else {
-			rc.removedRoutes = append(rc.removedRoutes, r)
-		}
-	}
-	return nil
-}
-
-// RemovedRoutes returns the list of routes that were removed.
-func (rc *RouteCollector) RemovedRoutes() []netip.Prefix {
-	return rc.removedRoutes
-}
-
-// Routes returns the ordered list of routes that were added, including
-// possible duplicates.
-func (rc *RouteCollector) Routes() []netip.Prefix {
-	return rc.routes
-}
-
-func (rc *RouteCollector) SetRoutes(routes []netip.Prefix) error {
-	rc.routes = routes
-	return nil
-}
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -37,7 +37,7 @@ while [ "$#" -gt 1 ]; do
 	--extra-small)
 		shift
 		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube,ts_omit_completion"
+		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube"
 		;;
 	--box)
 		shift
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -1,18 +1,28 @@
 #!/usr/bin/env sh
+
 #
-# This script builds Tailscale container images using
-# github.com/tailscale/mkctr.
-# By default the images will be tagged with the current version and git
-# hash of this repository as produced by ./cmd/mkversion.
-# This is the image build mechanim used to build the official Tailscale
-# container images.
+# Runs `go build` with flags configured for docker distribution. All
+# it does differently from `go build` is burn git commit and version
+# information into the binaries inside docker, so that we can track down user
+# issues.
+#
+############################################################################
+#
+# WARNING: Tailscale is not yet officially supported in container
+# environments, such as Docker and Kubernetes. Though it should work, we
+# don't regularly test it, and we know there are some feature limitations.
+#
+# See current bugs tagged "containers":
+#    https://github.com/tailscale/tailscale/labels/containers
+#
+############################################################################

 set -eu

 # Use the "go" binary from the "tool" directory (which is github.com/tailscale/go)
-export PATH="$PWD"/tool:"$PATH"
+export PATH=$PWD/tool:$PATH

-eval "$(./build_dist.sh shellvars)"
+eval $(./build_dist.sh shellvars)

 DEFAULT_TARGET="client"
 DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
@@ -39,7 +49,6 @@ case "$TARGET" in
        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
      --base="${BASE}" \
      --tags="${TAGS}" \
-      --gotags="ts_kube,ts_package_container" \
      --repos="${REPOS}" \
      --push="${PUSH}" \
      --target="${PLATFORM}" \
@@ -61,24 +70,8 @@ case "$TARGET" in
      --target="${PLATFORM}" \
      /usr/local/bin/operator
    ;;
-  k8s-nameserver)
-    DEFAULT_REPOS="tailscale/k8s-nameserver"
-    REPOS="${REPOS:-${DEFAULT_REPOS}}"
-    go run github.com/tailscale/mkctr \
-      --gopaths="tailscale.com/cmd/k8s-nameserver:/usr/local/bin/k8s-nameserver" \
-      --ldflags=" \
-        -X tailscale.com/version.longStamp=${VERSION_LONG} \
-        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
-        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
-      --base="${BASE}" \
-      --tags="${TAGS}" \
-      --repos="${REPOS}" \
-      --push="${PUSH}" \
-      --target="${PLATFORM}" \
-      /usr/local/bin/k8s-nameserver
-    ;;
  *)
    echo "unknown target: $TARGET"
    exit 1
    ;;
-esac
+esac
--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@@ -37,16 +37,6 @@ type ACLTest struct {
 	Allow []string `json:"allow,omitempty"` // old name for accept
 }

-// NodeAttrGrant defines additional string attributes that apply to specific devices.
-type NodeAttrGrant struct {
-	// Target specifies which nodes the attributes apply to. The nodes can be a
-	// tag (tag:server), user (alice@example.com), group (group:kids), or *.
-	Target []string `json:"target,omitempty"`
-
-	// Attr are the attributes to set on Target(s).
-	Attr []string `json:"attr,omitempty"`
-}
-
 // ACLDetails contains all the details for an ACL.
 type ACLDetails struct {
 	Tests     []ACLTest           `json:"tests,omitempty"`
@@ -54,7 +44,6 @@ type ACLDetails struct {
 	Groups    map[string][]string `json:"groups,omitempty"`
 	TagOwners map[string][]string `json:"tagowners,omitempty"`
 	Hosts     map[string]string   `json:"hosts,omitempty"`
-	NodeAttrs []NodeAttrGrant     `json:"nodeAttrs,omitempty"`
 }

 // ACL contains an ACLDetails and metadata.
@@ -161,12 +150,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 // ACLTestFailureSummary specifies the JSON format sent to the
 // JavaScript client to be rendered in the HTML.
 type ACLTestFailureSummary struct {
-	// User is the source ("src") value of the ACL test that failed.
-	// The name "user" is a legacy holdover from the original naming and
-	// is kept for compatibility but it may also contain any value
-	// that's valid in a ACL test "src" field.
-	User string `json:"user,omitempty"`
-
+	User     string   `json:"user,omitempty"`
 	Errors   []string `json:"errors,omitempty"`
 	Warnings []string `json:"warnings,omitempty"`
 }
@@ -286,14 +270,6 @@ type UserRuleMatch struct {
 	Users      []string `json:"users"`
 	Ports      []string `json:"ports"`
 	LineNumber int      `json:"lineNumber"`
-
-	// Postures is a list of posture policies that are
-	// associated with this match. The rules can be looked
-	// up in the ACLPreviewResponse parent struct.
-	// The source of the list is from srcPosture on
-	// an ACL or Grant rule:
-	// https://tailscale.com/kb/1288/device-posture#posture-conditions
-	Postures []string `json:"postures"`
 }

 // ACLPreviewResponse is the response type of previewACLPostRequest
@@ -301,12 +277,6 @@ type ACLPreviewResponse struct {
 	Matches    []UserRuleMatch `json:"matches"`    // ACL rules that match the specified user or ipport.
 	Type       string          `json:"type"`       // The request type: currently only "user" or "ipport".
 	PreviewFor string          `json:"previewFor"` // A specific user or ipport.
-
-	// Postures is a map of postures and associated rules that apply
-	// to this preview.
-	// For more details about the posture mapping, see:
-	// https://tailscale.com/kb/1288/device-posture#postures
-	Postures map[string][]string `json:"postures,omitempty"`
 }

 // ACLPreview is the response type of PreviewACLForUser, PreviewACLForIPPort, PreviewACLHuJSONForUser, and PreviewACLHuJSONForIPPort
@@ -314,12 +284,6 @@ type ACLPreview struct {
 	Matches []UserRuleMatch `json:"matches"`
 	User    string          `json:"user,omitempty"`   // Filled if response of PreviewACLForUser or PreviewACLHuJSONForUser
 	IPPort  string          `json:"ipport,omitempty"` // Filled if response of PreviewACLForIPPort or PreviewACLHuJSONForIPPort
-
-	// Postures is a map of postures and associated rules that apply
-	// to this preview.
-	// For more details about the posture mapping, see:
-	// https://tailscale.com/kb/1288/device-posture#postures
-	Postures map[string][]string `json:"postures,omitempty"`
 }

 func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
@@ -377,9 +341,8 @@ func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (r
 	}

 	return &ACLPreview{
-		Matches:  b.Matches,
-		User:     b.PreviewFor,
-		Postures: b.Postures,
+		Matches: b.Matches,
+		User:    b.PreviewFor,
 	}, nil
 }

@@ -406,9 +369,8 @@ func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netip.
 	}

 	return &ACLPreview{
-		Matches:  b.Matches,
-		IPPort:   b.PreviewFor,
-		Postures: b.Postures,
+		Matches: b.Matches,
+		IPPort:  b.PreviewFor,
 	}, nil
 }

@@ -432,9 +394,8 @@ func (c *Client) PreviewACLHuJSONForUser(ctx context.Context, acl ACLHuJSON, use
 	}

 	return &ACLPreview{
-		Matches:  b.Matches,
-		User:     b.PreviewFor,
-		Postures: b.Postures,
+		Matches: b.Matches,
+		User:    b.PreviewFor,
 	}, nil
 }

@@ -458,9 +419,8 @@ func (c *Client) PreviewACLHuJSONForIPPort(ctx context.Context, acl ACLHuJSON, i
 	}

 	return &ACLPreview{
-		Matches:  b.Matches,
-		IPPort:   b.PreviewFor,
-		Postures: b.Postures,
+		Matches: b.Matches,
+		IPPort:  b.PreviewFor,
 	}, nil
 }

--- a/client/tailscale/apitype/apitype.go
+++ b/client/tailscale/apitype/apitype.go
@@ -49,11 +49,3 @@ type ReloadConfigResponse struct {
 	Reloaded bool   // whether the config was reloaded
 	Err      string // any error message
 }
-
-// ExitNodeSuggestionResponse is the response to a LocalAPI suggest-exit-node GET request.
-// It returns the StableNodeID, name, and location of a suggested exit node for the client making the request.
-type ExitNodeSuggestionResponse struct {
-	ID       tailcfg.StableNodeID
-	Name     string
-	Location tailcfg.LocationView `json:",omitempty"`
-}
--- a/client/tailscale/devices.go
+++ b/client/tailscale/devices.go
@@ -10,7 +10,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"log"
 	"net/http"
 	"net/url"

@@ -40,7 +39,6 @@ type Device struct {
 	// It's currently just 1 element, the 100.x.y.z Tailscale IP.
 	Addresses []string `json:"addresses"`
 	DeviceID  string   `json:"id"`
-	NodeID    string   `json:"nodeId"`
 	User      string   `json:"user"`
 	Name      string   `json:"name"`
 	Hostname  string   `json:"hostname"`
@@ -215,9 +213,6 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)
 	if err != nil {
 		return err
 	}
-
-	log.Printf("RESP: %di, path: %s", resp.StatusCode, path)
-
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -7,7 +7,6 @@ package tailscale

 import (
 	"bytes"
-	"cmp"
 	"context"
 	"crypto/tls"
 	"encoding/json"
@@ -28,7 +27,6 @@ import (

 	"go4.org/mem"
 	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/drive"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -39,6 +37,7 @@ import (
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
 	"tailscale.com/types/tkatype"
+	"tailscale.com/util/cmpx"
 )

 // defaultLocalClient is the default LocalClient when using the legacy
@@ -103,7 +102,7 @@ func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string)
 			return d.DialContext(ctx, "tcp", "127.0.0.1:"+strconv.Itoa(port))
 		}
 	}
-	return safesocket.ConnectContext(ctx, lc.socket())
+	return safesocket.Connect(lc.socket())
 }

 // DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
@@ -253,16 +252,11 @@ func (lc *LocalClient) sendWithHeaders(
 	}
 	if res.StatusCode != wantStatus {
 		err = fmt.Errorf("%v: %s", res.Status, bytes.TrimSpace(slurp))
-		return nil, nil, httpStatusError{bestError(err, slurp), res.StatusCode}
+		return nil, nil, bestError(err, slurp)
 	}
 	return slurp, res.Header, nil
 }

-type httpStatusError struct {
-	error
-	HTTPStatus int
-}
-
 func (lc *LocalClient) get200(ctx context.Context, path string) ([]byte, error) {
 	return lc.send(ctx, "GET", path, 200, nil)
 }
@@ -283,50 +277,9 @@ func decodeJSON[T any](b []byte) (ret T, err error) {
 }

 // WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
-//
-// If not found, the error is ErrPeerNotFound.
-//
-// For connections proxied by tailscaled, this looks up the owner of the given
-// address as TCP first, falling back to UDP; if you want to only check a
-// specific address family, use WhoIsProto.
 func (lc *LocalClient) WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
 	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
 	if err != nil {
-		if hs, ok := err.(httpStatusError); ok && hs.HTTPStatus == http.StatusNotFound {
-			return nil, ErrPeerNotFound
-		}
-		return nil, err
-	}
-	return decodeJSON[*apitype.WhoIsResponse](body)
-}
-
-// ErrPeerNotFound is returned by WhoIs and WhoIsNodeKey when a peer is not found.
-var ErrPeerNotFound = errors.New("peer not found")
-
-// WhoIsNodeKey returns the owner of the given wireguard public key.
-//
-// If not found, the error is ErrPeerNotFound.
-func (lc *LocalClient) WhoIsNodeKey(ctx context.Context, key key.NodePublic) (*apitype.WhoIsResponse, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(key.String()))
-	if err != nil {
-		if hs, ok := err.(httpStatusError); ok && hs.HTTPStatus == http.StatusNotFound {
-			return nil, ErrPeerNotFound
-		}
-		return nil, err
-	}
-	return decodeJSON[*apitype.WhoIsResponse](body)
-}
-
-// WhoIsProto returns the owner of the remoteAddr, which must be an IP or
-// IP:port, for the given protocol (tcp or udp).
-//
-// If not found, the error is ErrPeerNotFound.
-func (lc *LocalClient) WhoIsProto(ctx context.Context, proto, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/whois?proto="+url.QueryEscape(proto)+"&addr="+url.QueryEscape(remoteAddr))
-	if err != nil {
-		if hs, ok := err.(httpStatusError); ok && hs.HTTPStatus == http.StatusNotFound {
-			return nil, ErrPeerNotFound
-		}
 		return nil, err
 	}
 	return decodeJSON[*apitype.WhoIsResponse](body)
@@ -526,7 +479,7 @@ func (lc *LocalClient) DebugPortmap(ctx context.Context, opts *DebugPortmapOpts)
 		opts = &DebugPortmapOpts{}
 	}

-	vals.Set("duration", cmp.Or(opts.Duration, 5*time.Second).String())
+	vals.Set("duration", cmpx.Or(opts.Duration, 5*time.Second).String())
 	vals.Set("type", opts.Type)
 	vals.Set("log_http", strconv.FormatBool(opts.LogHTTP))

@@ -745,27 +698,6 @@ func (lc *LocalClient) CheckUDPGROForwarding(ctx context.Context) error {
 	return nil
 }

-// SetUDPGROForwarding enables UDP GRO forwarding for the main interface of this
-// node. This can be done to improve performance of tailnet nodes acting as exit
-// nodes or subnet routers.
-// See https://tailscale.com/kb/1320/performance-best-practices#linux-optimizations-for-subnet-routers-and-exit-nodes
-func (lc *LocalClient) SetUDPGROForwarding(ctx context.Context) error {
-	body, err := lc.get200(ctx, "/localapi/v0/set-udp-gro-forwarding")
-	if err != nil {
-		return err
-	}
-	var jres struct {
-		Warning string
-	}
-	if err := json.Unmarshal(body, &jres); err != nil {
-		return fmt.Errorf("invalid JSON from set-udp-gro-forwarding: %w", err)
-	}
-	if jres.Warning != "" {
-		return errors.New(jres.Warning)
-	}
-	return nil
-}
-
 // CheckPrefs validates the provided preferences, without making any changes.
 //
 // The CLI uses this before a Start call to fail fast if the preferences won't
@@ -845,17 +777,6 @@ func (lc *LocalClient) SetDNS(ctx context.Context, name, value string) error {
 //
 // The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
 func (lc *LocalClient) DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
-	return lc.UserDial(ctx, "tcp", host, port)
-}
-
-// UserDial connects to the host's port via Tailscale for the given network.
-//
-// The host may be a base DNS name (resolved from the netmap inside tailscaled),
-// a FQDN, or an IP address.
-//
-// The ctx is only used for the duration of the call, not the lifetime of the
-// net.Conn.
-func (lc *LocalClient) UserDial(ctx context.Context, network, host string, port uint16) (net.Conn, error) {
 	connCh := make(chan net.Conn, 1)
 	trace := httptrace.ClientTrace{
 		GotConn: func(info httptrace.GotConnInfo) {
@@ -868,11 +789,10 @@ func (lc *LocalClient) UserDial(ctx context.Context, network, host string, port
 		return nil, err
 	}
 	req.Header = http.Header{
-		"Upgrade":      []string{"ts-dial"},
-		"Connection":   []string{"upgrade"},
-		"Dial-Host":    []string{host},
-		"Dial-Port":    []string{fmt.Sprint(port)},
-		"Dial-Network": []string{network},
+		"Upgrade":    []string{"ts-dial"},
+		"Connection": []string{"upgrade"},
+		"Dial-Host":  []string{host},
+		"Dial-Port":  []string{fmt.Sprint(port)},
 	}
 	res, err := lc.DoLocalRequest(req)
 	if err != nil {
@@ -933,20 +853,7 @@ func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err e
 //
 // API maturity: this is considered a stable API.
 func (lc *LocalClient) CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	return lc.CertPairWithValidity(ctx, domain, 0)
-}
-
-// CertPairWithValidity returns a cert and private key for the provided DNS
-// domain.
-//
-// It returns a cached certificate from disk if it's still valid.
-// When minValidity is non-zero, the returned certificate will be valid for at
-// least the given duration, if permitted by the CA. If the certificate is
-// valid, but for less than minValidity, it will be synchronously renewed.
-//
-// API maturity: this is considered a stable API.
-func (lc *LocalClient) CertPairWithValidity(ctx context.Context, domain string, minValidity time.Duration) (certPEM, keyPEM []byte, err error) {
-	res, err := lc.send(ctx, "GET", fmt.Sprintf("/localapi/v0/cert/%s?type=pair&min_validity=%s", domain, minValidity), 200, nil)
+	res, err := lc.send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -1510,66 +1417,6 @@ func (lc *LocalClient) CheckUpdate(ctx context.Context) (*tailcfg.ClientVersion,
 	return &cv, nil
 }

-// SetUseExitNode toggles the use of an exit node on or off.
-// To turn it on, there must have been a previously used exit node.
-// The most previously used one is reused.
-// This is a convenience method for GUIs. To select an actual one, update the prefs.
-func (lc *LocalClient) SetUseExitNode(ctx context.Context, on bool) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/set-use-exit-node-enabled?enabled="+strconv.FormatBool(on), http.StatusOK, nil)
-	return err
-}
-
-// DriveSetServerAddr instructs Taildrive to use the server at addr to access
-// the filesystem. This is used on platforms like Windows and MacOS to let
-// Taildrive know to use the file server running in the GUI app.
-func (lc *LocalClient) DriveSetServerAddr(ctx context.Context, addr string) error {
-	_, err := lc.send(ctx, "PUT", "/localapi/v0/drive/fileserver-address", http.StatusCreated, strings.NewReader(addr))
-	return err
-}
-
-// DriveShareSet adds or updates the given share in the list of shares that
-// Taildrive will serve to remote nodes. If a share with the same name already
-// exists, the existing share is replaced/updated.
-func (lc *LocalClient) DriveShareSet(ctx context.Context, share *drive.Share) error {
-	_, err := lc.send(ctx, "PUT", "/localapi/v0/drive/shares", http.StatusCreated, jsonBody(share))
-	return err
-}
-
-// DriveShareRemove removes the share with the given name from the list of
-// shares that Taildrive will serve to remote nodes.
-func (lc *LocalClient) DriveShareRemove(ctx context.Context, name string) error {
-	_, err := lc.send(
-		ctx,
-		"DELETE",
-		"/localapi/v0/drive/shares",
-		http.StatusNoContent,
-		strings.NewReader(name))
-	return err
-}
-
-// DriveShareRename renames the share from old to new name.
-func (lc *LocalClient) DriveShareRename(ctx context.Context, oldName, newName string) error {
-	_, err := lc.send(
-		ctx,
-		"POST",
-		"/localapi/v0/drive/shares",
-		http.StatusNoContent,
-		jsonBody([2]string{oldName, newName}))
-	return err
-}
-
-// DriveShareList returns the list of shares that drive is currently serving
-// to remote nodes.
-func (lc *LocalClient) DriveShareList(ctx context.Context) ([]*drive.Share, error) {
-	result, err := lc.get200(ctx, "/localapi/v0/drive/shares")
-	if err != nil {
-		return nil, err
-	}
-	var shares []*drive.Share
-	err = json.Unmarshal(result, &shares)
-	return shares, err
-}
-
 // IPNBusWatcher is an active subscription (watch) of the local tailscaled IPN bus.
 // It's returned by LocalClient.WatchIPNBus.
 //
@@ -1606,12 +1453,3 @@ func (w *IPNBusWatcher) Next() (ipn.Notify, error) {
 	}
 	return n, nil
 }
-
-// SuggestExitNode requests an exit node suggestion and returns the exit node's details.
-func (lc *LocalClient) SuggestExitNode(ctx context.Context) (apitype.ExitNodeSuggestionResponse, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/suggest-exit-node")
-	if err != nil {
-		return apitype.ExitNodeSuggestionResponse{}, err
-	}
-	return decodeJSON[apitype.ExitNodeSuggestionResponse](body)
-}
--- a/client/tailscale/localclient_test.go
+++ b/client/tailscale/localclient_test.go
@@ -5,16 +5,7 @@

 package tailscale

-import (
-	"context"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"tailscale.com/tstest/deptest"
-	"tailscale.com/types/key"
-)
+import "testing"

 func TestGetServeConfigFromJSON(t *testing.T) {
 	sc, err := getServeConfigFromJSON([]byte("null"))
@@ -34,41 +25,3 @@ func TestGetServeConfigFromJSON(t *testing.T) {
 		t.Errorf("want non-nil TCP for object")
 	}
 }
-
-func TestWhoIsPeerNotFound(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(404)
-	}))
-	defer ts.Close()
-
-	lc := &LocalClient{
-		Dial: func(ctx context.Context, network, addr string) (net.Conn, error) {
-			var std net.Dialer
-			return std.DialContext(ctx, network, ts.Listener.Addr().(*net.TCPAddr).String())
-		},
-	}
-	var k key.NodePublic
-	if err := k.UnmarshalText([]byte("nodekey:5c8f86d5fc70d924e55f02446165a5dae8f822994ad26bcf4b08fd841f9bf261")); err != nil {
-		t.Fatal(err)
-	}
-	res, err := lc.WhoIsNodeKey(context.Background(), k)
-	if err != ErrPeerNotFound {
-		t.Errorf("got (%v, %v), want ErrPeerNotFound", res, err)
-	}
-	res, err = lc.WhoIs(context.Background(), "1.2.3.4:5678")
-	if err != ErrPeerNotFound {
-		t.Errorf("got (%v, %v), want ErrPeerNotFound", res, err)
-	}
-}
-
-func TestDeps(t *testing.T) {
-	deptest.DepChecker{
-		BadDeps: map[string]string{
-			// Make sure we don't again accidentally bring in a dependency on
-			// drive or its transitive dependencies
-			"testing":                        "do not use testing package in production code",
-			"tailscale.com/drive/driveimpl":  "https://github.com/tailscale/tailscale/pull/10631",
-			"github.com/studio-b12/gowebdav": "https://github.com/tailscale/tailscale/pull/10631",
-		},
-	}.Check(t)
-}
--- a/client/web/auth.go
+++ b/client/web/auth.go
@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"slices"
 	"strings"
 	"time"

@@ -223,7 +222,7 @@ func (s *Server) awaitUserAuth(ctx context.Context, session *browserSession) err

 func (s *Server) newSessionID() (string, error) {
 	raw := make([]byte, 16)
-	for range 5 {
+	for i := 0; i < 5; i++ {
 		if _, err := rand.Read(raw); err != nil {
 			return "", err
 		}
@@ -235,12 +234,7 @@ func (s *Server) newSessionID() (string, error) {
 	return "", errors.New("too many collisions generating new session; please refresh page")
 }

-// peerCapabilities holds information about what a source
-// peer is allowed to edit via the web UI.
-//
-// map value is true if the peer can edit the given feature.
-// Only capFeatures included in validCaps will be included.
-type peerCapabilities map[capFeature]bool
+type peerCapabilities map[capFeature]bool // value is true if the peer can edit the given feature

 // canEdit is true if the peerCapabilities grant edit access
 // to the given feature.
@@ -254,85 +248,39 @@ func (p peerCapabilities) canEdit(feature capFeature) bool {
 	return p[feature]
 }

-// isEmpty is true if p is either nil or has no capabilities
-// with value true.
-func (p peerCapabilities) isEmpty() bool {
-	if p == nil {
-		return true
-	}
-	for _, v := range p {
-		if v == true {
-			return false
-		}
-	}
-	return true
-}
-
 type capFeature string

 const (
 	// The following values should not be edited.
 	// New caps can be added, but existing ones should not be changed,
 	// as these exact values are used by users in tailnet policy files.
-	//
-	// IMPORTANT: When adding a new cap, also update validCaps slice below.

-	capFeatureAll       capFeature = "*"         // grants peer management of all features
-	capFeatureSSH       capFeature = "ssh"       // grants peer SSH server management
-	capFeatureSubnets   capFeature = "subnets"   // grants peer subnet routes management
-	capFeatureExitNodes capFeature = "exitnodes" // grants peer ability to advertise-as and use exit nodes
-	capFeatureAccount   capFeature = "account"   // grants peer ability to turn on auto updates and log out of node
+	capFeatureAll      capFeature = "*"        // grants peer management of all features
+	capFeatureFunnel   capFeature = "funnel"   // grants peer serve/funnel management
+	capFeatureSSH      capFeature = "ssh"      // grants peer SSH server management
+	capFeatureSubnet   capFeature = "subnet"   // grants peer subnet routes management
+	capFeatureExitNode capFeature = "exitnode" // grants peer ability to advertise-as and use exit nodes
+	capFeatureAccount  capFeature = "account"  // grants peer ability to turn on auto updates and log out of node
 )

-// validCaps contains the list of valid capabilities used in the web client.
-// Any capabilities included in a peer's grants that do not fall into this
-// list will be ignored.
-var validCaps []capFeature = []capFeature{
-	capFeatureAll,
-	capFeatureSSH,
-	capFeatureSubnets,
-	capFeatureExitNodes,
-	capFeatureAccount,
-}
-
 type capRule struct {
 	CanEdit []string `json:"canEdit,omitempty"` // list of features peer is allowed to edit
 }

 // toPeerCapabilities parses out the web ui capabilities from the
 // given whois response.
-func toPeerCapabilities(status *ipnstate.Status, whois *apitype.WhoIsResponse) (peerCapabilities, error) {
-	if whois == nil || status == nil {
-		return peerCapabilities{}, nil
-	}
-	if whois.Node.IsTagged() {
-		// We don't allow management *from* tagged nodes, so ignore caps.
-		// The web client auth flow relies on having a true user identity
-		// that can be verified through login.
-		return peerCapabilities{}, nil
-	}
-
-	if !status.Self.IsTagged() {
-		// User owned nodes are only ever manageable by the owner.
-		if status.Self.UserID != whois.UserProfile.ID {
-			return peerCapabilities{}, nil
-		} else {
-			return peerCapabilities{capFeatureAll: true}, nil // owner can edit all features
-		}
-	}
-
-	// For tagged nodes, we actually look at the granted capabilities.
+func toPeerCapabilities(whois *apitype.WhoIsResponse) (peerCapabilities, error) {
 	caps := peerCapabilities{}
+	if whois == nil {
+		return caps, nil
+	}
 	rules, err := tailcfg.UnmarshalCapJSON[capRule](whois.CapMap, tailcfg.PeerCapabilityWebUI)
 	if err != nil {
 		return nil, fmt.Errorf("failed to unmarshal capability: %v", err)
 	}
 	for _, c := range rules {
 		for _, f := range c.CanEdit {
-			cap := capFeature(strings.ToLower(f))
-			if slices.Contains(validCaps, cap) {
-				caps[cap] = true
-			}
+			caps[capFeature(strings.ToLower(f))] = true
 		}
 	}
 	return caps, nil
--- a/client/web/package.json
+++ b/client/web/package.json
@@ -3,10 +3,9 @@
  "version": "0.0.1",
  "license": "BSD-3-Clause",
  "engines": {
-    "node": "18.20.4",
+    "node": "18.16.1",
    "yarn": "1.22.19"
  },
-  "type": "module",
  "private": true,
  "dependencies": {
    "@radix-ui/react-collapsible": "^1.0.3",
@@ -20,28 +19,23 @@
    "zustand": "^4.4.7"
  },
  "devDependencies": {
-    "@types/node": "^18.16.1",
    "@types/react": "^18.0.20",
    "@types/react-dom": "^18.0.6",
-    "@vitejs/plugin-react-swc": "^3.6.0",
+    "@vitejs/plugin-react-swc": "^3.3.2",
    "autoprefixer": "^10.4.15",
    "eslint": "^8.23.1",
    "eslint-config-react-app": "^7.0.1",
-    "eslint-plugin-curly-quotes": "^1.0.4",
    "jsdom": "^23.0.1",
    "postcss": "^8.4.31",
    "prettier": "^2.5.1",
    "prettier-plugin-organize-imports": "^3.2.2",
    "tailwindcss": "^3.3.3",
-    "typescript": "^5.3.3",
-    "vite": "^5.1.7",
-    "vite-plugin-svgr": "^4.2.0",
+    "typescript": "^4.7.4",
+    "vite": "^4.3.9",
+    "vite-plugin-rewrite-all": "^1.0.1",
+    "vite-plugin-svgr": "^3.2.0",
    "vite-tsconfig-paths": "^3.5.0",
-    "vitest": "^1.3.1"
-  },
-  "resolutions": {
-    "@typescript-eslint/eslint-plugin": "^6.2.1",
-    "@typescript-eslint/parser": "^6.2.1"
+    "vitest": "^0.32.0"
  },
  "scripts": {
    "build": "vite build",
@@ -56,11 +50,9 @@
      "react-app"
    ],
    "plugins": [
-      "curly-quotes",
      "react-hooks"
    ],
    "rules": {
-      "curly-quotes/no-straight-quotes": "warn",
      "react-hooks/rules-of-hooks": "error",
      "react-hooks/exhaustive-deps": "error"
    },
--- a/client/web/src/components/address-copy-card.tsx
+++ b/client/web/src/components/address-copy-card.tsx
@@ -4,8 +4,8 @@
 import * as Primitive from "@radix-ui/react-popover"
 import cx from "classnames"
 import React, { useCallback } from "react"
-import ChevronDown from "src/assets/icons/chevron-down.svg?react"
-import Copy from "src/assets/icons/copy.svg?react"
+import { ReactComponent as ChevronDown } from "src/assets/icons/chevron-down.svg"
+import { ReactComponent as Copy } from "src/assets/icons/copy.svg"
 import NiceIP from "src/components/nice-ip"
 import useToaster from "src/hooks/toaster"
 import Button from "src/ui/button"
--- a/client/web/src/components/app.tsx
+++ b/client/web/src/components/app.tsx
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: BSD-3-Clause

 import React from "react"
-import TailscaleIcon from "src/assets/icons/tailscale-icon.svg?react"
+import { ReactComponent as TailscaleIcon } from "src/assets/icons/tailscale-icon.svg"
 import LoginToggle from "src/components/login-toggle"
 import DeviceDetailsView from "src/components/views/device-details-view"
 import DisconnectedView from "src/components/views/disconnected-view"
@@ -11,8 +11,8 @@ import LoginView from "src/components/views/login-view"
 import SSHView from "src/components/views/ssh-view"
 import SubnetRouterView from "src/components/views/subnet-router-view"
 import { UpdatingView } from "src/components/views/updating-view"
-import useAuth, { AuthResponse, canEdit } from "src/hooks/auth"
-import { Feature, NodeData, featureDescription } from "src/types"
+import useAuth, { AuthResponse } from "src/hooks/auth"
+import { Feature, featureDescription, NodeData } from "src/types"
 import Card from "src/ui/card"
 import EmptyState from "src/ui/empty-state"
 import LoadingDots from "src/ui/loading-dots"
@@ -56,19 +56,16 @@ function WebClient({
        <Header node={node} auth={auth} newSession={newSession} />
        <Switch>
          <Route path="/">
-            <HomeView node={node} auth={auth} />
+            <HomeView readonly={!auth.canManageNode} node={node} />
          </Route>
          <Route path="/details">
-            <DeviceDetailsView node={node} auth={auth} />
+            <DeviceDetailsView readonly={!auth.canManageNode} node={node} />
          </Route>
          <FeatureRoute path="/subnets" feature="advertise-routes" node={node}>
-            <SubnetRouterView
-              readonly={!canEdit("subnets", auth)}
-              node={node}
-            />
+            <SubnetRouterView readonly={!auth.canManageNode} node={node} />
          </FeatureRoute>
          <FeatureRoute path="/ssh" feature="ssh" node={node}>
-            <SSHView readonly={!canEdit("ssh", auth)} node={node} />
+            <SSHView readonly={!auth.canManageNode} node={node} />
          </FeatureRoute>
          {/* <Route path="/serve">Share local content</Route> */}
          <FeatureRoute path="/update" feature="auto-update" node={node}>
--- a/client/web/src/components/exit-node-selector.tsx
+++ b/client/web/src/components/exit-node-selector.tsx
@@ -4,8 +4,8 @@
 import cx from "classnames"
 import React, { useCallback, useEffect, useMemo, useRef, useState } from "react"
 import { useAPI } from "src/api"
-import Check from "src/assets/icons/check.svg?react"
-import ChevronDown from "src/assets/icons/chevron-down.svg?react"
+import { ReactComponent as Check } from "src/assets/icons/check.svg"
+import { ReactComponent as ChevronDown } from "src/assets/icons/chevron-down.svg"
 import useExitNodes, {
  noExitNode,
  runAsExitNode,
@@ -180,7 +180,7 @@ export default function ExitNodeSelector({
      )}
      {pending && (
        <p className="text-white p-3">
-          Pending approval to run as exit node. This device won’t be usable as
+          Pending approval to run as exit node. This device won't be usable as
          an exit node until then.
        </p>
      )}
--- a/client/web/src/components/login-toggle.tsx
+++ b/client/web/src/components/login-toggle.tsx
@@ -2,17 +2,15 @@
 // SPDX-License-Identifier: BSD-3-Clause

 import cx from "classnames"
-import React, { useCallback, useMemo, useState } from "react"
-import ChevronDown from "src/assets/icons/chevron-down.svg?react"
-import Eye from "src/assets/icons/eye.svg?react"
-import User from "src/assets/icons/user.svg?react"
-import { AuthResponse, hasAnyEditCapabilities } from "src/hooks/auth"
-import { useTSWebConnected } from "src/hooks/ts-web-connected"
+import React, { useCallback, useEffect, useState } from "react"
+import { ReactComponent as ChevronDown } from "src/assets/icons/chevron-down.svg"
+import { ReactComponent as Eye } from "src/assets/icons/eye.svg"
+import { ReactComponent as User } from "src/assets/icons/user.svg"
+import { AuthResponse, AuthType } from "src/hooks/auth"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
 import Popover from "src/ui/popover"
 import ProfilePic from "src/ui/profile-pic"
-import { assertNever, isHTTPS } from "src/utils/util"

 export default function LoginToggle({
  node,
@@ -24,29 +22,12 @@ export default function LoginToggle({
  newSession: () => Promise<void>
 }) {
  const [open, setOpen] = useState<boolean>(false)
-  const { tsWebConnected, checkTSWebConnection } = useTSWebConnected(
-    auth.serverMode,
-    node.IPv4
-  )

  return (
    <Popover
-      className="p-3 bg-white rounded-lg shadow flex flex-col max-w-[317px]"
+      className="p-3 bg-white rounded-lg shadow flex flex-col gap-2 max-w-[317px]"
      content={
-        auth.serverMode === "readonly" ? (
-          <ReadonlyModeContent auth={auth} />
-        ) : auth.serverMode === "login" ? (
-          <LoginModeContent
-            auth={auth}
-            node={node}
-            tsWebConnected={tsWebConnected}
-            checkTSWebConnection={checkTSWebConnection}
-          />
-        ) : auth.serverMode === "manage" ? (
-          <ManageModeContent auth={auth} node={node} newSession={newSession} />
-        ) : (
-          assertNever(auth.serverMode)
-        )
+        <LoginPopoverContent node={node} auth={auth} newSession={newSession} />
      }
      side="bottom"
      align="end"
@@ -54,303 +35,216 @@ export default function LoginToggle({
      onOpenChange={setOpen}
      asChild
    >
-      <div>
-        {auth.authorized ? (
-          <TriggerWhenManaging auth={auth} open={open} setOpen={setOpen} />
-        ) : (
-          <TriggerWhenReading auth={auth} open={open} setOpen={setOpen} />
-        )}
-      </div>
+      {!auth.canManageNode ? (
+        <button
+          className={cx(
+            "pl-3 py-1 bg-gray-700 rounded-full flex justify-start items-center h-[34px]",
+            { "pr-1": auth.viewerIdentity, "pr-3": !auth.viewerIdentity }
+          )}
+          onClick={() => setOpen(!open)}
+        >
+          <Eye />
+          <div className="text-white leading-snug ml-2 mr-1">Viewing</div>
+          <ChevronDown className="stroke-white w-[15px] h-[15px]" />
+          {auth.viewerIdentity && (
+            <ProfilePic
+              className="ml-2"
+              size="medium"
+              url={auth.viewerIdentity.profilePicUrl}
+            />
+          )}
+        </button>
+      ) : (
+        <div
+          className={cx(
+            "w-[34px] h-[34px] p-1 rounded-full justify-center items-center inline-flex hover:bg-gray-300",
+            {
+              "bg-transparent": !open,
+              "bg-gray-300": open,
+            }
+          )}
+        >
+          <button onClick={() => setOpen(!open)}>
+            <ProfilePic
+              size="medium"
+              url={auth.viewerIdentity?.profilePicUrl}
+            />
+          </button>
+        </div>
+      )}
    </Popover>
  )
 }

-/**
- * TriggerWhenManaging is displayed as the trigger for the login popover
- * when the user has an active authorized managment session.
- */
-function TriggerWhenManaging({
-  auth,
-  open,
-  setOpen,
-}: {
-  auth: AuthResponse
-  open: boolean
-  setOpen: (next: boolean) => void
-}) {
-  return (
-    <div
-      className={cx(
-        "w-[34px] h-[34px] p-1 rounded-full justify-center items-center inline-flex hover:bg-gray-300",
-        {
-          "bg-transparent": !open,
-          "bg-gray-300": open,
-        }
-      )}
-    >
-      <button onClick={() => setOpen(!open)}>
-        <ProfilePic size="medium" url={auth.viewerIdentity?.profilePicUrl} />
-      </button>
-    </div>
-  )
-}
-
-/**
- * TriggerWhenReading is displayed as the trigger for the login popover
- * when the user is currently in read mode (doesn't have an authorized
- * management session).
- */
-function TriggerWhenReading({
-  auth,
-  open,
-  setOpen,
-}: {
-  auth: AuthResponse
-  open: boolean
-  setOpen: (next: boolean) => void
-}) {
-  return (
-    <button
-      className={cx(
-        "pl-3 py-1 bg-gray-700 rounded-full flex justify-start items-center h-[34px]",
-        { "pr-1": auth.viewerIdentity, "pr-3": !auth.viewerIdentity }
-      )}
-      onClick={() => setOpen(!open)}
-    >
-      <Eye />
-      <div className="text-white leading-snug ml-2 mr-1">Viewing</div>
-      <ChevronDown className="stroke-white w-[15px] h-[15px]" />
-      {auth.viewerIdentity && (
-        <ProfilePic
-          className="ml-2"
-          size="medium"
-          url={auth.viewerIdentity.profilePicUrl}
-        />
-      )}
-    </button>
-  )
-}
-
-/**
- * PopoverContentHeader is the header for the login popover.
- */
-function PopoverContentHeader({ auth }: { auth: AuthResponse }) {
-  return (
-    <div className="text-black text-sm font-medium leading-tight mb-1">
-      {auth.authorized ? "Managing" : "Viewing"}
-      {auth.viewerIdentity && ` as ${auth.viewerIdentity.loginName}`}
-    </div>
-  )
-}
-
-/**
- * PopoverContentFooter is the footer for the login popover.
- */
-function PopoverContentFooter({ auth }: { auth: AuthResponse }) {
-  return auth.viewerIdentity ? (
-    <>
-      <hr className="my-2" />
-      <div className="flex items-center">
-        <User className="flex-shrink-0" />
-        <p className="text-gray-500 text-xs ml-2">
-          We recognize you because you are accessing this page from{" "}
-          <span className="font-medium">
-            {auth.viewerIdentity.nodeName || auth.viewerIdentity.nodeIP}
-          </span>
-        </p>
-      </div>
-    </>
-  ) : null
-}
-
-/**
- * ReadonlyModeContent is the body of the login popover when the web
- * client is being run in "readonly" server mode.
- */
-function ReadonlyModeContent({ auth }: { auth: AuthResponse }) {
-  return (
-    <>
-      <PopoverContentHeader auth={auth} />
-      <p className="text-gray-500 text-xs">
-        This web interface is running in read-only mode.{" "}
-        <a
-          href="https://tailscale.com/s/web-client-read-only"
-          className="text-blue-700"
-          target="_blank"
-          rel="noreferrer"
-        >
-          Learn more &rarr;
-        </a>
-      </p>
-      <PopoverContentFooter auth={auth} />
-    </>
-  )
-}
-
-/**
- * LoginModeContent is the body of the login popover when the web
- * client is being run in "login" server mode.
- */
-function LoginModeContent({
+function LoginPopoverContent({
  node,
-  auth,
-  tsWebConnected,
-  checkTSWebConnection,
-}: {
-  node: NodeData
-  auth: AuthResponse
-  tsWebConnected: boolean
-  checkTSWebConnection: () => void
-}) {
-  const https = isHTTPS()
-  // We can't run the ts web connection test when the webpage is loaded
-  // over HTTPS. So in this case, we default to presenting a login button
-  // with some helper text reminding the user to check their connection
-  // themselves.
-  const hasACLAccess = https || tsWebConnected
-
-  const hasEditCaps = useMemo(() => {
-    if (!auth.viewerIdentity) {
-      // If not connected to login client over tailscale, we won't know the viewer's
-      // identity. So we must assume they may be able to edit something and have the
-      // management client handle permissions once the user gets there.
-      return true
-    }
-    return hasAnyEditCapabilities(auth)
-  }, [auth])
-
-  const handleLogin = useCallback(() => {
-    // Must be connected over Tailscale to log in.
-    // Send user to Tailscale IP and start check mode
-    const manageURL = `http://${node.IPv4}:5252/?check=now`
-    if (window.self !== window.top) {
-      // If we're inside an iframe, open management client in new window.
-      window.open(manageURL, "_blank")
-    } else {
-      window.location.href = manageURL
-    }
-  }, [node.IPv4])
-
-  return (
-    <div
-      onMouseEnter={
-        hasEditCaps && !hasACLAccess ? checkTSWebConnection : undefined
-      }
-    >
-      <PopoverContentHeader auth={auth} />
-      {!hasACLAccess || !hasEditCaps ? (
-        <>
-          <p className="text-gray-500 text-xs">
-            {!hasEditCaps ? (
-              // ACLs allow access, but user isn't allowed to edit any features,
-              // restricted to readonly. No point in sending them over to the
-              // tailscaleIP:5252 address.
-              <>
-                You don’t have permission to make changes to this device, but
-                you can view most of its details.
-              </>
-            ) : !node.ACLAllowsAnyIncomingTraffic ? (
-              // Tailnet ACLs don't allow access to anyone.
-              <>
-                The current tailnet policy file does not allow connecting to
-                this device.
-              </>
-            ) : (
-              // ACLs don't allow access to this user specifically.
-              <>
-                Cannot access this device’s Tailscale IP. Make sure you are
-                connected to your tailnet, and that your policy file allows
-                access.
-              </>
-            )}{" "}
-            <a
-              href="https://tailscale.com/s/web-client-access"
-              className="text-blue-700"
-              target="_blank"
-              rel="noreferrer"
-            >
-              Learn more &rarr;
-            </a>
-          </p>
-        </>
-      ) : (
-        // User can connect to Tailcale IP; sign in when ready.
-        <>
-          <p className="text-gray-500 text-xs">
-            You can see most of this device’s details. To make changes, you need
-            to sign in.
-          </p>
-          {https && (
-            // we don't know if the user can connect over TS, so
-            // provide extra tips in case they have trouble.
-            <p className="text-gray-500 text-xs font-semibold pt-2">
-              Make sure you are connected to your tailnet, and that your policy
-              file allows access.
-            </p>
-          )}
-          <SignInButton auth={auth} onClick={handleLogin} />
-        </>
-      )}
-      <PopoverContentFooter auth={auth} />
-    </div>
-  )
-}
-
-/**
- * ManageModeContent is the body of the login popover when the web
- * client is being run in "manage" server mode.
- */
-function ManageModeContent({
  auth,
  newSession,
 }: {
  node: NodeData
  auth: AuthResponse
-  newSession: () => void
+  newSession: () => Promise<void>
 }) {
-  const handleLogin = useCallback(() => {
-    if (window.self !== window.top) {
-      // If we're inside an iframe, start session in new window.
-      let url = new URL(window.location.href)
-      url.searchParams.set("check", "now")
-      window.open(url, "_blank")
-    } else {
-      newSession()
-    }
-  }, [newSession])
+  /**
+   * canConnectOverTS indicates whether the current viewer
+   * is able to hit the node's web client that's being served
+   * at http://${node.IP}:5252. If false, this means that the
+   * viewer must connect to the correct tailnet before being
+   * able to sign in.
+   */
+  const [canConnectOverTS, setCanConnectOverTS] = useState<boolean>(false)
+  const [isRunningCheck, setIsRunningCheck] = useState<boolean>(false)

-  const hasAnyPermissions = useMemo(() => hasAnyEditCapabilities(auth), [auth])
+  // Whether the current page is loaded over HTTPS.
+  // If it is, then the connectivity check to the management client
+  // will fail with a mixed-content error.
+  const isHTTPS = window.location.protocol === "https:"
+
+  const checkTSConnection = useCallback(() => {
+    if (auth.viewerIdentity || isHTTPS) {
+      // Skip the connectivity check if we either already know we're connected over Tailscale,
+      // or know the connectivity check will fail because the current page is loaded over HTTPS.
+      setCanConnectOverTS(true)
+      return
+    }
+    // Otherwise, test connection to the ts IP.
+    if (isRunningCheck) {
+      return // already checking
+    }
+    setIsRunningCheck(true)
+    fetch(`http://${node.IPv4}:5252/ok`, { mode: "no-cors" })
+      .then(() => {
+        setCanConnectOverTS(true)
+        setIsRunningCheck(false)
+      })
+      .catch(() => setIsRunningCheck(false))
+  }, [auth.viewerIdentity, isRunningCheck, node.IPv4, isHTTPS])
+
+  /**
+   * Checking connection for first time on page load.
+   *
+   * While not connected, we check again whenever the mouse
+   * enters the popover component, to pick up on the user
+   * leaving to turn on Tailscale then returning to the view.
+   * See `onMouseEnter` on the div below.
+   */
+  // eslint-disable-next-line react-hooks/exhaustive-deps
+  useEffect(() => checkTSConnection(), [])
+
+  const handleSignInClick = useCallback(() => {
+    if (auth.viewerIdentity && auth.serverMode === "manage") {
+      if (window.self !== window.top) {
+        // if we're inside an iframe, start session in new window
+        let url = new URL(window.location.href)
+        url.searchParams.set("check", "now")
+        window.open(url, "_blank")
+      } else {
+        newSession()
+      }
+    } else {
+      // Must be connected over Tailscale to log in.
+      // Send user to Tailscale IP and start check mode
+      const manageURL = `http://${node.IPv4}:5252/?check=now`
+      if (window.self !== window.top) {
+        // if we're inside an iframe, open management client in new window
+        window.open(manageURL, "_blank")
+      } else {
+        window.location.href = manageURL
+      }
+    }
+  }, [auth.viewerIdentity, auth.serverMode, newSession, node.IPv4])

  return (
-    <>
-      <PopoverContentHeader auth={auth} />
-      {!auth.authorized &&
-        (hasAnyPermissions ? (
-          // User is connected over Tailscale, but needs to complete check mode.
-          <>
+    <div onMouseEnter={!canConnectOverTS ? checkTSConnection : undefined}>
+      <div className="text-black text-sm font-medium leading-tight mb-1">
+        {!auth.canManageNode ? "Viewing" : "Managing"}
+        {auth.viewerIdentity && ` as ${auth.viewerIdentity.loginName}`}
+      </div>
+      {!auth.canManageNode && (
+        <>
+          {!auth.viewerIdentity ? (
+            // User is not connected over Tailscale.
+            // These states are only possible on the login client.
+            <>
+              {!canConnectOverTS ? (
+                <>
+                  <p className="text-gray-500 text-xs">
+                    {!node.ACLAllowsAnyIncomingTraffic ? (
+                      // Tailnet ACLs don't allow access.
+                      <>
+                        The current tailnet policy file does not allow
+                        connecting to this device.
+                      </>
+                    ) : (
+                      // ACLs allow access, but user can't connect.
+                      <>
+                        Cannot access this device's Tailscale IP. Make sure you
+                        are connected to your tailnet, and that your policy file
+                        allows access.
+                      </>
+                    )}{" "}
+                    <a
+                      href="https://tailscale.com/s/web-client-connection"
+                      className="text-blue-700"
+                      target="_blank"
+                      rel="noreferrer"
+                    >
+                      Learn more &rarr;
+                    </a>
+                  </p>
+                </>
+              ) : (
+                // User can connect to Tailcale IP; sign in when ready.
+                <>
+                  <p className="text-gray-500 text-xs">
+                    You can see most of this device's details. To make changes,
+                    you need to sign in.
+                  </p>
+                  {isHTTPS && (
+                    // we don't know if the user can connect over TS, so
+                    // provide extra tips in case they have trouble.
+                    <p className="text-gray-500 text-xs font-semibold pt-2">
+                      Make sure you are connected to your tailnet, and that your
+                      policy file allows access.
+                    </p>
+                  )}
+                  <SignInButton auth={auth} onClick={handleSignInClick} />
+                </>
+              )}
+            </>
+          ) : auth.authNeeded === AuthType.tailscale ? (
+            // User is connected over Tailscale, but needs to complete check mode.
+            <>
+              <p className="text-gray-500 text-xs">
+                To make changes, sign in to confirm your identity. This extra
+                step helps us keep your device secure.
+              </p>
+              <SignInButton auth={auth} onClick={handleSignInClick} />
+            </>
+          ) : (
+            // User is connected over tailscale, but doesn't have permission to manage.
            <p className="text-gray-500 text-xs">
-              To make changes, sign in to confirm your identity. This extra step
-              helps us keep your device secure.
+              You don’t have permission to make changes to this device, but you
+              can view most of its details.
            </p>
-            <SignInButton auth={auth} onClick={handleLogin} />
-          </>
-        ) : (
-          // User is connected over tailscale, but doesn't have permission to manage.
-          <p className="text-gray-500 text-xs">
-            You don’t have permission to make changes to this device, but you
-            can view most of its details.{" "}
-            <a
-              href="https://tailscale.com/s/web-client-access"
-              className="text-blue-700"
-              target="_blank"
-              rel="noreferrer"
-            >
-              Learn more &rarr;
-            </a>
-          </p>
-        ))}
-      <PopoverContentFooter auth={auth} />
-    </>
+          )}
+        </>
+      )}
+      {auth.viewerIdentity && (
+        <>
+          <hr className="my-2" />
+          <div className="flex items-center">
+            <User className="flex-shrink-0" />
+            <p className="text-gray-500 text-xs ml-2">
+              We recognize you because you are accessing this page from{" "}
+              <span className="font-medium">
+                {auth.viewerIdentity.nodeName || auth.viewerIdentity.nodeIP}
+              </span>
+            </p>
+          </div>
+        </>
+      )}
+    </div>
  )
 }

--- a/client/web/src/components/update-available.tsx
+++ b/client/web/src/components/update-available.tsx
@@ -61,7 +61,7 @@ export function ChangelogText({ version }: { version?: string }) {
      <a href="https://tailscale.com/changelog/" className="link">
        release notes
      </a>{" "}
-      to find out what’s new!
+      to find out what's new!
    </>
  )
 }
--- a/client/web/src/components/views/device-details-view.tsx
+++ b/client/web/src/components/views/device-details-view.tsx
@@ -8,7 +8,6 @@ import ACLTag from "src/components/acl-tag"
 import * as Control from "src/components/control-components"
 import NiceIP from "src/components/nice-ip"
 import { UpdateAvailableNotification } from "src/components/update-available"
-import { AuthResponse, canEdit } from "src/hooks/auth"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
 import Card from "src/ui/card"
@@ -17,11 +16,11 @@ import QuickCopy from "src/ui/quick-copy"
 import { useLocation } from "wouter"

 export default function DeviceDetailsView({
+  readonly,
  node,
-  auth,
 }: {
+  readonly: boolean
  node: NodeData
-  auth: AuthResponse
 }) {
  return (
    <>
@@ -38,11 +37,11 @@ export default function DeviceDetailsView({
                })}
              />
            </div>
-            {canEdit("account", auth) && <DisconnectDialog />}
+            {!readonly && <DisconnectDialog />}
          </div>
        </Card>
        {node.Features["auto-update"] &&
-          canEdit("account", auth) &&
+          !readonly &&
          node.ClientVersion &&
          !node.ClientVersion.RunningLatest && (
            <UpdateAvailableNotification details={node.ClientVersion} />
--- a/client/web/src/components/views/disconnected-view.tsx
+++ b/client/web/src/components/views/disconnected-view.tsx
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: BSD-3-Clause

 import React from "react"
-import TailscaleIcon from "src/assets/icons/tailscale-icon.svg?react"
+import { ReactComponent as TailscaleIcon } from "src/assets/icons/tailscale-icon.svg"

 /**
 * DisconnectedView is rendered after node logout.
--- a/client/web/src/components/views/home-view.tsx
+++ b/client/web/src/components/views/home-view.tsx
@@ -4,22 +4,21 @@
 import cx from "classnames"
 import React, { useMemo } from "react"
 import { apiFetch } from "src/api"
-import ArrowRight from "src/assets/icons/arrow-right.svg?react"
-import Machine from "src/assets/icons/machine.svg?react"
+import { ReactComponent as ArrowRight } from "src/assets/icons/arrow-right.svg"
+import { ReactComponent as Machine } from "src/assets/icons/machine.svg"
 import AddressCard from "src/components/address-copy-card"
 import ExitNodeSelector from "src/components/exit-node-selector"
-import { AuthResponse, canEdit } from "src/hooks/auth"
 import { NodeData } from "src/types"
 import Card from "src/ui/card"
 import { pluralize } from "src/utils/util"
 import { Link, useLocation } from "wouter"

 export default function HomeView({
+  readonly,
  node,
-  auth,
 }: {
+  readonly: boolean
  node: NodeData
-  auth: AuthResponse
 }) {
  const [allSubnetRoutes, pendingSubnetRoutes] = useMemo(
    () => [
@@ -64,11 +63,7 @@ export default function HomeView({
        </div>
        {(node.Features["advertise-exit-node"] ||
          node.Features["use-exit-node"]) && (
-          <ExitNodeSelector
-            className="mb-5"
-            node={node}
-            disabled={!canEdit("exitnodes", auth)}
-          />
+          <ExitNodeSelector className="mb-5" node={node} disabled={readonly} />
        )}
        <Link
          className="link font-medium"
--- a/client/web/src/components/views/login-view.tsx
+++ b/client/web/src/components/views/login-view.tsx
@@ -3,7 +3,7 @@

 import React, { useState } from "react"
 import { useAPI } from "src/api"
-import TailscaleIcon from "src/assets/icons/tailscale-icon.svg?react"
+import { ReactComponent as TailscaleIcon } from "src/assets/icons/tailscale-icon.svg"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
 import Collapsible from "src/ui/collapsible"
@@ -41,7 +41,7 @@ export default function LoginView({ data }: { data: NodeData }) {
        <>
          <div className="mb-6">
            <p className="text-gray-700">
-              Your device’s key has expired. Reauthenticate this device by
+              Your device's key has expired. Reauthenticate this device by
              logging in again, or{" "}
              <a
                href="https://tailscale.com/kb/1028/key-expiry"
--- a/client/web/src/components/views/subnet-router-view.tsx
+++ b/client/web/src/components/views/subnet-router-view.tsx
@@ -4,9 +4,9 @@
 import cx from "classnames"
 import React, { useCallback, useMemo, useState } from "react"
 import { useAPI } from "src/api"
-import CheckCircle from "src/assets/icons/check-circle.svg?react"
-import Clock from "src/assets/icons/clock.svg?react"
-import Plus from "src/assets/icons/plus.svg?react"
+import { ReactComponent as CheckCircle } from "src/assets/icons/check-circle.svg"
+import { ReactComponent as Clock } from "src/assets/icons/clock.svg"
+import { ReactComponent as Plus } from "src/assets/icons/plus.svg"
 import * as Control from "src/components/control-components"
 import { NodeData } from "src/types"
 import Button from "src/ui/button"
--- a/client/web/src/components/views/updating-view.tsx
+++ b/client/web/src/components/views/updating-view.tsx
@@ -2,8 +2,8 @@
 // SPDX-License-Identifier: BSD-3-Clause

 import React from "react"
-import CheckCircleIcon from "src/assets/icons/check-circle.svg?react"
-import XCircleIcon from "src/assets/icons/x-circle.svg?react"
+import { ReactComponent as CheckCircleIcon } from "src/assets/icons/check-circle.svg"
+import { ReactComponent as XCircleIcon } from "src/assets/icons/x-circle.svg"
 import { ChangelogText } from "src/components/update-available"
 import { UpdateState, useInstallUpdate } from "src/hooks/self-update"
 import { VersionInfo } from "src/types"
@@ -35,7 +35,7 @@ export function UpdatingView({
            <Spinner size="sm" className="text-gray-400" />
            <h1 className="text-2xl m-3">Update in progress</h1>
            <p className="text-gray-400">
-              The update shouldn’t take more than a couple of minutes. Once it’s
+              The update shouldn't take more than a couple of minutes. Once it's
              completed, you will be asked to log in again.
            </p>
          </>
--- a/client/web/src/hooks/auth.ts
+++ b/client/web/src/hooks/auth.ts
@@ -4,50 +4,25 @@
 import { useCallback, useEffect, useState } from "react"
 import { apiFetch, setSynoToken } from "src/api"

+export enum AuthType {
+  synology = "synology",
+  tailscale = "tailscale",
+}
+
 export type AuthResponse = {
-  serverMode: AuthServerMode
-  authorized: boolean
+  authNeeded?: AuthType
+  canManageNode: boolean
+  serverMode: "login" | "manage"
  viewerIdentity?: {
    loginName: string
    nodeName: string
    nodeIP: string
    profilePicUrl?: string
-    capabilities: { [key in PeerCapability]: boolean }
  }
-  needsSynoAuth?: boolean
 }

-export type AuthServerMode = "login" | "readonly" | "manage"
-
-export type PeerCapability = "*" | "ssh" | "subnets" | "exitnodes" | "account"
-
-/**
- * canEdit reports whether the given auth response specifies that the viewer
- * has the ability to edit the given capability.
- */
-export function canEdit(cap: PeerCapability, auth: AuthResponse): boolean {
-  if (!auth.authorized || !auth.viewerIdentity) {
-    return false
-  }
-  if (auth.viewerIdentity.capabilities["*"] === true) {
-    return true // can edit all features
-  }
-  return auth.viewerIdentity.capabilities[cap] === true
-}
-
-/**
- * hasAnyEditCapabilities reports whether the given auth response specifies
- * that the viewer has at least one edit capability. If this is true, the
- * user is able to go through the auth flow to authenticate a management
- * session.
- */
-export function hasAnyEditCapabilities(auth: AuthResponse): boolean {
-  return Object.values(auth.viewerIdentity?.capabilities || {}).includes(true)
-}
-
-/**
- * useAuth reports and refreshes Tailscale auth status for the web client.
- */
+// useAuth reports and refreshes Tailscale auth status
+// for the web client.
 export default function useAuth() {
  const [data, setData] = useState<AuthResponse>()
  const [loading, setLoading] = useState<boolean>(true)
@@ -58,16 +33,18 @@ export default function useAuth() {
    return apiFetch<AuthResponse>("/auth", "GET")
      .then((d) => {
        setData(d)
-        if (d.needsSynoAuth) {
-          fetch("/webman/login.cgi")
-            .then((r) => r.json())
-            .then((a) => {
-              setSynoToken(a.SynoToken)
-              setRanSynoAuth(true)
-              setLoading(false)
-            })
-        } else {
-          setLoading(false)
+        switch (d.authNeeded) {
+          case AuthType.synology:
+            fetch("/webman/login.cgi")
+              .then((r) => r.json())
+              .then((a) => {
+                setSynoToken(a.SynoToken)
+                setRanSynoAuth(true)
+                setLoading(false)
+              })
+            break
+          default:
+            setLoading(false)
        }
        return d
      })
@@ -95,13 +72,8 @@ export default function useAuth() {

  useEffect(() => {
    loadAuth().then((d) => {
-      if (!d) {
-        return
-      }
      if (
-        !d.authorized &&
-        hasAnyEditCapabilities(d) &&
-        // Start auth flow immediately if browser has requested it.
+        !d?.canManageNode &&
        new URLSearchParams(window.location.search).get("check") === "now"
      ) {
        newSession()
--- a/client/web/src/hooks/ts-web-connected.ts
+++ b/client/web/src/hooks/ts-web-connected.ts
@@ -1,46 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-import { useCallback, useEffect, useState } from "react"
-import { isHTTPS } from "src/utils/util"
-import { AuthServerMode } from "./auth"
-
-/**
- * useTSWebConnected hook is used to check whether the browser is able to
- * connect to the web client served at http://${nodeIPv4}:5252
- */
-export function useTSWebConnected(mode: AuthServerMode, nodeIPv4: string) {
-  const [tsWebConnected, setTSWebConnected] = useState<boolean>(
-    mode === "manage" // browser already on the web client
-  )
-  const [isLoading, setIsLoading] = useState<boolean>(false)
-
-  const checkTSWebConnection = useCallback(() => {
-    if (mode === "manage") {
-      // Already connected to the web client.
-      setTSWebConnected(true)
-      return
-    }
-    if (isHTTPS()) {
-      // When page is loaded over HTTPS, the connectivity check will always
-      // fail with a mixed-content error. In this case don't bother doing
-      // the check.
-      return
-    }
-    if (isLoading) {
-      return // already checking
-    }
-    setIsLoading(true)
-    fetch(`http://${nodeIPv4}:5252/ok`, { mode: "no-cors" })
-      .then(() => {
-        setTSWebConnected(true)
-        setIsLoading(false)
-      })
-      .catch(() => setIsLoading(false))
-  }, [isLoading, mode, nodeIPv4])
-
-  // eslint-disable-next-line react-hooks/exhaustive-deps
-  useEffect(() => checkTSWebConnection(), []) // checking connection for first time on page load
-
-  return { tsWebConnected, checkTSWebConnection, isLoading }
-}
--- a/client/web/src/ui/collapsible.tsx
+++ b/client/web/src/ui/collapsible.tsx
@@ -3,7 +3,7 @@

 import * as Primitive from "@radix-ui/react-collapsible"
 import React, { useState } from "react"
-import ChevronDown from "src/assets/icons/chevron-down.svg?react"
+import { ReactComponent as ChevronDown } from "src/assets/icons/chevron-down.svg"

 type CollapsibleProps = {
  trigger?: string
--- a/client/web/src/ui/dialog.tsx
+++ b/client/web/src/ui/dialog.tsx
@@ -4,7 +4,7 @@
 import * as DialogPrimitive from "@radix-ui/react-dialog"
 import cx from "classnames"
 import React, { Component, ComponentProps, FormEvent } from "react"
-import X from "src/assets/icons/x.svg?react"
+import { ReactComponent as X } from "src/assets/icons/x.svg"
 import Button from "src/ui/button"
 import PortalContainerContext from "src/ui/portal-container-context"
 import { isObject } from "src/utils/util"
--- a/client/web/src/ui/search-input.tsx
+++ b/client/web/src/ui/search-input.tsx
@@ -3,7 +3,7 @@

 import cx from "classnames"
 import React, { forwardRef, InputHTMLAttributes } from "react"
-import Search from "src/assets/icons/search.svg?react"
+import { ReactComponent as Search } from "src/assets/icons/search.svg"

 type Props = {
  className?: string
--- a/client/web/src/ui/toaster.tsx
+++ b/client/web/src/ui/toaster.tsx
@@ -10,7 +10,7 @@ import React, {
  useState,
 } from "react"
 import { createPortal } from "react-dom"
-import X from "src/assets/icons/x.svg?react"
+import { ReactComponent as X } from "src/assets/icons/x.svg"
 import { noop } from "src/utils/util"
 import { create } from "zustand"
 import { shallow } from "zustand/shallow"
--- a/client/web/src/utils/util.ts
+++ b/client/web/src/utils/util.ts
@@ -49,10 +49,3 @@ export function isPromise<T = unknown>(val: unknown): val is Promise<T> {
  }
  return typeof val === "object" && "then" in val
 }
-
-/**
- * isHTTPS reports whether the current page is loaded over HTTPS.
- */
-export function isHTTPS() {
-  return window.location.protocol === "https:"
-}
--- a/client/web/tailwind.config.js
+++ b/client/web/tailwind.config.js
@@ -1,7 +1,7 @@
-import plugin from "tailwindcss/plugin"
-import styles from "./styles.json"
+const plugin = require("tailwindcss/plugin")
+const styles = require("./styles.json")

-const config = {
+module.exports = {
  theme: {
    screens: {
      sm: "420px",
@@ -96,22 +96,20 @@ const config = {
  plugins: [
    plugin(function ({ addVariant }) {
      addVariant("state-open", [
-        "&[data-state=“open”]",
-        "[data-state=“open”] &",
+        '&[data-state="open"]',
+        '[data-state="open"] &',
      ])
      addVariant("state-closed", [
-        "&[data-state=“closed”]",
-        "[data-state=“closed”] &",
+        '&[data-state="closed"]',
+        '[data-state="closed"] &',
      ])
      addVariant("state-delayed-open", [
-        "&[data-state=“delayed-open”]",
-        "[data-state=“delayed-open”] &",
+        '&[data-state="delayed-open"]',
+        '[data-state="delayed-open"] &',
      ])
-      addVariant("state-active", ["&[data-state=“active”]"])
-      addVariant("state-inactive", ["&[data-state=“inactive”]"])
+      addVariant("state-active", ['&[data-state="active"]'])
+      addVariant("state-inactive", ['&[data-state="inactive"]'])
    }),
  ],
  content: ["./src/**/*.html", "./src/**/*.{ts,tsx}", "./index.html"],
 }
-
-export default config
--- a/client/web/tsconfig.json
+++ b/client/web/tsconfig.json
@@ -5,7 +5,6 @@
    "module": "ES2020",
    "strict": true,
    "sourceMap": true,
-    "skipLibCheck": true,
    "isolatedModules": true,
    "moduleResolution": "node",
    "forceConsistentCasingInFileNames": true,
--- a/client/web/vite.config.ts
+++ b/client/web/vite.config.ts
@@ -1,5 +1,6 @@
 /// <reference types="vitest" />
 import { createLogger, defineConfig } from "vite"
+import rewrite from "vite-plugin-rewrite-all"
 import svgr from "vite-plugin-svgr"
 import paths from "vite-tsconfig-paths"

@@ -23,6 +24,11 @@ export default defineConfig({
  plugins: [
    paths(),
    svgr(),
+    // By default, the Vite dev server doesn't handle dots
+    // in path names and treats them as static files.
+    // This plugin changes Vite's routing logic to fix this.
+    // See: https://github.com/vitejs/vite/issues/2415
+    rewrite(),
  ],
  build: {
    outDir: "build",
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -95,14 +95,6 @@ const (
 	// In this mode, API calls are authenticated via platform auth.
 	LoginServerMode ServerMode = "login"

-	// ReadOnlyServerMode is identical to LoginServerMode,
-	// but does not present a login button to switch to manage mode,
-	// even if the management client is running and reachable.
-	//
-	// This is designed for platforms where the device is configured by other means,
-	// such as Home Assistant's declarative YAML configuration.
-	ReadOnlyServerMode ServerMode = "readonly"
-
 	// ManageServerMode serves a management client for editing tailscale
 	// settings of a node.
 	//
@@ -162,7 +154,7 @@ type ServerOpts struct {
 // and not the lifespan of the web server.
 func NewServer(opts ServerOpts) (s *Server, err error) {
 	switch opts.Mode {
-	case LoginServerMode, ReadOnlyServerMode, ManageServerMode:
+	case LoginServerMode, ManageServerMode:
 		// valid types
 	case "":
 		return nil, fmt.Errorf("must specify a Mode")
@@ -215,14 +207,10 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 	// The client is secured by limiting the interface it listens on,
 	// or by authenticating requests before they reach the web client.
 	csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
-	switch s.mode {
-	case LoginServerMode:
+	if s.mode == LoginServerMode {
 		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveLoginAPI))
 		metric = "web_login_client_initialization"
-	case ReadOnlyServerMode:
-		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveLoginAPI))
-		metric = "web_readonly_client_initialization"
-	case ManageServerMode:
+	} else {
 		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveAPI))
 		metric = "web_client_initialization"
 	}
@@ -445,188 +433,18 @@ func (s *Server) serveLoginAPI(w http.ResponseWriter, r *http.Request) {
 	}
 }

-type apiHandler[data any] struct {
-	s *Server
-	w http.ResponseWriter
-	r *http.Request
+type authType string

-	// permissionCheck allows for defining whether a requesting peer's
-	// capabilities grant them access to make the given data update.
-	// If permissionCheck reports false, the request fails as unauthorized.
-	permissionCheck func(data data, peer peerCapabilities) bool
-}
-
-// newHandler constructs a new api handler which restricts the given request
-// to the specified permission check. If the permission check fails for
-// the peer associated with the request, an unauthorized error is returned
-// to the client.
-func newHandler[data any](s *Server, w http.ResponseWriter, r *http.Request, permissionCheck func(data data, peer peerCapabilities) bool) *apiHandler[data] {
-	return &apiHandler[data]{
-		s:               s,
-		w:               w,
-		r:               r,
-		permissionCheck: permissionCheck,
-	}
-}
-
-// alwaysAllowed can be passed as the permissionCheck argument to newHandler
-// for requests that are always allowed to complete regardless of a peer's
-// capabilities.
-func alwaysAllowed[data any](_ data, _ peerCapabilities) bool { return true }
-
-func (a *apiHandler[data]) getPeer() (peerCapabilities, error) {
-	// TODO(tailscale/corp#16695,sonia): We also call StatusWithoutPeers and
-	// WhoIs when originally checking for a session from authorizeRequest.
-	// Would be nice if we could pipe those through to here so we don't end
-	// up having to re-call them to grab the peer capabilities.
-	status, err := a.s.lc.StatusWithoutPeers(a.r.Context())
-	if err != nil {
-		return nil, err
-	}
-	whois, err := a.s.lc.WhoIs(a.r.Context(), a.r.RemoteAddr)
-	if err != nil {
-		return nil, err
-	}
-	peer, err := toPeerCapabilities(status, whois)
-	if err != nil {
-		return nil, err
-	}
-	return peer, nil
-}
-
-type noBodyData any // empty type, for use from serveAPI for endpoints with empty body
-
-// handle runs the given handler if the source peer satisfies the
-// constraints for running this request.
-//
-// handle is expected for use when `data` type is empty, or set to
-// `noBodyData` in practice. For requests that expect JSON body data
-// to be attached, use handleJSON instead.
-func (a *apiHandler[data]) handle(h http.HandlerFunc) {
-	peer, err := a.getPeer()
-	if err != nil {
-		http.Error(a.w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	var body data // not used
-	if !a.permissionCheck(body, peer) {
-		http.Error(a.w, "not allowed", http.StatusUnauthorized)
-		return
-	}
-	h(a.w, a.r)
-}
-
-// handleJSON manages decoding the request's body JSON and passing
-// it on to the provided function if the source peer satisfies the
-// constraints for running this request.
-func (a *apiHandler[data]) handleJSON(h func(ctx context.Context, data data) error) {
-	defer a.r.Body.Close()
-	var body data
-	if err := json.NewDecoder(a.r.Body).Decode(&body); err != nil {
-		http.Error(a.w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	peer, err := a.getPeer()
-	if err != nil {
-		http.Error(a.w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	if !a.permissionCheck(body, peer) {
-		http.Error(a.w, "not allowed", http.StatusUnauthorized)
-		return
-	}
-
-	if err := h(a.r.Context(), body); err != nil {
-		http.Error(a.w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	a.w.WriteHeader(http.StatusOK)
-}
-
-// serveAPI serves requests for the web client api.
-// It should only be called by Server.ServeHTTP, via Server.apiHandler,
-// which protects the handler using gorilla csrf.
-func (s *Server) serveAPI(w http.ResponseWriter, r *http.Request) {
-	if r.Method == httpm.PATCH {
-		// Enforce that PATCH requests are always application/json.
-		if ct := r.Header.Get("Content-Type"); ct != "application/json" {
-			http.Error(w, "invalid request", http.StatusBadRequest)
-			return
-		}
-	}
-
-	w.Header().Set("X-CSRF-Token", csrf.Token(r))
-	path := strings.TrimPrefix(r.URL.Path, "/api")
-	switch {
-	case path == "/data" && r.Method == httpm.GET:
-		newHandler[noBodyData](s, w, r, alwaysAllowed).
-			handle(s.serveGetNodeData)
-		return
-	case path == "/exit-nodes" && r.Method == httpm.GET:
-		newHandler[noBodyData](s, w, r, alwaysAllowed).
-			handle(s.serveGetExitNodes)
-		return
-	case path == "/routes" && r.Method == httpm.POST:
-		peerAllowed := func(d postRoutesRequest, p peerCapabilities) bool {
-			if d.SetExitNode && !p.canEdit(capFeatureExitNodes) {
-				return false
-			} else if d.SetRoutes && !p.canEdit(capFeatureSubnets) {
-				return false
-			}
-			return true
-		}
-		newHandler[postRoutesRequest](s, w, r, peerAllowed).
-			handleJSON(s.servePostRoutes)
-		return
-	case path == "/device-details-click" && r.Method == httpm.POST:
-		newHandler[noBodyData](s, w, r, alwaysAllowed).
-			handle(s.serveDeviceDetailsClick)
-		return
-	case path == "/local/v0/logout" && r.Method == httpm.POST:
-		peerAllowed := func(_ noBodyData, peer peerCapabilities) bool {
-			return peer.canEdit(capFeatureAccount)
-		}
-		newHandler[noBodyData](s, w, r, peerAllowed).
-			handle(s.proxyRequestToLocalAPI)
-		return
-	case path == "/local/v0/prefs" && r.Method == httpm.PATCH:
-		peerAllowed := func(data maskedPrefs, peer peerCapabilities) bool {
-			if data.RunSSHSet && !peer.canEdit(capFeatureSSH) {
-				return false
-			}
-			return true
-		}
-		newHandler[maskedPrefs](s, w, r, peerAllowed).
-			handleJSON(s.serveUpdatePrefs)
-		return
-	case path == "/local/v0/update/check" && r.Method == httpm.GET:
-		newHandler[noBodyData](s, w, r, alwaysAllowed).
-			handle(s.proxyRequestToLocalAPI)
-		return
-	case path == "/local/v0/update/check" && r.Method == httpm.POST:
-		peerAllowed := func(_ noBodyData, peer peerCapabilities) bool {
-			return peer.canEdit(capFeatureAccount)
-		}
-		newHandler[noBodyData](s, w, r, peerAllowed).
-			handle(s.proxyRequestToLocalAPI)
-		return
-	case path == "/local/v0/update/progress" && r.Method == httpm.POST:
-		newHandler[noBodyData](s, w, r, alwaysAllowed).
-			handle(s.proxyRequestToLocalAPI)
-		return
-	case path == "/local/v0/upload-client-metrics" && r.Method == httpm.POST:
-		newHandler[noBodyData](s, w, r, alwaysAllowed).
-			handle(s.proxyRequestToLocalAPI)
-		return
-	}
-	http.Error(w, "invalid endpoint", http.StatusNotFound)
-}
+var (
+	synoAuth      authType = "synology"  // user needs a SynoToken for subsequent API calls
+	tailscaleAuth authType = "tailscale" // user needs to complete Tailscale check mode
+)

 type authResponse struct {
-	ServerMode     ServerMode      `json:"serverMode"`
-	Authorized     bool            `json:"authorized"` // has an authorized management session
+	AuthNeeded     authType        `json:"authNeeded,omitempty"` // filled when user needs to complete a specific type of auth
+	CanManageNode  bool            `json:"canManageNode"`
 	ViewerIdentity *viewerIdentity `json:"viewerIdentity,omitempty"`
-	NeedsSynoAuth  bool            `json:"needsSynoAuth,omitempty"`
+	ServerMode     ServerMode      `json:"serverMode"`
 }

 // viewerIdentity is the Tailscale identity of the source node
@@ -645,11 +463,9 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 	var resp authResponse
 	resp.ServerMode = s.mode
 	session, whois, status, sErr := s.getSession(r)
-	var caps peerCapabilities

 	if whois != nil {
-		var err error
-		caps, err = toPeerCapabilities(status, whois)
+		caps, err := toPeerCapabilities(whois)
 		if err != nil {
 			http.Error(w, sErr.Error(), http.StatusInternalServerError)
 			return
@@ -667,7 +483,7 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {

 	// First verify platform auth.
 	// If platform auth is needed, this should happen first.
-	if s.mode == LoginServerMode || s.mode == ReadOnlyServerMode {
+	if s.mode == LoginServerMode {
 		switch distro.Get() {
 		case distro.Synology:
 			authorized, err := authorizeSynology(r)
@@ -676,7 +492,7 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 				return
 			}
 			if !authorized {
-				resp.NeedsSynoAuth = true
+				resp.AuthNeeded = synoAuth
 				writeJSON(w, resp)
 				return
 			}
@@ -692,17 +508,21 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {

 	switch {
 	case sErr != nil && errors.Is(sErr, errNotUsingTailscale):
+		// Restricted to the readonly view, no auth action to take.
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_local", 1)
-		resp.Authorized = false // restricted to the readonly view
+		resp.AuthNeeded = ""
 	case sErr != nil && errors.Is(sErr, errNotOwner):
+		// Restricted to the readonly view, no auth action to take.
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_not_owner", 1)
-		resp.Authorized = false // restricted to the readonly view
+		resp.AuthNeeded = ""
 	case sErr != nil && errors.Is(sErr, errTaggedLocalSource):
+		// Restricted to the readonly view, no auth action to take.
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_local_tag", 1)
-		resp.Authorized = false // restricted to the readonly view
+		resp.AuthNeeded = ""
 	case sErr != nil && errors.Is(sErr, errTaggedRemoteSource):
+		// Restricted to the readonly view, no auth action to take.
 		s.lc.IncrementCounter(r.Context(), "web_client_viewing_remote_tag", 1)
-		resp.Authorized = false // restricted to the readonly view
+		resp.AuthNeeded = ""
 	case sErr != nil && !errors.Is(sErr, errNoSession):
 		// Any other error.
 		http.Error(w, sErr.Error(), http.StatusInternalServerError)
@@ -713,26 +533,16 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 		} else {
 			s.lc.IncrementCounter(r.Context(), "web_client_managing_remote", 1)
 		}
-		// User has a valid session. They're now authorized to edit if they
-		// have any edit capabilities. In practice, they won't be sent through
-		// the auth flow if they don't have edit caps, but their ACL granted
-		// permissions may change at any time. The frontend views and backend
-		// endpoints are always restricted to their current capabilities in
-		// addition to a valid session.
-		//
-		// But, we also check the caps here for a better user experience on
-		// the frontend login toggle, which uses resp.Authorized to display
-		// "viewing" vs "managing" copy. If they don't have caps, we want to
-		// display "viewing" even if they have a valid session.
-		resp.Authorized = !caps.isEmpty()
+		resp.CanManageNode = true
+		resp.AuthNeeded = ""
 	default:
+		// whois being nil implies local as the request did not come over Tailscale
 		if whois == nil || (whois.Node.StableID == status.Self.ID) {
-			// whois being nil implies local as the request did not come over Tailscale.
 			s.lc.IncrementCounter(r.Context(), "web_client_viewing_local", 1)
 		} else {
 			s.lc.IncrementCounter(r.Context(), "web_client_viewing_remote", 1)
 		}
-		resp.Authorized = false // not yet authorized
+		resp.AuthNeeded = tailscaleAuth
 	}

 	writeJSON(w, resp)
@@ -796,6 +606,32 @@ func (s *Server) serveAPIAuthSessionWait(w http.ResponseWriter, r *http.Request)
 	}
 }

+// serveAPI serves requests for the web client api.
+// It should only be called by Server.ServeHTTP, via Server.apiHandler,
+// which protects the handler using gorilla csrf.
+func (s *Server) serveAPI(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("X-CSRF-Token", csrf.Token(r))
+	path := strings.TrimPrefix(r.URL.Path, "/api")
+	switch {
+	case path == "/data" && r.Method == httpm.GET:
+		s.serveGetNodeData(w, r)
+		return
+	case path == "/exit-nodes" && r.Method == httpm.GET:
+		s.serveGetExitNodes(w, r)
+		return
+	case path == "/routes" && r.Method == httpm.POST:
+		s.servePostRoutes(w, r)
+		return
+	case path == "/device-details-click" && r.Method == httpm.POST:
+		s.serveDeviceDetailsClick(w, r)
+		return
+	case strings.HasPrefix(path, "/local/"):
+		s.proxyRequestToLocalAPI(w, r)
+		return
+	}
+	http.Error(w, "invalid endpoint", http.StatusNotFound)
+}
+
 type nodeData struct {
 	ID          tailcfg.StableNodeID
 	Status      string
@@ -1032,23 +868,6 @@ func (s *Server) serveGetExitNodes(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, exitNodes)
 }

-// maskedPrefs is the subset of ipn.MaskedPrefs that are
-// allowed to be editable via the web UI.
-type maskedPrefs struct {
-	RunSSHSet bool
-	RunSSH    bool
-}
-
-func (s *Server) serveUpdatePrefs(ctx context.Context, prefs maskedPrefs) error {
-	_, err := s.lc.EditPrefs(ctx, &ipn.MaskedPrefs{
-		RunSSHSet: prefs.RunSSHSet,
-		Prefs: ipn.Prefs{
-			RunSSH: prefs.RunSSH,
-		},
-	})
-	return err
-}
-
 type postRoutesRequest struct {
 	SetExitNode       bool // when set, UseExitNode and AdvertiseExitNode values are applied
 	SetRoutes         bool // when set, AdvertiseRoutes value is applied
@@ -1057,10 +876,18 @@ type postRoutesRequest struct {
 	AdvertiseRoutes   []string
 }

-func (s *Server) servePostRoutes(ctx context.Context, data postRoutesRequest) error {
-	prefs, err := s.lc.GetPrefs(ctx)
+func (s *Server) servePostRoutes(w http.ResponseWriter, r *http.Request) {
+	defer r.Body.Close()
+
+	var data postRoutesRequest
+	if err := json.NewDecoder(r.Body).Decode(&data); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	prefs, err := s.lc.GetPrefs(r.Context())
 	if err != nil {
-		return err
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
 	}
 	var currNonExitRoutes []string
 	var currAdvertisingExitNode bool
@@ -1083,7 +910,8 @@ func (s *Server) servePostRoutes(ctx context.Context, data postRoutesRequest) er
 	routesStr := strings.Join(data.AdvertiseRoutes, ",")
 	routes, err := netutil.CalcAdvertiseRoutes(routesStr, data.AdvertiseExitNode)
 	if err != nil {
-		return err
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
 	}

 	hasExitNodeRoute := func(all []netip.Prefix) bool {
@@ -1092,7 +920,8 @@ func (s *Server) servePostRoutes(ctx context.Context, data postRoutesRequest) er
 	}

 	if !data.UseExitNode.IsZero() && hasExitNodeRoute(routes) {
-		return errors.New("cannot use and advertise exit node at same time")
+		http.Error(w, "cannot use and advertise exit node at same time", http.StatusBadRequest)
+		return
 	}

 	// Make prefs update.
@@ -1104,8 +933,12 @@ func (s *Server) servePostRoutes(ctx context.Context, data postRoutesRequest) er
 			AdvertiseRoutes: routes,
 		},
 	}
-	_, err = s.lc.EditPrefs(ctx, p)
-	return err
+	if _, err := s.lc.EditPrefs(r.Context(), p); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
 }

 // tailscaleUp starts the daemon with the provided options.
@@ -1150,15 +983,7 @@ func (s *Server) tailscaleUp(ctx context.Context, st *ipnstate.Status, opt tails
 		if !isRunning {
 			ipnOptions := ipn.Options{AuthKey: opt.AuthKey}
 			if opt.ControlURL != "" {
-				_, err := s.lc.EditPrefs(ctx, &ipn.MaskedPrefs{
-					Prefs: ipn.Prefs{
-						ControlURL: opt.ControlURL,
-					},
-					ControlURLSet: true,
-				})
-				if err != nil {
-					s.logf("edit prefs: %v", err)
-				}
+				ipnOptions.UpdatePrefs = &ipn.Prefs{ControlURL: opt.ControlURL}
 			}
 			if err := s.lc.Start(ctx, ipnOptions); err != nil {
 				s.logf("start: %v", err)
@@ -1252,12 +1077,26 @@ func (s *Server) serveDeviceDetailsClick(w http.ResponseWriter, r *http.Request)
 //
 // The web API request path is expected to exactly match a localapi path,
 // with prefix /api/local/ rather than /localapi/.
+//
+// If the localapi path is not included in localapiAllowlist,
+// the request is rejected.
 func (s *Server) proxyRequestToLocalAPI(w http.ResponseWriter, r *http.Request) {
 	path := strings.TrimPrefix(r.URL.Path, "/api/local")
 	if r.URL.Path == path { // missing prefix
 		http.Error(w, "invalid request", http.StatusBadRequest)
 		return
 	}
+	if r.Method == httpm.PATCH {
+		// enforce that PATCH requests are always application/json
+		if ct := r.Header.Get("Content-Type"); ct != "application/json" {
+			http.Error(w, "invalid request", http.StatusBadRequest)
+			return
+		}
+	}
+	if !slices.Contains(localapiAllowlist, path) {
+		http.Error(w, fmt.Sprintf("%s not allowed from localapi proxy", path), http.StatusForbidden)
+		return
+	}

 	localAPIURL := "http://" + apitype.LocalAPIHost + "/localapi" + path
 	req, err := http.NewRequestWithContext(r.Context(), r.Method, localAPIURL, r.Body)
@@ -1282,6 +1121,21 @@ func (s *Server) proxyRequestToLocalAPI(w http.ResponseWriter, r *http.Request)
 	}
 }

+// localapiAllowlist is an allowlist of localapi endpoints the
+// web client is allowed to proxy to the client's localapi.
+//
+// Rather than exposing all localapi endpoints over the proxy,
+// this limits to just the ones actually used from the web
+// client frontend.
+var localapiAllowlist = []string{
+	"/v0/logout",
+	"/v0/prefs",
+	"/v0/update/check",
+	"/v0/update/install",
+	"/v0/update/progress",
+	"/v0/upload-client-metrics",
+}
+
 // csrfKey returns a key that can be used for CSRF protection.
 // If an error occurs during key creation, the error is logged and the active process terminated.
 // If the server is running in CGI mode, the key is cached to disk and reused between requests.
--- a/client/web/web_test.go
+++ b/client/web/web_test.go
@@ -4,7 +4,6 @@
 package web

 import (
-	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
@@ -87,172 +86,75 @@ func TestQnapAuthnURL(t *testing.T) {

 // TestServeAPI tests the web client api's handling of
 //  1. invalid endpoint errors
-//  2. permissioning of api endpoints based on node capabilities
+//  2. localapi proxy allowlist
 func TestServeAPI(t *testing.T) {
-	selfTags := views.SliceOf([]string{"tag:server"})
-	self := &ipnstate.PeerStatus{ID: "self", Tags: &selfTags}
-	prefs := &ipn.Prefs{}
-
-	remoteUser := &tailcfg.UserProfile{ID: tailcfg.UserID(1)}
-	remoteIPWithAllCapabilities := "100.100.100.101"
-	remoteIPWithNoCapabilities := "100.100.100.102"
-
 	lal := memnet.Listen("local-tailscaled.sock:80")
 	defer lal.Close()
-	localapi := mockLocalAPI(t,
-		map[string]*apitype.WhoIsResponse{
-			remoteIPWithAllCapabilities: {
-				Node:        &tailcfg.Node{StableID: "node1"},
-				UserProfile: remoteUser,
-				CapMap:      tailcfg.PeerCapMap{tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{"{\"canEdit\":[\"*\"]}"}},
-			},
-			remoteIPWithNoCapabilities: {
-				Node:        &tailcfg.Node{StableID: "node2"},
-				UserProfile: remoteUser,
-			},
-		},
-		func() *ipnstate.PeerStatus { return self },
-		func() *ipn.Prefs { return prefs },
-		nil,
-	)
+	// Serve dummy localapi. Just returns "success".
+	localapi := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "success")
+	})}
 	defer localapi.Close()
+
 	go localapi.Serve(lal)
-
-	s := &Server{
-		mode:    ManageServerMode,
-		lc:      &tailscale.LocalClient{Dial: lal.Dial},
-		timeNow: time.Now,
-	}
-
-	type requestTest struct {
-		remoteIP     string
-		wantResponse string
-		wantStatus   int
-	}
+	s := &Server{lc: &tailscale.LocalClient{Dial: lal.Dial}}

 	tests := []struct {
-		reqPath        string
+		name           string
 		reqMethod      string
+		reqPath        string
 		reqContentType string
-		reqBody        string
-		tests          []requestTest
+		wantResp       string
+		wantStatus     int
 	}{{
-		reqPath:   "/not-an-endpoint",
-		reqMethod: httpm.POST,
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "invalid endpoint",
-			wantStatus:   http.StatusNotFound,
-		}, {
-			remoteIP:     remoteIPWithAllCapabilities,
-			wantResponse: "invalid endpoint",
-			wantStatus:   http.StatusNotFound,
-		}},
+		name:       "invalid_endpoint",
+		reqMethod:  httpm.POST,
+		reqPath:    "/not-an-endpoint",
+		wantResp:   "invalid endpoint",
+		wantStatus: http.StatusNotFound,
 	}, {
-		reqPath:   "/local/v0/not-an-endpoint",
-		reqMethod: httpm.POST,
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "invalid endpoint",
-			wantStatus:   http.StatusNotFound,
-		}, {
-			remoteIP:     remoteIPWithAllCapabilities,
-			wantResponse: "invalid endpoint",
-			wantStatus:   http.StatusNotFound,
-		}},
+		name:       "not_in_localapi_allowlist",
+		reqMethod:  httpm.POST,
+		reqPath:    "/local/v0/not-allowlisted",
+		wantResp:   "/v0/not-allowlisted not allowed from localapi proxy",
+		wantStatus: http.StatusForbidden,
 	}, {
-		reqPath:   "/local/v0/logout",
-		reqMethod: httpm.POST,
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "not allowed", // requesting node has insufficient permissions
-			wantStatus:   http.StatusUnauthorized,
-		}, {
-			remoteIP:     remoteIPWithAllCapabilities,
-			wantResponse: "success", // requesting node has sufficient permissions
-			wantStatus:   http.StatusOK,
-		}},
+		name:       "in_localapi_allowlist",
+		reqMethod:  httpm.POST,
+		reqPath:    "/local/v0/logout",
+		wantResp:   "success", // Successfully allowed to hit localapi.
+		wantStatus: http.StatusOK,
 	}, {
-		reqPath:   "/exit-nodes",
-		reqMethod: httpm.GET,
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "null",
-			wantStatus:   http.StatusOK, // allowed, no additional capabilities required
-		}, {
-			remoteIP:     remoteIPWithAllCapabilities,
-			wantResponse: "null",
-			wantStatus:   http.StatusOK,
-		}},
-	}, {
-		reqPath:   "/routes",
-		reqMethod: httpm.POST,
-		reqBody:   "{\"setExitNode\":true}",
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "not allowed",
-			wantStatus:   http.StatusUnauthorized,
-		}, {
-			remoteIP:   remoteIPWithAllCapabilities,
-			wantStatus: http.StatusOK,
-		}},
-	}, {
-		reqPath:        "/local/v0/prefs",
+		name:           "patch_bad_contenttype",
 		reqMethod:      httpm.PATCH,
-		reqBody:        "{\"runSSHSet\":true}",
-		reqContentType: "application/json",
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "not allowed",
-			wantStatus:   http.StatusUnauthorized,
-		}, {
-			remoteIP:   remoteIPWithAllCapabilities,
-			wantStatus: http.StatusOK,
-		}},
-	}, {
 		reqPath:        "/local/v0/prefs",
-		reqMethod:      httpm.PATCH,
 		reqContentType: "multipart/form-data",
-		tests: []requestTest{{
-			remoteIP:     remoteIPWithNoCapabilities,
-			wantResponse: "invalid request",
-			wantStatus:   http.StatusBadRequest,
-		}, {
-			remoteIP:     remoteIPWithAllCapabilities,
-			wantResponse: "invalid request",
-			wantStatus:   http.StatusBadRequest,
-		}},
+		wantResp:       "invalid request",
+		wantStatus:     http.StatusBadRequest,
 	}}
 	for _, tt := range tests {
-		for _, req := range tt.tests {
-			t.Run(req.remoteIP+"_requesting_"+tt.reqPath, func(t *testing.T) {
-				var reqBody io.Reader
-				if tt.reqBody != "" {
-					reqBody = bytes.NewBuffer([]byte(tt.reqBody))
-				}
-				r := httptest.NewRequest(tt.reqMethod, "/api"+tt.reqPath, reqBody)
-				r.RemoteAddr = req.remoteIP
-				if tt.reqContentType != "" {
-					r.Header.Add("Content-Type", tt.reqContentType)
-				}
-				w := httptest.NewRecorder()
+		t.Run(tt.name, func(t *testing.T) {
+			r := httptest.NewRequest(tt.reqMethod, "/api"+tt.reqPath, nil)
+			if tt.reqContentType != "" {
+				r.Header.Add("Content-Type", tt.reqContentType)
+			}
+			w := httptest.NewRecorder()

-				s.serveAPI(w, r)
-				res := w.Result()
-				defer res.Body.Close()
-				if gotStatus := res.StatusCode; req.wantStatus != gotStatus {
-					t.Errorf("wrong status; want=%v, got=%v", req.wantStatus, gotStatus)
-				}
-				body, err := io.ReadAll(res.Body)
-				if err != nil {
-					t.Fatal(err)
-				}
-				gotResp := strings.TrimSuffix(string(body), "\n") // trim trailing newline
-				if req.wantResponse != gotResp {
-					t.Errorf("wrong response; want=%q, got=%q", req.wantResponse, gotResp)
-				}
-			})
-		}
+			s.serveAPI(w, r)
+			res := w.Result()
+			defer res.Body.Close()
+			if gotStatus := res.StatusCode; tt.wantStatus != gotStatus {
+				t.Errorf("wrong status; want=%v, got=%v", tt.wantStatus, gotStatus)
+			}
+			body, err := io.ReadAll(res.Body)
+			if err != nil {
+				t.Fatal(err)
+			}
+			gotResp := strings.TrimSuffix(string(body), "\n") // trim trailing newline
+			if tt.wantResp != gotResp {
+				t.Errorf("wrong response; want=%q, got=%q", tt.wantResp, gotResp)
+			}
+		})
 	}
 }

@@ -548,7 +450,7 @@ func TestServeAuth(t *testing.T) {
 		NodeName:      remoteNode.Node.Name,
 		NodeIP:        remoteIP,
 		ProfilePicURL: user.ProfilePicURL,
-		Capabilities:  peerCapabilities{capFeatureAll: true},
+		Capabilities:  peerCapabilities{},
 	}

 	testControlURL := &defaultControlURL
@@ -622,7 +524,7 @@ func TestServeAuth(t *testing.T) {
 			name:          "no-session",
 			path:          "/api/auth",
 			wantStatus:    http.StatusOK,
-			wantResp:      &authResponse{ViewerIdentity: vi, ServerMode: ManageServerMode},
+			wantResp:      &authResponse{AuthNeeded: tailscaleAuth, ViewerIdentity: vi, ServerMode: ManageServerMode},
 			wantNewCookie: false,
 			wantSession:   nil,
 		},
@@ -647,7 +549,7 @@ func TestServeAuth(t *testing.T) {
 			path:       "/api/auth",
 			cookie:     successCookie,
 			wantStatus: http.StatusOK,
-			wantResp:   &authResponse{ViewerIdentity: vi, ServerMode: ManageServerMode},
+			wantResp:   &authResponse{AuthNeeded: tailscaleAuth, ViewerIdentity: vi, ServerMode: ManageServerMode},
 			wantSession: &browserSession{
 				ID:            successCookie,
 				SrcNode:       remoteNode.Node.ID,
@@ -695,7 +597,7 @@ func TestServeAuth(t *testing.T) {
 			path:       "/api/auth",
 			cookie:     successCookie,
 			wantStatus: http.StatusOK,
-			wantResp:   &authResponse{Authorized: true, ViewerIdentity: vi, ServerMode: ManageServerMode},
+			wantResp:   &authResponse{CanManageNode: true, ViewerIdentity: vi, ServerMode: ManageServerMode},
 			wantSession: &browserSession{
 				ID:            successCookie,
 				SrcNode:       remoteNode.Node.ID,
@@ -1197,56 +1099,20 @@ func TestRequireTailscaleIP(t *testing.T) {
 }

 func TestPeerCapabilities(t *testing.T) {
-	userOwnedStatus := &ipnstate.Status{Self: &ipnstate.PeerStatus{UserID: tailcfg.UserID(1)}}
-	tags := views.SliceOf[string]([]string{"tag:server"})
-	tagOwnedStatus := &ipnstate.Status{Self: &ipnstate.PeerStatus{Tags: &tags}}
-
 	// Testing web.toPeerCapabilities
 	toPeerCapsTests := []struct {
 		name     string
-		status   *ipnstate.Status
 		whois    *apitype.WhoIsResponse
 		wantCaps peerCapabilities
 	}{
 		{
 			name:     "empty-whois",
-			status:   userOwnedStatus,
 			whois:    nil,
 			wantCaps: peerCapabilities{},
 		},
 		{
-			name:   "user-owned-node-non-owner-caps-ignored",
-			status: userOwnedStatus,
+			name: "no-webui-caps",
 			whois: &apitype.WhoIsResponse{
-				UserProfile: &tailcfg.UserProfile{ID: tailcfg.UserID(2)},
-				Node:        &tailcfg.Node{ID: tailcfg.NodeID(1)},
-				CapMap: tailcfg.PeerCapMap{
-					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
-					},
-				},
-			},
-			wantCaps: peerCapabilities{},
-		},
-		{
-			name:   "user-owned-node-owner-caps-ignored",
-			status: userOwnedStatus,
-			whois: &apitype.WhoIsResponse{
-				UserProfile: &tailcfg.UserProfile{ID: tailcfg.UserID(1)},
-				Node:        &tailcfg.Node{ID: tailcfg.NodeID(1)},
-				CapMap: tailcfg.PeerCapMap{
-					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
-					},
-				},
-			},
-			wantCaps: peerCapabilities{capFeatureAll: true}, // should just have wildcard
-		},
-		{
-			name:   "tag-owned-no-webui-caps",
-			status: tagOwnedStatus,
-			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityDebugPeer: []tailcfg.RawMessage{},
 				},
@@ -1254,74 +1120,66 @@ func TestPeerCapabilities(t *testing.T) {
 			wantCaps: peerCapabilities{},
 		},
 		{
-			name:   "tag-owned-one-webui-cap",
-			status: tagOwnedStatus,
+			name: "one-webui-cap",
 			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
+						"{\"canEdit\":[\"ssh\",\"subnet\"]}",
 					},
 				},
 			},
 			wantCaps: peerCapabilities{
-				capFeatureSSH:     true,
-				capFeatureSubnets: true,
+				capFeatureSSH:    true,
+				capFeatureSubnet: true,
 			},
 		},
 		{
-			name:   "tag-owned-multiple-webui-cap",
-			status: tagOwnedStatus,
+			name: "multiple-webui-cap",
 			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
-						"{\"canEdit\":[\"subnets\",\"exitnodes\",\"*\"]}",
+						"{\"canEdit\":[\"ssh\",\"subnet\"]}",
+						"{\"canEdit\":[\"subnet\",\"exitnode\",\"*\"]}",
 					},
 				},
 			},
 			wantCaps: peerCapabilities{
-				capFeatureSSH:       true,
-				capFeatureSubnets:   true,
-				capFeatureExitNodes: true,
-				capFeatureAll:       true,
+				capFeatureSSH:      true,
+				capFeatureSubnet:   true,
+				capFeatureExitNode: true,
+				capFeatureAll:      true,
 			},
 		},
 		{
-			name:   "tag-owned-case-insensitive-caps",
-			status: tagOwnedStatus,
+			name: "case=insensitive-caps",
 			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"SSH\",\"sUBnets\"]}",
+						"{\"canEdit\":[\"SSH\",\"sUBnet\"]}",
 					},
 				},
 			},
 			wantCaps: peerCapabilities{
-				capFeatureSSH:     true,
-				capFeatureSubnets: true,
+				capFeatureSSH:    true,
+				capFeatureSubnet: true,
 			},
 		},
 		{
-			name:   "tag-owned-random-canEdit-contents-get-dropped",
-			status: tagOwnedStatus,
+			name: "random-canEdit-contents-dont-error",
 			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
 						"{\"canEdit\":[\"unknown-feature\"]}",
 					},
 				},
 			},
-			wantCaps: peerCapabilities{},
+			wantCaps: peerCapabilities{
+				"unknown-feature": true,
+			},
 		},
 		{
-			name:   "tag-owned-no-canEdit-section",
-			status: tagOwnedStatus,
+			name: "no-canEdit-section",
 			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1)},
 				CapMap: tailcfg.PeerCapMap{
 					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
 						"{\"canDoSomething\":[\"*\"]}",
@@ -1330,23 +1188,10 @@ func TestPeerCapabilities(t *testing.T) {
 			},
 			wantCaps: peerCapabilities{},
 		},
-		{
-			name:   "tagged-source-caps-ignored",
-			status: tagOwnedStatus,
-			whois: &apitype.WhoIsResponse{
-				Node: &tailcfg.Node{ID: tailcfg.NodeID(1), Tags: tags.AsSlice()},
-				CapMap: tailcfg.PeerCapMap{
-					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnets\"]}",
-					},
-				},
-			},
-			wantCaps: peerCapabilities{},
-		},
 	}
 	for _, tt := range toPeerCapsTests {
 		t.Run("toPeerCapabilities-"+tt.name, func(t *testing.T) {
-			got, err := toPeerCapabilities(tt.status, tt.whois)
+			got, err := toPeerCapabilities(tt.whois)
 			if err != nil {
 				t.Fatalf("unexpected: %v", err)
 			}
@@ -1366,33 +1211,36 @@ func TestPeerCapabilities(t *testing.T) {
 			name: "empty-caps",
 			caps: nil,
 			wantCanEdit: map[capFeature]bool{
-				capFeatureAll:       false,
-				capFeatureSSH:       false,
-				capFeatureSubnets:   false,
-				capFeatureExitNodes: false,
-				capFeatureAccount:   false,
+				capFeatureAll:      false,
+				capFeatureFunnel:   false,
+				capFeatureSSH:      false,
+				capFeatureSubnet:   false,
+				capFeatureExitNode: false,
+				capFeatureAccount:  false,
 			},
 		},
 		{
 			name: "some-caps",
 			caps: peerCapabilities{capFeatureSSH: true, capFeatureAccount: true},
 			wantCanEdit: map[capFeature]bool{
-				capFeatureAll:       false,
-				capFeatureSSH:       true,
-				capFeatureSubnets:   false,
-				capFeatureExitNodes: false,
-				capFeatureAccount:   true,
+				capFeatureAll:      false,
+				capFeatureFunnel:   false,
+				capFeatureSSH:      true,
+				capFeatureSubnet:   false,
+				capFeatureExitNode: false,
+				capFeatureAccount:  true,
 			},
 		},
 		{
 			name: "wildcard-in-caps",
 			caps: peerCapabilities{capFeatureAll: true, capFeatureAccount: true},
 			wantCanEdit: map[capFeature]bool{
-				capFeatureAll:       true,
-				capFeatureSSH:       true,
-				capFeatureSubnets:   true,
-				capFeatureExitNodes: true,
-				capFeatureAccount:   true,
+				capFeatureAll:      true,
+				capFeatureFunnel:   true,
+				capFeatureSSH:      true,
+				capFeatureSubnet:   true,
+				capFeatureExitNode: true,
+				capFeatureAccount:  true,
 			},
 		},
 	}
@@ -1453,9 +1301,6 @@ func mockLocalAPI(t *testing.T, whoIs map[string]*apitype.WhoIsResponse, self fu
 			metricCapture(metricNames[0].Name)
 			writeJSON(w, struct{}{})
 			return
-		case "/localapi/v0/logout":
-			fmt.Fprintf(w, "success")
-			return
 		default:
 			t.Fatalf("unhandled localapi test endpoint %q, add to localapi handler func in test", r.URL.Path)
 		}
--- a/client/web/yarn.lock
+++ b/client/web/yarn.lock
--- a/clientupdate/clientupdate.go
+++ b/clientupdate/clientupdate.go
@@ -37,18 +37,11 @@ import (
 )

 const (
+	CurrentTrack  = ""
 	StableTrack   = "stable"
 	UnstableTrack = "unstable"
 )

-var CurrentTrack = func() string {
-	if version.IsUnstableBuild() {
-		return UnstableTrack
-	} else {
-		return StableTrack
-	}
-}()
-
 func versionToTrack(v string) (string, error) {
 	_, rest, ok := strings.Cut(v, ".")
 	if !ok {
@@ -113,7 +106,7 @@ func (args Arguments) validate() error {
 		return fmt.Errorf("only one of Version(%q) or Track(%q) can be set", args.Version, args.Track)
 	}
 	switch args.Track {
-	case StableTrack, UnstableTrack, "":
+	case StableTrack, UnstableTrack, CurrentTrack:
 		// All valid values.
 	default:
 		return fmt.Errorf("unsupported track %q", args.Track)
@@ -126,17 +119,11 @@ type Updater struct {
 	// Update is a platform-specific method that updates the installation. May be
 	// nil (not all platforms support updates from within Tailscale).
 	Update func() error
-
-	// currentVersion is the short form of the current client version as
-	// returned by version.Short(), typically "x.y.z". Used for tests to
-	// override the actual current version.
-	currentVersion string
 }

 func NewUpdater(args Arguments) (*Updater, error) {
 	up := Updater{
-		Arguments:      args,
-		currentVersion: version.Short(),
+		Arguments: args,
 	}
 	if up.Stdout == nil {
 		up.Stdout = os.Stdout
@@ -152,15 +139,18 @@ func NewUpdater(args Arguments) (*Updater, error) {
 	if args.ForAutoUpdate && !canAutoUpdate {
 		return nil, errors.ErrUnsupported
 	}
-	if up.Track == "" {
-		if up.Version != "" {
+	if up.Track == CurrentTrack {
+		switch {
+		case up.Version != "":
 			var err error
 			up.Track, err = versionToTrack(args.Version)
 			if err != nil {
 				return nil, err
 			}
-		} else {
-			up.Track = CurrentTrack
+		case version.IsUnstableBuild():
+			up.Track = UnstableTrack
+		default:
+			up.Track = StableTrack
 		}
 	}
 	if up.Arguments.PkgsAddr == "" {
@@ -177,10 +167,6 @@ func (up *Updater) getUpdateFunction() (fn updateFunction, canAutoUpdate bool) {
 		return up.updateWindows, true
 	case "linux":
 		switch distro.Get() {
-		case distro.NixOS:
-			// NixOS packages are immutable and managed with a system-wide
-			// configuration.
-			return up.updateNixos, false
 		case distro.Synology:
 			// Synology updates use our own pkgs.tailscale.com instead of the
 			// Synology Package Center. We should eventually get to a regular
@@ -248,11 +234,6 @@ func (up *Updater) getUpdateFunction() (fn updateFunction, canAutoUpdate bool) {
 // CanAutoUpdate reports whether auto-updating via the clientupdate package
 // is supported for the current os/distro.
 func CanAutoUpdate() bool {
-	if version.IsMacSysExt() {
-		// Macsys uses Sparkle for auto-updates, which doesn't have an update
-		// function in this package.
-		return true
-	}
 	_, canAutoUpdate := (&Updater{}).getUpdateFunction()
 	return canAutoUpdate
 }
@@ -274,16 +255,13 @@ func Update(args Arguments) error {
 }

 func (up *Updater) confirm(ver string) bool {
-	// Only check version when we're not switching tracks.
-	if up.Track == "" || up.Track == CurrentTrack {
-		switch c := cmpver.Compare(up.currentVersion, ver); {
-		case c == 0:
-			up.Logf("already running %v version %v; no update needed", up.Track, ver)
-			return false
-		case c > 0:
-			up.Logf("installed %v version %v is newer than the latest available version %v; no update needed", up.Track, up.currentVersion, ver)
-			return false
-		}
+	switch cmpver.Compare(version.Short(), ver) {
+	case 0:
+		up.Logf("already running %v version %v; no update needed", up.Track, ver)
+		return false
+	case 1:
+		up.Logf("installed %v version %v is newer than the latest available version %v; no update needed", up.Track, version.Short(), ver)
+		return false
 	}
 	if up.Confirm != nil {
 		return up.Confirm(ver)
@@ -454,7 +432,7 @@ func (up *Updater) updateDebLike() error {
 		return fmt.Errorf("apt-get update failed: %w; output:\n%s", err, out)
 	}

-	for range 2 {
+	for i := 0; i < 2; i++ {
 		out, err := exec.Command("apt-get", "install", "--yes", "--allow-downgrades", "tailscale="+ver).CombinedOutput()
 		if err != nil {
 			if !bytes.Contains(out, []byte(`dpkg was interrupted`)) {
@@ -544,13 +522,6 @@ func (up *Updater) updateArchLike() error {
 you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
 }

-func (up *Updater) updateNixos() error {
-	// NixOS package updates are managed on a system level and not individually.
-	// Direct users to update their nix channel or nixpkgs flake input to
-	// receive the latest version.
-	return errors.New(`individual package updates are not supported on NixOS installations. Update your system channel or flake inputs to get the latest Tailscale version from nixpkgs.`)
-}
-
 const yumRepoConfigFile = "/etc/yum.repos.d/tailscale.repo"

 // updateFedoraLike updates tailscale on any distros in the Fedora family,
@@ -669,9 +640,6 @@ func (up *Updater) updateAlpineLike() (err error) {
 		return fmt.Errorf(`failed to parse latest version from "apk info tailscale": %w`, err)
 	}
 	if !up.confirm(ver) {
-		if err := checkOutdatedAlpineRepo(up.Logf, ver, up.Track); err != nil {
-			up.Logf("failed to check whether Alpine release is outdated: %v", err)
-		}
 		return nil
 	}

@@ -686,7 +654,6 @@ func (up *Updater) updateAlpineLike() (err error) {

 func parseAlpinePackageVersion(out []byte) (string, error) {
 	s := bufio.NewScanner(bytes.NewReader(out))
-	var maxVer string
 	for s.Scan() {
 		// The line should look like this:
 		// tailscale-1.44.2-r0 description:
@@ -698,48 +665,11 @@ func parseAlpinePackageVersion(out []byte) (string, error) {
 		if len(parts) < 3 {
 			return "", fmt.Errorf("malformed info line: %q", line)
 		}
-		ver := parts[1]
-		if cmpver.Compare(ver, maxVer) > 0 {
-			maxVer = ver
-		}
-	}
-	if maxVer != "" {
-		return maxVer, nil
+		return parts[1], nil
 	}
 	return "", errors.New("tailscale version not found in output")
 }

-var apkRepoVersionRE = regexp.MustCompile(`v[0-9]+\.[0-9]+`)
-
-func checkOutdatedAlpineRepo(logf logger.Logf, apkVer, track string) error {
-	latest, err := LatestTailscaleVersion(track)
-	if err != nil {
-		return err
-	}
-	if latest == apkVer {
-		// Actually on latest release.
-		return nil
-	}
-	f, err := os.Open("/etc/apk/repositories")
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	// Read the first repo line. Typically, there are multiple repos that all
-	// contain the same version in the path, like:
-	//   https://dl-cdn.alpinelinux.org/alpine/v3.20/main
-	//   https://dl-cdn.alpinelinux.org/alpine/v3.20/community
-	s := bufio.NewScanner(f)
-	if !s.Scan() {
-		return s.Err()
-	}
-	alpineVer := apkRepoVersionRE.FindString(s.Text())
-	if alpineVer != "" {
-		logf("The latest Tailscale release for Linux is %q, but your apk repository only provides %q.\nYour Alpine version is %q, you may need to upgrade the system to get the latest Tailscale version: https://wiki.alpinelinux.org/wiki/Upgrading_Alpine", latest, apkVer, alpineVer)
-	}
-	return nil
-}
-
 func (up *Updater) updateMacSys() error {
 	return errors.New("NOTREACHED: On MacSys builds, `tailscale update` is handled in Swift to launch the GUI updater")
 }
@@ -888,7 +818,7 @@ func (up *Updater) switchOutputToFile() (io.Closer, error) {
 func (up *Updater) installMSI(msi string) error {
 	var err error
 	for tries := 0; tries < 2; tries++ {
-		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/norestart", "/qn")
+		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/promptrestart", "/qn")
 		cmd.Dir = filepath.Dir(msi)
 		cmd.Stdout = up.Stdout
 		cmd.Stderr = up.Stderr
@@ -898,7 +828,7 @@ func (up *Updater) installMSI(msi string) error {
 			break
 		}
 		up.Logf("Install attempt failed: %v", err)
-		uninstallVersion := up.currentVersion
+		uninstallVersion := version.Short()
 		if v := os.Getenv("TS_DEBUG_UNINSTALL_VERSION"); v != "" {
 			uninstallVersion = v
 		}
@@ -1069,20 +999,6 @@ func (up *Updater) updateLinuxBinary() error {
 	return nil
 }

-func restartSystemdUnit(ctx context.Context) error {
-	if _, err := exec.LookPath("systemctl"); err != nil {
-		// Likely not a systemd-managed distro.
-		return errors.ErrUnsupported
-	}
-	if out, err := exec.Command("systemctl", "daemon-reload").CombinedOutput(); err != nil {
-		return fmt.Errorf("systemctl daemon-reload failed: %w\noutput: %s", err, out)
-	}
-	if out, err := exec.Command("systemctl", "restart", "tailscaled.service").CombinedOutput(); err != nil {
-		return fmt.Errorf("systemctl restart failed: %w\noutput: %s", err, out)
-	}
-	return nil
-}
-
 func (up *Updater) downloadLinuxTarball(ver string) (string, error) {
 	dlDir, err := os.UserCacheDir()
 	if err != nil {
@@ -1349,31 +1265,22 @@ func requestedTailscaleVersion(ver, track string) (string, error) {
 // LatestTailscaleVersion returns the latest released version for the given
 // track from pkgs.tailscale.com.
 func LatestTailscaleVersion(track string) (string, error) {
-	if track == "" {
-		track = CurrentTrack
+	if track == CurrentTrack {
+		if version.IsUnstableBuild() {
+			track = UnstableTrack
+		} else {
+			track = StableTrack
+		}
 	}

 	latest, err := latestPackages(track)
 	if err != nil {
 		return "", err
 	}
-	ver := latest.Version
-	switch runtime.GOOS {
-	case "windows":
-		ver = latest.MSIsVersion
-	case "darwin":
-		ver = latest.MacZipsVersion
-	case "linux":
-		ver = latest.TarballsVersion
-		if distro.Get() == distro.Synology {
-			ver = latest.SPKsVersion
-		}
+	if latest.Version == "" {
+		return "", fmt.Errorf("no latest version found for %q track", track)
 	}
-
-	if ver == "" {
-		return "", fmt.Errorf("no latest version found for OS %q on %q track", runtime.GOOS, track)
-	}
-	return ver, nil
+	return latest.Version, nil
 }

 type trackPackages struct {
--- a/clientupdate/clientupdate_test.go
+++ b/clientupdate/clientupdate_test.go
@@ -251,29 +251,6 @@ tailscale installed size:
 			out:     "",
 			wantErr: true,
 		},
-		{
-			desc: "multiple versions",
-			out: `
-tailscale-1.54.1-r0 description:
-The easiest, most secure way to use WireGuard and 2FA
-
-tailscale-1.54.1-r0 webpage:
-https://tailscale.com/
-
-tailscale-1.54.1-r0 installed size:
-34 MiB
-
-tailscale-1.58.2-r0 description:
-The easiest, most secure way to use WireGuard and 2FA
-
-tailscale-1.58.2-r0 webpage:
-https://tailscale.com/
-
-tailscale-1.58.2-r0 installed size:
-35 MiB
-`,
-			want: "1.58.2",
-		},
 	}

 	for _, tt := range tests {
@@ -663,7 +640,7 @@ func genTarball(t *testing.T, path string, files map[string]string) {

 func TestWriteFileOverwrite(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "test")
-	for i := range 2 {
+	for i := 0; i < 2; i++ {
 		content := fmt.Sprintf("content %d", i)
 		if err := writeFile(strings.NewReader(content), path, 0600); err != nil {
 			t.Fatal(err)
@@ -846,107 +823,3 @@ func TestParseUnraidPluginVersion(t *testing.T) {
 		})
 	}
 }
-
-func TestConfirm(t *testing.T) {
-	curTrack := CurrentTrack
-	defer func() { CurrentTrack = curTrack }()
-
-	tests := []struct {
-		desc      string
-		fromTrack string
-		toTrack   string
-		fromVer   string
-		toVer     string
-		confirm   func(string) bool
-		want      bool
-	}{
-		{
-			desc:      "on latest stable",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.66.0",
-			want:      false,
-		},
-		{
-			desc:      "stable upgrade",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.68.0",
-			want:      true,
-		},
-		{
-			desc:      "unstable upgrade",
-			fromTrack: UnstableTrack,
-			toTrack:   UnstableTrack,
-			fromVer:   "1.67.1",
-			toVer:     "1.67.2",
-			want:      true,
-		},
-		{
-			desc:      "from stable to unstable",
-			fromTrack: StableTrack,
-			toTrack:   UnstableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.67.1",
-			want:      true,
-		},
-		{
-			desc:      "from unstable to stable",
-			fromTrack: UnstableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.67.1",
-			toVer:     "1.66.0",
-			want:      true,
-		},
-		{
-			desc:      "confirm callback rejects",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.66.1",
-			confirm: func(string) bool {
-				return false
-			},
-			want: false,
-		},
-		{
-			desc:      "confirm callback allows",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.0",
-			toVer:     "1.66.1",
-			confirm: func(string) bool {
-				return true
-			},
-			want: true,
-		},
-		{
-			desc:      "downgrade",
-			fromTrack: StableTrack,
-			toTrack:   StableTrack,
-			fromVer:   "1.66.1",
-			toVer:     "1.66.0",
-			want:      false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			CurrentTrack = tt.fromTrack
-			up := Updater{
-				currentVersion: tt.fromVer,
-				Arguments: Arguments{
-					Track:   tt.toTrack,
-					Confirm: tt.confirm,
-					Logf:    t.Logf,
-				},
-			}
-
-			if got := up.confirm(tt.toVer); got != tt.want {
-				t.Errorf("got %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
--- a/clientupdate/distsign/distsign_test.go
+++ b/clientupdate/distsign/distsign_test.go
@@ -445,7 +445,7 @@ type testServer struct {

 func newTestServer(t *testing.T) *testServer {
 	var roots []rootKeyPair
-	for range 3 {
+	for i := 0; i < 3; i++ {
 		roots = append(roots, newRootKeyPair(t))
 	}

--- a/clientupdate/systemd_linux.go
+++ b/clientupdate/systemd_linux.go
@@ -0,0 +1,37 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package clientupdate
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/coreos/go-systemd/v22/dbus"
+)
+
+func restartSystemdUnit(ctx context.Context) error {
+	c, err := dbus.NewWithContext(ctx)
+	if err != nil {
+		// Likely not a systemd-managed distro.
+		return errors.ErrUnsupported
+	}
+	defer c.Close()
+	if err := c.ReloadContext(ctx); err != nil {
+		return fmt.Errorf("failed to reload tailsacled.service: %w", err)
+	}
+	ch := make(chan string, 1)
+	if _, err := c.RestartUnitContext(ctx, "tailscaled.service", "replace", ch); err != nil {
+		return fmt.Errorf("failed to restart tailsacled.service: %w", err)
+	}
+	select {
+	case res := <-ch:
+		if res != "done" {
+			return fmt.Errorf("systemd service restart failed with result %q", res)
+		}
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+	return nil
+}
--- a/clientupdate/systemd_other.go
+++ b/clientupdate/systemd_other.go
@@ -0,0 +1,15 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !linux
+
+package clientupdate
+
+import (
+	"context"
+	"errors"
+)
+
+func restartSystemdUnit(ctx context.Context) error {
+	return errors.ErrUnsupported
+}
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -78,11 +78,7 @@ func main() {
 		w("	return false")
 		w("}")
 	}
-	cloneOutput := pkg.Name + "_clone"
-	if *flagBuildTags == "test" {
-		cloneOutput += "_test"
-	}
-	cloneOutput += ".go"
+	cloneOutput := pkg.Name + "_clone.go"
 	if err := codegen.WritePackageFile("tailscale.com/cmd/cloner", pkg, cloneOutput, it, buf); err != nil {
 		log.Fatal(err)
 	}
@@ -95,21 +91,18 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	}

 	name := typ.Obj().Name()
-	typeParams := typ.Origin().TypeParams()
-	_, typeParamNames := codegen.FormatTypeParams(typeParams, it)
-	nameWithParams := name + typeParamNames
 	fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
 	fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
-	fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", nameWithParams, nameWithParams)
+	fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", name, name)
 	writef := func(format string, args ...any) {
 		fmt.Fprintf(buf, "\t"+format+"\n", args...)
 	}
 	writef("if src == nil {")
 	writef("\treturn nil")
 	writef("}")
-	writef("dst := new(%s)", nameWithParams)
+	writef("dst := new(%s)", name)
 	writef("*dst = *src")
-	for i := range t.NumFields() {
+	for i := 0; i < t.NumFields(); i++ {
 		fname := t.Field(i).Name()
 		ft := t.Field(i).Type()
 		if !codegen.ContainsPointers(ft) || codegen.HasNoClone(t.Tag(i)) {
@@ -133,23 +126,16 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
 				writef("for i := range dst.%s {", fname)
 				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
-					writef("if src.%s[i] == nil { dst.%s[i] = nil } else {", fname, fname)
-					if codegen.ContainsPointers(ptr.Elem()) {
-						if _, isIface := ptr.Elem().Underlying().(*types.Interface); isIface {
-							it.Import("tailscale.com/types/ptr")
-							writef("\tdst.%s[i] = ptr.To((*src.%s[i]).Clone())", fname, fname)
-						} else {
-							writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
-						}
-					} else {
+					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
 						it.Import("tailscale.com/types/ptr")
+						writef("if src.%s[i] == nil { dst.%s[i] = nil } else {", fname, fname)
 						writef("\tdst.%s[i] = ptr.To(*src.%s[i])", fname, fname)
+						writef("}")
+					} else {
+						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 					}
-					writef("}")
 				} else if ft.Elem().String() == "encoding/json.RawMessage" {
 					writef("\tdst.%s[i] = append(src.%s[i][:0:0], src.%s[i]...)", fname, fname, fname)
-				} else if _, isIface := ft.Elem().Underlying().(*types.Interface); isIface {
-					writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 				} else {
 					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 				}
@@ -159,19 +145,14 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("dst.%s = append(src.%s[:0:0], src.%s...)", fname, fname, fname)
 			}
 		case *types.Pointer:
-			base := ft.Elem()
-			hasPtrs := codegen.ContainsPointers(base)
-			if named, _ := base.(*types.Named); named != nil && hasPtrs {
+			if named, _ := ft.Elem().(*types.Named); named != nil && codegen.ContainsPointers(ft.Elem()) {
 				writef("dst.%s = src.%s.Clone()", fname, fname)
 				continue
 			}
 			it.Import("tailscale.com/types/ptr")
 			writef("if dst.%s != nil {", fname)
-			if _, isIface := base.Underlying().(*types.Interface); isIface && hasPtrs {
-				writef("\tdst.%s = ptr.To((*src.%s).Clone())", fname, fname)
-			} else if !hasPtrs {
-				writef("\tdst.%s = ptr.To(*src.%s)", fname, fname)
-			} else {
+			writef("\tdst.%s = ptr.To(*src.%s)", fname, fname)
+			if codegen.ContainsPointers(ft.Elem()) {
 				writef("\t" + `panic("TODO pointers in pointers")`)
 			}
 			writef("}")
@@ -191,50 +172,18 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 				writef("if dst.%s != nil {", fname)
 				writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
 				writef("\tfor k, v := range src.%s {", fname)
-
-				switch elem := elem.Underlying().(type) {
+				switch elem.(type) {
 				case *types.Pointer:
-					writef("\t\tif v == nil { dst.%s[k] = nil } else {", fname)
-					if base := elem.Elem().Underlying(); codegen.ContainsPointers(base) {
-						if _, isIface := base.(*types.Interface); isIface {
-							it.Import("tailscale.com/types/ptr")
-							writef("\t\t\tdst.%s[k] = ptr.To((*v).Clone())", fname)
-						} else {
-							writef("\t\t\tdst.%s[k] = v.Clone()", fname)
-						}
-					} else {
-						it.Import("tailscale.com/types/ptr")
-						writef("\t\t\tdst.%s[k] = ptr.To(*v)", fname)
-					}
-					writef("}")
-				case *types.Interface:
-					if cloneResultType := methodResultType(elem, "Clone"); cloneResultType != nil {
-						if _, isPtr := cloneResultType.(*types.Pointer); isPtr {
-							writef("\t\tdst.%s[k] = *(v.Clone())", fname)
-						} else {
-							writef("\t\tdst.%s[k] = v.Clone()", fname)
-						}
-					} else {
-						writef(`panic("%s (%v) does not have a Clone method")`, fname, elem)
-					}
+					writef("\t\tdst.%s[k] = v.Clone()", fname)
 				default:
 					writef("\t\tdst.%s[k] = *(v.Clone())", fname)
 				}
-
 				writef("\t}")
 				writef("}")
 			} else {
 				it.Import("maps")
 				writef("\tdst.%s = maps.Clone(src.%s)", fname, fname)
 			}
-		case *types.Interface:
-			// If ft is an interface with a "Clone() ft" method, it can be used to clone the field.
-			// This includes scenarios where ft is a constrained type parameter.
-			if cloneResultType := methodResultType(ft, "Clone"); cloneResultType.Underlying() == ft {
-				writef("dst.%s = src.%s.Clone()", fname, fname)
-				continue
-			}
-			writef(`panic("%s (%v) does not have a compatible Clone method")`, fname, ft)
 		default:
 			writef(`panic("TODO: %s (%T)")`, fname, ft)
 		}
@@ -242,7 +191,7 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	writef("return dst")
 	fmt.Fprintf(buf, "}\n\n")

-	buf.Write(codegen.AssertStructUnchanged(t, name, typeParams, "Clone", it))
+	buf.Write(codegen.AssertStructUnchanged(t, name, "Clone", it))
 }

 // hasBasicUnderlying reports true when typ.Underlying() is a slice or a map.
@@ -254,15 +203,3 @@ func hasBasicUnderlying(typ types.Type) bool {
 		return false
 	}
 }
-
-func methodResultType(typ types.Type, method string) types.Type {
-	viewMethod := codegen.LookupMethod(typ, method)
-	if viewMethod == nil {
-		return nil
-	}
-	sig, ok := viewMethod.Type().(*types.Signature)
-	if !ok || sig.Results().Len() != 1 {
-		return nil
-	}
-	return sig.Results().At(0).Type()
-}
--- a/cmd/cloner/clonerex/clonerex.go
+++ b/cmd/cloner/clonerex/clonerex.go
@@ -3,7 +3,6 @@

 //go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type SliceContainer

-// Package clonerex is an example package for the cloner tool.
 package clonerex

 type SliceContainer struct {
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@@ -8,7 +8,6 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"log"
 	"net/http"
@@ -19,20 +18,36 @@ import (
 	"tailscale.com/tailcfg"
 )

-// storeDeviceID writes deviceID to 'device_id' data field of the named
-// Kubernetes Secret.
-func storeDeviceID(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID) error {
-	s := &kube.Secret{
-		Data: map[string][]byte{
-			"device_id": []byte(deviceID),
-		},
+// findKeyInKubeSecret inspects the kube secret secretName for a data
+// field called "authkey", and returns its value if present.
+func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error) {
+	s, err := kc.GetSecret(ctx, secretName)
+	if err != nil {
+		return "", err
 	}
-	return kc.StrategicMergePatchSecret(ctx, secretName, s, "tailscale-container")
+	ak, ok := s.Data["authkey"]
+	if !ok {
+		return "", nil
+	}
+	return string(ak), nil
 }

-// storeDeviceEndpoints writes device's tailnet IPs and MagicDNS name to fields
-// 'device_ips', 'device_fqdn' of the named Kubernetes Secret.
-func storeDeviceEndpoints(ctx context.Context, secretName string, fqdn string, addresses []netip.Prefix) error {
+// storeDeviceInfo writes deviceID into the "device_id" data field of the kube
+// secret secretName.
+func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID, fqdn string, addresses []netip.Prefix) error {
+	// First check if the secret exists at all. Even if running on
+	// kubernetes, we do not necessarily store state in a k8s secret.
+	if _, err := kc.GetSecret(ctx, secretName); err != nil {
+		if s, ok := err.(*kube.Status); ok {
+			if s.Code >= 400 && s.Code <= 499 {
+				// Assume the secret doesn't exist, or we don't have
+				// permission to access it.
+				return nil
+			}
+		}
+		return err
+	}
+
 	var ips []string
 	for _, addr := range addresses {
 		ips = append(ips, addr.Addr().String())
@@ -42,13 +57,14 @@ func storeDeviceEndpoints(ctx context.Context, secretName string, fqdn string, a
 		return err
 	}

-	s := &kube.Secret{
+	m := &kube.Secret{
 		Data: map[string][]byte{
+			"device_id":   []byte(deviceID),
 			"device_fqdn": []byte(fqdn),
 			"device_ips":  deviceIPs,
 		},
 	}
-	return kc.StrategicMergePatchSecret(ctx, secretName, s, "tailscale-container")
+	return kc.StrategicMergePatchSecret(ctx, secretName, m, "tailscale-container")
 }

 // deleteAuthKey deletes the 'authkey' field of the given kube
@@ -72,59 +88,9 @@ func deleteAuthKey(ctx context.Context, secretName string) error {
 	return nil
 }

-var kc kube.Client
+var kc *kube.Client

-// setupKube is responsible for doing any necessary configuration and checks to
-// ensure that tailscale state storage and authentication mechanism will work on
-// Kubernetes.
-func (cfg *settings) setupKube(ctx context.Context) error {
-	if cfg.KubeSecret == "" {
-		return nil
-	}
-	canPatch, canCreate, err := kc.CheckSecretPermissions(ctx, cfg.KubeSecret)
-	if err != nil {
-		return fmt.Errorf("Some Kubernetes permissions are missing, please check your RBAC configuration: %v", err)
-	}
-	cfg.KubernetesCanPatch = canPatch
-
-	s, err := kc.GetSecret(ctx, cfg.KubeSecret)
-	if err != nil && kube.IsNotFoundErr(err) && !canCreate {
-		return fmt.Errorf("Tailscale state Secret %s does not exist and we don't have permissions to create it. "+
-			"If you intend to store tailscale state elsewhere than a Kubernetes Secret, "+
-			"you can explicitly set TS_KUBE_SECRET env var to an empty string. "+
-			"Else ensure that RBAC is set up that allows the service account associated with this installation to create Secrets.", cfg.KubeSecret)
-	} else if err != nil && !kube.IsNotFoundErr(err) {
-		return fmt.Errorf("Getting Tailscale state Secret %s: %v", cfg.KubeSecret, err)
-	}
-
-	if cfg.AuthKey == "" && !isOneStepConfig(cfg) {
-		if s == nil {
-			log.Print("TS_AUTHKEY not provided and kube secret does not exist, login will be interactive if needed.")
-			return nil
-		}
-		keyBytes, _ := s.Data["authkey"]
-		key := string(keyBytes)
-
-		if key != "" {
-			// This behavior of pulling authkeys from kube secrets was added
-			// at the same time as the patch permission, so we can enforce
-			// that we must be able to patch out the authkey after
-			// authenticating if you want to use this feature. This avoids
-			// us having to deal with the case where we might leave behind
-			// an unnecessary reusable authkey in a secret, like a rake in
-			// the grass.
-			if !cfg.KubernetesCanPatch {
-				return errors.New("authkey found in TS_KUBE_SECRET, but the pod doesn't have patch permissions on the secret to manage the authkey.")
-			}
-			cfg.AuthKey = key
-		} else {
-			log.Print("No authkey found in kube secret and TS_AUTHKEY not provided, login will be interactive if needed.")
-		}
-	}
-	return nil
-}
-
-func initKubeClient(root string) {
+func initKube(root string) {
 	if root != "/" {
 		// If we are running in a test, we need to set the root path to the fake
 		// service account directory.
@@ -135,9 +101,9 @@ func initKubeClient(root string) {
 	if err != nil {
 		log.Fatalf("Error creating kube client: %v", err)
 	}
-	if (root != "/") || os.Getenv("TS_KUBERNETES_READ_API_SERVER_ADDRESS_FROM_ENV") == "true" {
-		// Derive the API server address from the environment variables
-		// Used to set http server in tests, or optionally enabled by flag
+	if root != "/" {
+		// If we are running in a test, we need to set the URL to the
+		// httptest server.
 		kc.SetURL(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
 	}
 }
--- a/cmd/containerboot/kube_test.go
+++ b/cmd/containerboot/kube_test.go
@@ -1,206 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"errors"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"tailscale.com/kube"
-)
-
-func TestSetupKube(t *testing.T) {
-	tests := []struct {
-		name    string
-		cfg     *settings
-		wantErr bool
-		wantCfg *settings
-		kc      kube.Client
-	}{
-		{
-			name: "TS_AUTHKEY set, state Secret exists",
-			cfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			kc: &kube.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, false, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kube.Secret, error) {
-					return nil, nil
-				},
-			},
-			wantCfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-		},
-		{
-			name: "TS_AUTHKEY set, state Secret does not exist, we have permissions to create it",
-			cfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			kc: &kube.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, true, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kube.Secret, error) {
-					return nil, &kube.Status{Code: 404}
-				},
-			},
-			wantCfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-		},
-		{
-			name: "TS_AUTHKEY set, state Secret does not exist, we do not have permissions to create it",
-			cfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			kc: &kube.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, false, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kube.Secret, error) {
-					return nil, &kube.Status{Code: 404}
-				},
-			},
-			wantCfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			wantErr: true,
-		},
-		{
-			name: "TS_AUTHKEY set, we encounter a non-404 error when trying to retrieve the state Secret",
-			cfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			kc: &kube.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, false, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kube.Secret, error) {
-					return nil, &kube.Status{Code: 403}
-				},
-			},
-			wantCfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			wantErr: true,
-		},
-		{
-			name: "TS_AUTHKEY set, we encounter a non-404 error when trying to check Secret permissions",
-			cfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			wantCfg: &settings{
-				AuthKey:    "foo",
-				KubeSecret: "foo",
-			},
-			kc: &kube.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, false, errors.New("broken")
-				},
-			},
-			wantErr: true,
-		},
-		{
-			// Interactive login using URL in Pod logs
-			name: "TS_AUTHKEY not set, state Secret does not exist, we have permissions to create it",
-			cfg: &settings{
-				KubeSecret: "foo",
-			},
-			wantCfg: &settings{
-				KubeSecret: "foo",
-			},
-			kc: &kube.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, true, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kube.Secret, error) {
-					return nil, &kube.Status{Code: 404}
-				},
-			},
-		},
-		{
-			// Interactive login using URL in Pod logs
-			name: "TS_AUTHKEY not set, state Secret exists, but does not contain auth key",
-			cfg: &settings{
-				KubeSecret: "foo",
-			},
-			wantCfg: &settings{
-				KubeSecret: "foo",
-			},
-			kc: &kube.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, false, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kube.Secret, error) {
-					return &kube.Secret{}, nil
-				},
-			},
-		},
-		{
-			name: "TS_AUTHKEY not set, state Secret contains auth key, we do not have RBAC to patch it",
-			cfg: &settings{
-				KubeSecret: "foo",
-			},
-			kc: &kube.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return false, false, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kube.Secret, error) {
-					return &kube.Secret{Data: map[string][]byte{"authkey": []byte("foo")}}, nil
-				},
-			},
-			wantCfg: &settings{
-				KubeSecret: "foo",
-			},
-			wantErr: true,
-		},
-		{
-			name: "TS_AUTHKEY not set, state Secret contains auth key, we have RBAC to patch it",
-			cfg: &settings{
-				KubeSecret: "foo",
-			},
-			kc: &kube.FakeClient{
-				CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
-					return true, false, nil
-				},
-				GetSecretImpl: func(context.Context, string) (*kube.Secret, error) {
-					return &kube.Secret{Data: map[string][]byte{"authkey": []byte("foo")}}, nil
-				},
-			},
-			wantCfg: &settings{
-				KubeSecret:         "foo",
-				AuthKey:            "foo",
-				KubernetesCanPatch: true,
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		kc = tt.kc
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.cfg.setupKube(context.Background()); (err != nil) != tt.wantErr {
-				t.Errorf("settings.setupKube() error = %v, wantErr %v", err, tt.wantErr)
-			}
-			if diff := cmp.Diff(*tt.cfg, *tt.wantCfg); diff != "" {
-				t.Errorf("unexpected contents of settings after running settings.setupKube()\n(-got +want):\n%s", diff)
-			}
-		})
-	}
-}
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -18,11 +18,7 @@
 //     previously advertised routes. To accept routes, use TS_EXTRA_ARGS to pass
 //     in --accept-routes.
 //   - TS_DEST_IP: proxy all incoming Tailscale traffic to the given
-//     destination defined by an IP address.
-//   - TS_EXPERIMENTAL_DEST_DNS_NAME: proxy all incoming Tailscale traffic to the given
-//     destination defined by a DNS name. The DNS name will be periodically resolved and firewall rules updated accordingly.
-//     This is currently intended to be used by the Kubernetes operator (ExternalName Services).
-//     This is an experimental env var and will likely change in the future.
+//     destination.
 //   - TS_TAILNET_TARGET_IP: proxy all incoming non-Tailscale traffic to the given
 //     destination defined by an IP.
 //   - TS_TAILNET_TARGET_FQDN: proxy all incoming non-Tailscale traffic to the given
@@ -52,29 +48,13 @@
 //     ${TS_CERT_DOMAIN}, it will be replaced with the value of the available FQDN.
 //     It cannot be used in conjunction with TS_DEST_IP. The file is watched for changes,
 //     and will be re-applied when it changes.
-//   - TS_EXPERIMENTAL_VERSIONED_CONFIG_DIR: if specified, a path to a
-//     directory that containers tailscaled config in file. The config file needs to be
-//     named cap-<current-tailscaled-cap>.hujson. If this is set, TS_HOSTNAME,
-//     TS_EXTRA_ARGS, TS_AUTHKEY,
+//   - EXPERIMENTAL_TS_CONFIGFILE_PATH: if specified, a path to tailscaled
+//     config. If this is set, TS_HOSTNAME, TS_EXTRA_ARGS, TS_AUTHKEY,
 //     TS_ROUTES, TS_ACCEPT_DNS env vars must not be set. If this is set,
 //     containerboot only runs `tailscaled --config <path-to-this-configfile>`
 //     and not `tailscale up` or `tailscale set`.
 //     The config file contents are currently read once on container start.
 //     NB: This env var is currently experimental and the logic will likely change!
-//     TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS: set to true to
-//     autoconfigure the default network interface for optimal performance for
-//     Tailscale subnet router/exit node.
-//     https://tailscale.com/kb/1320/performance-best-practices#linux-optimizations-for-subnet-routers-and-exit-nodes
-//     NB: This env var is currently experimental and the logic will likely change!
-//   - EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS: if set to true
-//     and if this containerboot instance is an L7 ingress proxy (created by
-//     the Kubernetes operator), set up rules to allow proxying cluster traffic,
-//     received on the Pod IP of this node, to the ingress target in the cluster.
-//     This, in conjunction with MagicDNS name resolution in cluster, can be
-//     useful for cases where a cluster workload needs to access a target in
-//     cluster using the same hostname (in this case, the MagicDNS name of the ingress proxy)
-//     as a non-cluster workload on tailnet.
-//     This is only meant to be configured by the Kubernetes operator.
 //
 // When running on Kubernetes, containerboot defaults to storing state in the
 // "tailscale" kube secret. To store state on local disk instead, set
@@ -93,16 +73,12 @@ import (
 	"fmt"
 	"io/fs"
 	"log"
-	"math"
-	"net"
 	"net/netip"
 	"os"
 	"os/exec"
 	"os/signal"
-	"path"
 	"path/filepath"
 	"reflect"
-	"slices"
 	"strconv"
 	"strings"
 	"sync"
@@ -115,7 +91,6 @@ import (
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/conffile"
-	kubeutils "tailscale.com/k8s-operator"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/ptr"
@@ -133,33 +108,29 @@ func newNetfilterRunner(logf logger.Logf) (linuxfw.NetfilterRunner, error) {
 func main() {
 	log.SetPrefix("boot: ")
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true
-	cfg := &settings{
-		AuthKey:                               defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
-		Hostname:                              defaultEnv("TS_HOSTNAME", ""),
-		Routes:                                defaultEnvStringPointer("TS_ROUTES"),
-		ServeConfigPath:                       defaultEnv("TS_SERVE_CONFIG", ""),
-		ProxyTargetIP:                         defaultEnv("TS_DEST_IP", ""),
-		ProxyTargetDNSName:                    defaultEnv("TS_EXPERIMENTAL_DEST_DNS_NAME", ""),
-		TailnetTargetIP:                       defaultEnv("TS_TAILNET_TARGET_IP", ""),
-		TailnetTargetFQDN:                     defaultEnv("TS_TAILNET_TARGET_FQDN", ""),
-		DaemonExtraArgs:                       defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
-		ExtraArgs:                             defaultEnv("TS_EXTRA_ARGS", ""),
-		InKubernetes:                          os.Getenv("KUBERNETES_SERVICE_HOST") != "",
-		UserspaceMode:                         defaultBool("TS_USERSPACE", true),
-		StateDir:                              defaultEnv("TS_STATE_DIR", ""),
-		AcceptDNS:                             defaultEnvBoolPointer("TS_ACCEPT_DNS"),
-		KubeSecret:                            defaultEnv("TS_KUBE_SECRET", "tailscale"),
-		SOCKSProxyAddr:                        defaultEnv("TS_SOCKS5_SERVER", ""),
-		HTTPProxyAddr:                         defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
-		Socket:                                defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
-		AuthOnce:                              defaultBool("TS_AUTH_ONCE", false),
-		Root:                                  defaultEnv("TS_TEST_ONLY_ROOT", "/"),
-		TailscaledConfigFilePath:              tailscaledConfigFilePath(),
-		AllowProxyingClusterTrafficViaIngress: defaultBool("EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS", false),
-		PodIP:                                 defaultEnv("POD_IP", ""),
-		EnableForwardingOptimizations:         defaultBool("TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS", false),
-	}

+	cfg := &settings{
+		AuthKey:                  defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
+		Hostname:                 defaultEnv("TS_HOSTNAME", ""),
+		Routes:                   defaultEnvStringPointer("TS_ROUTES"),
+		ServeConfigPath:          defaultEnv("TS_SERVE_CONFIG", ""),
+		ProxyTo:                  defaultEnv("TS_DEST_IP", ""),
+		TailnetTargetIP:          defaultEnv("TS_TAILNET_TARGET_IP", ""),
+		TailnetTargetFQDN:        defaultEnv("TS_TAILNET_TARGET_FQDN", ""),
+		DaemonExtraArgs:          defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
+		ExtraArgs:                defaultEnv("TS_EXTRA_ARGS", ""),
+		InKubernetes:             os.Getenv("KUBERNETES_SERVICE_HOST") != "",
+		UserspaceMode:            defaultBool("TS_USERSPACE", true),
+		StateDir:                 defaultEnv("TS_STATE_DIR", ""),
+		AcceptDNS:                defaultEnvBoolPointer("TS_ACCEPT_DNS"),
+		KubeSecret:               defaultEnv("TS_KUBE_SECRET", "tailscale"),
+		SOCKSProxyAddr:           defaultEnv("TS_SOCKS5_SERVER", ""),
+		HTTPProxyAddr:            defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
+		Socket:                   defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
+		AuthOnce:                 defaultBool("TS_AUTH_ONCE", false),
+		Root:                     defaultEnv("TS_TEST_ONLY_ROOT", "/"),
+		TailscaledConfigFilePath: defaultEnv("EXPERIMENTAL_TS_CONFIGFILE_PATH", ""),
+	}
 	if err := cfg.validate(); err != nil {
 		log.Fatalf("invalid configuration: %v", err)
 	}
@@ -168,8 +139,8 @@ func main() {
 		if err := ensureTunFile(cfg.Root); err != nil {
 			log.Fatalf("Unable to create tuntap device file: %v", err)
 		}
-		if cfg.ProxyTargetIP != "" || cfg.ProxyTargetDNSName != "" || cfg.Routes != nil || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != "" {
-			if err := ensureIPForwarding(cfg.Root, cfg.ProxyTargetIP, cfg.TailnetTargetIP, cfg.TailnetTargetFQDN, cfg.Routes); err != nil {
+		if cfg.ProxyTo != "" || cfg.Routes != nil || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != "" {
+			if err := ensureIPForwarding(cfg.Root, cfg.ProxyTo, cfg.TailnetTargetIP, cfg.TailnetTargetFQDN, cfg.Routes); err != nil {
 				log.Printf("Failed to enable IP forwarding: %v", err)
 				log.Printf("To run tailscale as a proxy or router container, IP forwarding must be enabled.")
 				if cfg.InKubernetes {
@@ -181,16 +152,44 @@ func main() {
 		}
 	}

+	if cfg.InKubernetes {
+		initKube(cfg.Root)
+	}
+
 	// Context is used for all setup stuff until we're in steady
 	// state, so that if something is hanging we eventually time out
 	// and crashloop the container.
 	bootCtx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
 	defer cancel()

-	if cfg.InKubernetes {
-		initKubeClient(cfg.Root)
-		if err := cfg.setupKube(bootCtx); err != nil {
-			log.Fatalf("error setting up for running on Kubernetes: %v", err)
+	if cfg.InKubernetes && cfg.KubeSecret != "" {
+		canPatch, err := kc.CheckSecretPermissions(bootCtx, cfg.KubeSecret)
+		if err != nil {
+			log.Fatalf("Some Kubernetes permissions are missing, please check your RBAC configuration: %v", err)
+		}
+		cfg.KubernetesCanPatch = canPatch
+
+		if cfg.AuthKey == "" && !isOneStepConfig(cfg) {
+			key, err := findKeyInKubeSecret(bootCtx, cfg.KubeSecret)
+			if err != nil {
+				log.Fatalf("Getting authkey from kube secret: %v", err)
+			}
+			if key != "" {
+				// This behavior of pulling authkeys from kube secrets was added
+				// at the same time as the patch permission, so we can enforce
+				// that we must be able to patch out the authkey after
+				// authenticating if you want to use this feature. This avoids
+				// us having to deal with the case where we might leave behind
+				// an unnecessary reusable authkey in a secret, like a rake in
+				// the grass.
+				if !cfg.KubernetesCanPatch {
+					log.Fatalf("authkey found in TS_KUBE_SECRET, but the pod doesn't have patch permissions on the secret to manage the authkey.")
+				}
+				log.Print("Using authkey found in kube secret")
+				cfg.AuthKey = key
+			} else {
+				log.Print("No authkey found in kube secret and TS_AUTHKEY not provided, login will be interactive if needed.")
+			}
 		}
 	}

@@ -205,12 +204,6 @@ func main() {
 	}
 	defer killTailscaled()

-	if cfg.EnableForwardingOptimizations {
-		if err := client.SetUDPGROForwarding(bootCtx); err != nil {
-			log.Printf("[unexpected] error enabling UDP GRO forwarding: %v", err)
-		}
-	}
-
 	w, err := client.WatchIPNBus(bootCtx, ipn.NotifyInitialNetMap|ipn.NotifyInitialPrefs|ipn.NotifyInitialState)
 	if err != nil {
 		log.Fatalf("failed to watch tailscaled for updates: %v", err)
@@ -321,7 +314,7 @@ authLoop:
 		}
 	}

-	if hasKubeStateStore(cfg) && isTwoStepConfigAuthOnce(cfg) {
+	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && isTwoStepConfigAuthOnce(cfg) {
 		// We were told to only auth once, so any secret-bound
 		// authkey is no longer needed. We don't strictly need to
 		// wipe it, but it's good hygiene.
@@ -337,16 +330,14 @@ authLoop:
 	}

 	var (
-		startupTasksDone       = false
-		currentIPs             deephash.Sum // tailscale IPs assigned to device
-		currentDeviceID        deephash.Sum // device ID
-		currentDeviceEndpoints deephash.Sum // device FQDN and IPs
+		wantProxy         = cfg.ProxyTo != "" || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != ""
+		wantDeviceInfo    = cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch
+		startupTasksDone  = false
+		currentIPs        deephash.Sum // tailscale IPs assigned to device
+		currentDeviceInfo deephash.Sum // device ID and fqdn

 		currentEgressIPs deephash.Sum

-		addrs        []netip.Prefix
-		backendAddrs []net.IP
-
 		certDomain        = new(atomic.Pointer[string])
 		certDomainChanged = make(chan bool, 1)
 	)
@@ -354,50 +345,12 @@ authLoop:
 		go watchServeConfigChanges(ctx, cfg.ServeConfigPath, certDomainChanged, certDomain, client)
 	}
 	var nfr linuxfw.NetfilterRunner
-	if isL3Proxy(cfg) {
+	if wantProxy {
 		nfr, err = newNetfilterRunner(log.Printf)
 		if err != nil {
 			log.Fatalf("error creating new netfilter runner: %v", err)
 		}
 	}
-
-	// Setup for proxies that are configured to proxy to a target specified
-	// by a DNS name (TS_EXPERIMENTAL_DEST_DNS_NAME).
-	const defaultCheckPeriod = time.Minute * 10 // how often to check what IPs the DNS name resolves to
-	var (
-		tc                    = make(chan string, 1)
-		failedResolveAttempts int
-		t                     *time.Timer = time.AfterFunc(defaultCheckPeriod, func() {
-			if cfg.ProxyTargetDNSName != "" {
-				tc <- "recheck"
-			}
-		})
-	)
-	defer t.Stop()
-	// resetTimer resets timer for when to next attempt to resolve the DNS
-	// name for the proxy configured with TS_EXPERIMENTAL_DEST_DNS_NAME. The
-	// timer gets reset to 10 minutes from now unless the last resolution
-	// attempt failed. If one or more consecutive previous resolution
-	// attempts failed, the next resolution attempt will happen after the smallest
-	// of (10 minutes, 2 ^ number-of-consecutive-failed-resolution-attempts
-	// seconds) i.e 2s, 4s, 8s ... 10 minutes.
-	resetTimer := func(lastResolveFailed bool) {
-		if !lastResolveFailed {
-			log.Printf("reconfigureTimer: next DNS resolution attempt in %s", defaultCheckPeriod)
-			t.Reset(defaultCheckPeriod)
-			failedResolveAttempts = 0
-			return
-		}
-		minDelay := 2 // 2 seconds
-		nextTick := time.Second * time.Duration(math.Pow(float64(minDelay), float64(failedResolveAttempts)))
-		if nextTick > defaultCheckPeriod {
-			nextTick = defaultCheckPeriod // cap at 10 minutes
-		}
-		log.Printf("reconfigureTimer: last DNS resolution attempt failed, next DNS resolution attempt in %v", nextTick)
-		t.Reset(nextTick)
-		failedResolveAttempts++
-	}
-
 	notifyChan := make(chan ipn.Notify)
 	errChan := make(chan error)
 	go func() {
@@ -412,7 +365,6 @@ authLoop:
 		}
 	}()
 	var wg sync.WaitGroup
-
 runLoop:
 	for {
 		select {
@@ -435,24 +387,10 @@ runLoop:
 				log.Fatalf("tailscaled left running state (now in state %q), exiting", *n.State)
 			}
 			if n.NetMap != nil {
-				addrs = n.NetMap.SelfNode.Addresses().AsSlice()
+				addrs := n.NetMap.SelfNode.Addresses().AsSlice()
 				newCurrentIPs := deephash.Hash(&addrs)
 				ipsHaveChanged := newCurrentIPs != currentIPs

-				// Store device ID in a Kubernetes Secret before
-				// setting up any routing rules. This ensures
-				// that, for containerboot instances that are
-				// Kubernetes operator proxies, the operator is
-				// able to retrieve the device ID from the
-				// Kubernetes Secret to clean up tailnet nodes
-				// for proxies whose route setup continuously
-				// fails.
-				deviceID := n.NetMap.SelfNode.StableID()
-				if hasKubeStateStore(cfg) && deephash.Update(&currentDeviceID, &deviceID) {
-					if err := storeDeviceID(ctx, cfg.KubeSecret, n.NetMap.SelfNode.StableID()); err != nil {
-						log.Fatalf("storing device ID in Kubernetes Secret: %v", err)
-					}
-				}
 				if cfg.TailnetTargetFQDN != "" {
 					var (
 						egressAddrs          []netip.Prefix
@@ -475,50 +413,29 @@ runLoop:
 					egressAddrs = node.Addresses().AsSlice()
 					newCurentEgressIPs = deephash.Hash(&egressAddrs)
 					egressIPsHaveChanged = newCurentEgressIPs != currentEgressIPs
-					if egressIPsHaveChanged && len(egressAddrs) != 0 {
-						var rulesInstalled bool
+					if egressIPsHaveChanged && len(egressAddrs) > 0 {
 						for _, egressAddr := range egressAddrs {
 							ea := egressAddr.Addr()
-							if ea.Is4() || (ea.Is6() && nfr.HasIPV6NAT()) {
-								rulesInstalled = true
-								log.Printf("Installing forwarding rules for destination %v", ea.String())
-								if err := installEgressForwardingRule(ctx, ea.String(), addrs, nfr); err != nil {
-									log.Fatalf("installing egress proxy rules for destination %s: %v", ea.String(), err)
-								}
+							// TODO (irbekrm): make it work for IPv6 too.
+							if ea.Is6() {
+								log.Println("Not installing egress forwarding rules for IPv6 as this is currently not supported")
+								continue
+							}
+							log.Printf("Installing forwarding rules for destination %v", ea.String())
+							if err := installEgressForwardingRule(ctx, ea.String(), addrs, nfr); err != nil {
+								log.Fatalf("installing egress proxy rules for destination %s: %v", ea.String(), err)
 							}
-						}
-						if !rulesInstalled {
-							log.Fatalf("no forwarding rules for egress addresses %v, host supports IPv6: %v", egressAddrs, nfr.HasIPV6NAT())
 						}
 					}
 					currentEgressIPs = newCurentEgressIPs
 				}
-				if cfg.ProxyTargetIP != "" && len(addrs) != 0 && ipsHaveChanged {
+				if cfg.ProxyTo != "" && len(addrs) > 0 && ipsHaveChanged {
 					log.Printf("Installing proxy rules")
-					if err := installIngressForwardingRule(ctx, cfg.ProxyTargetIP, addrs, nfr); err != nil {
+					if err := installIngressForwardingRule(ctx, cfg.ProxyTo, addrs, nfr); err != nil {
 						log.Fatalf("installing ingress proxy rules: %v", err)
 					}
 				}
-				if cfg.ProxyTargetDNSName != "" && len(addrs) != 0 && ipsHaveChanged {
-					newBackendAddrs, err := resolveDNS(ctx, cfg.ProxyTargetDNSName)
-					if err != nil {
-						log.Printf("[unexpected] error resolving DNS name %s: %v", cfg.ProxyTargetDNSName, err)
-						resetTimer(true)
-						continue
-					}
-					backendsHaveChanged := !(slices.EqualFunc(backendAddrs, newBackendAddrs, func(ip1 net.IP, ip2 net.IP) bool {
-						return slices.ContainsFunc(newBackendAddrs, func(ip net.IP) bool { return ip.Equal(ip1) })
-					}))
-					if backendsHaveChanged {
-						log.Printf("installing ingress proxy rules for backends %v", newBackendAddrs)
-						if err := installIngressForwardingRuleForDNSTarget(ctx, newBackendAddrs, addrs, nfr); err != nil {
-							log.Fatalf("error installing ingress proxy rules: %v", err)
-						}
-					}
-					resetTimer(false)
-					backendAddrs = newBackendAddrs
-				}
-				if cfg.ServeConfigPath != "" && len(n.NetMap.DNS.CertDomains) != 0 {
+				if cfg.ServeConfigPath != "" && len(n.NetMap.DNS.CertDomains) > 0 {
 					cd := n.NetMap.DNS.CertDomains[0]
 					prev := certDomain.Swap(ptr.To(cd))
 					if prev == nil || *prev != cd {
@@ -528,105 +445,54 @@ runLoop:
 						}
 					}
 				}
-				if cfg.TailnetTargetIP != "" && ipsHaveChanged && len(addrs) != 0 {
+				if cfg.TailnetTargetIP != "" && ipsHaveChanged && len(addrs) > 0 {
 					log.Printf("Installing forwarding rules for destination %v", cfg.TailnetTargetIP)
 					if err := installEgressForwardingRule(ctx, cfg.TailnetTargetIP, addrs, nfr); err != nil {
 						log.Fatalf("installing egress proxy rules: %v", err)
 					}
 				}
-				// If this is a L7 cluster ingress proxy (set up
-				// by Kubernetes operator) and proxying of
-				// cluster traffic to the ingress target is
-				// enabled, set up proxy rule each time the
-				// tailnet IPs of this node change (including
-				// the first time they become available).
-				if cfg.AllowProxyingClusterTrafficViaIngress && cfg.ServeConfigPath != "" && ipsHaveChanged && len(addrs) != 0 {
-					log.Printf("installing rules to forward traffic for %s to node's tailnet IP", cfg.PodIP)
-					if err := installTSForwardingRuleForDestination(ctx, cfg.PodIP, addrs, nfr); err != nil {
-						log.Fatalf("installing rules to forward traffic to node's tailnet IP: %v", err)
-					}
-				}
 				currentIPs = newCurrentIPs

-				// Only store device FQDN and IP addresses to
-				// Kubernetes Secret when any required proxy
-				// route setup has succeeded. IPs and FQDN are
-				// read from the Secret by the Tailscale
-				// Kubernetes operator and, for some proxy
-				// types, such as Tailscale Ingress, advertized
-				// on the Ingress status. Writing them to the
-				// Secret only after the proxy routing has been
-				// set up ensures that the operator does not
-				// advertize endpoints of broken proxies.
-				// TODO (irbekrm): instead of using the IP and FQDN, have some other mechanism for the proxy signal that it is 'Ready'.
-				deviceEndpoints := []any{n.NetMap.SelfNode.Name(), n.NetMap.SelfNode.Addresses()}
-				if hasKubeStateStore(cfg) && deephash.Update(&currentDeviceEndpoints, &deviceEndpoints) {
-					if err := storeDeviceEndpoints(ctx, cfg.KubeSecret, n.NetMap.SelfNode.Name(), n.NetMap.SelfNode.Addresses().AsSlice()); err != nil {
-						log.Fatalf("storing device IPs and FQDN in Kubernetes Secret: %v", err)
+				deviceInfo := []any{n.NetMap.SelfNode.StableID(), n.NetMap.SelfNode.Name()}
+				if cfg.InKubernetes && cfg.KubernetesCanPatch && cfg.KubeSecret != "" && deephash.Update(&currentDeviceInfo, &deviceInfo) {
+					if err := storeDeviceInfo(ctx, cfg.KubeSecret, n.NetMap.SelfNode.StableID(), n.NetMap.SelfNode.Name(), n.NetMap.SelfNode.Addresses().AsSlice()); err != nil {
+						log.Fatalf("storing device ID in kube secret: %v", err)
 					}
 				}
 			}
 			if !startupTasksDone {
-				// For containerboot instances that act as TCP
-				// proxies (proxying traffic to an endpoint
-				// passed via one of the env vars that
-				// containerbot reads) and store state in a
-				// Kubernetes Secret, we consider startup tasks
-				// done at the point when device info has been
-				// successfully stored to state Secret.
-				// For all other containerboot instances, if we
-				// just get to this point the startup tasks can
-				// be considered done.
-				if !isL3Proxy(cfg) || !hasKubeStateStore(cfg) || (currentDeviceEndpoints != deephash.Sum{} && currentDeviceID != deephash.Sum{}) {
+				if (!wantProxy || currentIPs != deephash.Sum{}) && (!wantDeviceInfo || currentDeviceInfo != deephash.Sum{}) {
 					// This log message is used in tests to detect when all
 					// post-auth configuration is done.
 					log.Println("Startup complete, waiting for shutdown signal")
 					startupTasksDone = true

-					// Wait on tailscaled process. It won't
-					// be cleaned up by default when the
-					// container exits as it is not PID1.
-					// TODO (irbekrm): perhaps we can
-					// replace the reaper by a running
-					// cmd.Wait in a goroutine immediately
-					// after starting tailscaled?
+					// Reap all processes, since we are PID1 and need to collect zombies. We can
+					// only start doing this once we've stopped shelling out to things
+					// `tailscale up`, otherwise this goroutine can reap the CLI subprocesses
+					// and wedge bringup.
 					reaper := func() {
 						defer wg.Done()
 						for {
 							var status unix.WaitStatus
-							_, err := unix.Wait4(daemonProcess.Pid, &status, 0, nil)
+							pid, err := unix.Wait4(-1, &status, 0, nil)
 							if errors.Is(err, unix.EINTR) {
 								continue
 							}
 							if err != nil {
-								log.Fatalf("Waiting for tailscaled to exit: %v", err)
+								log.Fatalf("Waiting for exited processes: %v", err)
+							}
+							if pid == daemonProcess.Pid {
+								log.Printf("Tailscaled exited")
+								os.Exit(0)
 							}
-							log.Print("tailscaled exited")
-							os.Exit(0)
 						}
+
 					}
 					wg.Add(1)
 					go reaper()
 				}
 			}
-		case <-tc:
-			newBackendAddrs, err := resolveDNS(ctx, cfg.ProxyTargetDNSName)
-			if err != nil {
-				log.Printf("[unexpected] error resolving DNS name %s: %v", cfg.ProxyTargetDNSName, err)
-				resetTimer(true)
-				continue
-			}
-			backendsHaveChanged := !(slices.EqualFunc(backendAddrs, newBackendAddrs, func(ip1 net.IP, ip2 net.IP) bool {
-				return slices.ContainsFunc(newBackendAddrs, func(ip net.IP) bool { return ip.Equal(ip1) })
-			}))
-			if backendsHaveChanged && len(addrs) != 0 {
-				log.Printf("Backend address change detected, installing proxy rules for backends %v", newBackendAddrs)
-				if err := installIngressForwardingRuleForDNSTarget(ctx, newBackendAddrs, addrs, nfr); err != nil {
-					log.Fatalf("installing ingress proxy rules for DNS target %s: %v", cfg.ProxyTargetDNSName, err)
-				}
-			}
-			backendAddrs = newBackendAddrs
-			resetTimer(false)
 		}
 	}
 	wg.Wait()
@@ -867,12 +733,12 @@ func ensureTunFile(root string) error {
 }

 // ensureIPForwarding enables IPv4/IPv6 forwarding for the container.
-func ensureIPForwarding(root, clusterProxyTargetIP, tailnetTargetIP, tailnetTargetFQDN string, routes *string) error {
+func ensureIPForwarding(root, clusterProxyTarget, tailnetTargetiP, tailnetTargetFQDN string, routes *string) error {
 	var (
 		v4Forwarding, v6Forwarding bool
 	)
-	if clusterProxyTargetIP != "" {
-		proxyIP, err := netip.ParseAddr(clusterProxyTargetIP)
+	if clusterProxyTarget != "" {
+		proxyIP, err := netip.ParseAddr(clusterProxyTarget)
 		if err != nil {
 			return fmt.Errorf("invalid cluster destination IP: %v", err)
 		}
@@ -882,8 +748,8 @@ func ensureIPForwarding(root, clusterProxyTargetIP, tailnetTargetIP, tailnetTarg
 			v6Forwarding = true
 		}
 	}
-	if tailnetTargetIP != "" {
-		proxyIP, err := netip.ParseAddr(tailnetTargetIP)
+	if tailnetTargetiP != "" {
+		proxyIP, err := netip.ParseAddr(tailnetTargetiP)
 		if err != nil {
 			return fmt.Errorf("invalid tailnet destination IP: %v", err)
 		}
@@ -911,10 +777,7 @@ func ensureIPForwarding(root, clusterProxyTargetIP, tailnetTargetIP, tailnetTarg
 			}
 		}
 	}
-	return enableIPForwarding(v4Forwarding, v6Forwarding, root)
-}

-func enableIPForwarding(v4Forwarding, v6Forwarding bool, root string) error {
 	var paths []string
 	if v4Forwarding {
 		paths = append(paths, filepath.Join(root, "proc/sys/net/ipv4/ip_forward"))
@@ -943,7 +806,7 @@ func enableIPForwarding(v4Forwarding, v6Forwarding bool, root string) error {
 	return nil
 }

-func installEgressForwardingRule(_ context.Context, dstStr string, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
+func installEgressForwardingRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
 	dst, err := netip.ParseAddr(dstStr)
 	if err != nil {
 		return err
@@ -974,58 +837,22 @@ func installEgressForwardingRule(_ context.Context, dstStr string, tsIPs []netip
 	return nil
 }

-// installTSForwardingRuleForDestination accepts a destination address and a
-// list of node's tailnet addresses, sets up rules to forward traffic for
-// destination to the tailnet IP matching the destination IP family.
-// Destination can be Pod IP of this node.
-func installTSForwardingRuleForDestination(ctx context.Context, dstFilter string, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
-	dst, err := netip.ParseAddr(dstFilter)
-	if err != nil {
-		return err
-	}
-	var local netip.Addr
-	for _, pfx := range tsIPs {
-		if !pfx.IsSingleIP() {
-			continue
-		}
-		if pfx.Addr().Is4() != dst.Is4() {
-			continue
-		}
-		local = pfx.Addr()
-		break
-	}
-	if !local.IsValid() {
-		return fmt.Errorf("no tailscale IP matching family of %s found in %v", dstFilter, tsIPs)
-	}
-	if err := nfr.AddDNATRule(dst, local); err != nil {
-		return fmt.Errorf("installing rule for forwarding traffic to tailnet IP: %w", err)
-	}
-	return nil
-}
-
 func installIngressForwardingRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
 	dst, err := netip.ParseAddr(dstStr)
 	if err != nil {
 		return err
 	}
 	var local netip.Addr
-	proxyHasIPv4Address := false
 	for _, pfx := range tsIPs {
 		if !pfx.IsSingleIP() {
 			continue
 		}
-		if pfx.Addr().Is4() {
-			proxyHasIPv4Address = true
-		}
 		if pfx.Addr().Is4() != dst.Is4() {
 			continue
 		}
 		local = pfx.Addr()
 		break
 	}
-	if proxyHasIPv4Address && dst.Is6() {
-		log.Printf("Warning: proxy backend ClusterIP is an IPv6 address and the proxy has a IPv4 tailnet address. You might need to disable IPv4 address allocation for the proxy for forwarding to work. See https://github.com/tailscale/tailscale/issues/12156")
-	}
 	if !local.IsValid() {
 		return fmt.Errorf("no tailscale IP matching family of %s found in %v", dstStr, tsIPs)
 	}
@@ -1038,89 +865,15 @@ func installIngressForwardingRule(ctx context.Context, dstStr string, tsIPs []ne
 	return nil
 }

-func installIngressForwardingRuleForDNSTarget(ctx context.Context, backendAddrs []net.IP, tsIPs []netip.Prefix, nfr linuxfw.NetfilterRunner) error {
-	var (
-		tsv4       netip.Addr
-		tsv6       netip.Addr
-		v4Backends []netip.Addr
-		v6Backends []netip.Addr
-	)
-	for _, pfx := range tsIPs {
-		if pfx.IsSingleIP() && pfx.Addr().Is4() {
-			tsv4 = pfx.Addr()
-			continue
-		}
-		if pfx.IsSingleIP() && pfx.Addr().Is6() {
-			tsv6 = pfx.Addr()
-			continue
-		}
-	}
-	// TODO: log if more than one backend address is found and firewall is
-	// in nftables mode that only the first IP will be used.
-	for _, ip := range backendAddrs {
-		if ip.To4() != nil {
-			v4Backends = append(v4Backends, netip.AddrFrom4([4]byte(ip.To4())))
-		}
-		if ip.To16() != nil {
-			v6Backends = append(v6Backends, netip.AddrFrom16([16]byte(ip.To16())))
-		}
-	}
-
-	// Enable IP forwarding here as opposed to at the start of containerboot
-	// as the IPv4/IPv6 requirements might have changed.
-	// For Kubernetes operator proxies, forwarding for both IPv4 and IPv6 is
-	// enabled by an init container, so in practice enabling forwarding here
-	// is only needed if this proxy has been configured by manually setting
-	// TS_EXPERIMENTAL_DEST_DNS_NAME env var for a containerboot instance.
-	if err := enableIPForwarding(len(v4Backends) != 0, len(v6Backends) != 0, ""); err != nil {
-		log.Printf("[unexpected] failed to ensure IP forwarding: %v", err)
-	}
-
-	updateFirewall := func(dst netip.Addr, backendTargets []netip.Addr) error {
-		if err := nfr.DNATWithLoadBalancer(dst, backendTargets); err != nil {
-			return fmt.Errorf("installing DNAT rules for ingress backends %+#v: %w", backendTargets, err)
-		}
-		// The backend might advertize MSS higher than that of the
-		// tailscale interfaces. Clamp MSS of packets going out via
-		// tailscale0 interface to its MTU to prevent broken connections
-		// in environments where path MTU discovery is not working.
-		if err := nfr.ClampMSSToPMTU("tailscale0", dst); err != nil {
-			return fmt.Errorf("adding rule to clamp traffic via tailscale0: %v", err)
-		}
-		return nil
-	}
-
-	if len(v4Backends) != 0 {
-		if !tsv4.IsValid() {
-			log.Printf("backend targets %v contain at least one IPv4 address, but this node's Tailscale IPs do not contain a valid IPv4 address: %v", backendAddrs, tsIPs)
-		} else if err := updateFirewall(tsv4, v4Backends); err != nil {
-			return fmt.Errorf("Installing IPv4 firewall rules: %w", err)
-		}
-	}
-	if len(v6Backends) != 0 && !tsv6.IsValid() {
-		if !tsv6.IsValid() {
-			log.Printf("backend targets %v contain at least one IPv6 address, but this node's Tailscale IPs do not contain a valid IPv6 address: %v", backendAddrs, tsIPs)
-		} else if !nfr.HasIPV6NAT() {
-			log.Printf("backend targets %v contain at least one IPv6 address, but the chosen firewall mode does not support IPv6 NAT", backendAddrs)
-		} else if err := updateFirewall(tsv6, v6Backends); err != nil {
-			return fmt.Errorf("Installing IPv6 firewall rules: %w", err)
-		}
-	}
-	return nil
-}
-
 // settings is all the configuration for containerboot.
 type settings struct {
 	AuthKey  string
 	Hostname string
 	Routes   *string
-	// ProxyTargetIP is the destination IP to which all incoming
+	// ProxyTo is the destination IP to which all incoming
 	// Tailscale traffic should be proxied. If empty, no proxying
 	// is done. This is typically a locally reachable IP.
-	ProxyTargetIP string
-	// ProxyTargetDNSName is a DNS name to whose backing IP addresses all
-	// incoming Tailscale traffic should be proxied.
-	ProxyTargetDNSName string
+	ProxyTo string
 	// TailnetTargetIP is the destination IP to which all incoming
 	// non-Tailscale traffic should be proxied. This is typically a
 	// Tailscale IP.
@@ -1128,55 +881,33 @@ type settings struct {
 	// TailnetTargetFQDN is an MagicDNS name to which all incoming
 	// non-Tailscale traffic should be proxied. This must be a full Tailnet
 	// node FQDN.
-	TailnetTargetFQDN             string
-	ServeConfigPath               string
-	DaemonExtraArgs               string
-	ExtraArgs                     string
-	InKubernetes                  bool
-	UserspaceMode                 bool
-	StateDir                      string
-	AcceptDNS                     *bool
-	KubeSecret                    string
-	SOCKSProxyAddr                string
-	HTTPProxyAddr                 string
-	Socket                        string
-	AuthOnce                      bool
-	Root                          string
-	KubernetesCanPatch            bool
-	TailscaledConfigFilePath      string
-	EnableForwardingOptimizations bool
-	// If set to true and, if this containerboot instance is a Kubernetes
-	// ingress proxy, set up rules to forward incoming cluster traffic to be
-	// forwarded to the ingress target in cluster.
-	AllowProxyingClusterTrafficViaIngress bool
-	// PodIP is the IP of the Pod if running in Kubernetes. This is used
-	// when setting up rules to proxy cluster traffic to cluster ingress
-	// target.
-	PodIP string
+	TailnetTargetFQDN        string
+	ServeConfigPath          string
+	DaemonExtraArgs          string
+	ExtraArgs                string
+	InKubernetes             bool
+	UserspaceMode            bool
+	StateDir                 string
+	AcceptDNS                *bool
+	KubeSecret               string
+	SOCKSProxyAddr           string
+	HTTPProxyAddr            string
+	Socket                   string
+	AuthOnce                 bool
+	Root                     string
+	KubernetesCanPatch       bool
+	TailscaledConfigFilePath string
 }

 func (s *settings) validate() error {
 	if s.TailscaledConfigFilePath != "" {
-		dir, file := path.Split(s.TailscaledConfigFilePath)
-		if _, err := os.Stat(dir); err != nil {
-			return fmt.Errorf("error validating whether directory with tailscaled config file %s exists: %w", dir, err)
-		}
-		if _, err := os.Stat(s.TailscaledConfigFilePath); err != nil {
-			return fmt.Errorf("error validating whether tailscaled config directory %q contains tailscaled config for current capability version %q: %w. If this is a Tailscale Kubernetes operator proxy, please ensure that the version of the operator is not older than the version of the proxy", dir, file, err)
-		}
 		if _, err := conffile.Load(s.TailscaledConfigFilePath); err != nil {
 			return fmt.Errorf("error validating tailscaled configfile contents: %w", err)
 		}
 	}
-	if s.ProxyTargetIP != "" && s.UserspaceMode {
+	if s.ProxyTo != "" && s.UserspaceMode {
 		return errors.New("TS_DEST_IP is not supported with TS_USERSPACE")
 	}
-	if s.ProxyTargetDNSName != "" && s.UserspaceMode {
-		return errors.New("TS_EXPERIMENTAL_DEST_DNS_NAME is not supported with TS_USERSPACE")
-	}
-	if s.ProxyTargetDNSName != "" && s.ProxyTargetIP != "" {
-		return errors.New("TS_EXPERIMENTAL_DEST_DNS_NAME and TS_DEST_IP cannot both be set")
-	}
 	if s.TailnetTargetIP != "" && s.UserspaceMode {
 		return errors.New("TS_TAILNET_TARGET_IP is not supported with TS_USERSPACE")
 	}
@@ -1187,45 +918,11 @@ func (s *settings) validate() error {
 		return errors.New("Both TS_TAILNET_TARGET_IP and TS_TAILNET_FQDN cannot be set")
 	}
 	if s.TailscaledConfigFilePath != "" && (s.AcceptDNS != nil || s.AuthKey != "" || s.Routes != nil || s.ExtraArgs != "" || s.Hostname != "") {
-		return errors.New("TS_EXPERIMENTAL_VERSIONED_CONFIG_DIR cannot be set in combination with TS_HOSTNAME, TS_EXTRA_ARGS, TS_AUTHKEY, TS_ROUTES, TS_ACCEPT_DNS.")
-	}
-	if s.AllowProxyingClusterTrafficViaIngress && s.UserspaceMode {
-		return errors.New("EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS is not supported in userspace mode")
-	}
-	if s.AllowProxyingClusterTrafficViaIngress && s.ServeConfigPath == "" {
-		return errors.New("EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS is set but this is not a cluster ingress proxy")
-	}
-	if s.AllowProxyingClusterTrafficViaIngress && s.PodIP == "" {
-		return errors.New("EXPERIMENTAL_ALLOW_PROXYING_CLUSTER_TRAFFIC_VIA_INGRESS is set but POD_IP is not set")
-	}
-	if s.EnableForwardingOptimizations && s.UserspaceMode {
-		return errors.New("TS_EXPERIMENTAL_ENABLE_FORWARDING_OPTIMIZATIONS is not supported in userspace mode")
+		return errors.New("EXPERIMENTAL_TS_CONFIGFILE_PATH cannot be set in combination with TS_HOSTNAME, TS_EXTRA_ARGS, TS_AUTHKEY, TS_ROUTES, TS_ACCEPT_DNS.")
 	}
 	return nil
 }

-func resolveDNS(ctx context.Context, name string) ([]net.IP, error) {
-	// TODO (irbekrm): look at using recursive.Resolver instead to resolve
-	// the DNS names as well as retrieve TTLs. It looks though that this
-	// seems to return very short TTLs (shorter than on the actual records).
-	ip4s, err := net.DefaultResolver.LookupIP(ctx, "ip4", name)
-	if err != nil {
-		if e, ok := err.(*net.DNSError); !(ok && e.IsNotFound) {
-			return nil, fmt.Errorf("error looking up IPv4 addresses: %v", err)
-		}
-	}
-	ip6s, err := net.DefaultResolver.LookupIP(ctx, "ip6", name)
-	if err != nil {
-		if e, ok := err.(*net.DNSError); !(ok && e.IsNotFound) {
-			return nil, fmt.Errorf("error looking up IPv6 addresses: %v", err)
-		}
-	}
-	if len(ip4s) == 0 && len(ip6s) == 0 {
-		return nil, fmt.Errorf("no IPv4 or IPv6 addresses found for host: %s", name)
-	}
-	return append(ip4s, ip6s...), nil
-}
-
 // defaultEnv returns the value of the given envvar name, or defVal if
 // unset.
 func defaultEnv(name, defVal string) string {
@@ -1322,55 +1019,3 @@ func isTwoStepConfigAlwaysAuth(cfg *settings) bool {
 func isOneStepConfig(cfg *settings) bool {
 	return cfg.TailscaledConfigFilePath != ""
 }
-
-// isL3Proxy returns true if the Tailscale node needs to be configured to act
-// as an L3 proxy, proxying to an endpoint provided via one of the config env
-// vars.
-func isL3Proxy(cfg *settings) bool {
-	return cfg.ProxyTargetIP != "" || cfg.ProxyTargetDNSName != "" || cfg.TailnetTargetIP != "" || cfg.TailnetTargetFQDN != "" || cfg.AllowProxyingClusterTrafficViaIngress
-}
-
-// hasKubeStateStore returns true if the state must be stored in a Kubernetes
-// Secret.
-func hasKubeStateStore(cfg *settings) bool {
-	return cfg.InKubernetes && cfg.KubernetesCanPatch && cfg.KubeSecret != ""
-}
-
-// tailscaledConfigFilePath returns the path to the tailscaled config file that
-// should be used for the current capability version. It is determined by the
-// TS_EXPERIMENTAL_VERSIONED_CONFIG_DIR environment variable and looks for a
-// file named cap-<capability_version>.hujson in the directory. It searches for
-// the highest capability version that is less than or equal to the current
-// capability version.
-func tailscaledConfigFilePath() string {
-	dir := os.Getenv("TS_EXPERIMENTAL_VERSIONED_CONFIG_DIR")
-	if dir == "" {
-		return ""
-	}
-	fe, err := os.ReadDir(dir)
-	if err != nil {
-		log.Fatalf("error reading tailscaled config directory %q: %v", dir, err)
-	}
-	maxCompatVer := tailcfg.CapabilityVersion(-1)
-	for _, e := range fe {
-		// We don't check if type if file as in most cases this will
-		// come from a mounted kube Secret, where the directory contents
-		// will be various symlinks.
-		if e.Type().IsDir() {
-			continue
-		}
-		cv, err := kubeutils.CapVerFromFileName(e.Name())
-		if err != nil {
-			log.Printf("skipping file %q in tailscaled config directory %q: %v", e.Name(), dir, err)
-			continue
-		}
-		if cv > maxCompatVer && cv <= tailcfg.CurrentCapabilityVersion {
-			maxCompatVer = cv
-		}
-	}
-	if maxCompatVer == -1 {
-		log.Fatalf("no tailscaled config file found in %q for current capability version %q", dir, tailcfg.CurrentCapabilityVersion)
-	}
-	log.Printf("Using tailscaled config file %q for capability version %q", maxCompatVer, tailcfg.CurrentCapabilityVersion)
-	return path.Join(dir, kubeutils.TailscaledConfigFileNameForCap(maxCompatVer))
-}
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -52,7 +52,7 @@ func TestContainerBoot(t *testing.T) {
 	}
 	defer kube.Close()

-	tailscaledConf := &ipn.ConfigVAlpha{AuthKey: ptr.To("foo"), Version: "alpha0"}
+	tailscaledConf := &ipn.ConfigVAlpha{AuthKey: func(s string) *string { return &s }("foo"), Version: "alpha0"}
 	tailscaledConfBytes, err := json.Marshal(tailscaledConf)
 	if err != nil {
 		t.Fatalf("error unmarshaling tailscaled config: %v", err)
@@ -65,7 +65,7 @@ func TestContainerBoot(t *testing.T) {
 		"dev/net",
 		"proc/sys/net/ipv4",
 		"proc/sys/net/ipv6/conf/all",
-		"etc/tailscaled",
+		"etc",
 	}
 	for _, path := range dirs {
 		if err := os.MkdirAll(filepath.Join(d, path), 0700); err != nil {
@@ -80,7 +80,7 @@ func TestContainerBoot(t *testing.T) {
 		"dev/net/tun":                           []byte(""),
 		"proc/sys/net/ipv4/ip_forward":          []byte("0"),
 		"proc/sys/net/ipv6/conf/all/forwarding": []byte("0"),
-		"etc/tailscaled/cap-95.hujson":          tailscaledConfBytes,
+		"etc/tailscaled":                        tailscaledConfBytes,
 	}
 	resetFiles := func() {
 		for path, content := range files {
@@ -116,9 +116,6 @@ func TestContainerBoot(t *testing.T) {
 		// WantFiles files that should exist in the container and their
 		// contents.
 		WantFiles map[string]string
-		// WantFatalLog is the fatal log message we expect from containerboot.
-		// If set for a phase, the test will finish on that phase.
-		WantFatalLog string
 	}
 	runningNotify := &ipn.Notify{
 		State: ptr.To(ipn.Running),
@@ -352,57 +349,12 @@ func TestContainerBoot(t *testing.T) {
 						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
 						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
 					},
-					WantFiles: map[string]string{
-						"proc/sys/net/ipv4/ip_forward":          "1",
-						"proc/sys/net/ipv6/conf/all/forwarding": "0",
-					},
 				},
 				{
 					Notify: runningNotify,
 				},
 			},
 		},
-		{
-			Name: "egress_proxy_fqdn_ipv6_target_on_ipv4_host",
-			Env: map[string]string{
-				"TS_AUTHKEY":               "tskey-key",
-				"TS_TAILNET_TARGET_FQDN":   "ipv6-node.test.ts.net", // resolves to IPv6 address
-				"TS_USERSPACE":             "false",
-				"TS_TEST_FAKE_NETFILTER_6": "false",
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp",
-						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
-					},
-					WantFiles: map[string]string{
-						"proc/sys/net/ipv4/ip_forward":          "1",
-						"proc/sys/net/ipv6/conf/all/forwarding": "0",
-					},
-				},
-				{
-					Notify: &ipn.Notify{
-						State: ptr.To(ipn.Running),
-						NetMap: &netmap.NetworkMap{
-							SelfNode: (&tailcfg.Node{
-								StableID:  tailcfg.StableNodeID("myID"),
-								Name:      "test-node.test.ts.net",
-								Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
-							}).View(),
-							Peers: []tailcfg.NodeView{
-								(&tailcfg.Node{
-									StableID:  tailcfg.StableNodeID("ipv6ID"),
-									Name:      "ipv6-node.test.ts.net",
-									Addresses: []netip.Prefix{netip.MustParsePrefix("::1/128")},
-								}).View(),
-							},
-						},
-					},
-					WantFatalLog: "no forwarding rules for egress addresses [::1/128], host supports IPv6: false",
-				},
-			},
-		},
 		{
 			Name: "authkey_once",
 			Env: map[string]string{
@@ -686,14 +638,14 @@ func TestContainerBoot(t *testing.T) {
 			},
 		},
 		{
-			Name: "experimental tailscaled config path",
+			Name: "experimental tailscaled configfile",
 			Env: map[string]string{
-				"TS_EXPERIMENTAL_VERSIONED_CONFIG_DIR": filepath.Join(d, "etc/tailscaled/"),
+				"EXPERIMENTAL_TS_CONFIGFILE_PATH": filepath.Join(d, "etc/tailscaled"),
 			},
 			Phases: []phase{
 				{
 					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --config=/etc/tailscaled/cap-95.hujson",
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --config=/etc/tailscaled",
 					},
 				}, {
 					Notify: runningNotify,
@@ -745,25 +697,6 @@ func TestContainerBoot(t *testing.T) {
 			var wantCmds []string
 			for i, p := range test.Phases {
 				lapi.Notify(p.Notify)
-				if p.WantFatalLog != "" {
-					err := tstest.WaitFor(2*time.Second, func() error {
-						state, err := cmd.Process.Wait()
-						if err != nil {
-							return err
-						}
-						if state.ExitCode() != 1 {
-							return fmt.Errorf("process exited with code %d but wanted %d", state.ExitCode(), 1)
-						}
-						waitLogLine(t, time.Second, cbOut, p.WantFatalLog)
-						return nil
-					})
-					if err != nil {
-						t.Fatal(err)
-					}
-
-					// Early test return, we don't expect the successful startup log message.
-					return
-				}
 				wantCmds = append(wantCmds, p.WantCmds...)
 				waitArgs(t, 2*time.Second, d, argFile, strings.Join(wantCmds, "\n"))
 				err := tstest.WaitFor(2*time.Second, func() error {
--- a/cmd/derper/README.md
+++ b/cmd/derper/README.md
@@ -1,109 +0,0 @@
-# DERP
-
-This is the code for the [Tailscale DERP server](https://tailscale.com/kb/1232/derp-servers).
-
-In general, you should not need to or want to run this code. The overwhelming
-majority of Tailscale users (both individuals and companies) do not.
-
-In the happy path, Tailscale establishes direct connections between peers and
-data plane traffic flows directly between them, without using DERP for more than
-acting as a low bandwidth side channel to bootstrap the NAT traversal. If you
-find yourself wanting DERP for more bandwidth, the real problem is usually the
-network configuration of your Tailscale node(s), making sure that Tailscale can
-get direction connections via some mechanism.
-
-If you've decided or been advised to run your own `derper`, then read on.
-
-## Caveats
-
-* Node sharing and other cross-Tailnet features don't work when using custom
-  DERP servers.
-
-* DERP servers only see encrypted WireGuard packets and thus are not useful for
-  network-level debugging.
-
-* The Tailscale control plane does certain geo-level steering features and
-  optimizations that are not available when using custom DERP servers.
-
-## Guide to running `cmd/derper`
-
-* You must build and update the `cmd/derper` binary yourself. There are no
-  packages. Use `go install tailscale.com/cmd/derper@latest` with the latest
-  version of Go. You should update this binary approximately as regularly as
-  you update Tailscale nodes. If using `--verify-clients`, the `derper` binary
-  and `tailscaled` binary on the machine must be built from the same git revision.
-  (It might work otherwise, but they're developed and only tested together.)
-
-* The DERP protocol does a protocol switch inside TLS from HTTP to a custom
-  bidirectional binary protocol. It is thus incompatible with many HTTP proxies.
-  Do not put `derper` behind another HTTP proxy.
-
-* The `tailscaled` client does its own selection of the fastest/nearest DERP
-  server based on latency measurements. Do not put `derper` behind a global load
-  balancer.
-
-* DERP servers should ideally have both a static IPv4 and static IPv6 address.
-Both of those should be listed in the DERP map so the client doesn't need to
-rely on its DNS which might be broken and dependent on DERP to get back up.
-
-* A DERP server should not share an IP address with any other DERP server.
-
-* Avoid having multiple DERP nodes in a region. If you must, they all need to be
-  meshed with each other and monitored. Having two one-node "regions" in the
-  same datacenter is usually easier and more reliable than meshing, at the cost
-  of more required connections from clients in some cases. If your clients
-  aren't mobile (battery constrained), one node regions are definitely
-  preferred. If you really need multiple nodes in a region for HA reasons, two
-  is sufficient.
-
-* Monitor your DERP servers with [`cmd/derpprobe`](../derpprobe/).
-
-* If using `--verify-clients`, a `tailscaled` must be running alongside the
-  `derper`, and all clients must be visible to the derper tailscaled in the ACL.
-
-* If using `--verify-clients`, a `tailscaled` must also be running alongside
-  your `derpprobe`, and `derpprobe` needs to use `--derp-map=local`.
-
-* The firewall on the `derper` should permit TCP ports 80 and 443 and UDP port
-  3478.
-
-* Only LetsEncrypt certs are rotated automatically. Other cert updates require a
-  restart.
-
-* Don't use a firewall in front of `derper` that suppresses `RST`s upon
-  receiving traffic to a dead or unknown connection.
-
-* Don't rate-limit UDP STUN packets.
-
-* Don't rate-limit outbound TCP traffic (only inbound).
-
-## Diagnostics
-
-This is not a complete guide on DERP diagnostics.
-
-Running your own DERP services requires exeprtise in multi-layer network and
-application diagnostics. As the DERP runs multiple protocols at multiple layers
-and is not a regular HTTP(s) server you will need expertise in correlative
-analysis to diagnose the most tricky problems. There is no "plain text" or
-"open" mode of operation for DERP.
-
-* The debug handler is accessible at URL path `/debug/`. It is only accessible
-  over localhost or from a Tailscale IP address.
-
-* Go pprof can be accessed via the debug handler at `/debug/pprof/`
-
-* Prometheus compatible metrics can be gathered from the debug handler at
-  `/debug/varz`.
-
-* `cmd/stunc` in the Tailscale repository provides a basic tool for diagnosing
-  issues with STUN.
-
-* `cmd/derpprobe` provides a service for monitoring DERP cluster health.
-
-* `tailscale debug derp` and `tailscale netcheck` provide additional client
-  driven diagnostic information for DERP communications.
-
-* Tailscale logs may provide insight for certain problems, such as if DERPs are
-  unreachable or peers are regularly not reachable in their DERP home regions.
-  There are many possible misconfiguration causes for these problems, but
-  regular log entries are a good first indicator that there is a problem.
--- a/cmd/derper/bootstrap_dns.go
+++ b/cmd/derper/bootstrap_dns.go
@@ -5,45 +5,35 @@ package main

 import (
 	"context"
-	"encoding/binary"
 	"encoding/json"
 	"expvar"
 	"log"
-	"math/rand/v2"
 	"net"
 	"net/http"
-	"net/netip"
-	"strconv"
 	"strings"
-	"sync/atomic"
 	"time"

 	"tailscale.com/syncs"
-	"tailscale.com/util/mak"
 	"tailscale.com/util/slicesx"
 )

 const refreshTimeout = time.Minute

-type dnsEntryMap struct {
-	IPs     map[string][]net.IP
-	Percent map[string]float64 // "foo.com" => 0.5 for 50%
-}
+type dnsEntryMap map[string][]net.IP

 var (
-	dnsCache            atomic.Pointer[dnsEntryMap]
+	dnsCache            syncs.AtomicValue[dnsEntryMap]
 	dnsCacheBytes       syncs.AtomicValue[[]byte] // of JSON
-	unpublishedDNSCache atomic.Pointer[dnsEntryMap]
+	unpublishedDNSCache syncs.AtomicValue[dnsEntryMap]
 	bootstrapLookupMap  syncs.Map[string, bool]
 )

 var (
-	bootstrapDNSRequests        = expvar.NewInt("counter_bootstrap_dns_requests")
-	publishedDNSHits            = expvar.NewInt("counter_bootstrap_dns_published_hits")
-	publishedDNSMisses          = expvar.NewInt("counter_bootstrap_dns_published_misses")
-	unpublishedDNSHits          = expvar.NewInt("counter_bootstrap_dns_unpublished_hits")
-	unpublishedDNSMisses        = expvar.NewInt("counter_bootstrap_dns_unpublished_misses")
-	unpublishedDNSPercentMisses = expvar.NewInt("counter_bootstrap_dns_unpublished_percent_misses")
+	bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")
+	publishedDNSHits     = expvar.NewInt("counter_bootstrap_dns_published_hits")
+	publishedDNSMisses   = expvar.NewInt("counter_bootstrap_dns_published_misses")
+	unpublishedDNSHits   = expvar.NewInt("counter_bootstrap_dns_unpublished_hits")
+	unpublishedDNSMisses = expvar.NewInt("counter_bootstrap_dns_unpublished_misses")
 )

 func init() {
@@ -69,13 +59,15 @@ func refreshBootstrapDNS() {
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
 	defer cancel()
-	dnsEntries := resolveList(ctx, *bootstrapDNS)
+	dnsEntries := resolveList(ctx, strings.Split(*bootstrapDNS, ","))
 	// Randomize the order of the IPs for each name to avoid the client biasing
 	// to IPv6
-	for _, vv := range dnsEntries.IPs {
-		slicesx.Shuffle(vv)
+	for k := range dnsEntries {
+		ips := dnsEntries[k]
+		slicesx.Shuffle(ips)
+		dnsEntries[k] = ips
 	}
-	j, err := json.MarshalIndent(dnsEntries.IPs, "", "\t")
+	j, err := json.MarshalIndent(dnsEntries, "", "\t")
 	if err != nil {
 		// leave the old values in place
 		return
@@ -89,50 +81,27 @@ func refreshUnpublishedDNS() {
 	if *unpublishedDNS == "" {
 		return
 	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
 	defer cancel()
-	dnsEntries := resolveList(ctx, *unpublishedDNS)
+
+	dnsEntries := resolveList(ctx, strings.Split(*unpublishedDNS, ","))
 	unpublishedDNSCache.Store(dnsEntries)
 }

-// resolveList takes a comma-separated list of DNS names to resolve.
-//
-// If an entry contains a slash, it's two DNS names: the first is the one to
-// resolve and the second is that of a TXT recording containing the rollout
-// percentage in range "0".."100". If the TXT record doesn't exist or is
-// malformed, the percentage is 0. If the TXT record is not provided (there's no
-// slash), then the percentage is 100.
-func resolveList(ctx context.Context, list string) *dnsEntryMap {
-	ents := strings.Split(list, ",")
-
-	ret := &dnsEntryMap{}
+func resolveList(ctx context.Context, names []string) dnsEntryMap {
+	dnsEntries := make(dnsEntryMap)

 	var r net.Resolver
-	for _, ent := range ents {
-		name, txtName, _ := strings.Cut(ent, "/")
+	for _, name := range names {
 		addrs, err := r.LookupIP(ctx, "ip", name)
 		if err != nil {
 			log.Printf("bootstrap DNS lookup %q: %v", name, err)
 			continue
 		}
-		mak.Set(&ret.IPs, name, addrs)
-
-		if txtName == "" {
-			mak.Set(&ret.Percent, name, 1.0)
-			continue
-		}
-		vals, err := r.LookupTXT(ctx, txtName)
-		if err != nil {
-			log.Printf("bootstrap DNS lookup %q: %v", txtName, err)
-			continue
-		}
-		for _, v := range vals {
-			if v, err := strconv.Atoi(v); err == nil && v >= 0 && v <= 100 {
-				mak.Set(&ret.Percent, name, float64(v)/100)
-			}
-		}
+		dnsEntries[name] = addrs
 	}
-	return ret
+	return dnsEntries
 }

 func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
@@ -146,36 +115,22 @@ func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
 	// Try answering a query from our hidden map first
 	if q := r.URL.Query().Get("q"); q != "" {
 		bootstrapLookupMap.Store(q, true)
-		if bootstrapLookupMap.Len() > 500 { // defensive
-			bootstrapLookupMap.Clear()
-		}
-		if m := unpublishedDNSCache.Load(); m != nil && len(m.IPs[q]) > 0 {
+		if ips, ok := unpublishedDNSCache.Load()[q]; ok && len(ips) > 0 {
 			unpublishedDNSHits.Add(1)

-			percent := m.Percent[q]
-			if remoteAddrMatchesPercent(r.RemoteAddr, percent) {
-				// Only return the specific query, not everything.
-				m := map[string][]net.IP{q: m.IPs[q]}
-				j, err := json.MarshalIndent(m, "", "\t")
-				if err == nil {
-					w.Write(j)
-					return
-				}
-			} else {
-				unpublishedDNSPercentMisses.Add(1)
+			// Only return the specific query, not everything.
+			m := dnsEntryMap{q: ips}
+			j, err := json.MarshalIndent(m, "", "\t")
+			if err == nil {
+				w.Write(j)
+				return
 			}
 		}

 		// If we have a "q" query for a name in the published cache
 		// list, then track whether that's a hit/miss.
-		m := dnsCache.Load()
-		var inPub bool
-		var ips []net.IP
-		if m != nil {
-			ips, inPub = m.IPs[q]
-		}
-		if inPub {
-			if len(ips) > 0 {
+		if m, ok := dnsCache.Load()[q]; ok {
+			if len(m) > 0 {
 				publishedDNSHits.Add(1)
 			} else {
 				publishedDNSMisses.Add(1)
@@ -191,29 +146,3 @@ func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
 	j := dnsCacheBytes.Load()
 	w.Write(j)
 }
-
-// percent is [0.0, 1.0].
-func remoteAddrMatchesPercent(remoteAddr string, percent float64) bool {
-	if percent == 0 {
-		return false
-	}
-	if percent == 1 {
-		return true
-	}
-	reqIPStr, _, err := net.SplitHostPort(remoteAddr)
-	if err != nil {
-		return false
-	}
-	reqIP, err := netip.ParseAddr(reqIPStr)
-	if err != nil {
-		return false
-	}
-	if reqIP.IsLoopback() {
-		// For local testing.
-		return rand.Float64() < 0.5
-	}
-	reqIP16 := reqIP.As16()
-	rndSrc := rand.NewPCG(binary.LittleEndian.Uint64(reqIP16[:8]), binary.LittleEndian.Uint64(reqIP16[8:]))
-	rnd := rand.New(rndSrc)
-	return percent > rnd.Float64()
-}
--- a/cmd/derper/bootstrap_dns_test.go
+++ b/cmd/derper/bootstrap_dns_test.go
@@ -4,19 +4,15 @@
 package main

 import (
-	"bytes"
 	"encoding/json"
-	"io"
 	"net"
 	"net/http"
 	"net/http/httptest"
-	"net/netip"
 	"net/url"
 	"reflect"
 	"testing"

 	"tailscale.com/tstest"
-	"tailscale.com/tstest/nettest"
 )

 func BenchmarkHandleBootstrapDNS(b *testing.B) {
@@ -41,7 +37,7 @@ func (b *bitbucketResponseWriter) Write(p []byte) (int, error) { return len(p),

 func (b *bitbucketResponseWriter) WriteHeader(statusCode int) {}

-func getBootstrapDNS(t *testing.T, q string) map[string][]net.IP {
+func getBootstrapDNS(t *testing.T, q string) dnsEntryMap {
 	t.Helper()
 	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape(q), nil)
 	w := httptest.NewRecorder()
@@ -51,17 +47,14 @@ func getBootstrapDNS(t *testing.T, q string) map[string][]net.IP {
 	if res.StatusCode != 200 {
 		t.Fatalf("got status=%d; want %d", res.StatusCode, 200)
 	}
-	var m map[string][]net.IP
-	var buf bytes.Buffer
-	if err := json.NewDecoder(io.TeeReader(res.Body, &buf)).Decode(&m); err != nil {
-		t.Fatalf("error decoding response body %q: %v", buf.Bytes(), err)
+	var ips dnsEntryMap
+	if err := json.NewDecoder(res.Body).Decode(&ips); err != nil {
+		t.Fatalf("error decoding response body: %v", err)
 	}
-	return m
+	return ips
 }

 func TestUnpublishedDNS(t *testing.T) {
-	nettest.SkipIfNoNetwork(t)
-
 	const published = "login.tailscale.com"
 	const unpublished = "log.tailscale.io"

@@ -111,21 +104,15 @@ func resetMetrics() {
 // Verify that we don't count an empty list in the unpublishedDNSCache as a
 // cache hit in our metrics.
 func TestUnpublishedDNSEmptyList(t *testing.T) {
-	pub := &dnsEntryMap{
-		IPs: map[string][]net.IP{"tailscale.com": {net.IPv4(10, 10, 10, 10)}},
+	pub := dnsEntryMap{
+		"tailscale.com": {net.IPv4(10, 10, 10, 10)},
 	}
 	dnsCache.Store(pub)
 	dnsCacheBytes.Store([]byte(`{"tailscale.com":["10.10.10.10"]}`))

-	unpublishedDNSCache.Store(&dnsEntryMap{
-		IPs: map[string][]net.IP{
-			"log.tailscale.io":           {},
-			"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)},
-		},
-		Percent: map[string]float64{
-			"log.tailscale.io":           1.0,
-			"controlplane.tailscale.com": 1.0,
-		},
+	unpublishedDNSCache.Store(dnsEntryMap{
+		"log.tailscale.io":           {},
+		"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)},
 	})

 	t.Run("CacheMiss", func(t *testing.T) {
@@ -135,8 +122,8 @@ func TestUnpublishedDNSEmptyList(t *testing.T) {
 			ips := getBootstrapDNS(t, q)

 			// Expected our public map to be returned on a cache miss
-			if !reflect.DeepEqual(ips, pub.IPs) {
-				t.Errorf("got ips=%+v; want %+v", ips, pub.IPs)
+			if !reflect.DeepEqual(ips, pub) {
+				t.Errorf("got ips=%+v; want %+v", ips, pub)
 			}
 			if v := unpublishedDNSHits.Value(); v != 0 {
 				t.Errorf("got hits=%d; want 0", v)
@@ -151,7 +138,7 @@ func TestUnpublishedDNSEmptyList(t *testing.T) {
 	t.Run("CacheHit", func(t *testing.T) {
 		resetMetrics()
 		ips := getBootstrapDNS(t, "controlplane.tailscale.com")
-		want := map[string][]net.IP{"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)}}
+		want := dnsEntryMap{"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)}}
 		if !reflect.DeepEqual(ips, want) {
 			t.Errorf("got ips=%+v; want %+v", ips, want)
 		}
@@ -176,54 +163,3 @@ func TestLookupMetric(t *testing.T) {
 		t.Errorf("bootstrapLookupMap.Len() want=5, got %v", bootstrapLookupMap.Len())
 	}
 }
-
-func TestRemoteAddrMatchesPercent(t *testing.T) {
-	tests := []struct {
-		remoteAddr string
-		percent    float64
-		want       bool
-	}{
-		// 0% and 100%.
-		{"10.0.0.1:1234", 0.0, false},
-		{"10.0.0.1:1234", 1.0, true},
-
-		// Invalid IP.
-		{"", 1.0, true},
-		{"", 0.0, false},
-		{"", 0.5, false},
-
-		// Small manual sample at 50%. The func uses a deterministic PRNG seed.
-		{"1.2.3.4:567", 0.5, true},
-		{"1.2.3.5:567", 0.5, true},
-		{"1.2.3.6:567", 0.5, false},
-		{"1.2.3.7:567", 0.5, true},
-		{"1.2.3.8:567", 0.5, false},
-		{"1.2.3.9:567", 0.5, true},
-		{"1.2.3.10:567", 0.5, true},
-	}
-	for _, tt := range tests {
-		got := remoteAddrMatchesPercent(tt.remoteAddr, tt.percent)
-		if got != tt.want {
-			t.Errorf("remoteAddrMatchesPercent(%q, %v) = %v; want %v", tt.remoteAddr, tt.percent, got, tt.want)
-		}
-	}
-
-	var match, all int
-	const wantPercent = 0.5
-	for a := range 256 {
-		for b := range 256 {
-			all++
-			if remoteAddrMatchesPercent(
-				netip.AddrPortFrom(netip.AddrFrom4([4]byte{1, 2, byte(a), byte(b)}), 12345).String(),
-				wantPercent) {
-				match++
-			}
-		}
-	}
-	gotPercent := float64(match) / float64(all)
-	const tolerance = 0.005
-	t.Logf("got percent %v (goal %v)", gotPercent, wantPercent)
-	if gotPercent < wantPercent-tolerance || gotPercent > wantPercent+tolerance {
-		t.Errorf("got %v; want %v ± %v", gotPercent, wantPercent, tolerance)
-	}
-}
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -10,25 +10,22 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
   W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
-        github.com/go-json-experiment/json                           from tailscale.com/types/opt
-        github.com/go-json-experiment/json/internal                  from github.com/go-json-experiment/json+
-        github.com/go-json-experiment/json/internal/jsonflags        from github.com/go-json-experiment/json+
-        github.com/go-json-experiment/json/internal/jsonopts         from github.com/go-json-experiment/json+
-        github.com/go-json-experiment/json/internal/jsonwire         from github.com/go-json-experiment/json+
-        github.com/go-json-experiment/json/jsontext                  from github.com/go-json-experiment/json+
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
+        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil
   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
   L    github.com/google/nftables/expr                              from github.com/google/nftables+
   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
-        github.com/google/uuid                                       from tailscale.com/util/fastuuid
+        github.com/google/uuid                                       from tailscale.com/tsweb
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/netmon
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
-   L 💣 github.com/mdlayher/netlink                                  from github.com/google/nftables+
+        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
+        github.com/matttproud/golang_protobuf_extensions/pbutil      from github.com/prometheus/common/expfmt
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
@@ -52,15 +49,13 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
-        go4.org/netipx                                               from tailscale.com/net/tsaddr
-   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/netmon+
-        google.golang.org/protobuf/encoding/protodelim               from github.com/prometheus/common/expfmt
-        google.golang.org/protobuf/encoding/prototext                from github.com/prometheus/common/expfmt+
-        google.golang.org/protobuf/encoding/protowire                from google.golang.org/protobuf/encoding/protodelim+
+        go4.org/netipx                                               from tailscale.com/wgengine/filter+
+   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
+        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
        google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
-        google.golang.org/protobuf/internal/editiondefaults          from google.golang.org/protobuf/internal/filedesc
        google.golang.org/protobuf/internal/encoding/defval          from google.golang.org/protobuf/internal/encoding/tag+
        google.golang.org/protobuf/internal/encoding/messageset      from google.golang.org/protobuf/encoding/prototext+
        google.golang.org/protobuf/internal/encoding/tag             from google.golang.org/protobuf/internal/impl
@@ -76,15 +71,16 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        google.golang.org/protobuf/internal/set                      from google.golang.org/protobuf/encoding/prototext
     💣 google.golang.org/protobuf/internal/strs                     from google.golang.org/protobuf/encoding/prototext+
        google.golang.org/protobuf/internal/version                  from google.golang.org/protobuf/runtime/protoimpl
-        google.golang.org/protobuf/proto                             from github.com/prometheus/client_golang/prometheus+
-     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/prometheus/client_model/go+
-        google.golang.org/protobuf/reflect/protoregistry             from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/runtime/protoiface                from google.golang.org/protobuf/internal/impl+
-        google.golang.org/protobuf/runtime/protoimpl                 from github.com/prometheus/client_model/go+
+        google.golang.org/protobuf/proto                             from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/reflect/protodesc                 from github.com/golang/protobuf/proto
+     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/reflect/protoregistry             from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/runtime/protoiface                from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
+        google.golang.org/protobuf/types/descriptorpb                from google.golang.org/protobuf/reflect/protodesc
        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
        nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
-        nhooyr.io/websocket/internal/util                            from nhooyr.io/websocket
        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
        tailscale.com                                                from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/cmd/derper+
@@ -93,20 +89,21 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/derp                                           from tailscale.com/cmd/derper+
        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/derper
        tailscale.com/disco                                          from tailscale.com/derp
-        tailscale.com/drive                                          from tailscale.com/client/tailscale+
-        tailscale.com/envknob                                        from tailscale.com/client/tailscale+
-        tailscale.com/health                                         from tailscale.com/net/tlsdial+
-        tailscale.com/hostinfo                                       from tailscale.com/net/netmon+
+        tailscale.com/envknob                                        from tailscale.com/derp+
+        tailscale.com/health                                         from tailscale.com/net/tlsdial
+        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
        tailscale.com/ipn                                            from tailscale.com/client/tailscale
        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
        tailscale.com/metrics                                        from tailscale.com/cmd/derper+
        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
-        tailscale.com/net/ktimeout                                   from tailscale.com/cmd/derper
+        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
+     💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netns+
        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
        tailscale.com/net/netknob                                    from tailscale.com/net/netns
-     💣 tailscale.com/net/netmon                                     from tailscale.com/derp/derphttp+
-     💣 tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
+        tailscale.com/net/netmon                                     from tailscale.com/net/sockstats+
+        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
+        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
        tailscale.com/net/sockstats                                  from tailscale.com/derp/derphttp
        tailscale.com/net/stun                                       from tailscale.com/net/stunserver
        tailscale.com/net/stunserver                                 from tailscale.com/cmd/derper
@@ -120,17 +117,17 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/syncs                                          from tailscale.com/cmd/derper+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
        tailscale.com/tka                                            from tailscale.com/client/tailscale+
-   W    tailscale.com/tsconst                                        from tailscale.com/net/netmon+
+   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/derp+
        tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/derp
+        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
        tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
        tailscale.com/types/empty                                    from tailscale.com/ipn
-        tailscale.com/types/ipproto                                  from tailscale.com/tailcfg+
-        tailscale.com/types/key                                      from tailscale.com/client/tailscale+
+        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
+        tailscale.com/types/key                                      from tailscale.com/cmd/derper+
        tailscale.com/types/lazy                                     from tailscale.com/version+
        tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
        tailscale.com/types/netmap                                   from tailscale.com/ipn
@@ -139,36 +136,34 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/types/preftype                                 from tailscale.com/ipn
        tailscale.com/types/ptr                                      from tailscale.com/hostinfo+
        tailscale.com/types/structs                                  from tailscale.com/ipn+
-        tailscale.com/types/tkatype                                  from tailscale.com/client/tailscale+
-        tailscale.com/types/views                                    from tailscale.com/ipn+
-        tailscale.com/util/cibuild                                   from tailscale.com/health
-        tailscale.com/util/clientmetric                              from tailscale.com/net/netmon+
+        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
+        tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
+        tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy+
        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
+        tailscale.com/util/cmpx                                      from tailscale.com/cmd/derper+
        tailscale.com/util/ctxkey                                    from tailscale.com/tsweb+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
-        tailscale.com/util/fastuuid                                  from tailscale.com/tsweb
        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns
-        tailscale.com/util/mak                                       from tailscale.com/health+
+        tailscale.com/util/mak                                       from tailscale.com/syncs+
        tailscale.com/util/multierr                                  from tailscale.com/health+
        tailscale.com/util/nocasemaps                                from tailscale.com/types/ipproto
-        tailscale.com/util/set                                       from tailscale.com/derp+
+        tailscale.com/util/set                                       from tailscale.com/health+
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
        tailscale.com/util/slicesx                                   from tailscale.com/cmd/derper+
        tailscale.com/util/syspolicy                                 from tailscale.com/ipn
-        tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
+        tailscale.com/util/vizerror                                  from tailscale.com/tsweb+
   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
-   W 💣 tailscale.com/util/winutil/winenv                            from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/derp+
-        tailscale.com/version/distro                                 from tailscale.com/envknob+
-        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap
+        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
+        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
        golang.org/x/crypto/acme                                     from golang.org/x/crypto/acme/autocert
        golang.org/x/crypto/acme/autocert                            from tailscale.com/cmd/derper
        golang.org/x/crypto/argon2                                   from tailscale.com/tka
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/argon2+
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
        golang.org/x/crypto/blake2s                                  from tailscale.com/tka
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
@@ -179,7 +174,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-   W    golang.org/x/exp/constraints                                 from tailscale.com/util/winutil
   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http
@@ -189,10 +183,10 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
-        golang.org/x/sys/cpu                                         from github.com/josharian/native+
-  LD    golang.org/x/sys/unix                                        from github.com/google/nftables+
-   W    golang.org/x/sys/windows                                     from github.com/dblohm7/wingoes+
-   W    golang.org/x/sys/windows/registry                            from github.com/dblohm7/wingoes+
+        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
+  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
+   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
+   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
@@ -204,10 +198,10 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        bytes                                                        from bufio+
        cmp                                                          from slices+
        compress/flate                                               from compress/gzip+
-        compress/gzip                                                from google.golang.org/protobuf/internal/impl+
+        compress/gzip                                                from internal/profile+
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
-        crypto                                                       from crypto/ecdh+
+        crypto                                                       from crypto/ecdsa+
        crypto/aes                                                   from crypto/ecdsa+
        crypto/cipher                                                from crypto/aes+
        crypto/des                                                   from crypto/tls+
@@ -232,15 +226,15 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from github.com/fxamacker/cbor/v2+
+        encoding/base32                                              from tailscale.com/tka+
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
        encoding/json                                                from expvar+
        encoding/pem                                                 from crypto/tls+
        errors                                                       from bufio+
-        expvar                                                       from github.com/prometheus/client_golang/prometheus+
-        flag                                                         from tailscale.com/cmd/derper
+        expvar                                                       from tailscale.com/cmd/derper+
+        flag                                                         from tailscale.com/cmd/derper+
        fmt                                                          from compress/flate+
        go/token                                                     from google.golang.org/protobuf/internal/strs
        hash                                                         from crypto+
@@ -253,13 +247,12 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        io/ioutil                                                    from github.com/mitchellh/go-ps+
        log                                                          from expvar+
        log/internal                                                 from log
-        maps                                                         from tailscale.com/ipn+
+        maps                                                         from tailscale.com/types/views+
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
        math/bits                                                    from compress/flate+
        math/rand                                                    from github.com/mdlayher/netlink+
-        math/rand/v2                                                 from tailscale.com/util/fastuuid+
-        mime                                                         from github.com/prometheus/common/expfmt+
+        mime                                                         from mime/multipart+
        mime/multipart                                               from net/http
        mime/quotedprintable                                         from mime/multipart
        net                                                          from crypto/tls+
@@ -271,18 +264,18 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
-        os/exec                                                      from github.com/coreos/go-iptables/iptables+
+        os/exec                                                      from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
        os/signal                                                    from tailscale.com/cmd/derper
   W    os/user                                                      from tailscale.com/util/winutil
-        path                                                         from github.com/prometheus/client_golang/prometheus/internal+
+        path                                                         from golang.org/x/crypto/acme/autocert+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
-        regexp                                                       from github.com/coreos/go-iptables/iptables+
+        regexp                                                       from internal/profile+
        regexp/syntax                                                from regexp
-        runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
+        runtime/debug                                                from golang.org/x/crypto/acme+
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
-        runtime/trace                                                from net/http/pprof
+        runtime/trace                                                from net/http/pprof+
        slices                                                       from tailscale.com/ipn/ipnstate+
        sort                                                         from compress/flate+
        strconv                                                      from compress/flate+
@@ -290,6 +283,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        sync                                                         from compress/flate+
        sync/atomic                                                  from context+
        syscall                                                      from crypto/rand+
+        testing                                                      from tailscale.com/util/syspolicy
        text/tabwriter                                               from runtime/pprof
        time                                                         from compress/gzip+
        unicode                                                      from bytes+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -2,16 +2,9 @@
 // SPDX-License-Identifier: BSD-3-Clause

 // The derper binary is a simple DERP server.
-//
-// For more information, see:
-//
-//   - About: https://tailscale.com/kb/1232/derp-servers
-//   - Protocol & Go docs: https://pkg.go.dev/tailscale.com/derp
-//   - Running a DERP server: https://github.com/tailscale/tailscale/tree/main/cmd/derper#derp
 package main // import "tailscale.com/cmd/derper"

 import (
-	"cmp"
 	"context"
 	"crypto/tls"
 	"encoding/json"
@@ -28,54 +21,42 @@ import (
 	"os/signal"
 	"path/filepath"
 	"regexp"
-	"runtime"
-	runtimemetrics "runtime/metrics"
-	"strconv"
 	"strings"
 	"syscall"
 	"time"

+	"go4.org/mem"
 	"golang.org/x/time/rate"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/metrics"
-	"tailscale.com/net/ktimeout"
 	"tailscale.com/net/stunserver"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
-	"tailscale.com/types/logger"
-	"tailscale.com/version"
+	"tailscale.com/util/cmpx"
 )

 var (
-	dev         = flag.Bool("dev", false, "run in localhost development mode (overrides -a)")
-	versionFlag = flag.Bool("version", false, "print version and exit")
-	addr        = flag.String("a", ":443", "server HTTP/HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces. Serves HTTPS if the port is 443 and/or -certmode is manual, otherwise HTTP.")
-	httpPort    = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	stunPort    = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	configPath  = flag.String("c", "", "config file path")
-	certMode    = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
-	certDir     = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
-	hostname    = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
-	runSTUN     = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
-	runDERP     = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")
+	dev        = flag.Bool("dev", false, "run in localhost development mode (overrides -a)")
+	addr       = flag.String("a", ":443", "server HTTP/HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces. Serves HTTPS if the port is 443 and/or -certmode is manual, otherwise HTTP.")
+	httpPort   = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	stunPort   = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	configPath = flag.String("c", "", "config file path")
+	certMode   = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
+	certDir    = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
+	hostname   = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
+	runSTUN    = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
+	runDERP    = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")

-	meshPSKFile     = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
-	meshWith        = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
-	bootstrapDNS    = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
-	unpublishedDNS  = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list. If an entry contains a slash, the second part names a DNS record to poll for its TXT record with a `0` to `100` value for rollout percentage.")
-	verifyClients   = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
-	verifyClientURL = flag.String("verify-client-url", "", "if non-empty, an admission controller URL for permitting client connections; see tailcfg.DERPAdmitClientRequest")
-	verifyFailOpen  = flag.Bool("verify-client-url-fail-open", true, "whether we fail open if --verify-client-url is unreachable")
+	meshPSKFile    = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
+	meshWith       = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
+	bootstrapDNS   = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
+	unpublishedDNS = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list")
+	verifyClients  = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")

 	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
 	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
-
-	// tcpKeepAlive is intentionally long, to reduce battery cost. There is an L7 keepalive on a higher frequency schedule.
-	tcpKeepAlive = flag.Duration("tcp-keepalive-time", 10*time.Minute, "TCP keepalive time")
-	// tcpUserTimeout is intentionally short, so that hung connections are cleaned up promptly. DERPs should be nearby users.
-	tcpUserTimeout = flag.Duration("tcp-user-timeout", 15*time.Second, "TCP user timeout")
 )

 var (
@@ -140,10 +121,6 @@ func writeNewConfig() config {

 func main() {
 	flag.Parse()
-	if *versionFlag {
-		fmt.Println(version.Long())
-		return
-	}

 	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
 	defer cancel()
@@ -170,8 +147,6 @@ func main() {

 	s := derp.NewServer(cfg.PrivateKey, log.Printf)
 	s.SetVerifyClient(*verifyClients)
-	s.SetVerifyClientURL(*verifyClientURL)
-	s.SetVerifyClientURLFailOpen(*verifyFailOpen)

 	if *meshPSKFile != "" {
 		b, err := os.ReadFile(*meshPSKFile)
@@ -200,12 +175,7 @@ func main() {
 			http.Error(w, "derp server disabled", http.StatusNotFound)
 		}))
 	}
-
-	// These two endpoints are the same. Different versions of the clients
-	// have assumes different paths over time so we support both.
-	mux.HandleFunc("/derp/probe", derphttp.ProbeHandler)
-	mux.HandleFunc("/derp/latency-check", derphttp.ProbeHandler)
-
+	mux.HandleFunc("/derp/probe", probeHandler)
 	go refreshBootstrapDNSLoop()
 	mux.HandleFunc("/bootstrap-dns", tsweb.BrowserHeaderHandlerFunc(handleBootstrapDNS))
 	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -215,16 +185,11 @@ func main() {
 		io.WriteString(w, `<html><body>
 <h1>DERP</h1>
 <p>
-  This is a <a href="https://tailscale.com/">Tailscale</a> DERP server.
+  This is a
+  <a href="https://tailscale.com/">Tailscale</a>
+  <a href="https://pkg.go.dev/tailscale.com/derp">DERP</a>
+  server.
 </p>
-<p>
-  Documentation:
-</p>
-<ul>
-  <li><a href="https://tailscale.com/kb/1232/derp-servers">About DERP</a></li>
-  <li><a href="https://pkg.go.dev/tailscale.com/derp">Protocol & Go docs</a></li>
-  <li><a href="https://github.com/tailscale/tailscale/tree/main/cmd/derper#derp">How to run a DERP server</a></li>
-</ul>
 `)
 		if !*runDERP {
 			io.WriteString(w, `<p>Status: <b>disabled</b></p>`)
@@ -250,31 +215,8 @@ func main() {
 		}
 	}))
 	debug.Handle("traffic", "Traffic check", http.HandlerFunc(s.ServeDebugTraffic))
-	debug.Handle("set-mutex-profile-fraction", "SetMutexProfileFraction", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		s := r.FormValue("rate")
-		if s == "" || r.Header.Get("Sec-Debug") != "derp" {
-			http.Error(w, "To set, use: curl -HSec-Debug:derp 'http://derp/debug/set-mutex-profile-fraction?rate=100'", http.StatusBadRequest)
-			return
-		}
-		v, err := strconv.Atoi(s)
-		if err != nil {
-			http.Error(w, "bad rate value", http.StatusBadRequest)
-			return
-		}
-		old := runtime.SetMutexProfileFraction(v)
-		fmt.Fprintf(w, "mutex changed from %v to %v\n", old, v)
-	}))

-	// Longer lived DERP connections send an application layer keepalive. Note
-	// if the keepalive is hit, the user timeout will take precedence over the
-	// keepalive counter, so the probe if unanswered will take effect promptly,
-	// this is less tolerant of high loss, but high loss is unexpected.
-	lc := net.ListenConfig{
-		Control:   ktimeout.UserTimeout(*tcpUserTimeout),
-		KeepAlive: *tcpKeepAlive,
-	}
-
-	quietLogger := log.New(logger.HTTPServerLogFilter{Inner: log.Printf}, "", 0)
+	quietLogger := log.New(logFilter{}, "", 0)
 	httpsrv := &http.Server{
 		Addr:     *addr,
 		Handler:  mux,
@@ -350,12 +292,7 @@ func main() {
 					// duration exceeds server's WriteTimeout".
 					WriteTimeout: 5 * time.Minute,
 				}
-				ln, err := lc.Listen(context.Background(), "tcp", port80srv.Addr)
-				if err != nil {
-					log.Fatal(err)
-				}
-				defer ln.Close()
-				err = port80srv.Serve(ln)
+				err := port80srv.ListenAndServe()
 				if err != nil {
 					if err != http.ErrServerClosed {
 						log.Fatal(err)
@@ -363,15 +300,10 @@ func main() {
 				}
 			}()
 		}
-		err = rateLimitedListenAndServeTLS(httpsrv, &lc)
+		err = rateLimitedListenAndServeTLS(httpsrv)
 	} else {
 		log.Printf("derper: serving on %s", *addr)
-		var ln net.Listener
-		ln, err = lc.Listen(context.Background(), "tcp", httpsrv.Addr)
-		if err != nil {
-			log.Fatal(err)
-		}
-		err = httpsrv.Serve(ln)
+		err = httpsrv.ListenAndServe()
 	}
 	if err != nil && err != http.ErrServerClosed {
 		log.Fatalf("derper: %v", err)
@@ -403,6 +335,17 @@ func isChallengeChar(c rune) bool {
 		c == '.' || c == '-' || c == '_'
 }

+// probeHandler is the endpoint that js/wasm clients hit to measure
+// DERP latency, since they can't do UDP STUN queries.
+func probeHandler(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case "HEAD", "GET":
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+	default:
+		http.Error(w, "bogus probe method", http.StatusMethodNotAllowed)
+	}
+}
+
 var validProdHostname = regexp.MustCompile(`^derp([^.]*)\.tailscale\.com\.?$`)

 func prodAutocertHostPolicy(_ context.Context, host string) error {
@@ -425,8 +368,8 @@ func defaultMeshPSKFile() string {
 	return ""
 }

-func rateLimitedListenAndServeTLS(srv *http.Server, lc *net.ListenConfig) error {
-	ln, err := lc.Listen(context.Background(), "tcp", cmp.Or(srv.Addr, ":https"))
+func rateLimitedListenAndServeTLS(srv *http.Server) error {
+	ln, err := net.Listen("tcp", cmpx.Or(srv.Addr, ":https"))
 	if err != nil {
 		return err
 	}
@@ -481,15 +424,21 @@ func (l *rateLimitedListener) Accept() (net.Conn, error) {
 	return cn, nil
 }

-func init() {
-	expvar.Publish("go_sync_mutex_wait_seconds", expvar.Func(func() any {
-		const name = "/sync/mutex/wait/total:seconds" // Go 1.20+
-		var s [1]runtimemetrics.Sample
-		s[0].Name = name
-		runtimemetrics.Read(s[:])
-		if v := s[0].Value; v.Kind() == runtimemetrics.KindFloat64 {
-			return v.Float64()
-		}
-		return 0
-	}))
+// logFilter is used to filter out useless error logs that are logged to
+// the net/http.Server.ErrorLog logger.
+type logFilter struct{}
+
+func (logFilter) Write(p []byte) (int, error) {
+	b := mem.B(p)
+	if mem.HasSuffix(b, mem.S(": EOF\n")) ||
+		mem.HasSuffix(b, mem.S(": i/o timeout\n")) ||
+		mem.HasSuffix(b, mem.S(": read: connection reset by peer\n")) ||
+		mem.HasSuffix(b, mem.S(": remote error: tls: bad certificate\n")) ||
+		mem.HasSuffix(b, mem.S(": tls: first record does not look like a TLS handshake\n")) {
+		// Skip this log message, but say that we processed it
+		return len(p), nil
+	}
+
+	log.Printf("%s", p)
+	return len(p), nil
 }
--- a/cmd/derper/derper_test.go
+++ b/cmd/derper/derper_test.go
@@ -99,13 +99,10 @@ func TestNoContent(t *testing.T) {
 func TestDeps(t *testing.T) {
 	deptest.DepChecker{
 		BadDeps: map[string]string{
-			"testing":                            "do not use testing package in production code",
 			"gvisor.dev/gvisor/pkg/buffer":       "https://github.com/tailscale/tailscale/issues/9756",
 			"gvisor.dev/gvisor/pkg/cpuid":        "https://github.com/tailscale/tailscale/issues/9756",
 			"gvisor.dev/gvisor/pkg/tcpip":        "https://github.com/tailscale/tailscale/issues/9756",
 			"gvisor.dev/gvisor/pkg/tcpip/header": "https://github.com/tailscale/tailscale/issues/9756",
-			"tailscale.com/net/packet":           "not needed in derper",
-			"github.com/gaissmai/bart":           "not needed in derper",
 		},
 	}.Check(t)
 }
--- a/cmd/derper/mesh.go
+++ b/cmd/derper/mesh.go
@@ -9,12 +9,13 @@ import (
 	"fmt"
 	"log"
 	"net"
+	"net/netip"
 	"strings"
 	"time"

 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
-	"tailscale.com/net/netmon"
+	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )

@@ -35,8 +36,7 @@ func startMesh(s *derp.Server) error {

 func startMeshWithHost(s *derp.Server, host string) error {
 	logf := logger.WithPrefix(log.Printf, fmt.Sprintf("mesh(%q): ", host))
-	netMon := netmon.NewStatic() // good enough for cmd/derper; no need for netns fanciness
-	c, err := derphttp.NewClient(s.PrivateKey(), "https://"+host+"/derp", logf, netMon)
+	c, err := derphttp.NewClient(s.PrivateKey(), "https://"+host+"/derp", logf)
 	if err != nil {
 		return err
 	}
@@ -69,8 +69,8 @@ func startMeshWithHost(s *derp.Server, host string) error {
 		return d.DialContext(ctx, network, addr)
 	})

-	add := func(m derp.PeerPresentMessage) { s.AddPacketForwarder(m.Key, c) }
-	remove := func(m derp.PeerGoneMessage) { s.RemovePacketForwarder(m.Peer, c) }
+	add := func(k key.NodePublic, _ netip.AddrPort) { s.AddPacketForwarder(k, c) }
+	remove := func(k key.NodePublic) { s.RemovePacketForwarder(k, c) }
 	go c.RunWatchConnectionLoop(context.Background(), s.PublicKey(), logf, add, remove)
 	return nil
 }
--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -7,6 +7,8 @@ package main
 import (
 	"flag"
 	"fmt"
+	"html"
+	"io"
 	"log"
 	"net/http"
 	"sort"
@@ -14,40 +16,21 @@ import (

 	"tailscale.com/prober"
 	"tailscale.com/tsweb"
-	"tailscale.com/version"
 )

 var (
-	derpMapURL   = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://) or 'local' to use the local tailscaled's DERP map")
-	versionFlag  = flag.Bool("version", false, "print version and exit")
-	listen       = flag.String("listen", ":8030", "HTTP listen address")
-	probeOnce    = flag.Bool("once", false, "probe once and print results, then exit; ignores the listen flag")
-	spread       = flag.Bool("spread", true, "whether to spread probing over time")
-	interval     = flag.Duration("interval", 15*time.Second, "probe interval")
-	meshInterval = flag.Duration("mesh-interval", 15*time.Second, "mesh probe interval")
-	stunInterval = flag.Duration("stun-interval", 15*time.Second, "STUN probe interval")
-	tlsInterval  = flag.Duration("tls-interval", 15*time.Second, "TLS probe interval")
-	bwInterval   = flag.Duration("bw-interval", 0, "bandwidth probe interval (0 = no bandwidth probing)")
-	bwSize       = flag.Int64("bw-probe-size-bytes", 1_000_000, "bandwidth probe size")
+	derpMapURL = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://)")
+	listen     = flag.String("listen", ":8030", "HTTP listen address")
+	probeOnce  = flag.Bool("once", false, "probe once and print results, then exit; ignores the listen flag")
+	spread     = flag.Bool("spread", true, "whether to spread probing over time")
+	interval   = flag.Duration("interval", 15*time.Second, "probe interval")
 )

 func main() {
 	flag.Parse()
-	if *versionFlag {
-		fmt.Println(version.Long())
-		return
-	}

 	p := prober.New().WithSpread(*spread).WithOnce(*probeOnce).WithMetricNamespace("derpprobe")
-	opts := []prober.DERPOpt{
-		prober.WithMeshProbing(*meshInterval),
-		prober.WithSTUNProbing(*stunInterval),
-		prober.WithTLSProbing(*tlsInterval),
-	}
-	if *bwInterval > 0 {
-		opts = append(opts, prober.WithBandwidthProbing(*bwInterval, *bwSize))
-	}
-	dp, err := prober.DERP(p, *derpMapURL, opts...)
+	dp, err := prober.DERP(p, *derpMapURL, *interval, *interval, *interval)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -68,14 +51,8 @@ func main() {
 	}

 	mux := http.NewServeMux()
-	d := tsweb.Debugger(mux)
-	d.Handle("probe-run", "Run a probe", tsweb.StdHandler(tsweb.ReturnHandlerFunc(p.RunHandler), tsweb.HandlerOptions{Logf: log.Printf}))
-	mux.Handle("/", tsweb.StdHandler(p.StatusHandler(
-		prober.WithTitle("DERP Prober"),
-		prober.WithPageLink("Prober metrics", "/debug/varz"),
-		prober.WithProbeLink("Run Probe", "/debug/probe-run?name={{.Name}}"),
-	), tsweb.HandlerOptions{Logf: log.Printf}))
-	log.Printf("Listening on %s", *listen)
+	tsweb.Debugger(mux)
+	mux.HandleFunc("/", http.HandlerFunc(serveFunc(p)))
 	log.Fatal(http.ListenAndServe(*listen, mux))
 }

@@ -108,3 +85,26 @@ func getOverallStatus(p *prober.Prober) (o overallStatus) {
 	sort.Strings(o.good)
 	return
 }
+
+func serveFunc(p *prober.Prober) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		st := getOverallStatus(p)
+		summary := "All good"
+		if (float64(len(st.bad)) / float64(len(st.bad)+len(st.good))) > 0.25 {
+			// Returning a 500 allows monitoring this server externally and configuring
+			// an alert on HTTP response code.
+			w.WriteHeader(500)
+			summary = fmt.Sprintf("%d problems", len(st.bad))
+		}
+
+		io.WriteString(w, "<html><head><style>.bad { font-weight: bold; color: #700; }</style></head>\n")
+		fmt.Fprintf(w, "<body><h1>derp probe</h1>\n%s:<ul>", summary)
+		for _, s := range st.bad {
+			fmt.Fprintf(w, "<li class=bad>%s</li>\n", html.EscapeString(s))
+		}
+		for _, s := range st.good {
+			fmt.Fprintf(w, "<li>%s</li>\n", html.EscapeString(s))
+		}
+		io.WriteString(w, "</ul></body></html>\n")
+	}
+}
--- a/cmd/dist/dist.go
+++ b/cmd/dist/dist.go
@@ -13,16 +13,11 @@ import (

 	"tailscale.com/release/dist"
 	"tailscale.com/release/dist/cli"
-	"tailscale.com/release/dist/qnap"
 	"tailscale.com/release/dist/synology"
 	"tailscale.com/release/dist/unixpkgs"
 )

-var (
-	synologyPackageCenter bool
-	qnapPrivateKeyPath    string
-	qnapCertificatePath   string
-)
+var synologyPackageCenter bool

 func getTargets() ([]dist.Target, error) {
 	var ret []dist.Target
@@ -38,14 +33,7 @@ func getTargets() ([]dist.Target, error) {
 	// Since only we can provide packages to Synology for
 	// distribution, we default to building the "sideload" variant of
 	// packages that we distribute on pkgs.tailscale.com.
-	//
-	// To build for package center, run
-	// ./tool/go run ./cmd/dist build --synology-package-center synology
 	ret = append(ret, synology.Targets(synologyPackageCenter, nil)...)
-	if (qnapPrivateKeyPath == "") != (qnapCertificatePath == "") {
-		return nil, errors.New("both --qnap-private-key-path and --qnap-certificate-path must be set")
-	}
-	ret = append(ret, qnap.Targets(qnapPrivateKeyPath, qnapCertificatePath)...)
 	return ret, nil
 }

@@ -54,8 +42,6 @@ func main() {
 	for _, subcmd := range cmd.Subcommands {
 		if subcmd.Name == "build" {
 			subcmd.FlagSet.BoolVar(&synologyPackageCenter, "synology-package-center", false, "build synology packages with extra metadata for the official package center")
-			subcmd.FlagSet.StringVar(&qnapPrivateKeyPath, "qnap-private-key-path", "", "sign qnap packages with given key (must also provide --qnap-certificate-path)")
-			subcmd.FlagSet.StringVar(&qnapCertificatePath, "qnap-certificate-path", "", "sign qnap packages with given certificate (must also provide --qnap-private-key-path)")
 		}
 	}

--- a/cmd/get-authkey/main.go
+++ b/cmd/get-authkey/main.go
@@ -7,7 +7,6 @@
 package main

 import (
-	"cmp"
 	"context"
 	"flag"
 	"fmt"
@@ -17,6 +16,7 @@ import (

 	"golang.org/x/oauth2/clientcredentials"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/util/cmpx"
 )

 func main() {
@@ -40,7 +40,7 @@ func main() {
 		log.Fatal("at least one tag must be specified")
 	}

-	baseURL := cmp.Or(os.Getenv("TS_BASE_URL"), "https://api.tailscale.com")
+	baseURL := cmpx.Or(os.Getenv("TS_BASE_URL"), "https://api.tailscale.com")

 	credentials := clientcredentials.Config{
 		ClientID:     clientID,
--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -158,13 +158,11 @@ func main() {
 	if !ok && (!oiok || !osok) {
 		log.Fatal("set envvar TS_API_KEY to your Tailscale API key or TS_OAUTH_ID and TS_OAUTH_SECRET to your Tailscale OAuth ID and Secret")
 	}
-	if apiKey != "" && (oauthId != "" || oauthSecret != "") {
+	if ok && (oiok || osok) {
 		log.Fatal("set either the envvar TS_API_KEY or TS_OAUTH_ID and TS_OAUTH_SECRET")
 	}
 	var client *http.Client
-	if oiok && (oauthId != "" || oauthSecret != "") {
-		// Both should ideally be set, but if either are non-empty it means the user had an intent
-		// to set _something_, so they should receive the oauth error flow.
+	if oiok {
 		oauthConfig := &clientcredentials.Config{
 			ClientID:     oauthId,
 			ClientSecret: oauthSecret,
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -31,12 +31,10 @@ var (
 //go:embed hello.tmpl.html
 var embeddedTemplate string

-var localClient tailscale.LocalClient
-
 func main() {
 	flag.Parse()
 	if *testIP != "" {
-		res, err := localClient.WhoIs(context.Background(), *testIP)
+		res, err := tailscale.WhoIs(context.Background(), *testIP)
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -78,7 +76,7 @@ func main() {
 					GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
 						switch hi.ServerName {
 						case "hello.ts.net":
-							return localClient.GetCertificate(hi)
+							return tailscale.GetCertificate(hi)
 						case "hello.ipn.dev":
 							c, err := tls.LoadX509KeyPair(
 								"/etc/hello/hello.ipn.dev.crt",
@@ -172,7 +170,7 @@ func root(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	who, err := localClient.WhoIs(r.Context(), r.RemoteAddr)
+	who, err := tailscale.WhoIs(r.Context(), r.RemoteAddr)
 	var data tmplData
 	if err != nil {
 		if devMode() {
--- a/cmd/hello/hello.tmpl.html
+++ b/cmd/hello/hello.tmpl.html
@@ -430,8 +430,6 @@
    <footer class="footer text-gray-600 text-center mb-12">
      <p>Read about <a href="https://tailscale.com/kb/1017/install#advanced-features" class="text-blue-600 hover:text-blue-800"
          target="_blank">what you can do next &rarr;</a></p>
-      <p>Read about <a href="https://tailscale.com/kb/1073/hello" class="text-blue-600 hover:text-blue-800"
-          target="_blank">the Hello service &rarr;</a></p>
    </footer>
  </main>
 </body>
--- a/cmd/k8s-nameserver/main.go
+++ b/cmd/k8s-nameserver/main.go
@@ -1,379 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !plan9
-
-// k8s-nameserver is a simple nameserver implementation meant to be used with
-// k8s-operator to allow to resolve magicDNS names associated with tailnet
-// proxies in cluster.
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"log"
-	"net"
-	"os"
-	"os/signal"
-	"path/filepath"
-	"sync"
-	"syscall"
-
-	"github.com/fsnotify/fsnotify"
-	"github.com/miekg/dns"
-	operatorutils "tailscale.com/k8s-operator"
-	"tailscale.com/util/dnsname"
-)
-
-const (
-	// tsNetDomain is the domain that this DNS nameserver has registered a handler for.
-	tsNetDomain = "ts.net"
-	// addr is the the address that the UDP and TCP listeners will listen on.
-	addr = ":1053"
-
-	// The following constants are specific to the nameserver configuration
-	// provided by a mounted Kubernetes Configmap. The Configmap mounted at
-	// /config is the only supported way for configuring this nameserver.
-	defaultDNSConfigDir    = "/config"
-	kubeletMountedConfigLn = "..data"
-)
-
-// nameserver is a simple nameserver that responds to DNS queries for A records
-// for ts.net domain names over UDP or TCP. It serves DNS responses from
-// in-memory IPv4 host records. It is intended to be deployed on Kubernetes with
-// a ConfigMap mounted at /config that should contain the host records. It
-// dynamically reconfigures its in-memory mappings as the contents of the
-// mounted ConfigMap changes.
-type nameserver struct {
-	// configReader returns the latest desired configuration (host records)
-	// for the nameserver. By default it gets set to a reader that reads
-	// from a Kubernetes ConfigMap mounted at /config, but this can be
-	// overridden in tests.
-	configReader configReaderFunc
-	// configWatcher is a watcher that returns an event when the desired
-	// configuration has changed and the nameserver should update the
-	// in-memory records.
-	configWatcher <-chan string
-
-	mu sync.Mutex // protects following
-	// ip4 are the in-memory hostname -> IP4 mappings that the nameserver
-	// uses to respond to A record queries.
-	ip4 map[dnsname.FQDN][]net.IP
-}
-
-func main() {
-	ctx, cancel := context.WithCancel(context.Background())
-
-	// Ensure that we watch the kube Configmap mounted at /config for
-	// nameserver configuration updates and send events when updates happen.
-	c := ensureWatcherForKubeConfigMap(ctx)
-
-	ns := &nameserver{
-		configReader:  configMapConfigReader,
-		configWatcher: c,
-	}
-
-	// Ensure that in-memory records get set up to date now and will get
-	// reset when the configuration changes.
-	ns.runRecordsReconciler(ctx)
-
-	// Register a DNS server handle for ts.net domain names. Not having a
-	// handle registered for any other domain names is how we enforce that
-	// this nameserver can only be used for ts.net domains - querying any
-	// other domain names returns Rcode Refused.
-	dns.HandleFunc(tsNetDomain, ns.handleFunc())
-
-	// Listen for DNS queries over UDP and TCP.
-	udpSig := make(chan os.Signal)
-	tcpSig := make(chan os.Signal)
-	go listenAndServe("udp", addr, udpSig)
-	go listenAndServe("tcp", addr, tcpSig)
-	sig := make(chan os.Signal, 1)
-	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
-	s := <-sig
-	log.Printf("OS signal (%s) received, shutting down", s)
-	cancel()    // exit the records reconciler and configmap watcher goroutines
-	udpSig <- s // stop the UDP listener
-	tcpSig <- s // stop the TCP listener
-}
-
-// handleFunc is a DNS query handler that can respond to A record queries from
-// the nameserver's in-memory records.
-// - If an A record query is received and the
-// nameserver's in-memory records contain records for the queried domain name,
-// return a success response.
-// - If an A record query is received, but the
-// nameserver's in-memory records do not contain records for the queried domain name,
-// return NXDOMAIN.
-// - If an A record query is received, but the queried domain name is not valid, return Format Error.
-// - If a query is received for any other record type than A, return Not Implemented.
-func (n *nameserver) handleFunc() func(w dns.ResponseWriter, r *dns.Msg) {
-	h := func(w dns.ResponseWriter, r *dns.Msg) {
-		m := new(dns.Msg)
-		defer func() {
-			w.WriteMsg(m)
-		}()
-		if len(r.Question) < 1 {
-			log.Print("[unexpected] nameserver received a request with no questions")
-			m = r.SetRcodeFormatError(r)
-			return
-		}
-		// TODO (irbekrm): maybe set message compression
-		switch r.Question[0].Qtype {
-		case dns.TypeA:
-			q := r.Question[0].Name
-			fqdn, err := dnsname.ToFQDN(q)
-			if err != nil {
-				m = r.SetRcodeFormatError(r)
-				return
-			}
-			// The only supported use of this nameserver is as a
-			// single source of truth for MagicDNS names by
-			// non-tailnet Kubernetes workloads.
-			m.Authoritative = true
-			m.RecursionAvailable = false
-
-			ips := n.lookupIP4(fqdn)
-			if ips == nil || len(ips) == 0 {
-				// As we are the authoritative nameserver for MagicDNS
-				// names, if we do not have a record for this MagicDNS
-				// name, it does not exist.
-				m = m.SetRcode(r, dns.RcodeNameError)
-				return
-			}
-			// TODO (irbekrm): TTL is currently set to 0, meaning
-			// that cluster workloads will not cache the DNS
-			// records. Revisit this in future when we understand
-			// the usage patterns better- is it putting too much
-			// load on kube DNS server or is this fine?
-			for _, ip := range ips {
-				rr := &dns.A{Hdr: dns.RR_Header{Name: q, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 0}, A: ip}
-				m.SetRcode(r, dns.RcodeSuccess)
-				m.Answer = append(m.Answer, rr)
-			}
-		case dns.TypeAAAA:
-			// TODO (irbekrm): add IPv6 support.
-			// The nameserver currently does not support IPv6
-			// (records are not being created for IPv6 Pod addresses).
-			// However, we can expect that some callers will
-			// nevertheless send AAAA queries.
-			// We have to return NOERROR if a query is received for
-			// an AAAA record for a DNS name that we have an A
-			// record for- else the caller might not follow with an
-			// A record query.
-			// https://github.com/tailscale/tailscale/issues/12321
-			// https://datatracker.ietf.org/doc/html/rfc4074
-			q := r.Question[0].Name
-			fqdn, err := dnsname.ToFQDN(q)
-			if err != nil {
-				m = r.SetRcodeFormatError(r)
-				return
-			}
-			// The only supported use of this nameserver is as a
-			// single source of truth for MagicDNS names by
-			// non-tailnet Kubernetes workloads.
-			m.Authoritative = true
-			ips := n.lookupIP4(fqdn)
-			if len(ips) == 0 {
-				// As we are the authoritative nameserver for MagicDNS
-				// names, if we do not have a record for this MagicDNS
-				// name, it does not exist.
-				m = m.SetRcode(r, dns.RcodeNameError)
-				return
-			}
-			m.SetRcode(r, dns.RcodeSuccess)
-		default:
-			log.Printf("[unexpected] nameserver received a query for an unsupported record type: %s", r.Question[0].String())
-			m.SetRcode(r, dns.RcodeNotImplemented)
-		}
-	}
-	return h
-}
-
-// runRecordsReconciler ensures that nameserver's in-memory records are
-// reset when the provided configuration changes.
-func (n *nameserver) runRecordsReconciler(ctx context.Context) {
-	log.Print("updating nameserver's records from the provided configuration...")
-	if err := n.resetRecords(); err != nil { // ensure records are up to date before the nameserver starts
-		log.Fatalf("error setting nameserver's records: %v", err)
-	}
-	log.Print("nameserver's records were updated")
-	go func() {
-		for {
-			select {
-			case <-ctx.Done():
-				log.Printf("context cancelled, exiting records reconciler")
-				return
-			case <-n.configWatcher:
-				log.Print("configuration update detected, resetting records")
-				if err := n.resetRecords(); err != nil {
-					// TODO (irbekrm): this runs in a
-					// container that will be thrown away,
-					// so this should be ok. But maybe still
-					// need to ensure that the DNS server
-					// terminates connections more
-					// gracefully.
-					log.Fatalf("error resetting records: %v", err)
-				}
-				log.Print("nameserver records were reset")
-			}
-		}
-	}()
-}
-
-// resetRecords sets the in-memory DNS records of this nameserver from the
-// provided configuration. It does not check for the diff, so the caller is
-// expected to ensure that this is only called when reset is needed.
-func (n *nameserver) resetRecords() error {
-	dnsCfgBytes, err := n.configReader()
-	if err != nil {
-		log.Printf("error reading nameserver's configuration: %v", err)
-		return err
-	}
-	if dnsCfgBytes == nil || len(dnsCfgBytes) < 1 {
-		log.Print("nameserver's configuration is empty, any in-memory records will be unset")
-		n.mu.Lock()
-		n.ip4 = make(map[dnsname.FQDN][]net.IP)
-		n.mu.Unlock()
-		return nil
-	}
-	dnsCfg := &operatorutils.Records{}
-	err = json.Unmarshal(dnsCfgBytes, dnsCfg)
-	if err != nil {
-		return fmt.Errorf("error unmarshalling nameserver configuration: %v\n", err)
-	}
-
-	if dnsCfg.Version != operatorutils.Alpha1Version {
-		return fmt.Errorf("unsupported configuration version %s, supported versions are %s\n", dnsCfg.Version, operatorutils.Alpha1Version)
-	}
-
-	ip4 := make(map[dnsname.FQDN][]net.IP)
-	defer func() {
-		n.mu.Lock()
-		defer n.mu.Unlock()
-		n.ip4 = ip4
-	}()
-
-	if len(dnsCfg.IP4) == 0 {
-		log.Print("nameserver's configuration contains no records, any in-memory records will be unset")
-		return nil
-	}
-
-	for fqdn, ips := range dnsCfg.IP4 {
-		fqdn, err := dnsname.ToFQDN(fqdn)
-		if err != nil {
-			log.Printf("invalid nameserver's configuration: %s is not a valid FQDN: %v; skipping this record", fqdn, err)
-			continue // one invalid hostname should not break the whole nameserver
-		}
-		for _, ipS := range ips {
-			ip := net.ParseIP(ipS).To4()
-			if ip == nil { // To4 returns nil if IP is not a IPv4 address
-				log.Printf("invalid nameserver's configuration: %v does not appear to be an IPv4 address; skipping this record", ipS)
-				continue // one invalid IP address should not break the whole nameserver
-			}
-			ip4[fqdn] = []net.IP{ip}
-		}
-	}
-	return nil
-}
-
-// listenAndServe starts a DNS server for the provided network and address.
-func listenAndServe(net, addr string, shutdown chan os.Signal) {
-	s := &dns.Server{Addr: addr, Net: net}
-	go func() {
-		<-shutdown
-		log.Printf("shutting down server for %s", net)
-		s.Shutdown()
-	}()
-	log.Printf("listening for %s queries on %s", net, addr)
-	if err := s.ListenAndServe(); err != nil {
-		log.Fatalf("error running %s server: %v", net, err)
-	}
-}
-
-// ensureWatcherForKubeConfigMap sets up a new file watcher for the ConfigMap
-// that's expected to be mounted at /config. Returns a channel that receives an
-// event every time the contents get updated.
-func ensureWatcherForKubeConfigMap(ctx context.Context) chan string {
-	c := make(chan string)
-	watcher, err := fsnotify.NewWatcher()
-	if err != nil {
-		log.Fatalf("error creating a new watcher for the mounted ConfigMap: %v", err)
-	}
-	// kubelet mounts configmap to a Pod using a series of symlinks, one of
-	// which is <mount-dir>/..data that Kubernetes recommends consumers to
-	// use if they need to monitor changes
-	// https://github.com/kubernetes/kubernetes/blob/v1.28.1/pkg/volume/util/atomic_writer.go#L39-L61
-	toWatch := filepath.Join(defaultDNSConfigDir, kubeletMountedConfigLn)
-	go func() {
-		defer watcher.Close()
-		log.Printf("starting file watch for %s", defaultDNSConfigDir)
-		for {
-			select {
-			case <-ctx.Done():
-				log.Print("context cancelled, exiting ConfigMap watcher")
-				return
-			case event, ok := <-watcher.Events:
-				if !ok {
-					log.Fatal("watcher finished; exiting")
-				}
-				if event.Name == toWatch {
-					msg := fmt.Sprintf("ConfigMap update received: %s", event)
-					log.Print(msg)
-					c <- msg
-				}
-			case err, ok := <-watcher.Errors:
-				if err != nil {
-					// TODO (irbekrm): this runs in a
-					// container that will be thrown away,
-					// so this should be ok. But maybe still
-					// need to ensure that the DNS server
-					// terminates connections more
-					// gracefully.
-					log.Fatalf("[unexpected] error watching configuration: %v", err)
-				}
-				if !ok {
-					// TODO (irbekrm): this runs in a
-					// container that will be thrown away,
-					// so this should be ok. But maybe still
-					// need to ensure that the DNS server
-					// terminates connections more
-					// gracefully.
-					log.Fatalf("[unexpected] errors watcher exited")
-				}
-			}
-		}
-	}()
-	if err = watcher.Add(defaultDNSConfigDir); err != nil {
-		log.Fatalf("failed setting up a watcher for the mounted ConfigMap: %v", err)
-	}
-	return c
-}
-
-// configReaderFunc is a function that returns the desired nameserver configuration.
-type configReaderFunc func() ([]byte, error)
-
-// configMapConfigReader reads the desired nameserver configuration from a
-// records.json file in a ConfigMap mounted at /config.
-var configMapConfigReader configReaderFunc = func() ([]byte, error) {
-	if contents, err := os.ReadFile(filepath.Join(defaultDNSConfigDir, operatorutils.DNSRecordsCMKey)); err == nil {
-		return contents, nil
-	} else if os.IsNotExist(err) {
-		return nil, nil
-	} else {
-		return nil, err
-	}
-}
-
-// lookupIP4 returns any IPv4 addresses for the given FQDN from nameserver's
-// in-memory records.
-func (n *nameserver) lookupIP4(fqdn dnsname.FQDN) []net.IP {
-	if n.ip4 == nil {
-		return nil
-	}
-	n.mu.Lock()
-	defer n.mu.Unlock()
-	f := n.ip4[fqdn]
-	return f
-}
--- a/cmd/k8s-nameserver/main_test.go
+++ b/cmd/k8s-nameserver/main_test.go
@@ -1,229 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !plan9
-
-package main
-
-import (
-	"net"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"github.com/miekg/dns"
-	"tailscale.com/util/dnsname"
-)
-
-func TestNameserver(t *testing.T) {
-
-	tests := []struct {
-		name     string
-		ip4      map[dnsname.FQDN][]net.IP
-		query    *dns.Msg
-		wantResp *dns.Msg
-	}{
-		{
-			name: "A record query, record exists",
-			ip4:  map[dnsname.FQDN][]net.IP{dnsname.FQDN("foo.bar.com."): {{1, 2, 3, 4}}},
-			query: &dns.Msg{
-				Question: []dns.Question{{Name: "foo.bar.com", Qtype: dns.TypeA}},
-				MsgHdr:   dns.MsgHdr{Id: 1, RecursionDesired: true},
-			},
-			wantResp: &dns.Msg{
-				Answer: []dns.RR{&dns.A{Hdr: dns.RR_Header{
-					Name: "foo.bar.com", Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 0},
-					A: net.IP{1, 2, 3, 4}}},
-				Question: []dns.Question{{Name: "foo.bar.com", Qtype: dns.TypeA}},
-				MsgHdr: dns.MsgHdr{
-					Id:                 1,
-					Rcode:              dns.RcodeSuccess,
-					RecursionAvailable: false,
-					RecursionDesired:   true,
-					Response:           true,
-					Opcode:             dns.OpcodeQuery,
-					Authoritative:      true,
-				}},
-		},
-		{
-			name: "A record query, record does not exist",
-			ip4:  map[dnsname.FQDN][]net.IP{dnsname.FQDN("foo.bar.com."): {{1, 2, 3, 4}}},
-			query: &dns.Msg{
-				Question: []dns.Question{{Name: "baz.bar.com", Qtype: dns.TypeA}},
-				MsgHdr:   dns.MsgHdr{Id: 1},
-			},
-			wantResp: &dns.Msg{
-				Question: []dns.Question{{Name: "baz.bar.com", Qtype: dns.TypeA}},
-				MsgHdr: dns.MsgHdr{
-					Id:                 1,
-					Rcode:              dns.RcodeNameError,
-					RecursionAvailable: false,
-					Response:           true,
-					Opcode:             dns.OpcodeQuery,
-					Authoritative:      true,
-				}},
-		},
-		{
-			name: "A record query, but the name is not a valid FQDN",
-			ip4:  map[dnsname.FQDN][]net.IP{dnsname.FQDN("foo.bar.com."): {{1, 2, 3, 4}}},
-			query: &dns.Msg{
-				Question: []dns.Question{{Name: "foo..bar.com", Qtype: dns.TypeA}},
-				MsgHdr:   dns.MsgHdr{Id: 1},
-			},
-			wantResp: &dns.Msg{
-				Question: []dns.Question{{Name: "foo..bar.com", Qtype: dns.TypeA}},
-				MsgHdr: dns.MsgHdr{
-					Id:       1,
-					Rcode:    dns.RcodeFormatError,
-					Response: true,
-					Opcode:   dns.OpcodeQuery,
-				}},
-		},
-		{
-			name: "AAAA record query, A record exists",
-			ip4:  map[dnsname.FQDN][]net.IP{dnsname.FQDN("foo.bar.com."): {{1, 2, 3, 4}}},
-			query: &dns.Msg{
-				Question: []dns.Question{{Name: "foo.bar.com", Qtype: dns.TypeAAAA}},
-				MsgHdr:   dns.MsgHdr{Id: 1},
-			},
-			wantResp: &dns.Msg{
-				Question: []dns.Question{{Name: "foo.bar.com", Qtype: dns.TypeAAAA}},
-				MsgHdr: dns.MsgHdr{
-					Id:            1,
-					Rcode:         dns.RcodeSuccess,
-					Response:      true,
-					Opcode:        dns.OpcodeQuery,
-					Authoritative: true,
-				}},
-		},
-		{
-			name: "AAAA record query, A record does not exist",
-			ip4:  map[dnsname.FQDN][]net.IP{dnsname.FQDN("foo.bar.com."): {{1, 2, 3, 4}}},
-			query: &dns.Msg{
-				Question: []dns.Question{{Name: "baz.bar.com", Qtype: dns.TypeAAAA}},
-				MsgHdr:   dns.MsgHdr{Id: 1},
-			},
-			wantResp: &dns.Msg{
-				Question: []dns.Question{{Name: "baz.bar.com", Qtype: dns.TypeAAAA}},
-				MsgHdr: dns.MsgHdr{
-					Id:            1,
-					Rcode:         dns.RcodeNameError,
-					Response:      true,
-					Opcode:        dns.OpcodeQuery,
-					Authoritative: true,
-				}},
-		},
-		{
-			name: "CNAME record query",
-			ip4:  map[dnsname.FQDN][]net.IP{dnsname.FQDN("foo.bar.com."): {{1, 2, 3, 4}}},
-			query: &dns.Msg{
-				Question: []dns.Question{{Name: "foo.bar.com", Qtype: dns.TypeCNAME}},
-				MsgHdr:   dns.MsgHdr{Id: 1},
-			},
-			wantResp: &dns.Msg{
-				Question: []dns.Question{{Name: "foo.bar.com", Qtype: dns.TypeCNAME}},
-				MsgHdr: dns.MsgHdr{
-					Id:       1,
-					Rcode:    dns.RcodeNotImplemented,
-					Response: true,
-					Opcode:   dns.OpcodeQuery,
-				}},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ns := &nameserver{
-				ip4: tt.ip4,
-			}
-			handler := ns.handleFunc()
-			fakeRespW := &fakeResponseWriter{}
-			handler(fakeRespW, tt.query)
-			if diff := cmp.Diff(*fakeRespW.msg, *tt.wantResp); diff != "" {
-				t.Fatalf("unexpected response (-got +want): \n%s", diff)
-			}
-		})
-	}
-}
-
-func TestResetRecords(t *testing.T) {
-	tests := []struct {
-		name     string
-		config   []byte
-		hasIp4   map[dnsname.FQDN][]net.IP
-		wantsIp4 map[dnsname.FQDN][]net.IP
-		wantsErr bool
-	}{
-		{
-			name:     "previously empty nameserver.ip4 gets set",
-			config:   []byte(`{"version": "v1alpha1", "ip4": {"foo.bar.com": ["1.2.3.4"]}}`),
-			wantsIp4: map[dnsname.FQDN][]net.IP{"foo.bar.com.": {{1, 2, 3, 4}}},
-		},
-		{
-			name:     "nameserver.ip4 gets reset",
-			hasIp4:   map[dnsname.FQDN][]net.IP{"baz.bar.com.": {{1, 1, 3, 3}}},
-			config:   []byte(`{"version": "v1alpha1", "ip4": {"foo.bar.com": ["1.2.3.4"]}}`),
-			wantsIp4: map[dnsname.FQDN][]net.IP{"foo.bar.com.": {{1, 2, 3, 4}}},
-		},
-		{
-			name:     "configuration with incompatible version",
-			hasIp4:   map[dnsname.FQDN][]net.IP{"baz.bar.com.": {{1, 1, 3, 3}}},
-			config:   []byte(`{"version": "v1beta1", "ip4": {"foo.bar.com": ["1.2.3.4"]}}`),
-			wantsIp4: map[dnsname.FQDN][]net.IP{"baz.bar.com.": {{1, 1, 3, 3}}},
-			wantsErr: true,
-		},
-		{
-			name:     "nameserver.ip4 gets reset to empty config when no configuration is provided",
-			hasIp4:   map[dnsname.FQDN][]net.IP{"baz.bar.com.": {{1, 1, 3, 3}}},
-			wantsIp4: make(map[dnsname.FQDN][]net.IP),
-		},
-		{
-			name:     "nameserver.ip4 gets reset to empty config when the provided configuration is empty",
-			hasIp4:   map[dnsname.FQDN][]net.IP{"baz.bar.com.": {{1, 1, 3, 3}}},
-			config:   []byte(`{"version": "v1alpha1", "ip4": {}}`),
-			wantsIp4: make(map[dnsname.FQDN][]net.IP),
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ns := &nameserver{
-				ip4:          tt.hasIp4,
-				configReader: func() ([]byte, error) { return tt.config, nil },
-			}
-			if err := ns.resetRecords(); err == nil == tt.wantsErr {
-				t.Errorf("resetRecords() returned err: %v, wantsErr: %v", err, tt.wantsErr)
-			}
-			if diff := cmp.Diff(ns.ip4, tt.wantsIp4); diff != "" {
-				t.Fatalf("unexpected nameserver.ip4 contents (-got +want): \n%s", diff)
-			}
-		})
-	}
-}
-
-// fakeResponseWriter is a faked out dns.ResponseWriter that can be used in
-// tests that need to read the response message that was written.
-type fakeResponseWriter struct {
-	msg *dns.Msg
-}
-
-var _ dns.ResponseWriter = &fakeResponseWriter{}
-
-func (fr *fakeResponseWriter) WriteMsg(msg *dns.Msg) error {
-	fr.msg = msg
-	return nil
-}
-func (fr *fakeResponseWriter) LocalAddr() net.Addr {
-	return nil
-}
-func (fr *fakeResponseWriter) RemoteAddr() net.Addr {
-	return nil
-}
-func (fr *fakeResponseWriter) Write([]byte) (int, error) {
-	return 0, nil
-}
-func (fr *fakeResponseWriter) Close() error {
-	return nil
-}
-func (fr *fakeResponseWriter) TsigStatus() error {
-	return nil
-}
-func (fr *fakeResponseWriter) TsigTimersOnly(bool) {}
-func (fr *fakeResponseWriter) Hijack()             {}
--- a/cmd/k8s-operator/connector.go
+++ b/cmd/k8s-operator/connector.go
@@ -33,8 +33,11 @@ import (

 const (
 	reasonConnectorCreationFailed = "ConnectorCreationFailed"
-	reasonConnectorCreated        = "ConnectorCreated"
-	reasonConnectorInvalid        = "ConnectorInvalid"
+
+	reasonConnectorCreated           = "ConnectorCreated"
+	reasonConnectorCleanupFailed     = "ConnectorCleanupFailed"
+	reasonConnectorCleanupInProgress = "ConnectorCleanupInProgress"
+	reasonConnectorInvalid           = "ConnectorInvalid"

 	messageConnectorCreationFailed = "Failed creating Connector: %v"
 	messageConnectorInvalid        = "Connector is invalid: %v"
@@ -105,7 +108,7 @@ func (a *ConnectorReconciler) Reconcile(ctx context.Context, req reconcile.Reque
 	}

 	oldCnStatus := cn.Status.DeepCopy()
-	setStatus := func(cn *tsapi.Connector, _ tsapi.ConditionType, status metav1.ConditionStatus, reason, message string) (reconcile.Result, error) {
+	setStatus := func(cn *tsapi.Connector, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string) (reconcile.Result, error) {
 		tsoperator.SetConnectorCondition(cn, tsapi.ConnectorReady, status, reason, message, cn.Generation, a.clock, logger)
 		if !apiequality.Semantic.DeepEqual(oldCnStatus, cn.Status) {
 			// An error encountered here should get returned by the Reconcile function.
@@ -161,17 +164,6 @@ func (a *ConnectorReconciler) maybeProvisionConnector(ctx context.Context, logge
 		hostname = string(cn.Spec.Hostname)
 	}
 	crl := childResourceLabels(cn.Name, a.tsnamespace, "connector")
-
-	proxyClass := cn.Spec.ProxyClass
-	if proxyClass != "" {
-		if ready, err := proxyClassIsReady(ctx, proxyClass, a.Client); err != nil {
-			return fmt.Errorf("error verifying ProxyClass for Connector: %w", err)
-		} else if !ready {
-			logger.Infof("ProxyClass %s specified for the Connector, but is not (yet) Ready, waiting..", proxyClass)
-			return nil
-		}
-	}
-
 	sts := &tailscaleSTSConfig{
 		ParentResourceName:  cn.Name,
 		ParentResourceUID:   string(cn.UID),
@@ -181,7 +173,6 @@ func (a *ConnectorReconciler) maybeProvisionConnector(ctx context.Context, logge
 		Connector: &connector{
 			isExitNode: cn.Spec.ExitNode,
 		},
-		ProxyClassName: proxyClass,
 	}

 	if cn.Spec.SubnetRouter != nil && len(cn.Spec.SubnetRouter.AdvertiseRoutes) > 0 {
@@ -208,27 +199,7 @@ func (a *ConnectorReconciler) maybeProvisionConnector(ctx context.Context, logge
 	gaugeConnectorResources.Set(int64(connectors.Len()))

 	_, err := a.ssr.Provision(ctx, logger, sts)
-	if err != nil {
-		return err
-	}
-
-	_, tsHost, ips, err := a.ssr.DeviceInfo(ctx, crl)
-	if err != nil {
-		return err
-	}
-
-	if tsHost == "" {
-		logger.Debugf("no Tailscale hostname known yet, waiting for connector pod to finish auth")
-		// No hostname yet. Wait for the connector pod to auth.
-		cn.Status.TailnetIPs = nil
-		cn.Status.Hostname = ""
-		return nil
-	}
-
-	cn.Status.TailnetIPs = ips
-	cn.Status.Hostname = tsHost
-
-	return nil
+	return err
 }

 func (a *ConnectorReconciler) maybeCleanupConnector(ctx context.Context, logger *zap.SugaredLogger, cn *tsapi.Connector) (bool, error) {
--- a/cmd/k8s-operator/connector_test.go
+++ b/cmd/k8s-operator/connector_test.go
@@ -17,7 +17,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/tstest"
-	"tailscale.com/util/mak"
 )

 func TestConnector(t *testing.T) {
@@ -30,7 +29,7 @@ func TestConnector(t *testing.T) {
 		},
 		TypeMeta: metav1.TypeMeta{
 			Kind:       tsapi.ConnectorKind,
-			APIVersion: "tailscale.com/v1alpha1",
+			APIVersion: "tailscale.io/v1alpha1",
 		},
 		Spec: tsapi.ConnectorSpec{
 			SubnetRouter: &tsapi.SubnetRouter{
@@ -68,57 +67,45 @@ func TestConnector(t *testing.T) {
 	fullName, shortName := findGenName(t, fc, "", "test", "connector")

 	opts := configOpts{
-		stsName:      shortName,
-		secretName:   fullName,
-		parentType:   "connector",
-		hostname:     "test-connector",
-		isExitNode:   true,
-		subnetRoutes: "10.40.0.0/14",
+		stsName:                    shortName,
+		secretName:                 fullName,
+		parentType:                 "connector",
+		hostname:                   "test-connector",
+		shouldUseDeclarativeConfig: true,
+		isExitNode:                 true,
+		subnetRoutes:               "10.40.0.0/14",
+		confFileHash:               "9321660203effb80983eaecc7b5ac5a8c53934926f46e895b9fe295dcfc5a904",
 	}
-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
-
-	// Connector status should get updated with the IP/hostname info when available.
-	const hostname = "foo.tailnetxyz.ts.net"
-	mustUpdate(t, fc, "operator-ns", opts.secretName, func(secret *corev1.Secret) {
-		mak.Set(&secret.Data, "device_id", []byte("1234"))
-		mak.Set(&secret.Data, "device_fqdn", []byte(hostname))
-		mak.Set(&secret.Data, "device_ips", []byte(`["127.0.0.1", "::1"]`))
-	})
-	expectReconciled(t, cr, "", "test")
-	cn.Finalizers = append(cn.Finalizers, "tailscale.com/finalizer")
-	cn.Status.IsExitNode = cn.Spec.ExitNode
-	cn.Status.SubnetRoutes = cn.Spec.SubnetRouter.AdvertiseRoutes.Stringify()
-	cn.Status.Hostname = hostname
-	cn.Status.TailnetIPs = []string{"127.0.0.1", "::1"}
-	expectEqual(t, fc, cn, func(o *tsapi.Connector) {
-		o.Status.Conditions = nil
-	})
+	expectEqual(t, fc, expectedSecret(t, opts))
+	expectEqual(t, fc, expectedSTS(opts))

 	// Add another route to be advertised.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
 		conn.Spec.SubnetRouter.AdvertiseRoutes = []tsapi.Route{"10.40.0.0/14", "10.44.0.0/20"}
 	})
 	opts.subnetRoutes = "10.40.0.0/14,10.44.0.0/20"
+	opts.confFileHash = "fb6c4daf67425f983985750cd8d6f2beae77e614fcb34176604571f5623d6862"
 	expectReconciled(t, cr, "", "test")

-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(opts))

 	// Remove a route.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
 		conn.Spec.SubnetRouter.AdvertiseRoutes = []tsapi.Route{"10.44.0.0/20"}
 	})
 	opts.subnetRoutes = "10.44.0.0/20"
+	opts.confFileHash = "bacba177bcfe3849065cf6fee53d658a9bb4144197ac5b861727d69ea99742bb"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(opts))

 	// Remove the subnet router.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
 		conn.Spec.SubnetRouter = nil
 	})
 	opts.subnetRoutes = ""
+	opts.confFileHash = "7c421a99128eb80e79a285a82702f19f8f720615542a15bd794858a6275d8079"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(opts))

 	// Re-add the subnet router.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
@@ -127,8 +114,9 @@ func TestConnector(t *testing.T) {
 		}
 	})
 	opts.subnetRoutes = "10.44.0.0/20"
+	opts.confFileHash = "bacba177bcfe3849065cf6fee53d658a9bb4144197ac5b861727d69ea99742bb"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(opts))

 	// Delete the Connector.
 	if err = fc.Delete(context.Background(), cn); err != nil {
@@ -164,22 +152,25 @@ func TestConnector(t *testing.T) {
 	fullName, shortName = findGenName(t, fc, "", "test", "connector")

 	opts = configOpts{
-		stsName:      shortName,
-		secretName:   fullName,
-		parentType:   "connector",
-		subnetRoutes: "10.40.0.0/14",
-		hostname:     "test-connector",
+		stsName:                    shortName,
+		secretName:                 fullName,
+		parentType:                 "connector",
+		shouldUseDeclarativeConfig: true,
+		subnetRoutes:               "10.40.0.0/14",
+		hostname:                   "test-connector",
+		confFileHash:               "57d922331890c9b1c8c6ae664394cb254334c551d9cd9db14537b5d9da9fb17e",
 	}
-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSecret(t, opts))
+	expectEqual(t, fc, expectedSTS(opts))

 	// Add an exit node.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
 		conn.Spec.ExitNode = true
 	})
 	opts.isExitNode = true
+	opts.confFileHash = "1499b591fd97a50f0330db6ec09979792c49890cf31f5da5bb6a3f50dba1e77a"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
+	expectEqual(t, fc, expectedSTS(opts))

 	// Delete the Connector.
 	if err = fc.Delete(context.Background(), cn); err != nil {
@@ -192,103 +183,3 @@ func TestConnector(t *testing.T) {
 	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
 	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
 }
-
-func TestConnectorWithProxyClass(t *testing.T) {
-	// Setup
-	pc := &tsapi.ProxyClass{
-		ObjectMeta: metav1.ObjectMeta{Name: "custom-metadata"},
-		Spec: tsapi.ProxyClassSpec{StatefulSet: &tsapi.StatefulSet{
-			Labels:      map[string]string{"foo": "bar"},
-			Annotations: map[string]string{"bar.io/foo": "some-val"},
-			Pod:         &tsapi.Pod{Annotations: map[string]string{"foo.io/bar": "some-val"}}}},
-	}
-	cn := &tsapi.Connector{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "test",
-			UID:  types.UID("1234-UID"),
-		},
-		TypeMeta: metav1.TypeMeta{
-			Kind:       tsapi.ConnectorKind,
-			APIVersion: "tailscale.io/v1alpha1",
-		},
-		Spec: tsapi.ConnectorSpec{
-			SubnetRouter: &tsapi.SubnetRouter{
-				AdvertiseRoutes: []tsapi.Route{"10.40.0.0/14"},
-			},
-			ExitNode: true,
-		},
-	}
-	fc := fake.NewClientBuilder().
-		WithScheme(tsapi.GlobalScheme).
-		WithObjects(pc, cn).
-		WithStatusSubresource(pc, cn).
-		Build()
-	ft := &fakeTSClient{}
-	zl, err := zap.NewDevelopment()
-	if err != nil {
-		t.Fatal(err)
-	}
-	cl := tstest.NewClock(tstest.ClockOpts{})
-	cr := &ConnectorReconciler{
-		Client: fc,
-		clock:  cl,
-		ssr: &tailscaleSTSReconciler{
-			Client:            fc,
-			tsClient:          ft,
-			defaultTags:       []string{"tag:k8s"},
-			operatorNamespace: "operator-ns",
-			proxyImage:        "tailscale/tailscale",
-		},
-		logger: zl.Sugar(),
-	}
-
-	// 1. Connector is created with no ProxyClass specified, create
-	// resources with the default configuration.
-	expectReconciled(t, cr, "", "test")
-	fullName, shortName := findGenName(t, fc, "", "test", "connector")
-
-	opts := configOpts{
-		stsName:      shortName,
-		secretName:   fullName,
-		parentType:   "connector",
-		hostname:     "test-connector",
-		isExitNode:   true,
-		subnetRoutes: "10.40.0.0/14",
-	}
-	expectEqual(t, fc, expectedSecret(t, fc, opts), nil)
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
-
-	// 2. Update Connector to specify a ProxyClass. ProxyClass is not yet
-	// ready, so its configuration is NOT applied to the Connector
-	// resources.
-	mustUpdate(t, fc, "", "test", func(conn *tsapi.Connector) {
-		conn.Spec.ProxyClass = "custom-metadata"
-	})
-	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
-
-	// 3. ProxyClass is set to Ready by proxy-class reconciler. Connector
-	// get reconciled and configuration from the ProxyClass is applied to
-	// its resources.
-	mustUpdateStatus(t, fc, "", "custom-metadata", func(pc *tsapi.ProxyClass) {
-		pc.Status = tsapi.ProxyClassStatus{
-			Conditions: []metav1.Condition{{
-				Status:             metav1.ConditionTrue,
-				Type:               string(tsapi.ProxyClassready),
-				ObservedGeneration: pc.Generation,
-			}}}
-	})
-	opts.proxyClass = pc.Name
-	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
-
-	// 4. Connector.spec.proxyClass field is unset, Connector gets
-	// reconciled and configuration from the ProxyClass is removed from the
-	// cluster resources for the Connector.
-	mustUpdate(t, fc, "", "test", func(conn *tsapi.Connector) {
-		conn.Spec.ProxyClass = ""
-	})
-	opts.proxyClass = ""
-	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(t, fc, opts), removeHashAnnotation)
-}
--- a/cmd/k8s-operator/depaware.txt
+++ b/cmd/k8s-operator/depaware.txt
@@ -1,997 +0,0 @@
-tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/depaware)
-
-        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
-        filippo.io/edwards25519/field                                from filippo.io/edwards25519
-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
-   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
-   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-   L    github.com/aws/aws-sdk-go-v2/aws                             from github.com/aws/aws-sdk-go-v2/aws/defaults+
-   L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/awsstore
-   L    github.com/aws/aws-sdk-go-v2/aws/defaults                    from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/aws-sdk-go-v2/aws/middleware                  from github.com/aws/aws-sdk-go-v2/aws/retry+
-   L    github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics  from github.com/aws/aws-sdk-go-v2/aws/retry+
-   L    github.com/aws/aws-sdk-go-v2/aws/protocol/query              from github.com/aws/aws-sdk-go-v2/service/sts
-   L    github.com/aws/aws-sdk-go-v2/aws/protocol/restjson           from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/aws-sdk-go-v2/aws/protocol/xml                from github.com/aws/aws-sdk-go-v2/service/sts
-   L    github.com/aws/aws-sdk-go-v2/aws/ratelimit                   from github.com/aws/aws-sdk-go-v2/aws/retry
-   L    github.com/aws/aws-sdk-go-v2/aws/retry                       from github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client+
-   L    github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4          from github.com/aws/aws-sdk-go-v2/aws/signer/v4
-   L    github.com/aws/aws-sdk-go-v2/aws/signer/v4                   from github.com/aws/aws-sdk-go-v2/internal/auth/smithy+
-   L    github.com/aws/aws-sdk-go-v2/aws/transport/http              from github.com/aws/aws-sdk-go-v2/config+
-   L    github.com/aws/aws-sdk-go-v2/config                          from tailscale.com/ipn/store/awsstore
-   L    github.com/aws/aws-sdk-go-v2/credentials                     from github.com/aws/aws-sdk-go-v2/config
-   L    github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds        from github.com/aws/aws-sdk-go-v2/config
-   L    github.com/aws/aws-sdk-go-v2/credentials/endpointcreds       from github.com/aws/aws-sdk-go-v2/config
-   L    github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client from github.com/aws/aws-sdk-go-v2/credentials/endpointcreds
-   L    github.com/aws/aws-sdk-go-v2/credentials/processcreds        from github.com/aws/aws-sdk-go-v2/config
-   L    github.com/aws/aws-sdk-go-v2/credentials/ssocreds            from github.com/aws/aws-sdk-go-v2/config
-   L    github.com/aws/aws-sdk-go-v2/credentials/stscreds            from github.com/aws/aws-sdk-go-v2/config
-   L    github.com/aws/aws-sdk-go-v2/feature/ec2/imds                from github.com/aws/aws-sdk-go-v2/config+
-   L    github.com/aws/aws-sdk-go-v2/feature/ec2/imds/internal/config from github.com/aws/aws-sdk-go-v2/feature/ec2/imds
-   L    github.com/aws/aws-sdk-go-v2/internal/auth                   from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
-   L    github.com/aws/aws-sdk-go-v2/internal/auth/smithy            from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/aws-sdk-go-v2/internal/configsources          from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/aws-sdk-go-v2/internal/endpoints              from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn   from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/aws-sdk-go-v2/internal/endpoints/v2           from github.com/aws/aws-sdk-go-v2/service/ssm/internal/endpoints+
-   L    github.com/aws/aws-sdk-go-v2/internal/ini                    from github.com/aws/aws-sdk-go-v2/config
-   L    github.com/aws/aws-sdk-go-v2/internal/rand                   from github.com/aws/aws-sdk-go-v2/aws+
-   L    github.com/aws/aws-sdk-go-v2/internal/sdk                    from github.com/aws/aws-sdk-go-v2/aws+
-   L    github.com/aws/aws-sdk-go-v2/internal/sdkio                  from github.com/aws/aws-sdk-go-v2/credentials/processcreds
-   L    github.com/aws/aws-sdk-go-v2/internal/shareddefaults         from github.com/aws/aws-sdk-go-v2/config+
-   L    github.com/aws/aws-sdk-go-v2/internal/strings                from github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4
-   L    github.com/aws/aws-sdk-go-v2/internal/sync/singleflight      from github.com/aws/aws-sdk-go-v2/aws
-   L    github.com/aws/aws-sdk-go-v2/internal/timeconv               from github.com/aws/aws-sdk-go-v2/aws/retry
-   L    github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding from github.com/aws/aws-sdk-go-v2/service/sts
-   L    github.com/aws/aws-sdk-go-v2/service/internal/presigned-url  from github.com/aws/aws-sdk-go-v2/service/sts
-   L    github.com/aws/aws-sdk-go-v2/service/ssm                     from tailscale.com/ipn/store/awsstore
-   L    github.com/aws/aws-sdk-go-v2/service/ssm/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/ssm
-   L    github.com/aws/aws-sdk-go-v2/service/ssm/types               from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/aws-sdk-go-v2/service/sso                     from github.com/aws/aws-sdk-go-v2/config+
-   L    github.com/aws/aws-sdk-go-v2/service/sso/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/sso
-   L    github.com/aws/aws-sdk-go-v2/service/sso/types               from github.com/aws/aws-sdk-go-v2/service/sso
-   L    github.com/aws/aws-sdk-go-v2/service/ssooidc                 from github.com/aws/aws-sdk-go-v2/config+
-   L    github.com/aws/aws-sdk-go-v2/service/ssooidc/internal/endpoints from github.com/aws/aws-sdk-go-v2/service/ssooidc
-   L    github.com/aws/aws-sdk-go-v2/service/ssooidc/types           from github.com/aws/aws-sdk-go-v2/service/ssooidc
-   L    github.com/aws/aws-sdk-go-v2/service/sts                     from github.com/aws/aws-sdk-go-v2/config+
-   L    github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints  from github.com/aws/aws-sdk-go-v2/service/sts
-   L    github.com/aws/aws-sdk-go-v2/service/sts/types               from github.com/aws/aws-sdk-go-v2/credentials/stscreds+
-   L    github.com/aws/smithy-go                                     from github.com/aws/aws-sdk-go-v2/aws/protocol/restjson+
-   L    github.com/aws/smithy-go/auth                                from github.com/aws/aws-sdk-go-v2/internal/auth+
-   L    github.com/aws/smithy-go/auth/bearer                         from github.com/aws/aws-sdk-go-v2/aws+
-   L    github.com/aws/smithy-go/context                             from github.com/aws/smithy-go/auth/bearer
-   L    github.com/aws/smithy-go/document                            from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/smithy-go/encoding                            from github.com/aws/smithy-go/encoding/json+
-   L    github.com/aws/smithy-go/encoding/httpbinding                from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
-   L    github.com/aws/smithy-go/encoding/json                       from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/smithy-go/encoding/xml                        from github.com/aws/aws-sdk-go-v2/service/sts
-   L    github.com/aws/smithy-go/endpoints                           from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/smithy-go/internal/sync/singleflight          from github.com/aws/smithy-go/auth/bearer
-   L    github.com/aws/smithy-go/io                                  from github.com/aws/aws-sdk-go-v2/feature/ec2/imds+
-   L    github.com/aws/smithy-go/logging                             from github.com/aws/aws-sdk-go-v2/aws+
-   L    github.com/aws/smithy-go/middleware                          from github.com/aws/aws-sdk-go-v2/aws+
-   L    github.com/aws/smithy-go/private/requestcompression          from github.com/aws/aws-sdk-go-v2/config
-   L    github.com/aws/smithy-go/ptr                                 from github.com/aws/aws-sdk-go-v2/aws+
-   L    github.com/aws/smithy-go/rand                                from github.com/aws/aws-sdk-go-v2/aws/middleware+
-   L    github.com/aws/smithy-go/time                                from github.com/aws/aws-sdk-go-v2/service/ssm+
-   L    github.com/aws/smithy-go/transport/http                      from github.com/aws/aws-sdk-go-v2/aws/middleware+
-   L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
-   L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
-        github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
-        github.com/bits-and-blooms/bitset                            from github.com/gaissmai/bart
-     💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
-   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
-     💣 github.com/davecgh/go-spew/spew                              from k8s.io/apimachinery/pkg/util/dump
-   W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com+
-   W 💣 github.com/dblohm7/wingoes/com                               from tailscale.com/util/osdiag+
-   W 💣 github.com/dblohm7/wingoes/com/automation                    from tailscale.com/util/osdiag/internal/wsc
-   W    github.com/dblohm7/wingoes/internal                          from github.com/dblohm7/wingoes/com
-   W 💣 github.com/dblohm7/wingoes/pe                                from tailscale.com/util/osdiag+
-  LW 💣 github.com/digitalocean/go-smbios/smbios                     from tailscale.com/posture
-        github.com/distribution/reference                            from tailscale.com/cmd/k8s-operator
-        github.com/emicklei/go-restful/v3                            from k8s.io/kube-openapi/pkg/common
-        github.com/emicklei/go-restful/v3/log                        from github.com/emicklei/go-restful/v3
-        github.com/evanphx/json-patch/v5                             from sigs.k8s.io/controller-runtime/pkg/client
-        github.com/evanphx/json-patch/v5/internal/json               from github.com/evanphx/json-patch/v5
-     💣 github.com/fsnotify/fsnotify                                 from sigs.k8s.io/controller-runtime/pkg/certwatcher
-        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
-        github.com/gaissmai/bart                                     from tailscale.com/net/ipset+
-        github.com/go-json-experiment/json                           from tailscale.com/types/opt
-        github.com/go-json-experiment/json/internal                  from github.com/go-json-experiment/json/internal/jsonflags+
-        github.com/go-json-experiment/json/internal/jsonflags        from github.com/go-json-experiment/json/internal/jsonopts+
-        github.com/go-json-experiment/json/internal/jsonopts         from github.com/go-json-experiment/json/jsontext+
-        github.com/go-json-experiment/json/internal/jsonwire         from github.com/go-json-experiment/json/jsontext+
-        github.com/go-json-experiment/json/jsontext                  from tailscale.com/logtail+
-        github.com/go-logr/logr                                      from github.com/go-logr/logr/slogr+
-        github.com/go-logr/logr/slogr                                from github.com/go-logr/zapr
-        github.com/go-logr/zapr                                      from sigs.k8s.io/controller-runtime/pkg/log/zap+
-   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
-   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
-        github.com/go-openapi/jsonpointer                            from github.com/go-openapi/jsonreference
-        github.com/go-openapi/jsonreference                          from k8s.io/kube-openapi/pkg/internal+
-        github.com/go-openapi/jsonreference/internal                 from github.com/go-openapi/jsonreference
-        github.com/go-openapi/swag                                   from github.com/go-openapi/jsonpointer+
-   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
-     💣 github.com/gogo/protobuf/proto                               from k8s.io/api/admission/v1+
-        github.com/gogo/protobuf/sortkeys                            from k8s.io/api/admission/v1+
-        github.com/golang/groupcache/lru                             from k8s.io/client-go/tools/record+
-        github.com/golang/protobuf/proto                             from k8s.io/client-go/discovery+
-        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
-        github.com/google/gnostic-models/compiler                    from github.com/google/gnostic-models/openapiv2+
-        github.com/google/gnostic-models/extensions                  from github.com/google/gnostic-models/compiler
-        github.com/google/gnostic-models/jsonschema                  from github.com/google/gnostic-models/compiler
-        github.com/google/gnostic-models/openapiv2                   from k8s.io/client-go/discovery+
-        github.com/google/gnostic-models/openapiv3                   from k8s.io/kube-openapi/pkg/handler3+
-     💣 github.com/google/go-cmp/cmp                                 from k8s.io/apimachinery/pkg/util/diff+
-        github.com/google/go-cmp/cmp/internal/diff                   from github.com/google/go-cmp/cmp
-        github.com/google/go-cmp/cmp/internal/flags                  from github.com/google/go-cmp/cmp+
-        github.com/google/go-cmp/cmp/internal/function               from github.com/google/go-cmp/cmp
-     💣 github.com/google/go-cmp/cmp/internal/value                  from github.com/google/go-cmp/cmp
-        github.com/google/gofuzz                                     from k8s.io/apimachinery/pkg/apis/meta/v1+
-        github.com/google/gofuzz/bytesource                          from github.com/google/gofuzz
-   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
-   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
-   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
-   L    github.com/google/nftables/expr                              from github.com/google/nftables+
-   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
-   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
-        github.com/google/uuid                                       from github.com/prometheus-community/pro-bing+
-        github.com/gorilla/csrf                                      from tailscale.com/client/web
-        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/clientupdate/distsign+
-   L 💣 github.com/illarion/gonotify                                 from tailscale.com/net/dns
-        github.com/imdario/mergo                                     from k8s.io/client-go/tools/clientcmd
-   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
-   L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
-   L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
-   L    github.com/insomniacslk/dhcp/rfc1035label                    from github.com/insomniacslk/dhcp/dhcpv4
-   L    github.com/jmespath/go-jmespath                              from github.com/aws/aws-sdk-go-v2/service/ssm
-        github.com/josharian/intern                                  from github.com/mailru/easyjson/jlexer
-   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/netmon
-   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
-     💣 github.com/json-iterator/go                                  from sigs.k8s.io/structured-merge-diff/v4/fieldpath+
-        github.com/klauspost/compress                                from github.com/klauspost/compress/zstd
-        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
-        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
-        github.com/klauspost/compress/internal/cpuinfo               from github.com/klauspost/compress/huff0+
-        github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
-        github.com/klauspost/compress/zstd                           from tailscale.com/util/zstdframe
-        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
-        github.com/kortschak/wol                                     from tailscale.com/ipn/ipnlocal
-        github.com/mailru/easyjson/buffer                            from github.com/mailru/easyjson/jwriter
-     💣 github.com/mailru/easyjson/jlexer                            from github.com/go-openapi/swag
-        github.com/mailru/easyjson/jwriter                           from github.com/go-openapi/swag
-   L    github.com/mdlayher/genetlink                                from tailscale.com/net/tstun
-   L 💣 github.com/mdlayher/netlink                                  from github.com/google/nftables+
-   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
-   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
-   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
-        github.com/miekg/dns                                         from tailscale.com/net/dns/recursive
-     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
-        github.com/modern-go/concurrent                              from github.com/json-iterator/go
-     💣 github.com/modern-go/reflect2                                from github.com/json-iterator/go
-        github.com/munnerz/goautoneg                                 from k8s.io/kube-openapi/pkg/handler3
-        github.com/opencontainers/go-digest                          from github.com/distribution/reference
-   L    github.com/pierrec/lz4/v4                                    from github.com/u-root/uio/uio
-   L    github.com/pierrec/lz4/v4/internal/lz4block                  from github.com/pierrec/lz4/v4+
-   L    github.com/pierrec/lz4/v4/internal/lz4errors                 from github.com/pierrec/lz4/v4+
-   L    github.com/pierrec/lz4/v4/internal/lz4stream                 from github.com/pierrec/lz4/v4
-   L    github.com/pierrec/lz4/v4/internal/xxh32                     from github.com/pierrec/lz4/v4/internal/lz4stream
-        github.com/pkg/errors                                        from github.com/evanphx/json-patch/v5+
-   D    github.com/prometheus-community/pro-bing                     from tailscale.com/wgengine/netstack
-     💣 github.com/prometheus/client_golang/prometheus               from github.com/prometheus/client_golang/prometheus/collectors+
-        github.com/prometheus/client_golang/prometheus/collectors    from sigs.k8s.io/controller-runtime/pkg/internal/controller/metrics
-        github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus+
-        github.com/prometheus/client_golang/prometheus/promhttp      from sigs.k8s.io/controller-runtime/pkg/metrics/server+
-        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
-        github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
-        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
-        github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
-  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
-  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
-  LD    github.com/prometheus/procfs/internal/util                   from github.com/prometheus/procfs
-   L 💣 github.com/safchain/ethtool                                  from tailscale.com/doctor/ethtool+
-        github.com/spf13/pflag                                       from k8s.io/client-go/tools/clientcmd
-   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
-   W 💣 github.com/tailscale/go-winio                                from tailscale.com/safesocket
-   W 💣 github.com/tailscale/go-winio/internal/fs                    from github.com/tailscale/go-winio
-   W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
-   W    github.com/tailscale/go-winio/internal/stringbuffer          from github.com/tailscale/go-winio/internal/fs
-   W    github.com/tailscale/go-winio/pkg/guid                       from github.com/tailscale/go-winio+
-        github.com/tailscale/golang-x-crypto/acme                    from tailscale.com/ipn/ipnlocal
-  LD    github.com/tailscale/golang-x-crypto/internal/poly1305       from github.com/tailscale/golang-x-crypto/ssh
-  LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal
-  LD    github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf from github.com/tailscale/golang-x-crypto/ssh
-        github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
-        github.com/tailscale/goupnp/dcps/internetgateway2            from tailscale.com/net/portmapper
-        github.com/tailscale/goupnp/httpu                            from github.com/tailscale/goupnp+
-        github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
-        github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
-        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
-        github.com/tailscale/hujson                                  from tailscale.com/ipn/conffile
-   L 💣 github.com/tailscale/netlink                                 from tailscale.com/net/routetable+
-        github.com/tailscale/peercred                                from tailscale.com/ipn/ipnauth
-        github.com/tailscale/web-client-prebuilt                     from tailscale.com/client/web
-     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
-   W 💣 github.com/tailscale/wireguard-go/conn/winrio                from github.com/tailscale/wireguard-go/conn
-     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/net/tstun+
-     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
-   W 💣 github.com/tailscale/wireguard-go/ipc/namedpipe              from github.com/tailscale/wireguard-go/ipc
-        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
-        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
-        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
-        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device
-     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
-        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
-   L    github.com/u-root/uio/rand                                   from github.com/insomniacslk/dhcp/dhcpv4
-   L    github.com/u-root/uio/uio                                    from github.com/insomniacslk/dhcp/dhcpv4+
-   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
-   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
-        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
-        go.uber.org/multierr                                         from go.uber.org/zap+
-        go.uber.org/zap                                              from github.com/go-logr/zapr+
-        go.uber.org/zap/buffer                                       from go.uber.org/zap/internal/bufferpool+
-        go.uber.org/zap/internal                                     from go.uber.org/zap
-        go.uber.org/zap/internal/bufferpool                          from go.uber.org/zap+
-        go.uber.org/zap/internal/color                               from go.uber.org/zap/zapcore
-        go.uber.org/zap/internal/exit                                from go.uber.org/zap/zapcore
-        go.uber.org/zap/internal/pool                                from go.uber.org/zap+
-        go.uber.org/zap/internal/stacktrace                          from go.uber.org/zap
-        go.uber.org/zap/zapcore                                      from github.com/go-logr/zapr+
-     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
-        go4.org/netipx                                               from tailscale.com/ipn/ipnlocal+
-   W 💣 golang.zx2c4.com/wintun                                      from github.com/tailscale/wireguard-go/tun
-   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/dns+
-        gomodules.xyz/jsonpatch/v2                                   from sigs.k8s.io/controller-runtime/pkg/webhook+
-        google.golang.org/protobuf/encoding/protodelim               from github.com/prometheus/common/expfmt
-        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
-        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
-        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
-        google.golang.org/protobuf/internal/editiondefaults          from google.golang.org/protobuf/internal/filedesc+
-        google.golang.org/protobuf/internal/encoding/defval          from google.golang.org/protobuf/internal/encoding/tag+
-        google.golang.org/protobuf/internal/encoding/messageset      from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/encoding/tag             from google.golang.org/protobuf/internal/impl
-        google.golang.org/protobuf/internal/encoding/text            from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/errors                   from google.golang.org/protobuf/encoding/protodelim+
-        google.golang.org/protobuf/internal/filedesc                 from google.golang.org/protobuf/internal/encoding/tag+
-        google.golang.org/protobuf/internal/filetype                 from google.golang.org/protobuf/runtime/protoimpl
-        google.golang.org/protobuf/internal/flags                    from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/genid                    from google.golang.org/protobuf/encoding/prototext+
-     💣 google.golang.org/protobuf/internal/impl                     from google.golang.org/protobuf/internal/filetype+
-        google.golang.org/protobuf/internal/order                    from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/pragma                   from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/set                      from google.golang.org/protobuf/encoding/prototext
-     💣 google.golang.org/protobuf/internal/strs                     from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/version                  from google.golang.org/protobuf/runtime/protoimpl
-        google.golang.org/protobuf/proto                             from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/reflect/protodesc                 from github.com/golang/protobuf/proto
-     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/reflect/protoregistry             from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/runtime/protoiface                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/types/descriptorpb                from github.com/google/gnostic-models/openapiv3+
-        google.golang.org/protobuf/types/gofeaturespb                from google.golang.org/protobuf/reflect/protodesc
-        google.golang.org/protobuf/types/known/anypb                 from github.com/google/gnostic-models/compiler+
-        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
-        gopkg.in/inf.v0                                              from k8s.io/apimachinery/pkg/api/resource
-        gopkg.in/yaml.v2                                             from k8s.io/kube-openapi/pkg/util/proto+
-        gopkg.in/yaml.v3                                             from github.com/go-openapi/swag+
-        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/buffer+
-        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/buffer
-     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip+
-        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs
-     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
-        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
-        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
-        gvisor.dev/gvisor/pkg/rand                                   from gvisor.dev/gvisor/pkg/tcpip/network/hash+
-        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/buffer+
-     💣 gvisor.dev/gvisor/pkg/sleep                                  from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
-     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
-        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
-     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/atomicbitops+
-     💣 gvisor.dev/gvisor/pkg/sync/locking                           from gvisor.dev/gvisor/pkg/tcpip/stack
-        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
-        gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
-     💣 gvisor.dev/gvisor/pkg/tcpip/checksum                         from gvisor.dev/gvisor/pkg/buffer+
-        gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
-        gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
-        gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
-        gvisor.dev/gvisor/pkg/tcpip/internal/tcp                     from gvisor.dev/gvisor/pkg/tcpip/stack+
-        gvisor.dev/gvisor/pkg/tcpip/network/hash                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4
-        gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation   from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
-        gvisor.dev/gvisor/pkg/tcpip/network/internal/ip              from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
-        gvisor.dev/gvisor/pkg/tcpip/network/internal/multicast       from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
-        gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/net/tstun+
-        gvisor.dev/gvisor/pkg/tcpip/network/ipv6                     from tailscale.com/wgengine/netstack
-        gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
-        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header+
-     💣 gvisor.dev/gvisor/pkg/tcpip/stack                            from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
-        gvisor.dev/gvisor/pkg/tcpip/stack/gro                        from tailscale.com/wgengine/netstack
-        gvisor.dev/gvisor/pkg/tcpip/transport                        from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
-        gvisor.dev/gvisor/pkg/tcpip/transport/icmp                   from tailscale.com/wgengine/netstack
-        gvisor.dev/gvisor/pkg/tcpip/transport/internal/network       from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
-        gvisor.dev/gvisor/pkg/tcpip/transport/internal/noop          from gvisor.dev/gvisor/pkg/tcpip/transport/raw
-        gvisor.dev/gvisor/pkg/tcpip/transport/packet                 from gvisor.dev/gvisor/pkg/tcpip/transport/raw
-        gvisor.dev/gvisor/pkg/tcpip/transport/raw                    from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
-     💣 gvisor.dev/gvisor/pkg/tcpip/transport/tcp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
-        gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack           from gvisor.dev/gvisor/pkg/tcpip/stack
-        gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
-        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
-        k8s.io/api/admission/v1                                      from sigs.k8s.io/controller-runtime/pkg/webhook/admission
-        k8s.io/api/admission/v1beta1                                 from sigs.k8s.io/controller-runtime/pkg/webhook/admission
-        k8s.io/api/admissionregistration/v1                          from k8s.io/api/admissionregistration/v1alpha1+
-        k8s.io/api/admissionregistration/v1alpha1                    from k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1+
-        k8s.io/api/admissionregistration/v1beta1                     from k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1+
-        k8s.io/api/apidiscovery/v2                                   from k8s.io/client-go/discovery
-        k8s.io/api/apidiscovery/v2beta1                              from k8s.io/client-go/discovery
-        k8s.io/api/apiserverinternal/v1alpha1                        from k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1+
-        k8s.io/api/apps/v1                                           from k8s.io/client-go/applyconfigurations/apps/v1+
-        k8s.io/api/apps/v1beta1                                      from k8s.io/api/extensions/v1beta1+
-        k8s.io/api/apps/v1beta2                                      from k8s.io/client-go/applyconfigurations/apps/v1beta2+
-        k8s.io/api/authentication/v1                                 from k8s.io/api/admission/v1+
-        k8s.io/api/authentication/v1alpha1                           from k8s.io/client-go/kubernetes/scheme+
-        k8s.io/api/authentication/v1beta1                            from k8s.io/client-go/kubernetes/scheme+
-        k8s.io/api/authorization/v1                                  from k8s.io/client-go/kubernetes/scheme+
-        k8s.io/api/authorization/v1beta1                             from k8s.io/client-go/kubernetes/scheme+
-        k8s.io/api/autoscaling/v1                                    from k8s.io/client-go/applyconfigurations/autoscaling/v1+
-        k8s.io/api/autoscaling/v2                                    from k8s.io/client-go/applyconfigurations/autoscaling/v2+
-        k8s.io/api/autoscaling/v2beta1                               from k8s.io/client-go/applyconfigurations/autoscaling/v2beta1+
-        k8s.io/api/autoscaling/v2beta2                               from k8s.io/client-go/applyconfigurations/autoscaling/v2beta2+
-        k8s.io/api/batch/v1                                          from k8s.io/api/batch/v1beta1+
-        k8s.io/api/batch/v1beta1                                     from k8s.io/client-go/applyconfigurations/batch/v1beta1+
-        k8s.io/api/certificates/v1                                   from k8s.io/client-go/applyconfigurations/certificates/v1+
-        k8s.io/api/certificates/v1alpha1                             from k8s.io/client-go/applyconfigurations/certificates/v1alpha1+
-        k8s.io/api/certificates/v1beta1                              from k8s.io/client-go/applyconfigurations/certificates/v1beta1+
-        k8s.io/api/coordination/v1                                   from k8s.io/client-go/applyconfigurations/coordination/v1+
-        k8s.io/api/coordination/v1beta1                              from k8s.io/client-go/applyconfigurations/coordination/v1beta1+
-        k8s.io/api/core/v1                                           from k8s.io/api/apps/v1+
-        k8s.io/api/discovery/v1                                      from k8s.io/client-go/applyconfigurations/discovery/v1+
-        k8s.io/api/discovery/v1beta1                                 from k8s.io/client-go/applyconfigurations/discovery/v1beta1+
-        k8s.io/api/events/v1                                         from k8s.io/client-go/applyconfigurations/events/v1+
-        k8s.io/api/events/v1beta1                                    from k8s.io/client-go/applyconfigurations/events/v1beta1+
-        k8s.io/api/extensions/v1beta1                                from k8s.io/client-go/applyconfigurations/extensions/v1beta1+
-        k8s.io/api/flowcontrol/v1                                    from k8s.io/client-go/applyconfigurations/flowcontrol/v1+
-        k8s.io/api/flowcontrol/v1beta1                               from k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1+
-        k8s.io/api/flowcontrol/v1beta2                               from k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2+
-        k8s.io/api/flowcontrol/v1beta3                               from k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3+
-        k8s.io/api/networking/v1                                     from k8s.io/client-go/applyconfigurations/networking/v1+
-        k8s.io/api/networking/v1alpha1                               from k8s.io/client-go/applyconfigurations/networking/v1alpha1+
-        k8s.io/api/networking/v1beta1                                from k8s.io/client-go/applyconfigurations/networking/v1beta1+
-        k8s.io/api/node/v1                                           from k8s.io/client-go/applyconfigurations/node/v1+
-        k8s.io/api/node/v1alpha1                                     from k8s.io/client-go/applyconfigurations/node/v1alpha1+
-        k8s.io/api/node/v1beta1                                      from k8s.io/client-go/applyconfigurations/node/v1beta1+
-        k8s.io/api/policy/v1                                         from k8s.io/client-go/applyconfigurations/policy/v1+
-        k8s.io/api/policy/v1beta1                                    from k8s.io/client-go/applyconfigurations/policy/v1beta1+
-        k8s.io/api/rbac/v1                                           from k8s.io/client-go/applyconfigurations/rbac/v1+
-        k8s.io/api/rbac/v1alpha1                                     from k8s.io/client-go/applyconfigurations/rbac/v1alpha1+
-        k8s.io/api/rbac/v1beta1                                      from k8s.io/client-go/applyconfigurations/rbac/v1beta1+
-        k8s.io/api/resource/v1alpha2                                 from k8s.io/client-go/applyconfigurations/resource/v1alpha2+
-        k8s.io/api/scheduling/v1                                     from k8s.io/client-go/applyconfigurations/scheduling/v1+
-        k8s.io/api/scheduling/v1alpha1                               from k8s.io/client-go/applyconfigurations/scheduling/v1alpha1+
-        k8s.io/api/scheduling/v1beta1                                from k8s.io/client-go/applyconfigurations/scheduling/v1beta1+
-        k8s.io/api/storage/v1                                        from k8s.io/client-go/applyconfigurations/storage/v1+
-        k8s.io/api/storage/v1alpha1                                  from k8s.io/client-go/applyconfigurations/storage/v1alpha1+
-        k8s.io/api/storage/v1beta1                                   from k8s.io/client-go/applyconfigurations/storage/v1beta1+
-        k8s.io/api/storagemigration/v1alpha1                         from k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1+
-        k8s.io/apiextensions-apiserver/pkg/apis/apiextensions        from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
-     💣 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1     from sigs.k8s.io/controller-runtime/pkg/webhook/conversion
-        k8s.io/apimachinery/pkg/api/equality                         from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1+
-        k8s.io/apimachinery/pkg/api/errors                           from k8s.io/apimachinery/pkg/util/managedfields/internal+
-        k8s.io/apimachinery/pkg/api/meta                             from k8s.io/apimachinery/pkg/api/validation+
-        k8s.io/apimachinery/pkg/api/resource                         from k8s.io/api/autoscaling/v1+
-        k8s.io/apimachinery/pkg/api/validation                       from k8s.io/apimachinery/pkg/util/managedfields/internal+
-     💣 k8s.io/apimachinery/pkg/apis/meta/internalversion            from k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme+
-        k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme     from k8s.io/client-go/metadata
-     💣 k8s.io/apimachinery/pkg/apis/meta/v1                         from k8s.io/api/admission/v1+
-        k8s.io/apimachinery/pkg/apis/meta/v1/unstructured            from k8s.io/apimachinery/pkg/runtime/serializer/versioning+
-        k8s.io/apimachinery/pkg/apis/meta/v1/validation              from k8s.io/apimachinery/pkg/api/validation+
-     💣 k8s.io/apimachinery/pkg/apis/meta/v1beta1                    from k8s.io/apimachinery/pkg/apis/meta/internalversion
-        k8s.io/apimachinery/pkg/conversion                           from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1+
-        k8s.io/apimachinery/pkg/conversion/queryparams               from k8s.io/apimachinery/pkg/runtime+
-        k8s.io/apimachinery/pkg/fields                               from k8s.io/apimachinery/pkg/api/equality+
-        k8s.io/apimachinery/pkg/labels                               from k8s.io/apimachinery/pkg/api/equality+
-        k8s.io/apimachinery/pkg/runtime                              from k8s.io/api/admission/v1+
-        k8s.io/apimachinery/pkg/runtime/schema                       from k8s.io/api/admission/v1+
-        k8s.io/apimachinery/pkg/runtime/serializer                   from k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme+
-        k8s.io/apimachinery/pkg/runtime/serializer/json              from k8s.io/apimachinery/pkg/runtime/serializer+
-        k8s.io/apimachinery/pkg/runtime/serializer/protobuf          from k8s.io/apimachinery/pkg/runtime/serializer
-        k8s.io/apimachinery/pkg/runtime/serializer/recognizer        from k8s.io/apimachinery/pkg/runtime/serializer+
-        k8s.io/apimachinery/pkg/runtime/serializer/streaming         from k8s.io/client-go/rest+
-        k8s.io/apimachinery/pkg/runtime/serializer/versioning        from k8s.io/apimachinery/pkg/runtime/serializer+
-        k8s.io/apimachinery/pkg/selection                            from k8s.io/apimachinery/pkg/apis/meta/v1+
-        k8s.io/apimachinery/pkg/types                                from k8s.io/api/admission/v1+
-        k8s.io/apimachinery/pkg/util/cache                           from k8s.io/client-go/tools/cache
-        k8s.io/apimachinery/pkg/util/diff                            from k8s.io/client-go/tools/cache
-        k8s.io/apimachinery/pkg/util/dump                            from k8s.io/apimachinery/pkg/util/diff+
-        k8s.io/apimachinery/pkg/util/errors                          from k8s.io/apimachinery/pkg/api/meta+
-        k8s.io/apimachinery/pkg/util/framer                          from k8s.io/apimachinery/pkg/runtime/serializer/json+
-        k8s.io/apimachinery/pkg/util/intstr                          from k8s.io/api/apps/v1+
-        k8s.io/apimachinery/pkg/util/json                            from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1+
-        k8s.io/apimachinery/pkg/util/managedfields                   from k8s.io/client-go/applyconfigurations/admissionregistration/v1+
-        k8s.io/apimachinery/pkg/util/managedfields/internal          from k8s.io/apimachinery/pkg/util/managedfields
-        k8s.io/apimachinery/pkg/util/mergepatch                      from k8s.io/apimachinery/pkg/util/strategicpatch
-        k8s.io/apimachinery/pkg/util/naming                          from k8s.io/apimachinery/pkg/runtime+
-        k8s.io/apimachinery/pkg/util/net                             from k8s.io/apimachinery/pkg/watch+
-        k8s.io/apimachinery/pkg/util/rand                            from k8s.io/apiserver/pkg/storage/names
-        k8s.io/apimachinery/pkg/util/runtime                         from k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme+
-        k8s.io/apimachinery/pkg/util/sets                            from k8s.io/apimachinery/pkg/api/meta+
-        k8s.io/apimachinery/pkg/util/strategicpatch                  from k8s.io/client-go/tools/record+
-        k8s.io/apimachinery/pkg/util/uuid                            from sigs.k8s.io/controller-runtime/pkg/internal/controller+
-        k8s.io/apimachinery/pkg/util/validation                      from k8s.io/apimachinery/pkg/api/validation+
-        k8s.io/apimachinery/pkg/util/validation/field                from k8s.io/apimachinery/pkg/api/errors+
-        k8s.io/apimachinery/pkg/util/wait                            from k8s.io/client-go/tools/cache+
-        k8s.io/apimachinery/pkg/util/yaml                            from k8s.io/apimachinery/pkg/runtime/serializer/json
-        k8s.io/apimachinery/pkg/version                              from k8s.io/client-go/discovery+
-        k8s.io/apimachinery/pkg/watch                                from k8s.io/apimachinery/pkg/apis/meta/v1+
-        k8s.io/apimachinery/third_party/forked/golang/json           from k8s.io/apimachinery/pkg/util/strategicpatch
-        k8s.io/apimachinery/third_party/forked/golang/reflect        from k8s.io/apimachinery/pkg/conversion
-        k8s.io/apiserver/pkg/storage/names                           from tailscale.com/cmd/k8s-operator
-        k8s.io/client-go/applyconfigurations/admissionregistration/v1 from k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1+
-        k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1 from k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1
-        k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1 from k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1
-        k8s.io/client-go/applyconfigurations/apiserverinternal/v1alpha1 from k8s.io/client-go/kubernetes/typed/apiserverinternal/v1alpha1
-        k8s.io/client-go/applyconfigurations/apps/v1                 from k8s.io/client-go/kubernetes/typed/apps/v1
-        k8s.io/client-go/applyconfigurations/apps/v1beta1            from k8s.io/client-go/kubernetes/typed/apps/v1beta1
-        k8s.io/client-go/applyconfigurations/apps/v1beta2            from k8s.io/client-go/kubernetes/typed/apps/v1beta2
-        k8s.io/client-go/applyconfigurations/autoscaling/v1          from k8s.io/client-go/kubernetes/typed/apps/v1+
-        k8s.io/client-go/applyconfigurations/autoscaling/v2          from k8s.io/client-go/kubernetes/typed/autoscaling/v2
-        k8s.io/client-go/applyconfigurations/autoscaling/v2beta1     from k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1
-        k8s.io/client-go/applyconfigurations/autoscaling/v2beta2     from k8s.io/client-go/kubernetes/typed/autoscaling/v2beta2
-        k8s.io/client-go/applyconfigurations/batch/v1                from k8s.io/client-go/applyconfigurations/batch/v1beta1+
-        k8s.io/client-go/applyconfigurations/batch/v1beta1           from k8s.io/client-go/kubernetes/typed/batch/v1beta1
-        k8s.io/client-go/applyconfigurations/certificates/v1         from k8s.io/client-go/kubernetes/typed/certificates/v1
-        k8s.io/client-go/applyconfigurations/certificates/v1alpha1   from k8s.io/client-go/kubernetes/typed/certificates/v1alpha1
-        k8s.io/client-go/applyconfigurations/certificates/v1beta1    from k8s.io/client-go/kubernetes/typed/certificates/v1beta1
-        k8s.io/client-go/applyconfigurations/coordination/v1         from k8s.io/client-go/kubernetes/typed/coordination/v1
-        k8s.io/client-go/applyconfigurations/coordination/v1beta1    from k8s.io/client-go/kubernetes/typed/coordination/v1beta1
-        k8s.io/client-go/applyconfigurations/core/v1                 from k8s.io/client-go/applyconfigurations/apps/v1+
-        k8s.io/client-go/applyconfigurations/discovery/v1            from k8s.io/client-go/kubernetes/typed/discovery/v1
-        k8s.io/client-go/applyconfigurations/discovery/v1beta1       from k8s.io/client-go/kubernetes/typed/discovery/v1beta1
-        k8s.io/client-go/applyconfigurations/events/v1               from k8s.io/client-go/kubernetes/typed/events/v1
-        k8s.io/client-go/applyconfigurations/events/v1beta1          from k8s.io/client-go/kubernetes/typed/events/v1beta1
-        k8s.io/client-go/applyconfigurations/extensions/v1beta1      from k8s.io/client-go/kubernetes/typed/extensions/v1beta1
-        k8s.io/client-go/applyconfigurations/flowcontrol/v1          from k8s.io/client-go/kubernetes/typed/flowcontrol/v1
-        k8s.io/client-go/applyconfigurations/flowcontrol/v1beta1     from k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta1
-        k8s.io/client-go/applyconfigurations/flowcontrol/v1beta2     from k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta2
-        k8s.io/client-go/applyconfigurations/flowcontrol/v1beta3     from k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta3
-        k8s.io/client-go/applyconfigurations/internal                from k8s.io/client-go/applyconfigurations/admissionregistration/v1+
-        k8s.io/client-go/applyconfigurations/meta/v1                 from k8s.io/client-go/applyconfigurations/admissionregistration/v1+
-        k8s.io/client-go/applyconfigurations/networking/v1           from k8s.io/client-go/kubernetes/typed/networking/v1
-        k8s.io/client-go/applyconfigurations/networking/v1alpha1     from k8s.io/client-go/kubernetes/typed/networking/v1alpha1
-        k8s.io/client-go/applyconfigurations/networking/v1beta1      from k8s.io/client-go/kubernetes/typed/networking/v1beta1
-        k8s.io/client-go/applyconfigurations/node/v1                 from k8s.io/client-go/kubernetes/typed/node/v1
-        k8s.io/client-go/applyconfigurations/node/v1alpha1           from k8s.io/client-go/kubernetes/typed/node/v1alpha1
-        k8s.io/client-go/applyconfigurations/node/v1beta1            from k8s.io/client-go/kubernetes/typed/node/v1beta1
-        k8s.io/client-go/applyconfigurations/policy/v1               from k8s.io/client-go/kubernetes/typed/policy/v1
-        k8s.io/client-go/applyconfigurations/policy/v1beta1          from k8s.io/client-go/kubernetes/typed/policy/v1beta1
-        k8s.io/client-go/applyconfigurations/rbac/v1                 from k8s.io/client-go/kubernetes/typed/rbac/v1
-        k8s.io/client-go/applyconfigurations/rbac/v1alpha1           from k8s.io/client-go/kubernetes/typed/rbac/v1alpha1
-        k8s.io/client-go/applyconfigurations/rbac/v1beta1            from k8s.io/client-go/kubernetes/typed/rbac/v1beta1
-        k8s.io/client-go/applyconfigurations/resource/v1alpha2       from k8s.io/client-go/kubernetes/typed/resource/v1alpha2
-        k8s.io/client-go/applyconfigurations/scheduling/v1           from k8s.io/client-go/kubernetes/typed/scheduling/v1
-        k8s.io/client-go/applyconfigurations/scheduling/v1alpha1     from k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1
-        k8s.io/client-go/applyconfigurations/scheduling/v1beta1      from k8s.io/client-go/kubernetes/typed/scheduling/v1beta1
-        k8s.io/client-go/applyconfigurations/storage/v1              from k8s.io/client-go/kubernetes/typed/storage/v1
-        k8s.io/client-go/applyconfigurations/storage/v1alpha1        from k8s.io/client-go/kubernetes/typed/storage/v1alpha1
-        k8s.io/client-go/applyconfigurations/storage/v1beta1         from k8s.io/client-go/kubernetes/typed/storage/v1beta1
-        k8s.io/client-go/applyconfigurations/storagemigration/v1alpha1 from k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1
-        k8s.io/client-go/discovery                                   from k8s.io/client-go/applyconfigurations/meta/v1+
-        k8s.io/client-go/dynamic                                     from sigs.k8s.io/controller-runtime/pkg/cache/internal+
-        k8s.io/client-go/features                                    from k8s.io/client-go/tools/cache
-        k8s.io/client-go/kubernetes                                  from k8s.io/client-go/tools/leaderelection/resourcelock
-        k8s.io/client-go/kubernetes/scheme                           from k8s.io/client-go/discovery+
-        k8s.io/client-go/kubernetes/typed/admissionregistration/v1   from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1 from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1 from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/apiserverinternal/v1alpha1 from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/apps/v1                    from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/apps/v1beta1               from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/apps/v1beta2               from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/authentication/v1          from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/authentication/v1alpha1    from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/authentication/v1beta1     from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/authorization/v1           from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/authorization/v1beta1      from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/autoscaling/v1             from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/autoscaling/v2             from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1        from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/autoscaling/v2beta2        from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/batch/v1                   from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/batch/v1beta1              from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/certificates/v1            from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/certificates/v1alpha1      from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/certificates/v1beta1       from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/coordination/v1            from k8s.io/client-go/kubernetes+
-        k8s.io/client-go/kubernetes/typed/coordination/v1beta1       from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/core/v1                    from k8s.io/client-go/kubernetes+
-        k8s.io/client-go/kubernetes/typed/discovery/v1               from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/discovery/v1beta1          from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/events/v1                  from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/events/v1beta1             from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/extensions/v1beta1         from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/flowcontrol/v1             from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta1        from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta2        from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta3        from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/networking/v1              from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/networking/v1alpha1        from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/networking/v1beta1         from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/node/v1                    from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/node/v1alpha1              from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/node/v1beta1               from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/policy/v1                  from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/policy/v1beta1             from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/rbac/v1                    from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/rbac/v1alpha1              from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/rbac/v1beta1               from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/resource/v1alpha2          from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/scheduling/v1              from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1        from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/scheduling/v1beta1         from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/storage/v1                 from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/storage/v1alpha1           from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/storage/v1beta1            from k8s.io/client-go/kubernetes
-        k8s.io/client-go/kubernetes/typed/storagemigration/v1alpha1  from k8s.io/client-go/kubernetes
-        k8s.io/client-go/metadata                                    from sigs.k8s.io/controller-runtime/pkg/cache/internal+
-        k8s.io/client-go/openapi                                     from k8s.io/client-go/discovery
-        k8s.io/client-go/pkg/apis/clientauthentication               from k8s.io/client-go/pkg/apis/clientauthentication/install+
-        k8s.io/client-go/pkg/apis/clientauthentication/install       from k8s.io/client-go/plugin/pkg/client/auth/exec
-     💣 k8s.io/client-go/pkg/apis/clientauthentication/v1            from k8s.io/client-go/pkg/apis/clientauthentication/install+
-     💣 k8s.io/client-go/pkg/apis/clientauthentication/v1beta1       from k8s.io/client-go/pkg/apis/clientauthentication/install+
-        k8s.io/client-go/pkg/version                                 from k8s.io/client-go/rest
-        k8s.io/client-go/plugin/pkg/client/auth/exec                 from k8s.io/client-go/rest
-        k8s.io/client-go/rest                                        from k8s.io/client-go/discovery+
-        k8s.io/client-go/rest/watch                                  from k8s.io/client-go/rest
-        k8s.io/client-go/restmapper                                  from sigs.k8s.io/controller-runtime/pkg/client/apiutil
-        k8s.io/client-go/tools/auth                                  from k8s.io/client-go/tools/clientcmd
-        k8s.io/client-go/tools/cache                                 from sigs.k8s.io/controller-runtime/pkg/cache+
-        k8s.io/client-go/tools/cache/synctrack                       from k8s.io/client-go/tools/cache
-        k8s.io/client-go/tools/clientcmd                             from sigs.k8s.io/controller-runtime/pkg/client/config
-        k8s.io/client-go/tools/clientcmd/api                         from k8s.io/client-go/plugin/pkg/client/auth/exec+
-        k8s.io/client-go/tools/clientcmd/api/latest                  from k8s.io/client-go/tools/clientcmd
-     💣 k8s.io/client-go/tools/clientcmd/api/v1                      from k8s.io/client-go/tools/clientcmd/api/latest
-        k8s.io/client-go/tools/internal/events                       from k8s.io/client-go/tools/record
-        k8s.io/client-go/tools/leaderelection                        from sigs.k8s.io/controller-runtime/pkg/manager+
-        k8s.io/client-go/tools/leaderelection/resourcelock           from k8s.io/client-go/tools/leaderelection+
-        k8s.io/client-go/tools/metrics                               from k8s.io/client-go/plugin/pkg/client/auth/exec+
-        k8s.io/client-go/tools/pager                                 from k8s.io/client-go/tools/cache
-        k8s.io/client-go/tools/record                                from sigs.k8s.io/controller-runtime/pkg/cluster+
-        k8s.io/client-go/tools/record/util                           from k8s.io/client-go/tools/record
-        k8s.io/client-go/tools/reference                             from k8s.io/client-go/kubernetes/typed/core/v1+
-        k8s.io/client-go/transport                                   from k8s.io/client-go/plugin/pkg/client/auth/exec+
-        k8s.io/client-go/util/cert                                   from k8s.io/client-go/rest+
-        k8s.io/client-go/util/connrotation                           from k8s.io/client-go/plugin/pkg/client/auth/exec+
-        k8s.io/client-go/util/flowcontrol                            from k8s.io/client-go/kubernetes+
-        k8s.io/client-go/util/homedir                                from k8s.io/client-go/tools/clientcmd
-        k8s.io/client-go/util/keyutil                                from k8s.io/client-go/util/cert
-        k8s.io/client-go/util/workqueue                              from k8s.io/client-go/transport+
-        k8s.io/klog/v2                                               from k8s.io/apimachinery/pkg/api/meta+
-        k8s.io/klog/v2/internal/buffer                               from k8s.io/klog/v2
-        k8s.io/klog/v2/internal/clock                                from k8s.io/klog/v2
-        k8s.io/klog/v2/internal/dbg                                  from k8s.io/klog/v2
-        k8s.io/klog/v2/internal/serialize                            from k8s.io/klog/v2
-        k8s.io/klog/v2/internal/severity                             from k8s.io/klog/v2+
-        k8s.io/klog/v2/internal/sloghandler                          from k8s.io/klog/v2
-        k8s.io/kube-openapi/pkg/cached                               from k8s.io/kube-openapi/pkg/handler3
-        k8s.io/kube-openapi/pkg/common                               from k8s.io/kube-openapi/pkg/handler3
-        k8s.io/kube-openapi/pkg/handler3                             from k8s.io/client-go/openapi
-        k8s.io/kube-openapi/pkg/internal                             from k8s.io/kube-openapi/pkg/spec3+
-        k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json from k8s.io/kube-openapi/pkg/internal+
-        k8s.io/kube-openapi/pkg/schemaconv                           from k8s.io/apimachinery/pkg/util/managedfields+
-        k8s.io/kube-openapi/pkg/spec3                                from k8s.io/client-go/openapi+
-        k8s.io/kube-openapi/pkg/util/proto                           from k8s.io/apimachinery/pkg/util/managedfields+
-        k8s.io/kube-openapi/pkg/validation/spec                      from k8s.io/apimachinery/pkg/util/managedfields+
-        k8s.io/utils/buffer                                          from k8s.io/client-go/tools/cache
-        k8s.io/utils/clock                                           from k8s.io/apimachinery/pkg/util/cache+
-        k8s.io/utils/clock/testing                                   from k8s.io/client-go/util/flowcontrol
-        k8s.io/utils/internal/third_party/forked/golang/net          from k8s.io/utils/net
-        k8s.io/utils/net                                             from k8s.io/apimachinery/pkg/util/net+
-        k8s.io/utils/pointer                                         from k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1+
-        k8s.io/utils/ptr                                             from k8s.io/client-go/tools/cache+
-        k8s.io/utils/strings/slices                                  from k8s.io/apimachinery/pkg/labels
-        k8s.io/utils/trace                                           from k8s.io/client-go/tools/cache
-        nhooyr.io/websocket                                          from tailscale.com/control/controlhttp+
-        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
-        nhooyr.io/websocket/internal/util                            from nhooyr.io/websocket
-        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
-        sigs.k8s.io/controller-runtime/pkg/builder                   from tailscale.com/cmd/k8s-operator
-        sigs.k8s.io/controller-runtime/pkg/cache                     from sigs.k8s.io/controller-runtime/pkg/cluster+
-        sigs.k8s.io/controller-runtime/pkg/cache/internal            from sigs.k8s.io/controller-runtime/pkg/cache
-        sigs.k8s.io/controller-runtime/pkg/certwatcher               from sigs.k8s.io/controller-runtime/pkg/metrics/server+
-        sigs.k8s.io/controller-runtime/pkg/certwatcher/metrics       from sigs.k8s.io/controller-runtime/pkg/certwatcher
-        sigs.k8s.io/controller-runtime/pkg/client                    from sigs.k8s.io/controller-runtime/pkg/builder+
-        sigs.k8s.io/controller-runtime/pkg/client/apiutil            from sigs.k8s.io/controller-runtime/pkg/builder+
-        sigs.k8s.io/controller-runtime/pkg/client/config             from tailscale.com/cmd/k8s-operator
-        sigs.k8s.io/controller-runtime/pkg/cluster                   from sigs.k8s.io/controller-runtime/pkg/manager
-        sigs.k8s.io/controller-runtime/pkg/config                    from sigs.k8s.io/controller-runtime/pkg/manager
-        sigs.k8s.io/controller-runtime/pkg/controller                from sigs.k8s.io/controller-runtime/pkg/builder
-        sigs.k8s.io/controller-runtime/pkg/conversion                from sigs.k8s.io/controller-runtime/pkg/webhook/conversion
-        sigs.k8s.io/controller-runtime/pkg/event                     from sigs.k8s.io/controller-runtime/pkg/handler+
-        sigs.k8s.io/controller-runtime/pkg/handler                   from sigs.k8s.io/controller-runtime/pkg/builder+
-        sigs.k8s.io/controller-runtime/pkg/healthz                   from sigs.k8s.io/controller-runtime/pkg/manager+
-        sigs.k8s.io/controller-runtime/pkg/internal/controller       from sigs.k8s.io/controller-runtime/pkg/controller
-        sigs.k8s.io/controller-runtime/pkg/internal/controller/metrics from sigs.k8s.io/controller-runtime/pkg/internal/controller
-        sigs.k8s.io/controller-runtime/pkg/internal/field/selector   from sigs.k8s.io/controller-runtime/pkg/cache/internal
-        sigs.k8s.io/controller-runtime/pkg/internal/httpserver       from sigs.k8s.io/controller-runtime/pkg/manager+
-        sigs.k8s.io/controller-runtime/pkg/internal/log              from sigs.k8s.io/controller-runtime/pkg/builder+
-        sigs.k8s.io/controller-runtime/pkg/internal/recorder         from sigs.k8s.io/controller-runtime/pkg/cluster+
-        sigs.k8s.io/controller-runtime/pkg/internal/source           from sigs.k8s.io/controller-runtime/pkg/source
-        sigs.k8s.io/controller-runtime/pkg/internal/syncs            from sigs.k8s.io/controller-runtime/pkg/cache/internal
-        sigs.k8s.io/controller-runtime/pkg/leaderelection            from sigs.k8s.io/controller-runtime/pkg/manager
-        sigs.k8s.io/controller-runtime/pkg/log                       from sigs.k8s.io/controller-runtime/pkg/client+
-        sigs.k8s.io/controller-runtime/pkg/log/zap                   from tailscale.com/cmd/k8s-operator
-        sigs.k8s.io/controller-runtime/pkg/manager                   from sigs.k8s.io/controller-runtime/pkg/builder+
-        sigs.k8s.io/controller-runtime/pkg/manager/signals           from tailscale.com/cmd/k8s-operator
-        sigs.k8s.io/controller-runtime/pkg/metrics                   from sigs.k8s.io/controller-runtime/pkg/certwatcher/metrics+
-        sigs.k8s.io/controller-runtime/pkg/metrics/server            from sigs.k8s.io/controller-runtime/pkg/manager
-        sigs.k8s.io/controller-runtime/pkg/predicate                 from sigs.k8s.io/controller-runtime/pkg/builder+
-        sigs.k8s.io/controller-runtime/pkg/ratelimiter               from sigs.k8s.io/controller-runtime/pkg/controller+
-        sigs.k8s.io/controller-runtime/pkg/reconcile                 from sigs.k8s.io/controller-runtime/pkg/builder+
-        sigs.k8s.io/controller-runtime/pkg/recorder                  from sigs.k8s.io/controller-runtime/pkg/leaderelection+
-        sigs.k8s.io/controller-runtime/pkg/source                    from sigs.k8s.io/controller-runtime/pkg/builder+
-        sigs.k8s.io/controller-runtime/pkg/webhook                   from sigs.k8s.io/controller-runtime/pkg/manager
-        sigs.k8s.io/controller-runtime/pkg/webhook/admission         from sigs.k8s.io/controller-runtime/pkg/builder+
-        sigs.k8s.io/controller-runtime/pkg/webhook/conversion        from sigs.k8s.io/controller-runtime/pkg/builder
-        sigs.k8s.io/controller-runtime/pkg/webhook/internal/metrics  from sigs.k8s.io/controller-runtime/pkg/webhook+
-        sigs.k8s.io/json                                             from k8s.io/apimachinery/pkg/runtime/serializer/json+
-        sigs.k8s.io/json/internal/golang/encoding/json               from sigs.k8s.io/json
-     💣 sigs.k8s.io/structured-merge-diff/v4/fieldpath               from k8s.io/apimachinery/pkg/util/managedfields+
-        sigs.k8s.io/structured-merge-diff/v4/merge                   from k8s.io/apimachinery/pkg/util/managedfields/internal
-        sigs.k8s.io/structured-merge-diff/v4/schema                  from k8s.io/apimachinery/pkg/util/managedfields+
-        sigs.k8s.io/structured-merge-diff/v4/typed                   from k8s.io/apimachinery/pkg/util/managedfields+
-        sigs.k8s.io/structured-merge-diff/v4/value                   from k8s.io/apimachinery/pkg/runtime+
-        sigs.k8s.io/yaml                                             from k8s.io/apimachinery/pkg/runtime/serializer/json+
-        sigs.k8s.io/yaml/goyaml.v2                                   from sigs.k8s.io/yaml
-        tailscale.com                                                from tailscale.com/version
-        tailscale.com/appc                                           from tailscale.com/ipn/ipnlocal
-        tailscale.com/atomicfile                                     from tailscale.com/ipn+
-        tailscale.com/client/tailscale                               from tailscale.com/client/web+
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
-        tailscale.com/client/web                                     from tailscale.com/ipn/ipnlocal
-        tailscale.com/clientupdate                                   from tailscale.com/client/web+
-        tailscale.com/clientupdate/distsign                          from tailscale.com/clientupdate
-        tailscale.com/control/controlbase                            from tailscale.com/control/controlhttp+
-        tailscale.com/control/controlclient                          from tailscale.com/ipn/ipnlocal+
-        tailscale.com/control/controlhttp                            from tailscale.com/control/controlclient
-        tailscale.com/control/controlknobs                           from tailscale.com/control/controlclient+
-        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
-        tailscale.com/derp/derphttp                                  from tailscale.com/ipn/localapi+
-        tailscale.com/disco                                          from tailscale.com/derp+
-        tailscale.com/doctor                                         from tailscale.com/ipn/ipnlocal
-        tailscale.com/doctor/ethtool                                 from tailscale.com/ipn/ipnlocal
-     💣 tailscale.com/doctor/permissions                             from tailscale.com/ipn/ipnlocal
-        tailscale.com/doctor/routetable                              from tailscale.com/ipn/ipnlocal
-        tailscale.com/drive                                          from tailscale.com/client/tailscale+
-        tailscale.com/envknob                                        from tailscale.com/client/tailscale+
-        tailscale.com/health                                         from tailscale.com/control/controlclient+
-        tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal
-        tailscale.com/hostinfo                                       from tailscale.com/client/web+
-        tailscale.com/internal/noiseconn                             from tailscale.com/control/controlclient
-        tailscale.com/ipn                                            from tailscale.com/client/tailscale+
-        tailscale.com/ipn/conffile                                   from tailscale.com/ipn/ipnlocal+
-     💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnlocal+
-        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ipn/localapi+
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
-        tailscale.com/ipn/localapi                                   from tailscale.com/tsnet
-        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
-        tailscale.com/ipn/store                                      from tailscale.com/ipn/ipnlocal+
-   L    tailscale.com/ipn/store/awsstore                             from tailscale.com/ipn/store
-        tailscale.com/ipn/store/kubestore                            from tailscale.com/cmd/k8s-operator+
-        tailscale.com/ipn/store/mem                                  from tailscale.com/ipn/ipnlocal+
-        tailscale.com/k8s-operator                                   from tailscale.com/cmd/k8s-operator
-        tailscale.com/k8s-operator/apis                              from tailscale.com/k8s-operator/apis/v1alpha1
-        tailscale.com/k8s-operator/apis/v1alpha1                     from tailscale.com/cmd/k8s-operator+
-        tailscale.com/k8s-operator/sessionrecording                  from tailscale.com/cmd/k8s-operator
-        tailscale.com/k8s-operator/sessionrecording/conn             from tailscale.com/k8s-operator/sessionrecording/spdy
-        tailscale.com/k8s-operator/sessionrecording/spdy             from tailscale.com/k8s-operator/sessionrecording
-        tailscale.com/k8s-operator/sessionrecording/tsrecorder       from tailscale.com/k8s-operator/sessionrecording+
-        tailscale.com/kube                                           from tailscale.com/cmd/k8s-operator+
-        tailscale.com/licenses                                       from tailscale.com/client/web
-        tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
-        tailscale.com/log/sockstatlog                                from tailscale.com/ipn/ipnlocal
-        tailscale.com/logpolicy                                      from tailscale.com/ipn/ipnlocal+
-        tailscale.com/logtail                                        from tailscale.com/control/controlclient+
-        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
-        tailscale.com/logtail/filch                                  from tailscale.com/log/sockstatlog+
-        tailscale.com/metrics                                        from tailscale.com/derp+
-        tailscale.com/net/captivedetection                           from tailscale.com/ipn/ipnlocal+
-        tailscale.com/net/connstats                                  from tailscale.com/net/tstun+
-        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
-        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns+
-        tailscale.com/net/dns/recursive                              from tailscale.com/net/dnsfallback
-        tailscale.com/net/dns/resolvconffile                         from tailscale.com/cmd/k8s-operator+
-        tailscale.com/net/dns/resolver                               from tailscale.com/net/dns
-        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
-        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlclient+
-        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
-        tailscale.com/net/ipset                                      from tailscale.com/ipn/ipnlocal+
-        tailscale.com/net/memnet                                     from tailscale.com/tsnet
-        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
-        tailscale.com/net/netcheck                                   from tailscale.com/ipn/ipnlocal+
-        tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
-        tailscale.com/net/netkernelconf                              from tailscale.com/ipn/ipnlocal
-        tailscale.com/net/netknob                                    from tailscale.com/logpolicy+
-     💣 tailscale.com/net/netmon                                     from tailscale.com/control/controlclient+
-     💣 tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
-   W 💣 tailscale.com/net/netstat                                    from tailscale.com/portlist
-        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
-        tailscale.com/net/packet                                     from tailscale.com/net/connstats+
-        tailscale.com/net/packet/checksum                            from tailscale.com/net/tstun
-        tailscale.com/net/ping                                       from tailscale.com/net/netcheck+
-        tailscale.com/net/portmapper                                 from tailscale.com/ipn/localapi+
-        tailscale.com/net/proxymux                                   from tailscale.com/tsnet
-        tailscale.com/net/routetable                                 from tailscale.com/doctor/routetable
-        tailscale.com/net/socks5                                     from tailscale.com/tsnet
-        tailscale.com/net/sockstats                                  from tailscale.com/control/controlclient+
-        tailscale.com/net/stun                                       from tailscale.com/ipn/localapi+
-   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
-        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
-        tailscale.com/net/tsaddr                                     from tailscale.com/client/web+
-        tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
-     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/clientupdate/distsign+
-        tailscale.com/net/tstun                                      from tailscale.com/tsd+
-        tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
-        tailscale.com/omit                                           from tailscale.com/ipn/conffile
-        tailscale.com/paths                                          from tailscale.com/client/tailscale+
-     💣 tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
-        tailscale.com/posture                                        from tailscale.com/ipn/ipnlocal
-        tailscale.com/proxymap                                       from tailscale.com/tsd+
-     💣 tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
-        tailscale.com/sessionrecording                               from tailscale.com/cmd/k8s-operator+
-        tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
-        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
-        tailscale.com/taildrop                                       from tailscale.com/ipn/ipnlocal+
-        tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
-        tailscale.com/tka                                            from tailscale.com/client/tailscale+
-   W    tailscale.com/tsconst                                        from tailscale.com/net/netmon+
-        tailscale.com/tsd                                            from tailscale.com/ipn/ipnlocal+
-        tailscale.com/tsnet                                          from tailscale.com/cmd/k8s-operator+
-        tailscale.com/tstime                                         from tailscale.com/cmd/k8s-operator+
-        tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
-        tailscale.com/tstime/rate                                    from tailscale.com/derp+
-        tailscale.com/types/appctype                                 from tailscale.com/ipn/ipnlocal
-        tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
-        tailscale.com/types/empty                                    from tailscale.com/ipn+
-        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
-        tailscale.com/types/key                                      from tailscale.com/client/tailscale+
-        tailscale.com/types/lazy                                     from tailscale.com/ipn/ipnlocal+
-        tailscale.com/types/logger                                   from tailscale.com/appc+
-        tailscale.com/types/logid                                    from tailscale.com/ipn/ipnlocal+
-        tailscale.com/types/netlogtype                               from tailscale.com/net/connstats+
-        tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
-        tailscale.com/types/nettype                                  from tailscale.com/ipn/localapi+
-        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
-        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
-        tailscale.com/types/preftype                                 from tailscale.com/ipn+
-        tailscale.com/types/ptr                                      from tailscale.com/cmd/k8s-operator+
-        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
-        tailscale.com/types/tkatype                                  from tailscale.com/client/tailscale+
-        tailscale.com/types/views                                    from tailscale.com/appc+
-        tailscale.com/util/cibuild                                   from tailscale.com/health
-        tailscale.com/util/clientmetric                              from tailscale.com/cmd/k8s-operator+
-        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
-        tailscale.com/util/cmpver                                    from tailscale.com/clientupdate+
-        tailscale.com/util/ctxkey                                    from tailscale.com/cmd/k8s-operator+
-     💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
-   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics+
-        tailscale.com/util/dnsname                                   from tailscale.com/appc+
-        tailscale.com/util/execqueue                                 from tailscale.com/appc+
-        tailscale.com/util/goroutines                                from tailscale.com/ipn/ipnlocal
-        tailscale.com/util/groupmember                               from tailscale.com/client/web+
-     💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
-        tailscale.com/util/httphdr                                   from tailscale.com/ipn/ipnlocal+
-        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale+
-        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns+
-        tailscale.com/util/mak                                       from tailscale.com/appc+
-        tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
-        tailscale.com/util/must                                      from tailscale.com/clientupdate/distsign+
-        tailscale.com/util/nocasemaps                                from tailscale.com/types/ipproto
-     💣 tailscale.com/util/osdiag                                    from tailscale.com/ipn/localapi
-   W 💣 tailscale.com/util/osdiag/internal/wsc                       from tailscale.com/util/osdiag
-        tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal
-        tailscale.com/util/osuser                                    from tailscale.com/ipn/ipnlocal+
-        tailscale.com/util/progresstracking                          from tailscale.com/ipn/localapi
-        tailscale.com/util/race                                      from tailscale.com/net/dns/resolver
-        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
-        tailscale.com/util/rands                                     from tailscale.com/ipn/ipnlocal+
-        tailscale.com/util/ringbuffer                                from tailscale.com/wgengine/magicsock
-        tailscale.com/util/set                                       from tailscale.com/cmd/k8s-operator+
-        tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
-        tailscale.com/util/slicesx                                   from tailscale.com/appc+
-        tailscale.com/util/syspolicy                                 from tailscale.com/control/controlclient+
-        tailscale.com/util/sysresources                              from tailscale.com/wgengine/magicsock
-        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
-        tailscale.com/util/testenv                                   from tailscale.com/control/controlclient+
-        tailscale.com/util/truncate                                  from tailscale.com/logtail
-        tailscale.com/util/uniq                                      from tailscale.com/ipn/ipnlocal+
-        tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
-     💣 tailscale.com/util/winutil                                   from tailscale.com/clientupdate+
-   W 💣 tailscale.com/util/winutil/authenticode                      from tailscale.com/clientupdate+
-   W 💣 tailscale.com/util/winutil/gp                                from tailscale.com/net/dns
-   W    tailscale.com/util/winutil/policy                            from tailscale.com/ipn/ipnlocal
-   W 💣 tailscale.com/util/winutil/winenv                            from tailscale.com/hostinfo+
-        tailscale.com/util/zstdframe                                 from tailscale.com/control/controlclient+
-        tailscale.com/version                                        from tailscale.com/client/web+
-        tailscale.com/version/distro                                 from tailscale.com/client/web+
-        tailscale.com/wgengine                                       from tailscale.com/ipn/ipnlocal+
-        tailscale.com/wgengine/capture                               from tailscale.com/ipn/ipnlocal+
-        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
-        tailscale.com/wgengine/filter/filtertype                     from tailscale.com/types/netmap+
-     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
-        tailscale.com/wgengine/netlog                                from tailscale.com/wgengine
-        tailscale.com/wgengine/netstack                              from tailscale.com/tsnet
-        tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
-        tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
-        tailscale.com/wgengine/wgcfg/nmcfg                           from tailscale.com/ipn/ipnlocal
-     💣 tailscale.com/wgengine/wgint                                 from tailscale.com/wgengine+
-        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
-   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
-        golang.org/x/crypto/argon2                                   from tailscale.com/tka
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/argon2+
-        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
-  LD    golang.org/x/crypto/blowfish                                 from github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf
-        golang.org/x/crypto/chacha20                                 from github.com/tailscale/golang-x-crypto/ssh+
-        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
-        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
-        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
-        golang.org/x/crypto/curve25519                               from github.com/tailscale/golang-x-crypto/ssh+
-        golang.org/x/crypto/hkdf                                     from crypto/tls+
-        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
-        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
-        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
-        golang.org/x/exp/maps                                        from sigs.k8s.io/controller-runtime/pkg/cache+
-        golang.org/x/exp/slices                                      from tailscale.com/cmd/k8s-operator+
-        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
-        golang.org/x/net/dns/dnsmessage                              from net+
-        golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
-        golang.org/x/net/http/httpproxy                              from net/http+
-        golang.org/x/net/http2                                       from golang.org/x/net/http2/h2c+
-        golang.org/x/net/http2/h2c                                   from tailscale.com/ipn/ipnlocal
-        golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
-        golang.org/x/net/icmp                                        from github.com/prometheus-community/pro-bing+
-        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from github.com/miekg/dns+
-        golang.org/x/net/ipv6                                        from github.com/miekg/dns+
-        golang.org/x/net/proxy                                       from tailscale.com/net/netns
-   D    golang.org/x/net/route                                       from net+
-        golang.org/x/oauth2                                          from golang.org/x/oauth2/clientcredentials+
-        golang.org/x/oauth2/clientcredentials                        from tailscale.com/cmd/k8s-operator
-        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2+
-        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
-        golang.org/x/sys/cpu                                         from github.com/josharian/native+
-  LD    golang.org/x/sys/unix                                        from github.com/fsnotify/fsnotify+
-   W    golang.org/x/sys/windows                                     from github.com/dblohm7/wingoes+
-   W    golang.org/x/sys/windows/registry                            from github.com/dblohm7/wingoes+
-   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
-   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
-        golang.org/x/term                                            from k8s.io/client-go/plugin/pkg/client/auth/exec+
-        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
-        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
-        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
-        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
-        golang.org/x/time/rate                                       from gvisor.dev/gvisor/pkg/log+
-        archive/tar                                                  from tailscale.com/clientupdate
-        bufio                                                        from compress/flate+
-        bytes                                                        from archive/tar+
-        cmp                                                          from github.com/gaissmai/bart+
-        compress/flate                                               from compress/gzip+
-        compress/gzip                                                from github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding+
-        compress/zlib                                                from debug/pe+
-        container/heap                                               from gvisor.dev/gvisor/pkg/tcpip/transport/tcp+
-        container/list                                               from crypto/tls+
-        context                                                      from crypto/tls+
-        crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/ecdsa+
-        crypto/cipher                                                from crypto/aes+
-        crypto/des                                                   from crypto/tls+
-        crypto/dsa                                                   from crypto/x509+
-        crypto/ecdh                                                  from crypto/ecdsa+
-        crypto/ecdsa                                                 from crypto/tls+
-        crypto/ed25519                                               from crypto/tls+
-        crypto/elliptic                                              from crypto/ecdsa+
-        crypto/hmac                                                  from crypto/tls+
-        crypto/md5                                                   from crypto/tls+
-        crypto/rand                                                  from crypto/ed25519+
-        crypto/rc4                                                   from crypto/tls+
-        crypto/rsa                                                   from crypto/tls+
-        crypto/sha1                                                  from crypto/tls+
-        crypto/sha256                                                from crypto/tls+
-        crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/aes+
-        crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
-        crypto/x509                                                  from crypto/tls+
-        crypto/x509/pkix                                             from crypto/x509+
-        database/sql                                                 from github.com/prometheus/client_golang/prometheus/collectors
-        database/sql/driver                                          from database/sql+
-   W    debug/dwarf                                                  from debug/pe
-   W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
-        embed                                                        from crypto/internal/nistec+
-        encoding                                                     from encoding/gob+
-        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from github.com/fxamacker/cbor/v2+
-        encoding/base64                                              from encoding/json+
-        encoding/binary                                              from compress/gzip+
-        encoding/csv                                                 from github.com/spf13/pflag
-        encoding/gob                                                 from github.com/gorilla/securecookie
-        encoding/hex                                                 from crypto/x509+
-        encoding/json                                                from expvar+
-        encoding/pem                                                 from crypto/tls+
-        encoding/xml                                                 from github.com/aws/aws-sdk-go-v2/aws/protocol/xml+
-        errors                                                       from archive/tar+
-        expvar                                                       from github.com/prometheus/client_golang/prometheus+
-        flag                                                         from github.com/spf13/pflag+
-        fmt                                                          from archive/tar+
-        go/ast                                                       from go/doc+
-        go/build/constraint                                          from go/parser
-        go/doc                                                       from k8s.io/apimachinery/pkg/runtime
-        go/doc/comment                                               from go/doc
-        go/parser                                                    from k8s.io/apimachinery/pkg/runtime
-        go/scanner                                                   from go/ast+
-        go/token                                                     from go/ast+
-        hash                                                         from compress/zlib+
-        hash/adler32                                                 from compress/zlib+
-        hash/crc32                                                   from compress/gzip+
-        hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
-        hash/maphash                                                 from go4.org/mem
-        html                                                         from html/template+
-        html/template                                                from github.com/gorilla/csrf
-        io                                                           from archive/tar+
-        io/fs                                                        from archive/tar+
-        io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
-        log                                                          from expvar+
-        log/internal                                                 from log+
-        log/slog                                                     from github.com/go-logr/logr+
-        log/slog/internal                                            from log/slog
-        maps                                                         from sigs.k8s.io/controller-runtime/pkg/predicate+
-        math                                                         from archive/tar+
-        math/big                                                     from crypto/dsa+
-        math/bits                                                    from compress/flate+
-        math/rand                                                    from github.com/google/go-cmp/cmp+
-        math/rand/v2                                                 from tailscale.com/derp+
-        mime                                                         from github.com/prometheus/common/expfmt+
-        mime/multipart                                               from github.com/go-openapi/swag+
-        mime/quotedprintable                                         from mime/multipart
-        net                                                          from crypto/tls+
-        net/http                                                     from expvar+
-        net/http/httptest                                            from tailscale.com/control/controlclient
-        net/http/httptrace                                           from github.com/prometheus-community/pro-bing+
-        net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
-        net/http/internal                                            from net/http+
-        net/http/pprof                                               from sigs.k8s.io/controller-runtime/pkg/manager+
-        net/netip                                                    from github.com/gaissmai/bart+
-        net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
-        net/url                                                      from crypto/x509+
-        os                                                           from crypto/rand+
-        os/exec                                                      from github.com/aws/aws-sdk-go-v2/credentials/processcreds+
-        os/signal                                                    from sigs.k8s.io/controller-runtime/pkg/manager/signals
-        os/user                                                      from archive/tar+
-        path                                                         from archive/tar+
-        path/filepath                                                from archive/tar+
-        reflect                                                      from archive/tar+
-        regexp                                                       from github.com/aws/aws-sdk-go-v2/internal/endpoints+
-        regexp/syntax                                                from regexp
-        runtime/debug                                                from github.com/aws/aws-sdk-go-v2/internal/sync/singleflight+
-        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
-        runtime/pprof                                                from net/http/pprof+
-        runtime/trace                                                from net/http/pprof
-        slices                                                       from encoding/base32+
-        sort                                                         from archive/tar+
-        strconv                                                      from archive/tar+
-        strings                                                      from archive/tar+
-        sync                                                         from archive/tar+
-        sync/atomic                                                  from context+
-        syscall                                                      from archive/tar+
-        text/tabwriter                                               from k8s.io/apimachinery/pkg/util/diff+
-        text/template                                                from html/template
-        text/template/parse                                          from html/template+
-        time                                                         from archive/tar+
-        unicode                                                      from bytes+
-        unicode/utf16                                                from crypto/x509+
-        unicode/utf8                                                 from bufio+
--- a/cmd/k8s-operator/deploy/chart/templates/deployment.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/deployment.yaml
@@ -21,9 +21,6 @@ spec:
      {{- end }}
      labels:
        app: operator
-        {{- with .Values.operatorConfig.podLabels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
@@ -49,11 +46,9 @@ spec:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- $operatorTag:= printf ":%s" ( .Values.operatorConfig.image.tag | default .Chart.AppVersion )}}
-          image: {{ coalesce .Values.operatorConfig.image.repo .Values.operatorConfig.image.repository }}{{- if .Values.operatorConfig.image.digest -}}{{ printf "@%s" .Values.operatorConfig.image.digest}}{{- else -}}{{ printf "%s" $operatorTag }}{{- end }}
+          image: {{ .Values.operatorConfig.image.repo }}{{- if .Values.operatorConfig.image.digest -}}{{ printf "@%s" .Values.operatorConfig.image.digest}}{{- else -}}{{ printf "%s" $operatorTag }}{{- end }}
          imagePullPolicy: {{ .Values.operatorConfig.image.pullPolicy }}
          env:
-            - name: OPERATOR_INITIAL_TAGS
-              value: {{ join "," .Values.operatorConfig.defaultTags }}
            - name: OPERATOR_HOSTNAME
              value: {{ .Values.operatorConfig.hostname }}
            - name: OPERATOR_SECRET
@@ -70,16 +65,13 @@ spec:
              value: /oauth/client_secret
            {{- $proxyTag := printf ":%s" ( .Values.proxyConfig.image.tag | default .Chart.AppVersion )}}
            - name: PROXY_IMAGE
-              value: {{ coalesce .Values.proxyConfig.image.repo .Values.proxyConfig.image.repository }}{{- if .Values.proxyConfig.image.digest -}}{{ printf "@%s" .Values.proxyConfig.image.digest}}{{- else -}}{{ printf "%s" $proxyTag }}{{- end }}
+              value: {{ .Values.proxyConfig.image.repo }}{{- if .Values.proxyConfig.image.digest -}}{{ printf "@%s" .Values.proxyConfig.image.digest}}{{- else -}}{{ printf "%s" $proxyTag }}{{- end }}
            - name: PROXY_TAGS
              value: {{ .Values.proxyConfig.defaultTags }}
            - name: APISERVER_PROXY
              value: "{{ .Values.apiServerProxyConfig.mode }}"
            - name: PROXY_FIREWALL_MODE
              value: {{ .Values.proxyConfig.firewallMode }}
-            {{- with .Values.operatorConfig.extraEnv }}
-            {{- toYaml . | nindent 12 }}
-            {{- end }}
          volumeMounts:
          - name: oauth
            mountPath: /oauth
--- a/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
@@ -24,9 +24,6 @@ rules:
 - apiGroups: ["tailscale.com"]
  resources: ["connectors", "connectors/status", "proxyclasses", "proxyclasses/status"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: ["tailscale.com"]
-  resources: ["dnsconfigs", "dnsconfigs/status"]
-  verbs: ["get", "list", "watch", "update"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -48,14 +45,11 @@ metadata:
  namespace: {{ .Release.Namespace }}
 rules:
 - apiGroups: [""]
-  resources: ["secrets", "serviceaccounts", "configmaps"]
+  resources: ["secrets"]
  verbs: ["*"]
 - apiGroups: ["apps"]
-  resources: ["statefulsets", "deployments"]
+  resources: ["statefulsets"]
  verbs: ["*"]
- apiGroups: ["discovery.k8s.io"]
-  resources: ["endpointslices"]
-  verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
--- a/cmd/k8s-operator/deploy/chart/values.yaml
+++ b/cmd/k8s-operator/deploy/chart/values.yaml
@@ -12,19 +12,11 @@ oauth: {}
 # of chart installation. We do not use Helm's CRD installation mechanism as that
 # does not allow for upgrading CRDs.
 # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/
-installCRDs: true
+installCRDs: "true"

 operatorConfig:
-  # ACL tag that operator will be tagged with. Operator must be made owner of
-  # these tags
-  # https://tailscale.com/kb/1236/kubernetes-operator/?q=operator#setting-up-the-kubernetes-operator
-  # Multiple tags are defined as array items and passed to the operator as a comma-separated string
-  defaultTags:
-    - "tag:k8s-operator"
-
  image:
-    # Repository defaults to DockerHub, but images are also synced to ghcr.io/tailscale/k8s-operator.
-    repository: tailscale/k8s-operator
+    repo: tailscale/k8s-operator
    # Digest will be prioritized over tag. If neither are set appVersion will be
    # used.
    tag: ""
@@ -38,7 +30,6 @@ operatorConfig:
  resources: {}

  podAnnotations: {}
-  podLabels: {}

  tolerations: []

@@ -48,25 +39,13 @@ operatorConfig:

  securityContext: {}

-  extraEnv: []
-  # - name: EXTRA_VAR1
-  #   value: "value1"
-  # - name: EXTRA_VAR2
-  #   value: "value2"
-
-
 # proxyConfig contains configuraton that will be applied to any ingress/egress
 # proxies created by the operator.
 # https://tailscale.com/kb/1236/kubernetes-operator/#cluster-ingress
 # https://tailscale.com/kb/1236/kubernetes-operator/#cluster-egress
-# Note that this section contains only a few global configuration options and
-# will not be updated with more configuration options in the future.
-# If you need more configuration options, take a look at ProxyClass:
-# https://tailscale.com/kb/1236/kubernetes-operator#cluster-resource-customization-using-proxyclass-custom-resource
 proxyConfig:
  image:
-    # Repository defaults to DockerHub, but images are also synced to ghcr.io/tailscale/tailscale.
-    repository: tailscale/tailscale
+    repo: tailscale/tailscale
    # Digest will be prioritized over tag. If neither are set appVersion will be
    # used.
    tag: ""
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
+    controller-gen.kubebuilder.io/version: v0.13.0
  name: connectors.tailscale.com
 spec:
  group: tailscale.com
@@ -31,95 +31,44 @@ spec:
      name: v1alpha1
      schema:
        openAPIV3Schema:
-          description: |-
-            Connector defines a Tailscale node that will be deployed in the cluster. The
-            node can be configured to act as a Tailscale subnet router and/or a Tailscale
-            exit node.
-            Connector is a cluster-scoped resource.
-            More info:
-            https://tailscale.com/kb/1236/kubernetes-operator#deploying-exit-nodes-and-subnet-routers-on-kubernetes-using-connector-custom-resource
          type: object
          required:
            - spec
          properties:
            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
-              description: |-
-                ConnectorSpec describes the desired Tailscale component.
-                More info:
-                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+              description: ConnectorSpec describes the desired Tailscale component.
              type: object
              properties:
                exitNode:
-                  description: |-
-                    ExitNode defines whether the Connector node should act as a
-                    Tailscale exit node. Defaults to false.
-                    https://tailscale.com/kb/1103/exit-nodes
+                  description: ExitNode defines whether the Connector node should act as a Tailscale exit node. Defaults to false. https://tailscale.com/kb/1103/exit-nodes
                  type: boolean
                hostname:
-                  description: |-
-                    Hostname is the tailnet hostname that should be assigned to the
-                    Connector node. If unset, hostname defaults to <connector
-                    name>-connector. Hostname can contain lower case letters, numbers and
-                    dashes, it must not start or end with a dash and must be between 2
-                    and 63 characters long.
+                  description: Hostname is the tailnet hostname that should be assigned to the Connector node. If unset, hostname defaults to <connector name>-connector. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
                  type: string
                  pattern: ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$
-                proxyClass:
-                  description: |-
-                    ProxyClass is the name of the ProxyClass custom resource that
-                    contains configuration options that should be applied to the
-                    resources created for this Connector. If unset, the operator will
-                    create resources with the default configuration.
-                  type: string
                subnetRouter:
-                  description: |-
-                    SubnetRouter defines subnet routes that the Connector node should
-                    expose to tailnet. If unset, none are exposed.
-                    https://tailscale.com/kb/1019/subnets/
+                  description: SubnetRouter defines subnet routes that the Connector node should expose to tailnet. If unset, none are exposed. https://tailscale.com/kb/1019/subnets/
                  type: object
                  required:
                    - advertiseRoutes
                  properties:
                    advertiseRoutes:
-                      description: |-
-                        AdvertiseRoutes refer to CIDRs that the subnet router should make
-                        available. Route values must be strings that represent a valid IPv4
-                        or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes.
-                        https://tailscale.com/kb/1201/4via6-subnets/
+                      description: AdvertiseRoutes refer to CIDRs that the subnet router should make available. Route values must be strings that represent a valid IPv4 or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes. https://tailscale.com/kb/1201/4via6-subnets/
                      type: array
                      minItems: 1
                      items:
                        type: string
                        format: cidr
                tags:
-                  description: |-
-                    Tags that the Tailscale node will be tagged with.
-                    Defaults to [tag:k8s].
-                    To autoapprove the subnet routes or exit node defined by a Connector,
-                    you can configure Tailscale ACLs to give these tags the necessary
-                    permissions.
-                    See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes.
-                    If you specify custom tags here, you must also make the operator an owner of these tags.
-                    See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.
-                    Tags cannot be changed once a Connector node has been created.
-                    Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
+                  description: Tags that the Tailscale node will be tagged with. Defaults to [tag:k8s]. To autoapprove the subnet routes or exit node defined by a Connector, you can configure Tailscale ACLs to give these tags the necessary permissions. See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes. If you specify custom tags here, you must also make the operator an owner of these tags. See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. Tags cannot be changed once a Connector node has been created. Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
                  type: array
                  items:
                    type: string
@@ -128,93 +77,48 @@ spec:
                - rule: has(self.subnetRouter) || self.exitNode == true
                  message: A Connector needs to be either an exit node or a subnet router, or both.
            status:
-              description: |-
-                ConnectorStatus describes the status of the Connector. This is set
-                and managed by the Tailscale operator.
+              description: ConnectorStatus describes the status of the Connector. This is set and managed by the Tailscale operator.
              type: object
              properties:
                conditions:
-                  description: |-
-                    List of status conditions to indicate the status of the Connector.
-                    Known condition types are `ConnectorReady`.
+                  description: List of status conditions to indicate the status of the Connector. Known condition types are `ConnectorReady`.
                  type: array
                  items:
-                    description: Condition contains details for one aspect of the current state of this API Resource.
+                    description: ConnectorCondition contains condition information for a Connector.
                    type: object
                    required:
-                      - lastTransitionTime
-                      - message
-                      - reason
                      - status
                      - type
                    properties:
                      lastTransitionTime:
-                        description: |-
-                          lastTransitionTime is the last time the condition transitioned from one status to another.
-                          This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                        description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
                        type: string
                        format: date-time
                      message:
-                        description: |-
-                          message is a human readable message indicating details about the transition.
-                          This may be an empty string.
+                        description: Message is a human readable description of the details of the last transition, complementing reason.
                        type: string
-                        maxLength: 32768
                      observedGeneration:
-                        description: |-
-                          observedGeneration represents the .metadata.generation that the condition was set based upon.
-                          For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
-                          with respect to the current state of the instance.
+                        description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Connector.
                        type: integer
                        format: int64
-                        minimum: 0
                      reason:
-                        description: |-
-                          reason contains a programmatic identifier indicating the reason for the condition's last transition.
-                          Producers of specific condition types may define expected values and meanings for this field,
-                          and whether the values are considered a guaranteed API.
-                          The value should be a CamelCase string.
-                          This field may not be empty.
+                        description: Reason is a brief machine readable explanation for the condition's last transition.
                        type: string
-                        maxLength: 1024
-                        minLength: 1
-                        pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      status:
-                        description: status of the condition, one of True, False, Unknown.
+                        description: Status of the condition, one of ('True', 'False', 'Unknown').
                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
                      type:
-                        description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        description: Type of the condition, known values are (`SubnetRouterReady`).
                        type: string
-                        maxLength: 316
-                        pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                  x-kubernetes-list-map-keys:
                    - type
                  x-kubernetes-list-type: map
-                hostname:
-                  description: |-
-                    Hostname is the fully qualified domain name of the Connector node.
-                    If MagicDNS is enabled in your tailnet, it is the MagicDNS name of the
-                    node.
-                  type: string
                isExitNode:
                  description: IsExitNode is set to true if the Connector acts as an exit node.
                  type: boolean
                subnetRoutes:
-                  description: |-
-                    SubnetRoutes are the routes currently exposed to tailnet via this
-                    Connector instance.
+                  description: SubnetRoutes are the routes currently exposed to tailnet via this Connector instance.
                  type: string
-                tailnetIPs:
-                  description: |-
-                    TailnetIPs is the set of tailnet IP addresses (both IPv4 and IPv6)
-                    assigned to the Connector node.
-                  type: array
-                  items:
-                    type: string
      served: true
      storage: true
      subresources:
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_dnsconfigs.yaml
@@ -1,181 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.15.1-0.20240618033008-7824932b0cab
-  name: dnsconfigs.tailscale.com
-spec:
-  group: tailscale.com
-  names:
-    kind: DNSConfig
-    listKind: DNSConfigList
-    plural: dnsconfigs
-    shortNames:
-      - dc
-    singular: dnsconfig
-  scope: Cluster
-  versions:
-    - additionalPrinterColumns:
-        - description: Service IP address of the nameserver
-          jsonPath: .status.nameserver.ip
-          name: NameserverIP
-          type: string
-      name: v1alpha1
-      schema:
-        openAPIV3Schema:
-          description: |-
-            DNSConfig can be deployed to cluster to make a subset of Tailscale MagicDNS
-            names resolvable by cluster workloads. Use this if: A) you need to refer to
-            tailnet services, exposed to cluster via Tailscale Kubernetes operator egress
-            proxies by the MagicDNS names of those tailnet services (usually because the
-            services run over HTTPS)
-            B) you have exposed a cluster workload to the tailnet using Tailscale Ingress
-            and you also want to refer to the workload from within the cluster over the
-            Ingress's MagicDNS name (usually because you have some callback component
-            that needs to use the same URL as that used by a non-cluster client on
-            tailnet).
-            When a DNSConfig is applied to a cluster, Tailscale Kubernetes operator will
-            deploy a nameserver for ts.net DNS names and automatically populate it with records
-            for any Tailscale egress or Ingress proxies deployed to that cluster.
-            Currently you must manually update your cluster DNS configuration to add the
-            IP address of the deployed nameserver as a ts.net stub nameserver.
-            Instructions for how to do it:
-            https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configuration-of-stub-domain-and-upstream-nameserver-using-coredns (for CoreDNS),
-            https://cloud.google.com/kubernetes-engine/docs/how-to/kube-dns (for kube-dns).
-            Tailscale Kubernetes operator will write the address of a Service fronting
-            the nameserver to dsnconfig.status.nameserver.ip.
-            DNSConfig is a singleton - you must not create more than one.
-            NB: if you want cluster workloads to be able to refer to Tailscale Ingress
-            using its MagicDNS name, you must also annotate the Ingress resource with
-            tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation to
-            ensure that the proxy created for the Ingress listens on its Pod IP address.
-            NB: Clusters where Pods get assigned IPv6 addresses only are currently not supported.
-          type: object
-          required:
-            - spec
-          properties:
-            apiVersion:
-              description: |-
-                APIVersion defines the versioned schema of this representation of an object.
-                Servers should convert recognized schemas to the latest internal value, and
-                may reject unrecognized values.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-              type: string
-            kind:
-              description: |-
-                Kind is a string value representing the REST resource this object represents.
-                Servers may infer this from the endpoint the client submits requests to.
-                Cannot be updated.
-                In CamelCase.
-                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-              type: string
-            metadata:
-              type: object
-            spec:
-              description: |-
-                Spec describes the desired DNS configuration.
-                More info:
-                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-              type: object
-              required:
-                - nameserver
-              properties:
-                nameserver:
-                  description: |-
-                    Configuration for a nameserver that can resolve ts.net DNS names
-                    associated with in-cluster proxies for Tailscale egress Services and
-                    Tailscale Ingresses. The operator will always deploy this nameserver
-                    when a DNSConfig is applied.
-                  type: object
-                  properties:
-                    image:
-                      description: Nameserver image.
-                      type: object
-                      properties:
-                        repo:
-                          description: Repo defaults to tailscale/k8s-nameserver.
-                          type: string
-                        tag:
-                          description: Tag defaults to operator's own tag.
-                          type: string
-            status:
-              description: |-
-                Status describes the status of the DNSConfig. This is set
-                and managed by the Tailscale operator.
-              type: object
-              properties:
-                conditions:
-                  type: array
-                  items:
-                    description: Condition contains details for one aspect of the current state of this API Resource.
-                    type: object
-                    required:
-                      - lastTransitionTime
-                      - message
-                      - reason
-                      - status
-                      - type
-                    properties:
-                      lastTransitionTime:
-                        description: |-
-                          lastTransitionTime is the last time the condition transitioned from one status to another.
-                          This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
-                        type: string
-                        format: date-time
-                      message:
-                        description: |-
-                          message is a human readable message indicating details about the transition.
-                          This may be an empty string.
-                        type: string
-                        maxLength: 32768
-                      observedGeneration:
-                        description: |-
-                          observedGeneration represents the .metadata.generation that the condition was set based upon.
-                          For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
-                          with respect to the current state of the instance.
-                        type: integer
-                        format: int64
-                        minimum: 0
-                      reason:
-                        description: |-
-                          reason contains a programmatic identifier indicating the reason for the condition's last transition.
-                          Producers of specific condition types may define expected values and meanings for this field,
-                          and whether the values are considered a guaranteed API.
-                          The value should be a CamelCase string.
-                          This field may not be empty.
-                        type: string
-                        maxLength: 1024
-                        minLength: 1
-                        pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
-                      status:
-                        description: status of the condition, one of True, False, Unknown.
-                        type: string
-                        enum:
-                          - "True"
-                          - "False"
-                          - Unknown
-                      type:
-                        description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        type: string
-                        maxLength: 316
-                        pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
-                  x-kubernetes-list-map-keys:
-                    - type
-                  x-kubernetes-list-type: map
-                nameserver:
-                  description: Nameserver describes the status of nameserver cluster resources.
-                  type: object
-                  properties:
-                    ip:
-                      description: |-
-                        IP is the ClusterIP of the Service fronting the deployed ts.net nameserver.
-                        Currently you must manually update your cluster DNS config to add
-                        this address as a stub nameserver for ts.net for cluster workloads to be
-                        able to resolve MagicDNS names associated with egress or Ingress
-                        proxies.
-                        The IP address will change if you delete and recreate the DNSConfig.
-                      type: string
-      served: true
-      storage: true
-      subresources:
-        status: {}
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_proxyclasses.yaml
--- a/cmd/k8s-operator/deploy/examples/dnsconfig.yaml
+++ b/cmd/k8s-operator/deploy/examples/dnsconfig.yaml
@@ -1,6 +0,0 @@
-apiVersion: tailscale.com/v1alpha1
-kind: DNSConfig 
-metadata:
-  name: ts-dns
-spec:
-  nameserver: {}
--- a/cmd/k8s-operator/deploy/examples/proxclass.yaml
+++ b/cmd/k8s-operator/deploy/examples/proxclass.yaml
@@ -0,0 +1,11 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: prod
+spec:
+  statefulSet:
+    pod:
+      nodeSelector:
+        beta.kubernetes.io/os: "linux"
+      imagePullSecrets:
+      - name: "foo"
--- a/cmd/k8s-operator/deploy/examples/proxyclass.yaml
+++ b/cmd/k8s-operator/deploy/examples/proxyclass.yaml
@@ -1,23 +0,0 @@
-apiVersion: tailscale.com/v1alpha1
-kind: ProxyClass
-metadata:
-  name: prod
-spec:
-  metrics:
-    enable: true
-  statefulSet:
-    annotations:
-      platform-component: infra
-    pod:
-      labels:
-        team: eng
-      nodeSelector:
-        kubernetes.io/os: "linux"
-      imagePullSecrets:
-      - name: "foo"
-      tailscaleContainer:
-        image: "ghcr.io/tailscale/tailscale:v1.64"
-        imagePullPolicy: IfNotPresent
-      tailscaleInitContainer:
-        image: "ghcr.io/tailscale/tailscale:v1.64"
-        imagePullPolicy: IfNotPresent
--- a/cmd/k8s-operator/deploy/examples/proxyclassremoveinit.yaml
+++ b/cmd/k8s-operator/deploy/examples/proxyclassremoveinit.yaml
@@ -0,0 +1,10 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: removeinit
+spec:
+  statefulSet:
+    pod:
+      patches:
+      - op: remove
+        path: "/spec/initContainers/0"
--- a/cmd/k8s-operator/deploy/manifests/nameserver/cm.yaml
+++ b/cmd/k8s-operator/deploy/manifests/nameserver/cm.yaml
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: dnsrecords
--- a/cmd/k8s-operator/deploy/manifests/nameserver/deploy.yaml
+++ b/cmd/k8s-operator/deploy/manifests/nameserver/deploy.yaml
@@ -1,37 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nameserver 
-spec:
-  replicas: 1
-  revisionHistoryLimit: 5
-  selector:
-    matchLabels:
-      app: nameserver
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app: nameserver
-    spec:
-      containers:
-      - imagePullPolicy: IfNotPresent
-        name: nameserver
-        ports:
-        - name: tcp
-          protocol: TCP
-          containerPort: 1053
-        - name: udp
-          protocol: UDP
-          containerPort: 1053
-        volumeMounts:
-        - name: dnsrecords
-          mountPath: /config
-      restartPolicy: Always
-      serviceAccount: nameserver
-      serviceAccountName: nameserver
-      volumes:
-      - name: dnsrecords
-        configMap:
-          name: dnsrecords
--- a/cmd/k8s-operator/deploy/manifests/nameserver/sa.yaml
+++ b/cmd/k8s-operator/deploy/manifests/nameserver/sa.yaml
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: nameserver
--- a/cmd/k8s-operator/deploy/manifests/nameserver/svc.yaml
+++ b/cmd/k8s-operator/deploy/manifests/nameserver/svc.yaml
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: nameserver
-spec:
-  selector:
-    app: nameserver
-  ports:
-  - name: udp
-    targetPort: 1053
-    port: 53
-    protocol: UDP
-  - name: tcp
-    targetPort: 1053
-    port: 53
-    protocol: TCP 
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
--- a/cmd/k8s-operator/deploy/manifests/proxy.yaml
+++ b/cmd/k8s-operator/deploy/manifests/proxy.yaml
@@ -14,8 +14,10 @@ spec:
        - name: sysctler
          securityContext:
            privileged: true
-          command: ["/bin/sh", "-c"]
-          args: [sysctl -w net.ipv4.ip_forward=1 && if sysctl net.ipv6.conf.all.forwarding; then sysctl -w net.ipv6.conf.all.forwarding=1; fi]
+          command: ["/bin/sh"]
+          args:
+            - -c
+            - sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
      resources:
        requests:
          cpu: 1m
@@ -26,10 +28,8 @@ spec:
          env:
            - name: TS_USERSPACE
              value: "false"
-            - name: POD_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
+            - name: TS_AUTH_ONCE
+              value: "true"
          securityContext:
            capabilities:
              add:
--- a/cmd/k8s-operator/deploy/manifests/userspace-proxy.yaml
+++ b/cmd/k8s-operator/deploy/manifests/userspace-proxy.yaml
@@ -20,7 +20,5 @@ spec:
          env:
            - name: TS_USERSPACE
              value: "true"
-            - name: POD_IP
-              valueFrom:
-                fieldRef:
-                  fieldPath: status.podIP
+            - name: TS_AUTH_ONCE
+              value: "true"
--- a/cmd/k8s-operator/dnsrecords.go
+++ b/cmd/k8s-operator/dnsrecords.go
@@ -1,334 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !plan9
-
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"slices"
-
-	"go.uber.org/zap"
-	corev1 "k8s.io/api/core/v1"
-	discoveryv1 "k8s.io/api/discovery/v1"
-	networkingv1 "k8s.io/api/networking/v1"
-	apiequality "k8s.io/apimachinery/pkg/api/equality"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/utils/net"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	operatorutils "tailscale.com/k8s-operator"
-	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/util/mak"
-)
-
-const (
-	dnsRecordsRecocilerFinalizer = "tailscale.com/dns-records-reconciler"
-	annotationTSMagicDNSName     = "tailscale.com/magic-dnsname"
-)
-
-// dnsRecordsReconciler knows how to update dnsrecords ConfigMap with DNS
-// records.
-// The records that it creates are:
-//   - For tailscale Ingress, a mapping of the Ingress's MagicDNSName to the IP address of
-//     the ingress proxy Pod.
-//   - For egress proxies configured via tailscale.com/tailnet-fqdn annotation, a
-//     mapping of the tailnet FQDN to the IP address of the egress proxy Pod.
-//
-// Records will only be created if there is exactly one ready
-// tailscale.com/v1alpha1.DNSConfig instance in the cluster (so that we know
-// that there is a ts.net nameserver deployed in the cluster).
-type dnsRecordsReconciler struct {
-	client.Client
-	tsNamespace           string // namespace in which we provision tailscale resources
-	logger                *zap.SugaredLogger
-	isDefaultLoadBalancer bool // true if operator is the default ingress controller in this cluster
-}
-
-// Reconcile takes a reconcile.Request for a headless Service fronting a
-// tailscale proxy and updates DNS Records in dnsrecords ConfigMap for the
-// in-cluster ts.net nameserver if required.
-func (dnsRR *dnsRecordsReconciler) Reconcile(ctx context.Context, req reconcile.Request) (res reconcile.Result, err error) {
-	logger := dnsRR.logger.With("Service", req.NamespacedName)
-	logger.Debugf("starting reconcile")
-	defer logger.Debugf("reconcile finished")
-
-	headlessSvc := new(corev1.Service)
-	err = dnsRR.Client.Get(ctx, req.NamespacedName, headlessSvc)
-	if apierrors.IsNotFound(err) {
-		logger.Debugf("Service not found")
-		return reconcile.Result{}, nil
-	}
-	if err != nil {
-		return reconcile.Result{}, fmt.Errorf("failed to get Service: %w", err)
-	}
-	if !(isManagedByType(headlessSvc, "svc") || isManagedByType(headlessSvc, "ingress")) {
-		logger.Debugf("Service is not a headless Service for a tailscale ingress or egress proxy; do nothing")
-		return reconcile.Result{}, nil
-	}
-
-	if !headlessSvc.DeletionTimestamp.IsZero() {
-		logger.Debug("Service is being deleted, clean up resources")
-		return reconcile.Result{}, dnsRR.maybeCleanup(ctx, headlessSvc, logger)
-	}
-
-	// Check that there is a ts.net nameserver deployed to the cluster by
-	// checking that there is tailscale.com/v1alpha1.DNSConfig resource in a
-	// Ready state.
-	dnsCfgLst := new(tsapi.DNSConfigList)
-	if err = dnsRR.List(ctx, dnsCfgLst); err != nil {
-		return reconcile.Result{}, fmt.Errorf("error listing DNSConfigs: %w", err)
-	}
-	if len(dnsCfgLst.Items) == 0 {
-		logger.Debugf("DNSConfig does not exist, not creating DNS records")
-		return reconcile.Result{}, nil
-	}
-	if len(dnsCfgLst.Items) > 1 {
-		logger.Errorf("Invalid cluster state - more than one DNSConfig found in cluster. Please ensure no more than one exists")
-		return reconcile.Result{}, nil
-	}
-	dnsCfg := dnsCfgLst.Items[0]
-	if !operatorutils.DNSCfgIsReady(&dnsCfg) {
-		logger.Info("DNSConfig is not ready yet, waiting...")
-		return reconcile.Result{}, nil
-	}
-
-	return reconcile.Result{}, dnsRR.maybeProvision(ctx, headlessSvc, logger)
-}
-
-// maybeProvision ensures that dnsrecords ConfigMap contains a record for the
-// proxy associated with the headless Service.
-// The record is only provisioned if the proxy is for a tailscale Ingress or
-// egress configured via tailscale.com/tailnet-fqdn annotation.
-//
-// For Ingress, the record is a mapping between the MagicDNSName of the Ingress, retrieved from
-// ingress.status.loadBalancer.ingress.hostname field and the proxy Pod IP addresses
-// retrieved from the EndpoinSlice associated with this headless Service, i.e
-// Records{IP4: <MagicDNS name of the Ingress>: <[IPs of the ingress proxy Pods]>}
-//
-// For egress, the record is a mapping between tailscale.com/tailnet-fqdn
-// annotation and the proxy Pod IP addresses, retrieved from the EndpointSlice
-// associated with this headless Service, i.e
-// Records{IP4: {<tailscale.com/tailnet-fqdn>: <[IPs of the egress proxy Pods]>}
-//
-// If records need to be created for this proxy, maybeProvision will also:
-// - update the headless Service with a tailscale.com/magic-dnsname annotation
-// - update the headless Service with a finalizer
-func (dnsRR *dnsRecordsReconciler) maybeProvision(ctx context.Context, headlessSvc *corev1.Service, logger *zap.SugaredLogger) error {
-	if headlessSvc == nil {
-		logger.Info("[unexpected] maybeProvision called with a nil Service")
-		return nil
-	}
-	isEgressFQDNSvc, err := dnsRR.isSvcForFQDNEgressProxy(ctx, headlessSvc)
-	if err != nil {
-		return fmt.Errorf("error checking whether the Service is for an egress proxy: %w", err)
-	}
-	if !(isEgressFQDNSvc || isManagedByType(headlessSvc, "ingress")) {
-		logger.Debug("Service is not fronting a proxy that we create DNS records for; do nothing")
-		return nil
-	}
-	fqdn, err := dnsRR.fqdnForDNSRecord(ctx, headlessSvc, logger)
-	if err != nil {
-		return fmt.Errorf("error determining DNS name for record: %w", err)
-	}
-	if fqdn == "" {
-		logger.Debugf("MagicDNS name does not (yet) exist, not provisioning DNS record")
-		return nil // a new reconcile will be triggered once it's added
-	}
-
-	oldHeadlessSvc := headlessSvc.DeepCopy()
-	// Ensure that headless Service is annotated with a finalizer to help
-	// with records cleanup when proxy resources are deleted.
-	if !slices.Contains(headlessSvc.Finalizers, dnsRecordsRecocilerFinalizer) {
-		headlessSvc.Finalizers = append(headlessSvc.Finalizers, dnsRecordsRecocilerFinalizer)
-	}
-	// Ensure that headless Service is annotated with the current MagicDNS
-	// name to help with records cleanup when proxy resources are deleted or
-	// MagicDNS name changes.
-	oldFqdn := headlessSvc.Annotations[annotationTSMagicDNSName]
-	if oldFqdn != "" && oldFqdn != fqdn { // i.e user has changed the value of tailscale.com/tailnet-fqdn annotation
-		logger.Debugf("MagicDNS name has changed, remvoving record for %s", oldFqdn)
-		updateFunc := func(rec *operatorutils.Records) {
-			delete(rec.IP4, oldFqdn)
-		}
-		if err = dnsRR.updateDNSConfig(ctx, updateFunc); err != nil {
-			return fmt.Errorf("error removing record for %s: %w", oldFqdn, err)
-		}
-	}
-	mak.Set(&headlessSvc.Annotations, annotationTSMagicDNSName, fqdn)
-	if !apiequality.Semantic.DeepEqual(oldHeadlessSvc, headlessSvc) {
-		logger.Infof("provisioning DNS record for MagicDNS name: %s", fqdn) // this will be printed exactly once
-		if err := dnsRR.Update(ctx, headlessSvc); err != nil {
-			return fmt.Errorf("error updating proxy headless Service metadata: %w", err)
-		}
-	}
-
-	// Get the Pod IP addresses for the proxy from the EndpointSlice for the
-	// headless Service.
-	labels := map[string]string{discoveryv1.LabelServiceName: headlessSvc.Name} // https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/#ownership
-	eps, err := getSingleObject[discoveryv1.EndpointSlice](ctx, dnsRR.Client, dnsRR.tsNamespace, labels)
-	if err != nil {
-		return fmt.Errorf("error getting the EndpointSlice for the proxy's headless Service: %w", err)
-	}
-	if eps == nil {
-		logger.Debugf("proxy's headless Service EndpointSlice does not yet exist. We will reconcile again once it's created")
-		return nil
-	}
-	// An EndpointSlice for a Service can have a list of endpoints that each
-	// can have multiple addresses - these are the IP addresses of any Pods
-	// selected by that Service. Pick all the IPv4 addresses.
-	ips := make([]string, 0)
-	for _, ep := range eps.Endpoints {
-		for _, ip := range ep.Addresses {
-			if !net.IsIPv4String(ip) {
-				logger.Infof("EndpointSlice contains IP address %q that is not IPv4, ignoring. Currently only IPv4 is supported", ip)
-			} else {
-				ips = append(ips, ip)
-			}
-		}
-	}
-	if len(ips) == 0 {
-		logger.Debugf("EndpointSlice for the Service contains no IPv4 addresses. We will reconcile again once they are created.")
-		return nil
-	}
-	updateFunc := func(rec *operatorutils.Records) {
-		mak.Set(&rec.IP4, fqdn, ips)
-	}
-	if err = dnsRR.updateDNSConfig(ctx, updateFunc); err != nil {
-		return fmt.Errorf("error updating DNS records: %w", err)
-	}
-	return nil
-}
-
-// maybeCleanup ensures that the DNS record for the proxy has been removed from
-// dnsrecords ConfigMap and the tailscale.com/dns-records-reconciler finalizer
-// has been removed from the Service. If the record is not found in the
-// ConfigMap, the ConfigMap does not exist, or the Service does not have
-// tailscale.com/magic-dnsname annotation, just remove the finalizer.
-func (h *dnsRecordsReconciler) maybeCleanup(ctx context.Context, headlessSvc *corev1.Service, logger *zap.SugaredLogger) error {
-	ix := slices.Index(headlessSvc.Finalizers, dnsRecordsRecocilerFinalizer)
-	if ix == -1 {
-		logger.Debugf("no finalizer, nothing to do")
-		return nil
-	}
-	cm := &corev1.ConfigMap{}
-	err := h.Client.Get(ctx, types.NamespacedName{Name: operatorutils.DNSRecordsCMName, Namespace: h.tsNamespace}, cm)
-	if apierrors.IsNotFound(err) {
-		logger.Debug("'dsnrecords' ConfigMap not found")
-		return h.removeHeadlessSvcFinalizer(ctx, headlessSvc)
-	}
-	if err != nil {
-		return fmt.Errorf("error retrieving 'dnsrecords' ConfigMap: %w", err)
-	}
-	if cm.Data == nil {
-		logger.Debug("'dnsrecords' ConfigMap contains no records")
-		return h.removeHeadlessSvcFinalizer(ctx, headlessSvc)
-	}
-	_, ok := cm.Data[operatorutils.DNSRecordsCMKey]
-	if !ok {
-		logger.Debug("'dnsrecords' ConfigMap contains no records")
-		return h.removeHeadlessSvcFinalizer(ctx, headlessSvc)
-	}
-	fqdn, _ := headlessSvc.GetAnnotations()[annotationTSMagicDNSName]
-	if fqdn == "" {
-		return h.removeHeadlessSvcFinalizer(ctx, headlessSvc)
-	}
-	logger.Infof("removing DNS record for MagicDNS name %s", fqdn)
-	updateFunc := func(rec *operatorutils.Records) {
-		delete(rec.IP4, fqdn)
-	}
-	if err = h.updateDNSConfig(ctx, updateFunc); err != nil {
-		return fmt.Errorf("error updating DNS config: %w", err)
-	}
-	return h.removeHeadlessSvcFinalizer(ctx, headlessSvc)
-}
-
-func (dnsRR *dnsRecordsReconciler) removeHeadlessSvcFinalizer(ctx context.Context, headlessSvc *corev1.Service) error {
-	idx := slices.Index(headlessSvc.Finalizers, dnsRecordsRecocilerFinalizer)
-	if idx == -1 {
-		return nil
-	}
-	headlessSvc.Finalizers = append(headlessSvc.Finalizers[:idx], headlessSvc.Finalizers[idx+1:]...)
-	return dnsRR.Update(ctx, headlessSvc)
-}
-
-// fqdnForDNSRecord returns MagicDNS name associated with a given headless Service.
-// If the headless Service is for a tailscale Ingress proxy, returns ingress.status.loadBalancer.ingress.hostname.
-// If the headless Service is for an tailscale egress proxy configured via tailscale.com/tailnet-fqdn annotation, returns the annotation value.
-// This function is not expected to be called with headless Services for other
-// proxy types, or any other Services, but it just returns an empty string if
-// that happens.
-func (dnsRR *dnsRecordsReconciler) fqdnForDNSRecord(ctx context.Context, headlessSvc *corev1.Service, logger *zap.SugaredLogger) (string, error) {
-	parentName := parentFromObjectLabels(headlessSvc)
-	if isManagedByType(headlessSvc, "ingress") {
-		ing := new(networkingv1.Ingress)
-		if err := dnsRR.Get(ctx, parentName, ing); err != nil {
-			return "", err
-		}
-		if len(ing.Status.LoadBalancer.Ingress) == 0 {
-			return "", nil
-		}
-		return ing.Status.LoadBalancer.Ingress[0].Hostname, nil
-	}
-	if isManagedByType(headlessSvc, "svc") {
-		svc := new(corev1.Service)
-		if err := dnsRR.Get(ctx, parentName, svc); apierrors.IsNotFound(err) {
-			logger.Info("[unexpected] parent Service for egress proxy %s not found", headlessSvc.Name)
-			return "", nil
-		} else if err != nil {
-			return "", err
-		}
-		return svc.Annotations[AnnotationTailnetTargetFQDN], nil
-	}
-	return "", nil
-}
-
-// updateDNSConfig runs the provided update function against dnsrecords
-// ConfigMap. At this point the in-cluster ts.net nameserver is expected to be
-// successfully created together with the ConfigMap.
-func (dnsRR *dnsRecordsReconciler) updateDNSConfig(ctx context.Context, update func(*operatorutils.Records)) error {
-	cm := &corev1.ConfigMap{}
-	err := dnsRR.Get(ctx, types.NamespacedName{Name: operatorutils.DNSRecordsCMName, Namespace: dnsRR.tsNamespace}, cm)
-	if apierrors.IsNotFound(err) {
-		dnsRR.logger.Info("[unexpected] dnsrecords ConfigMap not found in cluster. Not updating DNS records. Please open an isue and attach operator logs.")
-		return nil
-	}
-	if err != nil {
-		return fmt.Errorf("error retrieving dnsrecords ConfigMap: %w", err)
-	}
-	dnsRecords := operatorutils.Records{Version: operatorutils.Alpha1Version, IP4: map[string][]string{}}
-	if cm.Data != nil && cm.Data[operatorutils.DNSRecordsCMKey] != "" {
-		if err := json.Unmarshal([]byte(cm.Data[operatorutils.DNSRecordsCMKey]), &dnsRecords); err != nil {
-			return err
-		}
-	}
-	update(&dnsRecords)
-	dnsRecordsBs, err := json.Marshal(dnsRecords)
-	if err != nil {
-		return fmt.Errorf("error marshalling DNS records: %w", err)
-	}
-	mak.Set(&cm.Data, operatorutils.DNSRecordsCMKey, string(dnsRecordsBs))
-	return dnsRR.Update(ctx, cm)
-}
-
-// isSvcForFQDNEgressProxy returns true if the Service is a headless Service
-// created for a proxy for a tailscale egress Service configured via
-// tailscale.com/tailnet-fqdn annotation.
-func (dnsRR *dnsRecordsReconciler) isSvcForFQDNEgressProxy(ctx context.Context, svc *corev1.Service) (bool, error) {
-	if !isManagedByType(svc, "svc") {
-		return false, nil
-	}
-	parentName := parentFromObjectLabels(svc)
-	parentSvc := new(corev1.Service)
-	if err := dnsRR.Get(ctx, parentName, parentSvc); apierrors.IsNotFound(err) {
-		return false, nil
-	} else if err != nil {
-		return false, err
-	}
-	annots := parentSvc.Annotations
-	return annots != nil && annots[AnnotationTailnetTargetFQDN] != "", nil
-}
--- a/cmd/k8s-operator/dnsrecords_test.go
+++ b/cmd/k8s-operator/dnsrecords_test.go
@@ -1,198 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !plan9
-
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"go.uber.org/zap"
-	corev1 "k8s.io/api/core/v1"
-	discoveryv1 "k8s.io/api/discovery/v1"
-	networkingv1 "k8s.io/api/networking/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-	operatorutils "tailscale.com/k8s-operator"
-	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
-	"tailscale.com/tstest"
-	"tailscale.com/types/ptr"
-)
-
-func TestDNSRecordsReconciler(t *testing.T) {
-	// Preconfigure a cluster with a DNSConfig
-	dnsConfig := &tsapi.DNSConfig{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "test",
-		},
-		TypeMeta: metav1.TypeMeta{Kind: "DNSConfig"},
-		Spec: tsapi.DNSConfigSpec{
-			Nameserver: &tsapi.Nameserver{},
-		}}
-	ing := &networkingv1.Ingress{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "ts-ingress",
-			Namespace: "test",
-		},
-		Spec: networkingv1.IngressSpec{
-			IngressClassName: ptr.To("tailscale"),
-		},
-		Status: networkingv1.IngressStatus{
-			LoadBalancer: networkingv1.IngressLoadBalancerStatus{
-				Ingress: []networkingv1.IngressLoadBalancerIngress{{
-					Hostname: "cluster.ingress.ts.net"}},
-			},
-		},
-	}
-	cm := &corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "dnsrecords", Namespace: "tailscale"}}
-	fc := fake.NewClientBuilder().
-		WithScheme(tsapi.GlobalScheme).
-		WithObjects(cm).
-		WithObjects(dnsConfig).
-		WithObjects(ing).
-		WithStatusSubresource(dnsConfig, ing).
-		Build()
-	zl, err := zap.NewDevelopment()
-	if err != nil {
-		t.Fatal(err)
-	}
-	cl := tstest.NewClock(tstest.ClockOpts{})
-	// Set the ready condition of the DNSConfig
-	mustUpdateStatus[tsapi.DNSConfig](t, fc, "", "test", func(c *tsapi.DNSConfig) {
-		operatorutils.SetDNSConfigCondition(c, tsapi.NameserverReady, metav1.ConditionTrue, reasonNameserverCreated, reasonNameserverCreated, 0, cl, zl.Sugar())
-	})
-	dnsRR := &dnsRecordsReconciler{
-		Client:      fc,
-		logger:      zl.Sugar(),
-		tsNamespace: "tailscale",
-	}
-
-	// 1. DNS record is created for an egress proxy configured via
-	// tailscale.com/tailnet-fqdn annotation
-	egressSvcFQDN := &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:        "egress-fqdn",
-			Namespace:   "test",
-			Annotations: map[string]string{"tailscale.com/tailnet-fqdn": "foo.bar.ts.net"},
-		},
-		Spec: corev1.ServiceSpec{
-			ExternalName: "unused",
-			Type:         corev1.ServiceTypeExternalName,
-		},
-	}
-	headlessForEgressSvcFQDN := headlessSvcForParent(egressSvcFQDN, "svc") // create the proxy headless Service
-	ep := endpointSliceForService(headlessForEgressSvcFQDN, "10.9.8.7")
-	mustCreate(t, fc, egressSvcFQDN)
-	mustCreate(t, fc, headlessForEgressSvcFQDN)
-	mustCreate(t, fc, ep)
-	expectReconciled(t, dnsRR, "tailscale", "egress-fqdn") // dns-records-reconciler reconcile the headless Service
-	// ConfigMap should now have a record for foo.bar.ts.net -> 10.8.8.7
-	wantHosts := map[string][]string{"foo.bar.ts.net": {"10.9.8.7"}}
-	expectHostsRecords(t, fc, wantHosts)
-
-	// 2. DNS record is updated if tailscale.com/tailnet-fqdn annotation's
-	// value changes
-	mustUpdate(t, fc, "test", "egress-fqdn", func(svc *corev1.Service) {
-		svc.Annotations["tailscale.com/tailnet-fqdn"] = "baz.bar.ts.net"
-	})
-	expectReconciled(t, dnsRR, "tailscale", "egress-fqdn") // dns-records-reconciler reconcile the headless Service
-	wantHosts = map[string][]string{"baz.bar.ts.net": {"10.9.8.7"}}
-	expectHostsRecords(t, fc, wantHosts)
-
-	// 3. DNS record is updated if the IP address of the proxy Pod changes.
-	ep = endpointSliceForService(headlessForEgressSvcFQDN, "10.6.5.4")
-	mustUpdate(t, fc, ep.Namespace, ep.Name, func(ep *discoveryv1.EndpointSlice) {
-		ep.Endpoints[0].Addresses = []string{"10.6.5.4"}
-	})
-	expectReconciled(t, dnsRR, "tailscale", "egress-fqdn") // dns-records-reconciler reconcile the headless Service
-	wantHosts = map[string][]string{"baz.bar.ts.net": {"10.6.5.4"}}
-	expectHostsRecords(t, fc, wantHosts)
-
-	// 4. DNS record is created for an ingress proxy configured via Ingress
-	headlessForIngress := headlessSvcForParent(ing, "ingress")
-	ep = endpointSliceForService(headlessForIngress, "10.9.8.7")
-	mustCreate(t, fc, headlessForIngress)
-	mustCreate(t, fc, ep)
-	expectReconciled(t, dnsRR, "tailscale", "ts-ingress") // dns-records-reconciler should reconcile the headless Service
-	wantHosts["cluster.ingress.ts.net"] = []string{"10.9.8.7"}
-	expectHostsRecords(t, fc, wantHosts)
-
-	// 5. DNS records are updated if Ingress's MagicDNS name changes (i.e users changed spec.tls.hosts[0])
-	t.Log("test case 5")
-	mustUpdateStatus(t, fc, "test", "ts-ingress", func(ing *networkingv1.Ingress) {
-		ing.Status.LoadBalancer.Ingress[0].Hostname = "another.ingress.ts.net"
-	})
-	expectReconciled(t, dnsRR, "tailscale", "ts-ingress") // dns-records-reconciler should reconcile the headless Service
-	delete(wantHosts, "cluster.ingress.ts.net")
-	wantHosts["another.ingress.ts.net"] = []string{"10.9.8.7"}
-	expectHostsRecords(t, fc, wantHosts)
-
-	// 6. DNS records are updated if Ingress proxy's Pod IP changes
-	mustUpdate(t, fc, ep.Namespace, ep.Name, func(ep *discoveryv1.EndpointSlice) {
-		ep.Endpoints[0].Addresses = []string{"7.8.9.10"}
-	})
-	expectReconciled(t, dnsRR, "tailscale", "ts-ingress")
-	wantHosts["another.ingress.ts.net"] = []string{"7.8.9.10"}
-	expectHostsRecords(t, fc, wantHosts)
-}
-
-func headlessSvcForParent(o client.Object, typ string) *corev1.Service {
-	return &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      o.GetName(),
-			Namespace: "tailscale",
-			Labels: map[string]string{
-				LabelManaged:         "true",
-				LabelParentName:      o.GetName(),
-				LabelParentNamespace: o.GetNamespace(),
-				LabelParentType:      typ,
-			},
-		},
-		Spec: corev1.ServiceSpec{
-			ClusterIP: "None",
-			Type:      corev1.ServiceTypeClusterIP,
-			Selector:  map[string]string{"foo": "bar"},
-		},
-	}
-}
-
-func endpointSliceForService(svc *corev1.Service, ip string) *discoveryv1.EndpointSlice {
-	return &discoveryv1.EndpointSlice{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      svc.Name,
-			Namespace: svc.Namespace,
-			Labels:    map[string]string{discoveryv1.LabelServiceName: svc.Name},
-		},
-		Endpoints: []discoveryv1.Endpoint{{
-			Addresses: []string{ip},
-		}},
-	}
-}
-
-func expectHostsRecords(t *testing.T, cl client.Client, wantsHosts map[string][]string) {
-	t.Helper()
-	cm := new(corev1.ConfigMap)
-	if err := cl.Get(context.Background(), types.NamespacedName{Name: "dnsrecords", Namespace: "tailscale"}, cm); err != nil {
-		t.Fatalf("getting dnsconfig ConfigMap: %v", err)
-	}
-	if cm.Data == nil {
-		t.Fatal("dnsconfig ConfigMap has no data")
-	}
-	dnsConfigString, ok := cm.Data[operatorutils.DNSRecordsCMKey]
-	if !ok {
-		t.Fatal("dnsconfig ConfigMap does not contain dnsconfig")
-	}
-	dnsConfig := &operatorutils.Records{}
-	if err := json.Unmarshal([]byte(dnsConfigString), dnsConfig); err != nil {
-		t.Fatalf("unmarshaling dnsconfig: %v", err)
-	}
-	if diff := cmp.Diff(dnsConfig.IP4, wantsHosts); diff != "" {
-		t.Fatalf("unexpected dns config (-got +want):\n%s", diff)
-	}
-}
--- a/cmd/k8s-operator/generate/main.go
+++ b/cmd/k8s-operator/generate/main.go
@@ -3,7 +3,6 @@

 //go:build !plan9

-// The generate command creates tailscale.com CRDs.
 package main

 import (
@@ -20,14 +19,10 @@ import (
 )

 const (
-	operatorDeploymentFilesPath   = "cmd/k8s-operator/deploy"
-	connectorCRDPath              = operatorDeploymentFilesPath + "/crds/tailscale.com_connectors.yaml"
-	proxyClassCRDPath             = operatorDeploymentFilesPath + "/crds/tailscale.com_proxyclasses.yaml"
-	dnsConfigCRDPath              = operatorDeploymentFilesPath + "/crds/tailscale.com_dnsconfigs.yaml"
-	helmTemplatesPath             = operatorDeploymentFilesPath + "/chart/templates"
-	connectorCRDHelmTemplatePath  = helmTemplatesPath + "/connector.yaml"
-	proxyClassCRDHelmTemplatePath = helmTemplatesPath + "/proxyclass.yaml"
-	dnsConfigCRDHelmTemplatePath  = helmTemplatesPath + "/dnsconfig.yaml"
+	operatorDeploymentFilesPath = "cmd/k8s-operator/deploy"
+	crdPath                     = operatorDeploymentFilesPath + "/crds/tailscale.com_connectors.yaml"
+	helmTemplatesPath           = operatorDeploymentFilesPath + "/chart/templates"
+	crdTemplatePath             = helmTemplatesPath + "/connectors.yaml"

 	helmConditionalStart = "{{ if .Values.installCRDs -}}\n"
 	helmConditionalEnd   = "{{- end -}}"
@@ -39,19 +34,19 @@ func main() {
 	}
 	repoRoot := "../../"
 	switch os.Args[1] {
-	case "helmcrd": // insert CRDs to Helm templates behind a installCRDs=true conditional check
-		log.Print("Adding CRDs to Helm templates")
+	case "helmcrd": // insert CRD to Helm templates behind a installCRDs=true conditional check
+		log.Print("Adding Connector CRD to Helm templates")
 		if err := generate("./"); err != nil {
-			log.Fatalf("error adding CRDs to Helm templates: %v", err)
+			log.Fatalf("error adding Connector CRD to Helm templates: %v", err)
 		}
 		return
 	case "staticmanifests": // generate static manifests from Helm templates (including the CRD)
 	default:
 		log.Fatalf("unknown option %s, known options are 'staticmanifests', 'helmcrd'", os.Args[1])
 	}
-	log.Printf("Inserting CRDs Helm templates")
+	log.Printf("Inserting CRD into the Helm templates")
 	if err := generate(repoRoot); err != nil {
-		log.Fatalf("error adding CRDs to Helm templates: %v", err)
+		log.Fatalf("error adding Connector CRD to Helm templates: %v", err)
 	}
 	defer func() {
 		if err := cleanup(repoRoot); err != nil {
@@ -111,54 +106,34 @@ func main() {
 	}
 }

-// generate places tailscale.com CRDs (currently Connector, ProxyClass and DNSConfig) into
-// the Helm chart templates behind .Values.installCRDs=true condition (true by
-// default).
 func generate(baseDir string) error {
-	addCRDToHelm := func(crdPath, crdTemplatePath string) error {
-		chartBytes, err := os.ReadFile(filepath.Join(baseDir, crdPath))
-		if err != nil {
-			return fmt.Errorf("error reading CRD contents: %w", err)
-		}
-		// Place a new temporary Helm template file with the templated CRD
-		// contents into Helm templates.
-		file, err := os.Create(filepath.Join(baseDir, crdTemplatePath))
-		if err != nil {
-			return fmt.Errorf("error creating CRD template file: %w", err)
-		}
-		if _, err := file.Write([]byte(helmConditionalStart)); err != nil {
-			return fmt.Errorf("error writing helm if statement start: %w", err)
-		}
-		if _, err := file.Write(chartBytes); err != nil {
-			return fmt.Errorf("error writing chart bytes: %w", err)
-		}
-		if _, err := file.Write([]byte(helmConditionalEnd)); err != nil {
-			return fmt.Errorf("error writing helm if-statement end: %w", err)
-		}
-		return nil
+	log.Print("Placing Connector CRD into Helm templates..")
+	chartBytes, err := os.ReadFile(filepath.Join(baseDir, crdPath))
+	if err != nil {
+		return fmt.Errorf("error reading CRD contents: %w", err)
 	}
-	if err := addCRDToHelm(connectorCRDPath, connectorCRDHelmTemplatePath); err != nil {
-		return fmt.Errorf("error adding Connector CRD to Helm templates: %w", err)
+	// Place a new temporary Helm template file with the templated CRD
+	// contents into Helm templates.
+	file, err := os.Create(filepath.Join(baseDir, crdTemplatePath))
+	if err != nil {
+		return fmt.Errorf("error creating CRD template file: %w", err)
 	}
-	if err := addCRDToHelm(proxyClassCRDPath, proxyClassCRDHelmTemplatePath); err != nil {
-		return fmt.Errorf("error adding ProxyClass CRD to Helm templates: %w", err)
+	if _, err := file.Write([]byte(helmConditionalStart)); err != nil {
+		return fmt.Errorf("error writing helm if statement start: %w", err)
 	}
-	if err := addCRDToHelm(dnsConfigCRDPath, dnsConfigCRDHelmTemplatePath); err != nil {
-		return fmt.Errorf("error adding DNSConfig CRD to Helm templates: %w", err)
+	if _, err := file.Write(chartBytes); err != nil {
+		return fmt.Errorf("error writing chart bytes: %w", err)
+	}
+	if _, err := file.Write([]byte(helmConditionalEnd)); err != nil {
+		return fmt.Errorf("error writing helm if-statement end: %w", err)
 	}
 	return nil
 }

 func cleanup(baseDir string) error {
 	log.Print("Cleaning up CRD from Helm templates")
-	if err := os.Remove(filepath.Join(baseDir, connectorCRDHelmTemplatePath)); err != nil && !os.IsNotExist(err) {
-		return fmt.Errorf("error cleaning up Connector CRD template: %w", err)
-	}
-	if err := os.Remove(filepath.Join(baseDir, proxyClassCRDHelmTemplatePath)); err != nil && !os.IsNotExist(err) {
-		return fmt.Errorf("error cleaning up ProxyClass CRD template: %w", err)
-	}
-	if err := os.Remove(filepath.Join(baseDir, dnsConfigCRDHelmTemplatePath)); err != nil && !os.IsNotExist(err) {
-		return fmt.Errorf("error cleaning up DNSConfig CRD template: %w", err)
+	if err := os.Remove(filepath.Join(baseDir, crdTemplatePath)); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("error cleaning up CRD template: %w", err)
 	}
 	return nil
 }
--- a/cmd/k8s-operator/generate/main_test.go
+++ b/cmd/k8s-operator/generate/main_test.go
@@ -42,7 +42,7 @@ func Test_generate(t *testing.T) {
 		t.Fatalf("Helm chart linter failed: %v", err)
 	}

-	// Test that default Helm install contains the Connector and ProxyClass CRDs.
+	// Test that default Helm install contains the CRD
 	installContentsWithCRD := bytes.NewBuffer([]byte{})
 	helmTemplateWithCRDCmd := exec.Command(helmCLIPath, "template", helmPackagePath)
 	helmTemplateWithCRDCmd.Stderr = os.Stderr
@@ -51,16 +51,10 @@ func Test_generate(t *testing.T) {
 		t.Fatalf("templating Helm chart with CRDs failed: %v", err)
 	}
 	if !strings.Contains(installContentsWithCRD.String(), "name: connectors.tailscale.com") {
-		t.Errorf("Connector CRD not found in default chart install")
-	}
-	if !strings.Contains(installContentsWithCRD.String(), "name: proxyclasses.tailscale.com") {
-		t.Errorf("ProxyClass CRD not found in default chart install")
-	}
-	if !strings.Contains(installContentsWithCRD.String(), "name: dnsconfigs.tailscale.com") {
-		t.Errorf("DNSConfig CRD not found in default chart install")
+		t.Errorf("CRD not found in default chart install")
 	}

-	// Test that CRDs can be excluded from Helm chart install
+	// Test that CRD can be excluded from Helm chart install
 	installContentsWithoutCRD := bytes.NewBuffer([]byte{})
 	helmTemplateWithoutCRDCmd := exec.Command(helmCLIPath, "template", helmPackagePath, "--set", "installCRDs=false")
 	helmTemplateWithoutCRDCmd.Stderr = os.Stderr
@@ -69,12 +63,6 @@ func Test_generate(t *testing.T) {
 		t.Fatalf("templating Helm chart without CRDs failed: %v", err)
 	}
 	if strings.Contains(installContentsWithoutCRD.String(), "name: connectors.tailscale.com") {
-		t.Errorf("Connector CRD found in chart install that should not contain a CRD")
-	}
-	if strings.Contains(installContentsWithoutCRD.String(), "name: connectors.tailscale.com") {
-		t.Errorf("ProxyClass CRD found in chart install that should not contain a CRD")
-	}
-	if strings.Contains(installContentsWithoutCRD.String(), "name: dnsconfigs.tailscale.com") {
-		t.Errorf("DNSConfig CRD found in chart install that should not contain a CRD")
+		t.Errorf("CRD found in chart install that should not contain a CRD")
 	}
 }
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .71.0
 .57.0