brew: added TODO; revised README; added to formula caveats and test

Several tweaks:
  * added correct 'services start' msg via formula caveats method added
  * added 'tailscaled -version' to formula test block
  * added TODO file, extracted from author's private Tailscale brew TODO notes
  * added more brew notes to README

Signed-off-by: Mike Kramlich <groglogic@gmail.com>

.bencher/config.yaml

@@ -1 +0,0 @@
-suppress_failure_on_regression: true

.gitattributes

@@ -1,2 +1 @@
 go.mod filter=go-mod
-*.go  diff=golang

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,37 @@
+---
+name: Bug report
+about: Create a bug report
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!-- Please note, this template is for definite bugs, not requests for
+support. If you need help with Tailscale, please email
+support@tailscale.com. We don't provide support via Github issues. -->
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Version information:**
+ - Device: [e.g. iPhone X, laptop]
+ - OS: [e.g. Windows, MacOS]
+ - OS version: [e.g. Windows 10, Ubuntu 18.04]
+ - Tailscale version: [e.g. 0.95-0]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,81 +0,0 @@
-name: Bug report
-description: File a bug report. If you need help, contact support instead
-labels: [needs-triage, bug]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Need help with your tailnet? [Contact support](https://tailscale.com/contact/support) instead.
-        Otherwise, please check if your bug is [already filed](https://github.com/tailscale/tailscale/issues) before filing a new one.
-  - type: textarea
-    id: what-happened
-    attributes:
-      label: What is the issue?
-      description: What happened? What did you expect to happen?
-    validations:
-      required: true
-  - type: textarea
-    id: steps
-    attributes:
-      label: Steps to reproduce
-      description: What are the steps you took that hit this issue?
-    validations:
-      required: false
-  - type: textarea
-    id: changes
-    attributes:
-      label: Are there any recent changes that introduced the issue?
-      description: If so, what are those changes?
-    validations:
-      required: false
-  - type: dropdown
-    id: os
-    attributes:
-      label: OS
-      description: What OS are you using? You may select more than one.
-      multiple: true
-      options:
-        - Linux
-        - macOS
-        - Windows
-        - iOS
-        - Android
-        - Synology
-        - Other
-    validations:
-      required: false
-  - type: input
-    id: os-version
-    attributes:
-      label: OS version
-      description: What OS version are you using?
-      placeholder: e.g., Debian 11.0, macOS Big Sur 11.6, Synology DSM 7
-    validations:
-      required: false
-  - type: input
-    id: ts-version
-    attributes:
-      label: Tailscale version
-      description: What Tailscale version are you using?
-      placeholder: e.g., 1.14.4
-    validations:
-      required: false
-  - type: textarea
-    id: other-software
-    attributes:
-      label: Other software
-      description: What [other software](https://github.com/tailscale/tailscale/wiki/OtherSoftwareInterop) (networking, security, etc) are you running?
-    validations:
-      required: false
-  - type: input
-    id: bug-report
-    attributes:
-      label: Bug report
-      description: Please run [`tailscale bugreport`](https://tailscale.com/kb/1080/cli/?q=Cli#bugreport) and share the bug identifier. The identifier is a random string which allows Tailscale support to locate your account and gives a point to focus on when looking for errors.
-      placeholder: e.g., BUG-1b7641a16971a9cd75822c0ed8043fee70ae88cf05c52981dc220eb96a5c49a8-20210427151443Z-fbcd4fd3a4b7ad94
-    validations:
-      required: false
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for filing a bug report!

.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +1,5 @@
 blank_issues_enabled: true
 contact_links:
-  - name: Support
-    url: https://tailscale.com/contact/support/
-    about: Contact us for support
-  - name: Troubleshooting
+  - name: Support and Product Questions
     url: https://tailscale.com/kb/1023/troubleshooting
-    about: See the troubleshooting guide for help addressing common issues
+    about: Please send support questions and questions about the Tailscale product to support@tailscale.com

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,26 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+
+A clear and concise description of what the problem is. Ex. I'm always
+frustrated when [...]
+
+**Describe the solution you'd like**
+
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+
+A clear and concise description of any alternative solutions or
+features you've considered.
+
+**Additional context**
+
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,42 +0,0 @@
-name: Feature request
-description: Propose a new feature
-title: "FR: "
-labels: [needs-triage, fr]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Please check if your feature request is [already filed](https://github.com/tailscale/tailscale/issues).
-        Tell us about your idea!
-  - type: textarea
-    id: problem
-    attributes:
-      label: What are you trying to do?
-      description: Tell us about the problem you're trying to solve.
-    validations:
-      required: false
-  - type: textarea
-    id: solution
-    attributes:
-      label: How should we solve this?
-      description: If you have an idea of how you'd like to see this feature work, let us know.
-    validations:
-      required: false
-  - type: textarea
-    id: alternative
-    attributes:
-      label: What is the impact of not solving this?
-      description: (How) Are you currently working around the issue?
-    validations:
-      required: false
-  - type: textarea
-    id: context
-    attributes:
-      label: Anything else?
-      description: Any additional context to share, e.g., links
-    validations:
-      required: false
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for filing a feature request!

.github/dependabot.yml

@@ -1,21 +0,0 @@
-# Documentation for this file can be found at:
-# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
-version: 2
-updates:
-  ## Disabled between releases. We reenable it briefly after every
-  ## stable release, pull in all changes, and close it again so that
-  ## the tree remains more stable during development and the upstream
-  ## changes have time to soak before the next release.
-  # - package-ecosystem: "gomod"
-  #   directory: "/"
-  #   schedule:
-  #     interval: "daily"
-  #   commit-message:
-  #     prefix: "go.mod:"
-  #   open-pull-requests-limit: 100
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    commit-message:
-      prefix: ".github:"

.github/licenses.tmpl

@@ -1,17 +0,0 @@
-# Tailscale CLI and daemon dependencies
-
-The following open source dependencies are used to build the [tailscale][] and
-[tailscaled][] commands. These are primarily used on Linux and BSD variants as
-well as an [option for macOS][].
-
-[tailscale]: https://pkg.go.dev/tailscale.com/cmd/tailscale
-[tailscaled]: https://pkg.go.dev/tailscale.com/cmd/tailscaled
-[option for macOS]: https://tailscale.com/kb/1065/macos-variants/
-
-## Go Packages
-
-Some packages may only be included on certain architectures or operating systems.
-
-{{ range . }}
- - [{{.Name}}](https://pkg.go.dev/{{.Name}}) ([{{.LicenseName}}]({{.LicenseURL}}))
-{{- end }}

.github/workflows/checklocks.yml

@@ -1,34 +0,0 @@
-name: checklocks
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    paths:
-      - '**/*.go'
-      - '.github/workflows/checklocks.yml'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  checklocks:
-    runs-on: [ ubuntu-latest ]
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-
-      - name: Build checklocks
-        run: ./tool/go build -o /tmp/checklocks gvisor.dev/gvisor/tools/checklocks/cmd/checklocks
-
-      - name: Run checklocks vet
-        # TODO(#12625): add more packages as we add annotations
-        run: |-
-          ./tool/go vet -vettool=/tmp/checklocks \
-            ./envknob           \
-            ./ipn/store/mem     \
-            ./net/stun/stuntest \
-            ./net/wsconn        \
-            ./proxymap

.github/workflows/codeql-analysis.yml

@@ -1,83 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ main, release-branch/* ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ main ]
-  merge_group:
-    branches: [ main ]
-  schedule:
-    - cron: '31 14 * * 5'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'go' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
-        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-
-    # Install a more recent Go that understands modern go.mod content.
-    - name: Install Go
-      uses: actions/setup-go@v4
-      with:
-        go-version-file: go.mod
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2

.github/workflows/coverage.yml

@@ -0,0 +1,48 @@
+name: Code Coverage
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.16
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+      # https://markphelps.me/2019/11/speed-up-your-go-builds-with-actions-cache/
+    - name: Restore Cache
+      uses: actions/cache@preview
+      id: cache
+      with:
+        path: ~/go/pkg/mod
+        key: ${{ runner.os }}-${{ hashFiles('**/go.sum') }}
+
+    - name: Basic build
+      run: go build ./cmd/...
+
+    - name: Run tests on linux with coverage data
+      run: go test -race -coverprofile=coverage.txt -bench=. -benchtime=1x ./...
+
+    - name: coveralls.io
+      uses: shogo82148/actions-goveralls@v1
+      env:
+        COVERALLS_TOKEN: ${{ secrets.COVERALLS_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.COVERALLS_BOT_PUBLIC_REPO_TOKEN }}
+      with:
+        path-to-profile: ./coverage.txt

.github/workflows/cross-darwin.yml

@@ -0,0 +1,53 @@
+name: Darwin-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.16
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: macOS build cmd
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: macOS build tests
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/cross-freebsd.yml

@@ -0,0 +1,53 @@
+name: FreeBSD-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.16
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: FreeBSD build cmd
+      env:
+        GOOS: freebsd
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: FreeBSD build tests
+      env:
+        GOOS: freebsd
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/cross-openbsd.yml

@@ -0,0 +1,53 @@
+name: OpenBSD-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.16
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: OpenBSD build cmd
+      env:
+        GOOS: openbsd
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: OpenBSD build tests
+      env:
+        GOOS: openbsd
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/cross-windows.yml

@@ -0,0 +1,53 @@
+name: Windows-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.16
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: Windows build cmd
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: Windows build tests
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/depaware.yml

@@ -0,0 +1,28 @@
+name: depaware
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.16
+
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: depaware tailscaled
+      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+
+    - name: depaware tailscale
+      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale

.github/workflows/docker-file-build.yml

@@ -1,15 +0,0 @@
-name: "Dockerfile build"
-on: 
-  push:
-    branches:
-    - main
-  pull_request:
-    branches:
-      - "*"
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: "Build Docker image"
-      run: docker build .

.github/workflows/flakehub-publish-tagged.yml

@@ -1,27 +0,0 @@
-name: update-flakehub
-
-on:
-  push:
-    tags:
-      - "v[0-9]+.*[02468].[0-9]+"
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "The existing tag to publish to FlakeHub"
-        type: "string"
-        required: true
-jobs:
-  flakehub-publish:
-    runs-on: "ubuntu-latest"
-    permissions:
-      id-token: "write"
-      contents: "read"
-    steps:
-      - uses: "actions/checkout@v4"
-        with:
-          ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
-      - uses: "DeterminateSystems/nix-installer-action@main"
-      - uses: "DeterminateSystems/flakehub-push@main"
-        with:
-          visibility: "public"
-          tag: "${{ inputs.tag }}"

.github/workflows/golangci-lint.yml

@@ -1,40 +0,0 @@
-name: golangci-lint
-on:
-  # For now, only lint pull requests, not the main branches.
-  pull_request:
-
-  # TODO(andrew): enable for main branch after an initial waiting period.
-  #push:
-  #  branches:
-  #    - main
-
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pull-requests: read
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  golangci:
-    name: lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-go@v4
-        with:
-          go-version-file: go.mod
-          cache: false
-
-      - name: golangci-lint
-        # Note: this is the 'v3' tag as of 2023-08-14
-        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299
-        with:
-          version: v1.56
-
-          # Show only new issues if it's a pull request.
-          only-new-issues: true

.github/workflows/govulncheck.yml

@@ -1,51 +0,0 @@
-name: govulncheck
-
-on:
-  schedule:
-    - cron: "0 12 * * *" # 8am EST / 10am PST / 12pm UTC
-  workflow_dispatch: # allow manual trigger for testing
-  pull_request:
-    paths:
-      - ".github/workflows/govulncheck.yml"
-
-jobs:
-  source-scan:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
-
-      - name: Install govulncheck
-        run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
-
-      - name: Scan source code for known vulnerabilities
-        run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...
-
-      - name: Post to slack
-        if: failure() && github.event_name == 'schedule'
-        uses: slackapi/slack-github-action@v1.24.0
-        env:
-          SLACK_BOT_TOKEN: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
-        with:
-          channel-id: 'C05PXRM304B'
-          payload: |
-            {
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "Govulncheck failed in ${{ github.repository }}"
-                  },
-                  "accessory": {
-                    "type": "button",
-                    "text": {
-                      "type": "plain_text",
-                      "text": "View results"
-                    },
-                    "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-                  }
-                }
-              ]
-            }

.github/workflows/installer.yml

@@ -1,109 +0,0 @@
-name: test installer.sh
-
-on:
-  push:
-    branches:
-      - "main"
-    paths:
-      - scripts/installer.sh
-  pull_request:
-    branches:
-      - "*"
-    paths:
-      - scripts/installer.sh
-
-jobs:
-  test:
-    strategy:
-      # Don't abort the entire matrix if one element fails.
-      fail-fast: false
-      # Don't start all of these at once, which could saturate Github workers.
-      max-parallel: 4
-      matrix:
-        image:
-          # This is a list of Docker images against which we test our installer.
-          # If you find that some of these no longer exist, please feel free
-          # to remove them from the list.
-          # When adding new images, please only use official ones.
-          - "debian:oldstable-slim"
-          - "debian:stable-slim"
-          - "debian:testing-slim"
-          - "debian:sid-slim"
-          - "ubuntu:18.04"
-          - "ubuntu:20.04"
-          - "ubuntu:22.04"
-          - "ubuntu:23.04"
-          - "elementary/docker:stable"
-          - "elementary/docker:unstable"
-          - "parrotsec/core:lts-amd64"
-          - "parrotsec/core:latest"
-          - "kalilinux/kali-rolling"
-          - "kalilinux/kali-dev"
-          - "oraclelinux:9"
-          - "oraclelinux:8"
-          - "fedora:latest"
-          - "rockylinux:8.7"
-          - "rockylinux:9"
-          - "amazonlinux:latest"
-          - "opensuse/leap:latest"
-          - "opensuse/tumbleweed:latest"
-          - "archlinux:latest"
-          - "alpine:3.14"
-          - "alpine:latest"
-          - "alpine:edge"
-        deps:
-          # Run all images installing curl as a dependency.
-          - curl
-        include:
-          # Check a few images with wget rather than curl.
-          - { image: "debian:oldstable-slim", deps: "wget" }
-          - { image: "debian:sid-slim", deps: "wget" }
-          - { image: "ubuntu:23.04", deps: "wget" }
-          # Ubuntu 16.04 also needs apt-transport-https installed.
-          - { image: "ubuntu:16.04", deps: "curl apt-transport-https" }
-          - { image: "ubuntu:16.04", deps: "wget apt-transport-https" }
-    runs-on: ubuntu-latest
-    container:
-      image: ${{ matrix.image }}
-      options: --user root
-    steps:
-    - name: install dependencies (pacman)
-      # Refresh the package databases to ensure that the tailscale package is
-      # defined.
-      run: pacman -Sy
-      if: contains(matrix.image, 'archlinux')
-    - name: install dependencies (yum)
-      # tar and gzip are needed by the actions/checkout below.
-      run: yum install -y --allowerasing tar gzip ${{ matrix.deps }}
-      if: |
-        contains(matrix.image, 'centos')
-        || contains(matrix.image, 'oraclelinux')
-        || contains(matrix.image, 'fedora')
-        || contains(matrix.image, 'amazonlinux')
-    - name: install dependencies (zypper)
-      # tar and gzip are needed by the actions/checkout below.
-      run: zypper --non-interactive install tar gzip ${{ matrix.deps }}
-      if: contains(matrix.image, 'opensuse')
-    - name: install dependencies (apt-get)
-      run: |
-        apt-get update
-        apt-get install -y ${{ matrix.deps }}
-      if: |
-        contains(matrix.image, 'debian')
-        || contains(matrix.image, 'ubuntu')
-        || contains(matrix.image, 'elementary')
-        || contains(matrix.image, 'parrotsec')
-        || contains(matrix.image, 'kalilinux')
-    - name: checkout
-      # We cannot use v4, as it requires a newer glibc version than some of the
-      # tested images provide. See
-      # https://github.com/actions/checkout/issues/1487
-      uses: actions/checkout@v3
-    - name: run installer
-      run: scripts/installer.sh
-      # Package installation can fail in docker because systemd is not running
-      # as PID 1, so ignore errors at this step. The real check is the
-      # `tailscale --version` command below.
-      continue-on-error: true
-    - name: check tailscale version
-      run: tailscale --version

.github/workflows/kubemanifests.yaml

@@ -1,31 +0,0 @@
-name: "Kubernetes manifests"
-on:
-  pull_request:
-   paths: 
-   - 'cmd/k8s-operator/**'
-   - 'k8s-operator/**'
-   - '.github/workflows/kubemanifests.yaml'
-
-# Cancel workflow run if there is a newer push to the same PR for which it is
-# running
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  testchart:
-    runs-on: [ ubuntu-latest ]
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v4
-    - name: Build and lint Helm chart
-      run: |
-        eval `./tool/go run ./cmd/mkversion`
-        ./tool/helm package --app-version="${VERSION_SHORT}" --version=${VERSION_SHORT} './cmd/k8s-operator/deploy/chart'
-        ./tool/helm lint "tailscale-operator-${VERSION_SHORT}.tgz"
-    - name: Verify that static manifests are up to date
-      run: |
-        make kube-generate-all
-        echo
-        echo
-        git diff --name-only --exit-code || (echo "Generated files for Tailscale Kubernetes operator are out of date. Please run 'make kube-generate-all' and commit the diff."; exit 1)

.github/workflows/license.yml

@@ -0,0 +1,40 @@
+name: license
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.16
+
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: Run license checker
+      run: ./scripts/check_license_headers.sh .
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/linux.yml

@@ -0,0 +1,48 @@
+name: Linux
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.16
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: Basic build
+      run: go build ./cmd/...
+
+    - name: Run tests on linux
+      run: go test ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+

.github/workflows/linux32.yml

@@ -0,0 +1,48 @@
+name: Linux 32-bit
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.16
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: Basic build
+      run: GOARCH=386 go build ./cmd/...
+
+    - name: Run tests on linux
+      run: GOARCH=386 go test ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+

.github/workflows/ssh-integrationtest.yml

@@ -1,23 +0,0 @@
-# Run the ssh integration tests with `make sshintegrationtest`.
-# These tests can also be running locally.
-name: "ssh-integrationtest"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-on:
-  pull_request:
-    paths:
-      - "ssh/**"
-      - "tempfork/gliderlabs/ssh/**"
-      - ".github/workflows/ssh-integrationtest"
-jobs:
-  ssh-integrationtest:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Run SSH integration tests
-        run: |
-          make sshintegrationtest

.github/workflows/staticcheck.yml

@@ -0,0 +1,46 @@
+name: staticcheck
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.16
+
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: Run go vet
+      run: go vet ./...
+
+    - name: Print staticcheck version
+      run: go run honnef.co/go/tools/cmd/staticcheck -version
+
+    - name: Run staticcheck
+      run: "go run honnef.co/go/tools/cmd/staticcheck -- $(go list ./... | grep -v tempfork)"
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/test.yml

@@ -1,601 +0,0 @@
-# This is our main "CI tests" workflow. It runs everything that should run on
-# both PRs and merged commits, and for the latter reports failures to slack.
-name: CI
-
-env:
-  # Our fuzz job, powered by OSS-Fuzz, fails periodically because we upgrade to
-  # new Go versions very eagerly. OSS-Fuzz is a little more conservative, and
-  # ends up being unable to compile our code.
-  #
-  # When this happens, we want to disable the fuzz target until OSS-Fuzz catches
-  # up. However, we also don't want to forget to turn it back on when OSS-Fuzz
-  # can once again build our code.
-  #
-  # This variable toggles the fuzz job between two modes:
-  #  - false: we expect fuzzing to be happy, and should report failure if it's not.
-  #  - true: we expect fuzzing is broken, and should report failure if it start working.
-  TS_FUZZ_CURRENTLY_BROKEN: false
-
-on:
-  push:
-    branches:
-      - "main"
-      - "release-branch/*"
-  pull_request:
-    # all PRs on all branches
-  merge_group:
-    branches:
-      - "main"
-
-concurrency:
-  # For PRs, later CI runs preempt previous ones. e.g. a force push on a PR
-  # cancels running CI jobs and starts all new ones.
-  #
-  # For non-PR pushes, concurrency.group needs to be unique for every distinct
-  # CI run we want to have happen. Use run_id, which in practice means all
-  # non-PR CI runs will be allowed to run without preempting each other.
-  group: ${{ github.workflow }}-$${{ github.pull_request.number || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  race-root-integration:
-    runs-on: ubuntu-22.04
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          - shard: '1/4'
-          - shard: '2/4'
-          - shard: '3/4'
-          - shard: '4/4'
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: build test wrapper
-      run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
-    - name: integration tests as root
-      run: PATH=$PWD/tool:$PATH /tmp/testwrapper -exec "sudo -E" -race ./tstest/integration/
-      env:
-        TS_TEST_SHARD: ${{ matrix.shard }}
-
-  test:
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          - goarch: amd64
-            coverflags: "-coverprofile=/tmp/coverage.out"
-          - goarch: amd64
-            buildflags: "-race"
-            shard: '1/3'
-          - goarch: amd64
-            buildflags: "-race"
-            shard: '2/3'
-          - goarch: amd64
-            buildflags: "-race"
-            shard: '3/3'
-          - goarch: "386" # thanks yaml
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-
-    - name: build all
-      if: matrix.buildflags == '' # skip on race builder
-      run: ./tool/go build ${{matrix.buildflags}} ./...
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: build variant CLIs
-      if: matrix.buildflags == '' # skip on race builder
-      run: |
-        export TS_USE_TOOLCHAIN=1
-        ./build_dist.sh --extra-small ./cmd/tailscaled
-        ./build_dist.sh --box ./cmd/tailscaled
-        ./build_dist.sh --extra-small --box ./cmd/tailscaled
-        rm -f tailscaled
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: get qemu # for tstest/archtest
-      if: matrix.goarch == 'amd64' && matrix.buildflags == ''
-      run: |
-        sudo apt-get -y update
-        sudo apt-get -y install qemu-user
-    - name: build test wrapper
-      run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
-    - name: test all
-      run: NOBASHDEBUG=true PATH=$PWD/tool:$PATH /tmp/testwrapper ${{matrix.coverflags}} ./... ${{matrix.buildflags}}
-      env:
-        GOARCH: ${{ matrix.goarch }}
-        TS_TEST_SHARD: ${{ matrix.shard }}
-    - name: Publish to coveralls.io
-      if: matrix.coverflags != '' # only publish results if we've tracked coverage
-      uses: shogo82148/actions-goveralls@v1
-      with:
-        path-to-profile: /tmp/coverage.out
-    - name: bench all
-      run: ./tool/go test ${{matrix.buildflags}} -bench=. -benchtime=1x -run=^$ $(for x in $(git grep -l "^func Benchmark" | xargs dirname | sort | uniq); do echo "./$x"; done)
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: check that no tracked files changed
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-    - name: check that no new files were added
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
-
-  windows:
-    runs-on: windows-2022
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-
-    - name: Install Go
-      uses: actions/setup-go@v4
-      with:
-        go-version-file: go.mod
-        cache: false
-
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-go-2-
-    - name: test
-      run: go run ./cmd/testwrapper ./...
-    - name: bench all
-      # Don't use -bench=. -benchtime=1x.
-      # Somewhere in the layers (powershell?)
-      # the equals signs cause great confusion.
-      run: go test ./... -bench . -benchtime 1x -run "^$"
-
-  privileged:
-    runs-on: ubuntu-22.04
-    container:
-      image: golang:latest
-      options: --privileged
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: chown
-      run: chown -R $(id -u):$(id -g) $PWD
-    - name: privileged tests
-      run: ./tool/go test ./util/linuxfw ./derp/xdp
-
-  vm:
-    runs-on: ["self-hosted", "linux", "vm"]
-    # VM tests run with some privileges, don't let them run on 3p PRs.
-    if: github.repository == 'tailscale/tailscale'
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: Run VM tests
-      run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
-      env:
-        HOME: "/var/lib/ghrunner/home"
-        TMPDIR: "/tmp"
-        XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
-
-  race-build:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: build all
-      run: ./tool/go install -race ./cmd/...
-    - name: build tests
-      run: ./tool/go test -race -exec=true ./...
-
-  cross: # cross-compile checks, build only.
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          # Note: linux/amd64 is not in this matrix, because that goos/goarch is
-          # tested more exhaustively in the 'test' job above.
-          - goos: linux
-            goarch: arm64
-          - goos: linux
-            goarch: "386" # thanks yaml
-          - goos: linux
-            goarch: loong64
-          - goos: linux
-            goarch: arm
-            goarm: "5"
-          - goos: linux
-            goarch: arm
-            goarm: "7"
-          # macOS
-          - goos: darwin
-            goarch: amd64
-          - goos: darwin
-            goarch: arm64
-          # Windows
-          - goos: windows
-            goarch: amd64
-          - goos: windows
-            goarch: arm64
-          # BSDs
-          - goos: freebsd
-            goarch: amd64
-          - goos: openbsd
-            goarch: amd64
-
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-
-    - name: build all
-      run: ./tool/go build ./cmd/...
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-        GOARM: ${{ matrix.goarm }}
-        CGO_ENABLED: "0"
-    - name: build tests
-      run: ./tool/go test -exec=true ./...
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-        CGO_ENABLED: "0"
-
-  ios: # similar to cross above, but iOS can't build most of the repo. So, just
-       #make it build a few smoke packages.
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: build some
-      run: ./tool/go build ./ipn/... ./wgengine/ ./types/... ./control/controlclient
-      env:
-        GOOS: ios
-        GOARCH: arm64
-
-  crossmin: # cross-compile for platforms where we only check cmd/tailscale{,d}
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          # Plan9
-          - goos: plan9
-            goarch: amd64
-          # AIX
-          - goos: aix
-            goarch: ppc64
-
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-
-    - name: build core
-      run: ./tool/go build ./cmd/tailscale ./cmd/tailscaled
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-        GOARM: ${{ matrix.goarm }}
-        CGO_ENABLED: "0"
-
-  android:
-    # similar to cross above, but android fails to build a few pieces of the
-    # repo. We should fix those pieces, they're small, but as a stepping stone,
-    # only test the subset of android that our past smoke test checked.
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
-      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
-      # some Android breakages early.
-      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
-    - name: build some
-      run: ./tool/go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/netmon ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
-      env:
-        GOOS: android
-        GOARCH: arm64
-
-  wasm: # builds tsconnect, which is the only wasm build we support
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-go-2-
-    - name: build tsconnect client
-      run: ./tool/go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
-      env:
-        GOOS: js
-        GOARCH: wasm
-    - name: build tsconnect server
-      # Note, no GOOS/GOARCH in env on this build step, we're running a build
-      # tool that handles the build itself.
-      run: |
-        ./tool/go run ./cmd/tsconnect --fast-compression build
-        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
-
-  tailscale_go: # Subset of tests that depend on our custom Go toolchain.
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: test tailscale_go
-      run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/...
-
-
-  fuzz:
-    # This target periodically breaks (see TS_FUZZ_CURRENTLY_BROKEN at the top
-    # of the file), so it's more complex than usual: the 'build fuzzers' step
-    # might fail, and depending on the value of 'TS_FUZZ_CURRENTLY_BROKEN', that
-    # might or might not be fine. The steps after the build figure out whether
-    # the success/failure is expected, and appropriately pass/fail the job
-    # overall accordingly.
-    #
-    # Practically, this means that all steps after 'build fuzzers' must have an
-    # explicit 'if' condition, because the default condition for steps is
-    # 'success()', meaning "only run this if no previous steps failed".
-    if: github.event_name == 'pull_request'
-    runs-on: ubuntu-22.04
-    steps:
-    - name: build fuzzers
-      id: build
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
-      # continue-on-error makes steps.build.conclusion be 'success' even if
-      # steps.build.outcome is 'failure'. This means this step does not
-      # contribute to the job's overall pass/fail evaluation.
-      continue-on-error: true
-      with:
-       oss-fuzz-project-name: 'tailscale'
-       dry-run: false
-       language: go
-    - name: report unexpectedly broken fuzz build
-      if: steps.build.outcome == 'failure' && env.TS_FUZZ_CURRENTLY_BROKEN != 'true'
-      run: |
-        echo "fuzzer build failed, see above for why"
-        echo "if the failure is due to OSS-Fuzz not being on the latest Go yet,"
-        echo "set TS_FUZZ_CURRENTLY_BROKEN=true in .github/workflows/test.yml"
-        echo "to temporarily disable fuzzing until OSS-Fuzz works again."
-        exit 1
-    - name: report unexpectedly working fuzz build
-      if: steps.build.outcome == 'success' && env.TS_FUZZ_CURRENTLY_BROKEN == 'true'
-      run: |
-        echo "fuzzer build succeeded, but we expect it to be broken"
-        echo "please set TS_FUZZ_CURRENTLY_BROKEN=false in .github/workflows/test.yml"
-        echo "to reenable fuzz testing"
-        exit 1
-    - name: run fuzzers
-      id: run
-      # Run the fuzzers whenever they're able to build, even if we're going to
-      # report a failure because TS_FUZZ_CURRENTLY_BROKEN is set to the wrong
-      # value.
-      if: steps.build.outcome == 'success'
-      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'tailscale'
-        fuzz-seconds: 300
-        dry-run: false
-        language: go
-    - name: upload crash
-      uses: actions/upload-artifact@v3
-      if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
-      with:
-        name: artifacts
-        path: ./out/artifacts
-
-  depaware:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: check depaware
-      run: |
-        export PATH=$(./tool/go env GOROOT)/bin:$PATH
-        find . -name 'depaware.txt' | xargs -n1 dirname | xargs ./tool/go run github.com/tailscale/depaware --check
-
-  go_generate:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: check that 'go generate' is clean
-      run: |
-        pkgs=$(./tool/go list ./... | grep -Ev 'dnsfallback|k8s-operator|xdp')
-        ./tool/go generate $pkgs
-        echo
-        echo
-        git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)
-
-  go_mod_tidy:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: check that 'go mod tidy' is clean
-      run: |
-        ./tool/go mod tidy
-        echo
-        echo
-        git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)
-
-  licenses:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: check licenses
-      run: ./scripts/check_license_headers.sh .
-
-  staticcheck:
-    runs-on: ubuntu-22.04
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        goos: ["linux", "windows", "darwin"]
-        goarch: ["amd64"]
-        include:
-          - goos: "windows"
-            goarch: "386"
-    steps:
-    - name: checkout
-      uses: actions/checkout@v4
-    - name: install staticcheck
-      run: GOBIN=~/.local/bin ./tool/go install honnef.co/go/tools/cmd/staticcheck
-    - name: run staticcheck
-      run: |
-        export GOROOT=$(./tool/go env GOROOT)
-        export PATH=$GOROOT/bin:$PATH
-        staticcheck -- $(./tool/go list ./... | grep -v tempfork)
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-
-  notify_slack:
-    if: always()
-    # Any of these jobs failing causes a slack notification.
-    needs: 
-      - android
-      - test
-      - windows
-      - vm
-      - cross
-      - ios
-      - wasm
-      - tailscale_go
-      - fuzz
-      - depaware
-      - go_generate
-      - go_mod_tidy
-      - licenses
-      - staticcheck
-    runs-on: ubuntu-22.04
-    steps:
-    - name: notify  
-      # Only notify slack for merged commits, not PR failures.
-      #
-      # It may be tempting to move this condition into the job's 'if' block, but
-      # don't: Github only collapses the test list into "everything is OK" if
-      # all jobs succeeded. A skipped job results in the list staying expanded.
-      # By having the job always run, but skipping its only step as needed, we
-      # let the CI output collapse nicely in PRs.
-      if: failure() && github.event_name == 'push'
-      uses: ruby/action-slack@v3.2.1
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "title": "Failure: ${{ github.workflow }}",
-              "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",         
-              "text": "${{ github.repository }}@${{ github.ref_name }}: <https://github.com/${{ github.repository }}/commit/${{ github.sha }}|${{ github.sha }}>",
-              "fields": [{ "value": ${{ toJson(github.event.head_commit.message) }}, "short": false }],
-              "footer": "${{ github.event.head_commit.committer.name }} at ${{ github.event.head_commit.timestamp }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-
-  check_mergeability:
-    if: always()
-    runs-on: ubuntu-22.04
-    needs:
-      - android
-      - test
-      - windows
-      - vm
-      - cross
-      - ios
-      - wasm
-      - tailscale_go
-      - fuzz
-      - depaware
-      - go_generate
-      - go_mod_tidy
-      - licenses
-      - staticcheck
-    steps:
-    - name: Decide if change is okay to merge
-      if: github.event_name != 'push'
-      uses: re-actors/alls-green@release/v1
-      with:
-        jobs: ${{ toJSON(needs) }}

.github/workflows/update-flake.yml

@@ -1,49 +0,0 @@
-name: update-flake
-
-on:
-  # run action when a change lands in the main branch which updates go.mod. Also
-  # allow manual triggering.
-  push:
-    branches:
-      - main
-    paths:
-      - go.mod
-      - .github/workflows/update-flakes.yml
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  update-flake:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-
-      - name: Run update-flakes
-        run: ./update-flake.sh
-
-      - name: Get access token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
-        id: generate-token
-        with:
-          app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
-          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
-
-      - name: Send pull request
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          author: Flakes Updater <noreply+flakes-updater@tailscale.com>
-          committer: Flakes Updater <noreply+flakes-updater@tailscale.com>
-          branch: flakes
-          commit-message: "go.mod.sri: update SRI hash for go.mod changes"
-          title: "go.mod.sri: update SRI hash for go.mod changes"
-          body: Triggered by ${{ github.repository }}@${{ github.sha }}
-          signoff: true
-          delete-branch: true
-          reviewers: danderson

.github/workflows/update-webclient-prebuilt.yml

@@ -1,52 +0,0 @@
-name: update-webclient-prebuilt
-
-on:
-  # manually triggered
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  update-webclient-prebuilt:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-
-      - name: Run go get
-        run: |
-          ./tool/go version # build gocross if needed using regular GOPROXY
-          GOPROXY=direct ./tool/go get github.com/tailscale/web-client-prebuilt
-          ./tool/go mod tidy
-
-      - name: Get access token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
-        id: generate-token
-        with:
-          # TODO(will): this should use the code updater app rather than licensing.
-          # It has the same permissions, so not a big deal, but still.
-          app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
-          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
-
-      - name: Send pull request
-        id: pull-request
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          author: OSS Updater <noreply+oss-updater@tailscale.com>
-          committer: OSS Updater <noreply+oss-updater@tailscale.com>
-          branch: actions/update-webclient-prebuilt
-          commit-message: "go.mod: update web-client-prebuilt module"
-          title: "go.mod: update web-client-prebuilt module"
-          body: Triggered by ${{ github.repository }}@${{ github.sha }}
-          signoff: true
-          delete-branch: true
-          reviewers: ${{ github.triggering_actor }}
-
-      - name: Summary
-        if: ${{ steps.pull-request.outputs.pull-request-number }}
-        run: echo "${{ steps.pull-request.outputs.pull-request-operation}} ${{ steps.pull-request.outputs.pull-request-url }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/webclient.yml

@@ -1,40 +0,0 @@
-name: webclient
-on:
-  workflow_dispatch:
-  # For now, only run on requests, not the main branches.
-  pull_request:
-    branches:
-      - "*"
-    paths:
-      - "client/web/**"
-      - ".github/workflows/webclient.yml"
-      - "!**.md"
-  # TODO(soniaappasamy): enable for main branch after an initial waiting period.
-  #push:
-  #  branches:
-  #    - main
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  webclient:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Install deps
-        run: ./tool/yarn --cwd client/web
-      - name: Run lint
-        run: ./tool/yarn --cwd client/web run --silent lint
-      - name: Run test
-        run: ./tool/yarn --cwd client/web run --silent test
-      - name: Run formatter check
-        run: |
-          ./tool/yarn --cwd client/web run --silent format-check || ( \
-            echo "Run this command on your local device to fix the error:" && \
-            echo "" && \
-            echo "  ./tool/yarn --cwd client/web format" && \
-            echo "" && exit 1)

.github/workflows/windows.yml

@@ -0,0 +1,52 @@
+name: Windows
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  test:
+    runs-on: windows-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.16.x
+
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Restore Cache
+      uses: actions/cache@v2
+      with:
+        path: ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+
+    - name: Test
+      run: go test ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+

.gitignore

@@ -5,11 +5,9 @@
 *.dll
 *.so
 *.dylib
-*.spk
 
 cmd/tailscale/tailscale
 cmd/tailscaled/tailscaled
-ssh/tailssh/testcontainers/tailscaled
 
 # Test binary, built with `go test -c`
 *.test
@@ -23,23 +21,3 @@ ssh/tailssh/testcontainers/tailscaled
 # direnv config, this may be different for other people so it's probably safer
 # to make this nonspecific.
 .envrc
-
-# Ignore personal VS Code settings
-.vscode/
-
-# Support personal project-specific GOPATH
-.gopath/
-
-# Ignore nix build result path
-/result
-
-# Ignore direnv nix-shell environment cache
-.direnv/
-
-# Ignore web client node modules
-.vite/
-client/web/node_modules
-client/web/build/assets
-
-/gocross
-/dist

.golangci.yml

@@ -1,104 +0,0 @@
-linters:
-  # Don't enable any linters by default; just the ones that we explicitly
-  # enable in the list below.
-  disable-all: true
-  enable:
-    - bidichk
-    - gofmt
-    - goimports
-    - govet
-    - misspell
-    - revive
-
-# Configuration for how we run golangci-lint
-run:
-  timeout: 5m
-
-issues:
-  # Excluding configuration per-path, per-linter, per-text and per-source
-  exclude-rules:
-    # These are forks of an upstream package and thus are exempt from stylistic
-    # changes that would make pulling in upstream changes harder.
-    - path: tempfork/.*\.go
-      text: "File is not `gofmt`-ed with `-s` `-r 'interface{} -> any'`"
-    - path: util/singleflight/.*\.go
-      text: "File is not `gofmt`-ed with `-s` `-r 'interface{} -> any'`"
-
-# Per-linter settings are contained in this top-level key
-linters-settings:
-  # Enable all rules by default; we don't use invisible unicode runes.
-  bidichk:
-
-  gofmt:
-    rewrite-rules:
-      - pattern: 'interface{}'
-        replacement: 'any'
-
-  goimports:
-
-  govet:
-    # Matches what we use in corp as of 2023-12-07
-    enable:
-      - asmdecl
-      - assign
-      - atomic
-      - bools
-      - buildtag
-      - cgocall
-      - copylocks
-      - deepequalerrors
-      - errorsas
-      - framepointer
-      - httpresponse
-      - ifaceassert
-      - loopclosure
-      - lostcancel
-      - nilfunc
-      - nilness
-      - printf
-      - reflectvaluecompare
-      - shift
-      - sigchanyzer
-      - sortslice
-      - stdmethods
-      - stringintconv
-      - structtag
-      - testinggoroutine
-      - tests
-      - unmarshal
-      - unreachable
-      - unsafeptr
-      - unusedresult
-    settings:
-      printf:
-        # List of print function names to check (in addition to default)
-        funcs:
-          - github.com/tailscale/tailscale/types/logger.Discard
-          # NOTE(andrew-d): this doesn't currently work because the printf
-          # analyzer doesn't support type declarations
-          #- github.com/tailscale/tailscale/types/logger.Logf
-
-  misspell:
-
-  revive:
-    enable-all-rules: false
-    ignore-generated-header: true
-    rules:
-      - name: atomic
-      - name: context-keys-type
-      - name: defer
-        arguments: [[
-          # Calling 'recover' at the time a defer is registered (i.e. "defer recover()") has no effect.
-          "immediate-recover",
-          # Calling 'recover' outside of a deferred function has no effect
-          "recover",
-          # Returning values from a deferred function has no effect
-          "return",
-        ]]
-      - name: duplicated-imports
-      - name: errorf
-      - name: string-of-int
-      - name: time-equal
-      - name: unconditional-recursion
-      - name: useless-break
-      - name: waitgroup-by-value

ALPINE.txt

@@ -1 +0,0 @@
-3.18

CODEOWNERS

@@ -1 +0,0 @@
-/tailcfg/ @tailscale/control-protocol-owners

Dockerfile

@@ -1,22 +1,33 @@
-# Copyright (c) Tailscale Inc & AUTHORS
-# SPDX-License-Identifier: BSD-3-Clause
+# Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
 
-# Note that this Dockerfile is currently NOT used to build any of the published
-# Tailscale container images and may have drifted from the image build mechanism
-# we use.
-# Tailscale images are currently built using https://github.com/tailscale/mkctr,
-# and the build script can be found in ./build_docker.sh.
+############################################################################
 #
+# WARNING: Tailscale is not yet officially supported in Docker,
+# Kubernetes, etc.
 #
+# It might work, but we don't regularly test it, and it's not as polished as
+# our currently supported platforms. This is provided for people who know
+# how Tailscale works and what they're doing.
+#
+# Our tracking bug for officially support container use cases is:
+#    https://github.com/tailscale/tailscale/issues/504
+#
+# Also, see the various bugs tagged "containers":
+#    https://github.com/tailscale/tailscale/labels/containers
+#
+############################################################################
+
 # This Dockerfile includes all the tailscale binaries.
 #
 # To build the Dockerfile:
 #
-#     $ docker build -t tailscale/tailscale .
+#     $ docker build -t tailscale:tailscale .
 #
 # To run the tailscaled agent:
 #
-#     $ docker run -d --name=tailscaled -v /var/lib:/var/lib -v /dev/net/tun:/dev/net/tun --network=host --privileged tailscale/tailscale tailscaled
+#     $ docker run -d --name=tailscaled -v /var/lib:/var/lib -v /dev/net/tun:/dev/net/tun --network=host --privileged tailscale:tailscale tailscaled
 #
 # To then log in:
 #
@@ -27,45 +38,22 @@
 #     $ docker exec tailscaled tailscale status
 
 
-FROM golang:1.22-alpine AS build-env
+FROM golang:1.16-alpine AS build-env
 
 WORKDIR /go/src/tailscale
 
-COPY go.mod go.sum ./
+COPY go.mod .
+COPY go.sum .
 RUN go mod download
 
-# Pre-build some stuff before the following COPY line invalidates the Docker cache.
-RUN go install \
-    github.com/aws/aws-sdk-go-v2/aws \
-    github.com/aws/aws-sdk-go-v2/config \
-    gvisor.dev/gvisor/pkg/tcpip/adapters/gonet \
-    gvisor.dev/gvisor/pkg/tcpip/stack \
-    golang.org/x/crypto/ssh \
-    golang.org/x/crypto/acme \
-    nhooyr.io/websocket \
-    github.com/mdlayher/netlink
-
 COPY . .
 
 # see build_docker.sh
-ARG VERSION_LONG=""
-ENV VERSION_LONG=$VERSION_LONG
-ARG VERSION_SHORT=""
-ENV VERSION_SHORT=$VERSION_SHORT
-ARG VERSION_GIT_HASH=""
-ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
-ARG TARGETARCH
+ARG goflags_arg=""
+ENV GOFLAGS=$goflags_arg
 
-RUN GOARCH=$TARGETARCH go install -ldflags="\
-      -X tailscale.com/version.longStamp=$VERSION_LONG \
-      -X tailscale.com/version.shortStamp=$VERSION_SHORT \
-      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
-      -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot
-
-FROM alpine:3.18
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+RUN go install -v ./cmd/...
 
+FROM alpine:3.11
+RUN apk add --no-cache ca-certificates iptables iproute2
 COPY --from=build-env /go/bin/* /usr/local/bin/
-# For compat with the previous run.sh, although ideally you should be
-# using build_docker.sh which sets an entrypoint for the image.
-RUN mkdir /tailscale && ln -s /usr/local/bin/containerboot /tailscale/run.sh

Dockerfile.base

@@ -1,5 +0,0 @@
-# Copyright (c) Tailscale Inc & AUTHORS
-# SPDX-License-Identifier: BSD-3-Clause
-
-FROM alpine:3.18
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils

LICENSE

@@ -1,6 +1,7 @@
 BSD 3-Clause License
 
-Copyright (c) 2020 Tailscale Inc & AUTHORS.
+Copyright (c) 2020 Tailscale & AUTHORS.
+All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:

Makefile

@@ -1,128 +1,18 @@
-IMAGE_REPO ?= tailscale/tailscale
-SYNO_ARCH ?= "x86_64"
-SYNO_DSM ?= "7"
-TAGS ?= "latest"
+usage:
+	echo "See Makefile"
 
-PLATFORM ?= "flyio" ## flyio==linux/amd64. Set to "" to build all platforms.
+vet:
+	go vet ./...
 
-vet: ## Run go vet
-	./tool/go vet ./...
+updatedeps:
+	go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled
+	go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscale
 
-tidy: ## Run go mod tidy
-	./tool/go mod tidy
+depaware:
+	go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+	go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
 
-lint: ## Run golangci-lint
-	./tool/go run github.com/golangci/golangci-lint/cmd/golangci-lint run
+check: staticcheck vet depaware
 
-updatedeps: ## Update depaware deps
-	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
-	# it finds in its $$PATH is the right one.
-	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update \
-		tailscale.com/cmd/tailscaled \
-		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper \
-		tailscale.com/cmd/k8s-operator \
-		tailscale.com/cmd/stund
-
-depaware: ## Run depaware checks
-	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
-	# it finds in its $$PATH is the right one.
-	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check \
-		tailscale.com/cmd/tailscaled \
-		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper \
-		tailscale.com/cmd/k8s-operator \
-		tailscale.com/cmd/stund
-
-buildwindows: ## Build tailscale CLI for windows/amd64
-	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-build386: ## Build tailscale CLI for linux/386
-	GOOS=linux GOARCH=386 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-buildlinuxarm: ## Build tailscale CLI for linux/arm
-	GOOS=linux GOARCH=arm ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-buildwasm: ## Build tailscale CLI for js/wasm
-	GOOS=js GOARCH=wasm ./tool/go install ./cmd/tsconnect/wasm ./cmd/tailscale/cli
-
-buildplan9:
-	GOOS=plan9 GOARCH=amd64 ./tool/go install ./cmd/tailscale ./cmd/tailscaled
-
-buildlinuxloong64: ## Build tailscale CLI for linux/loong64
-	GOOS=linux GOARCH=loong64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-buildmultiarchimage: ## Build (and optionally push) multiarch docker image
-	./build_docker.sh
-
-check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm ## Perform basic checks and compilation tests
-
-staticcheck: ## Run staticcheck.io checks
-	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)
-
-kube-generate-all: kube-generate-deepcopy ## Refresh generated files for Tailscale Kubernetes Operator
-	./tool/go generate ./cmd/k8s-operator
-
-# Tailscale operator watches Connector custom resources in a Kubernetes cluster
-# and caches them locally. Caching is done implicitly by controller-runtime
-# library (the middleware used by Tailscale operator to create kube control
-# loops). When a Connector resource is GET/LIST-ed from within our control loop,
-# the request goes through the cache. To ensure that cache contents don't get
-# modified by control loops, controller-runtime deep copies the requested
-# object. In order for this to work, Connector must implement deep copy
-# functionality so we autogenerate it here.
-# https://github.com/kubernetes-sigs/controller-runtime/blob/v0.16.3/pkg/cache/internal/cache_reader.go#L86-L89
-kube-generate-deepcopy: ## Refresh generated deepcopy functionality for Tailscale kube API types
-	./scripts/kube-deepcopy.sh
-
-spk: ## Build synology package for ${SYNO_ARCH} architecture and ${SYNO_DSM} DSM version
-	./tool/go run ./cmd/dist build synology/dsm${SYNO_DSM}/${SYNO_ARCH}
-
-spkall: ## Build synology packages for all architectures and DSM versions
-	./tool/go run ./cmd/dist build synology
-
-pushspk: spk ## Push and install synology package on ${SYNO_HOST} host
-	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."
-	scp tailscale.spk root@${SYNO_HOST}:
-	ssh root@${SYNO_HOST} /usr/syno/bin/synopkg install tailscale.spk
-
-publishdevimage: ## Build and publish tailscale image to location specified by ${REPO}
-	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=client ./build_docker.sh
-
-publishdevoperator: ## Build and publish k8s-operator image to location specified by ${REPO}
-	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=operator ./build_docker.sh
-
-publishdevnameserver: ## Build and publish k8s-nameserver image to location specified by ${REPO}
-	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/k8s-nameserver" || (echo "REPO=... must not be tailscale/k8s-nameserver" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/k8s-nameserver" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-nameserver" && exit 1)
-	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=k8s-nameserver ./build_docker.sh
-
-.PHONY: sshintegrationtest
-sshintegrationtest: ## Run the SSH integration tests in various Docker containers
-	@GOOS=linux GOARCH=amd64 ./tool/go test -tags integrationtest -c ./ssh/tailssh -o ssh/tailssh/testcontainers/tailssh.test && \
-	GOOS=linux GOARCH=amd64 ./tool/go build -o ssh/tailssh/testcontainers/tailscaled ./cmd/tailscaled && \
-	echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \
-	echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers
-
-help: ## Show this help
-	@echo "\nSpecify a command. The choices are:\n"
-	@grep -hE '^[0-9a-zA-Z_-]+:.*?## .*$$' ${MAKEFILE_LIST} | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[0;36m%-20s\033[m %s\n", $$1, $$2}'
-	@echo ""
-.PHONY: help
-
-.DEFAULT_GOAL := help
+staticcheck:
+	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)

README.md

@@ -6,41 +6,26 @@ Private WireGuard® networks made easy
 
 ## Overview
 
-This repository contains the majority of Tailscale's open source code.
-Notably, it includes the `tailscaled` daemon and
-the `tailscale` CLI tool. The `tailscaled` daemon runs on Linux, Windows,
-[macOS](https://tailscale.com/kb/1065/macos-variants/), and to varying degrees
-on FreeBSD and OpenBSD. The Tailscale iOS and Android apps use this repo's
-code, but this repo doesn't contain the mobile GUI code.
+This repository contains all the open source Tailscale client code and
+the `tailscaled` daemon and `tailscale` CLI tool. The `tailscaled`
+daemon runs primarily on Linux; it also works to varying degrees on
+FreeBSD, OpenBSD, Darwin, and Windows.
 
-Other [Tailscale repos](https://github.com/orgs/tailscale/repositories) of note:
-
-* the Android app is at https://github.com/tailscale/tailscale-android
-* the Synology package is at https://github.com/tailscale/tailscale-synology
-* the QNAP package is at https://github.com/tailscale/tailscale-qpkg
-* the Chocolatey packaging is at https://github.com/tailscale/tailscale-chocolatey
-
-For background on which parts of Tailscale are open source and why,
-see [https://tailscale.com/opensource/](https://tailscale.com/opensource/).
+The Android app is at https://github.com/tailscale/tailscale-android
 
 ## Using
 
-We serve packages for a variety of distros and platforms at
-[https://pkgs.tailscale.com](https://pkgs.tailscale.com/).
+We serve packages for a variety of distros at
+https://pkgs.tailscale.com .
 
 ## Other clients
 
 The [macOS, iOS, and Windows clients](https://tailscale.com/download)
 use the code in this repository but additionally include small GUI
-wrappers. The GUI wrappers on non-open source platforms are themselves
-not open source.
+wrappers that are not open source.
 
 ## Building
 
-We always require the latest Go release, currently Go 1.22. (While we build
-releases with our [Go fork](https://github.com/tailscale/go/), its use is not
-required.)
-
 ```
 go install tailscale.com/cmd/tailscale{,d}
 ```
@@ -57,6 +42,11 @@ If your distro has conventions that preclude the use of
 `build_dist.sh`, please do the equivalent of what it does in your
 distro's way, so that bug reports contain useful version information.
 
+We only guarantee to support the latest Go release and any Go beta or
+release candidate builds (currently Go 1.16) in module mode. It might
+work in earlier Go versions or in GOPATH mode, but we're making no
+effort to keep those working.
+
 ## Bugs
 
 Please file any issues about this code or the hosted service on
@@ -71,9 +61,6 @@ We require [Developer Certificate of
 Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)
 `Signed-off-by` lines in commits.
 
-See `git log` for our commit message style. It's basically the same as
-[Go's style](https://github.com/golang/go/wiki/CommitMessage).
-
 ## About Us
 
 [Tailscale](https://tailscale.com/) is primarily developed by the

TODO

@@ -0,0 +1,35 @@
+TODO for Tailscale Mac Homebrew
+
+This is a grab bag of ideas, issues, tasks, bugs and upgrades.
+Ordered starting roughly with the most important or ideally next.
+Not rigorous. Not limited to it. Subjective. Revised as we go.
+-----------------------------------------------------------------
+
+( ) in formula set version tag value properly
+( ) in formula test block, assert versions reported by running installed tailscale{d} match expected
+( ) in formula after built or installed, calc "shasum -a256" of the tailscale{d} and print it. helpful for security conscious folks afterward to ensure the binaries have not changed when unexpected (since they provide a VPN and run as root)
+( ) for the tarball variants (most especially for tb-github), define the tarball's expected sha256 (the "want") in the proper way; dl-tarball-sha.sh uses only a placeholder technique for WIP
+( ) correct or suppress this (default and automatic?) message by brew during install, because sudo required:
+        To have launchd start tailscale now and restart at login:
+          brew services start tailscale
+( ) make scripts learn what tun value was picked by tailscaled (likely utun<NUM>)
+(X) added correct message via formula caveat:
+       To have launchd start tailscale now and restart at boot:
+            sudo brew services start tailscale
+( ) write/confirm test after reboot
+( ) README:  make it clear this is not an official/company Tailscale package
+( ) retest the tarball versions, make sure they work right; esp the version stuff
+( ) tailcfg Hostinfo.Package: control/controlclient/direct.go packageType(): either inject an ENVVAR, or have it decide by exe/path?
+( ) fix that 1.5-vs-1.4.4 FIXME bug in the "global, tb-github" test case in install* (after log msg "checking exe location and diffs...")
+( ) shrink the gap to ideal minimum (via refactors anywhere) between our formulae plists and Brad's daemon install plist, the latter being in: cmd/tailscaled/install_darwin.go
+( ) ideally eliminate all TODOs from formula and scripts and README; or, just remove/satisfy as many as you can soon in upcoming sessions
+( ) can pass extra args at brew install time, and inside your formula they are readable from ARGV.value. BEST/ONLY if they become stable/perm -- embedded in the installed-for-launchd-plist version
+( ) print log location by formula when brew installed (ideally also the state file, sock and utun); via caveats method?
+( ) discuss paths in README
+( ) document or automate-away the $PWD path assumption deviance issue in make-test-source-tarball.sh
+( ) stop script: TODO the installed plist is gone?
+( ) stop script: TODO wipeout brew git checkout cache and/or add test for with-vs-without
+( ) has the master-vs-main bug come back? since I twiddle the tag/branch/head stuff in formula to fix that other bug
+( ) add test variants for other brew tool versions?
+( ) in future: think about documenting the plist EnvironmentVariables key, as a way for user to set Tailscale-specific ENVVARS for tailscaled to read (like for debugging or testing)
+( ) in future: maybe maybe play with the plist's ProcessType key, as a way to tune cpu/io and battery use

VERSION.txt

@@ -1 +1 @@
-1.71.0
+1.5.0

api.md

@@ -1,104 +1,774 @@
-> [!IMPORTANT]
-> The Tailscale API documentation has moved to https://tailscale.com/api
-
 # Tailscale API
 
-The Tailscale API documentation is located in **[tailscale/publicapi](./publicapi/readme.md#tailscale-api)**.
+The Tailscale API is a (mostly) RESTful API. Typically, POST bodies should be JSON encoded and responses will be JSON encoded.
+
+# Authentication
+Currently based on {some authentication method}. Visit the [admin panel](https://api.tailscale.com/admin) and navigate to the `Keys` page. Generate an API Key and keep it safe. Provide the key as the user key in basic auth when making calls to Tailscale API endpoints.
 
 # APIs
 
-**[Overview](./publicapi/readme.md)**
+* **[Devices](#device)**
+  - [GET device](#device-get)
+  - [DELETE device](#device-delete)
+  - Routes
+    - [GET device routes](#device-routes-get)
+    - [POST device routes](#device-routes-post)
+* **[Tailnets](#tailnet)**
+  - ACLs
+    - [GET tailnet ACL](#tailnet-acl-get)
+    - [POST tailnet ACL](#tailnet-acl-post): set ACL for a tailnet
+    - [POST tailnet ACL preview](#tailnet-acl-preview-post): preview rule matches on an ACL for a resource
+  - [Devices](#tailnet-devices)
+    - [GET tailnet devices](#tailnet-devices-get)
+  - [DNS](#tailnet-dns)
+    - [GET tailnet DNS nameservers](#tailnet-dns-nameservers-get)
+    - [POST tailnet DNS nameservers](#tailnet-dns-nameservers-post)
+    - [GET tailnet DNS preferences](#tailnet-dns-preferences-get)
+    - [POST tailnet DNS preferences](#tailnet-dns-preferences-post)
+    - [GET tailnet DNS searchpaths](#tailnet-dns-searchpaths-get)
+    - [POST tailnet DNS searchpaths](#tailnet-dns-searchpaths-post)
 
-**[Device](./publicapi/device.md#device)**
+## Device
+<!-- TODO: description about what devices are -->
+Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id". 
+You can use the deviceID to specify operations on a specific device, like retrieving its subnet routes.
 
-<a href="device-delete"></a>
-<a href="expire-device-key"></a>
-<a href="device-routes-get">
-<a href="device-routes-post"></a>
-<a href="#device-authorized-post"></a>
-<a href="device-tags-post"></a>
-<a href="device-key-post"></a>
-<a href="tailnet-acl-get"></a>
+To find the deviceID of a particular device, you can use the ["GET /devices"](#getdevices) API call and generate a list of devices on your network. 
+Find the device you're looking for and get the "id" field.
+This is your deviceID. 
 
-- Get a device: [`GET /api/v2/device/{deviceid}`](./publicapi/device.md#get-device)
-- Delete a device: [`DELETE /api/v2/device/{deviceID}`](./publicapi/device.md#delete-device)
-- Expire device key: [`POST /api/v2/device/{deviceID}/expire`](./publicapi/device.md#expire-device-key)
-- [**Routes**](./publicapi/device.md#routes)
-  - Get device routes: [`GET /api/v2/device/{deviceID}/routes`](./publicapi/device.md#get-device-routes)
-  - Set device routes: [`POST /api/v2/device/{deviceID}/routes`](./publicapi/device.md#set-device-routes)
-- [**Authorize**](./publicapi/device.md#authorize)
-  - Authorize a device: [`POST /api/v2/device/{deviceID}/authorized`](./publicapi/device.md#authorize-device)
-- [**Tags**](./publicapi/device.md#tags)
-  - Update tags: [`POST /api/v2/device/{deviceID}/tags`](./publicapi/device.md#update-device-tags)
-- [**Keys**](./publicapi/device.md#keys)
-  - Update device key: [`POST /api/v2/device/{deviceID}/key`](./publicapi/device.md#update-device-key)
-- [**IP Addresses**](./publicapi/device.md#ip-addresses)
-  - Set device IPv4 address: [`POST /api/v2/device/{deviceID}/ip`](./publicapi/device.md#set-device-ipv4-address)
-- [**Device posture attributes**](./publicapi/device.md#device-posture-attributes)
-  - Get device posture attributes: [`GET /api/v2/device/{deviceID}/attributes`](./publicapi/device.md#get-device-posture-attributes)
-  - Set custom device posture attributes: [`POST /api/v2/device/{deviceID}/attributes/{attributeKey}`](./publicapi/device.md#set-device-posture-attributes)
-  - Delete custom device posture attributes: [`DELETE /api/v2/device/{deviceID}/attributes/{attributeKey}`](./publicapi/device.md#delete-custom-device-posture-attributes)
-- [**Device invites**](./publicapi/device.md#invites-to-a-device)
-  - List device invites: [`GET /api/v2/device/{deviceID}/device-invites`](./publicapi/device.md#list-device-invites)
-  - Create device invites: [`POST /api/v2/device/{deviceID}/device-invites`](./publicapi/device.md#create-device-invites)
+<a name=device-get></div>
 
-**[Tailnet](./publicapi/tailnet.md#tailnet)**
+#### `GET /api/v2/device/:deviceid` - lists the details for a device
+Returns the details for the specified device.
+Supply the device of interest in the path using its ID.
+Use the `fields` query parameter to explicitly indicate which fields are returned.
 
-<a href="tailnet-acl-post"></a>
-<a href="tailnet-acl-preview-post"></a>
-<a href="tailnet-acl-validate-post"></a>
-<a href="tailnet-devices"></a>
-<a href="tailnet-keys-get"></a>
-<a href="tailnet-keys-post"></a>
-<a href="tailnet-keys-key-get"></a>
-<a href="tailnet-keys-key-delete"></a>
-<a href="tailnet-dns"></a>
-<a href="tailnet-dns-nameservers-get"></a>
-<a href="tailnet-dns-nameservers-post"></a>
-<a href="tailnet-dns-preferences-get"></a>
-<a href="tailnet-dns-preferences-post"></a>
-<a href="tailnet-dns-searchpaths-get"></a>
-<a href="tailnet-dns-searchpaths-post"></a>
 
-- [**Policy File**](./publicapi/tailnet.md#policy-file)
-  - Get policy file: [`GET /api/v2/tailnet/{tailnet}/acl`](./publicapi/tailnet.md#get-policy-file)
-  - Update policy file: [`POST /api/v2/tailnet/{tailnet}/acl`](./publicapi/tailnet.md#update-policy-file)
-  - Preview rule matches: [`POST /api/v2/tailnet/{tailnet}/acl/preview`](./publicapi/tailnet.md#preview-policy-file-rule-matches)
-  - Validate and test policy file: [`POST /api/v2/tailnet/{tailnet}/acl/validate`](./publicapi/tailnet.md#validate-and-test-policy-file)
-- [**Devices**](./publicapi/tailnet.md#devices)
-  - List tailnet devices: [`GET /api/v2/tailnet/{tailnet}/devices`](./publicapi/tailnet.md#list-tailnet-devices)
-- [**Keys**](./publicapi/tailnet.md#tailnet-keys)
-  - List tailnet keys: [`GET /api/v2/tailnet/{tailnet}/keys`](./publicapi/tailnet.md#list-tailnet-keys)
-  - Create an auth key: [`POST /api/v2/tailnet/{tailnet}/keys`](./publicapi/tailnet.md#create-auth-key)
-  - Get a key: [`GET /api/v2/tailnet/{tailnet}/keys/{keyid}`](./publicapi/tailnet.md#get-key)
-  - Delete a key: [`DELETE /api/v2/tailnet/{tailnet}/keys/{keyid}`](./publicapi/tailnet.md#delete-key)
-- [**DNS**](./publicapi/tailnet.md#dns)
-  - [**Nameservers**](./publicapi/tailnet.md#nameservers)
-    - Get nameservers: [`GET /api/v2/tailnet/{tailnet}/dns/nameservers`](./publicapi/tailnet.md#get-nameservers)
-    - Set nameservers: [`POST /api/v2/tailnet/{tailnet}/dns/nameservers`](./publicapi/tailnet.md#set-nameservers)
-  - [**Preferences**](./publicapi/tailnet.md#preferences)
-    - Get DNS preferences: [`GET /api/v2/tailnet/{tailnet}/dns/preferences`](./publicapi/tailnet.md#get-dns-preferences)
-    - Set DNS preferences: [`POST /api/v2/tailnet/{tailnet}/dns/preferences`](./publicapi/tailnet.md#set-dns-preferences)
-  - [**Search Paths**](./publicapi/tailnet.md#search-paths)
-    - Get search paths: [`GET /api/v2/tailnet/{tailnet}/dns/searchpaths`](./publicapi/tailnet.md#get-search-paths)
-    - Set search paths: [`POST /api/v2/tailnet/{tailnet}/dns/searchpaths`](./publicapi/tailnet.md#set-search-paths)
-  - [**Split DNS**](./publicapi/tailnet.md#split-dns)
-    - Get split DNS: [`GET /api/v2/tailnet/{tailnet}/dns/split-dns`](./publicapi/tailnet.md#get-split-dns)
-    - Update split DNS: [`PATCH /api/v2/tailnet/{tailnet}/dns/split-dns`](./publicapi/tailnet.md#update-split-dns)
-    - Set split DNS: [`PUT /api/v2/tailnet/{tailnet}/dns/split-dns`](./publicapi/tailnet.md#set-split-dns)
-- [**User invites**](./publicapi/tailnet.md#tailnet-user-invites)
-  - List user invites: [`GET /api/v2/tailnet/{tailnet}/user-invites`](./publicapi/tailnet.md#list-user-invites)
-  - Create user invites: [`POST /api/v2/tailnet/{tailnet}/user-invites`](./publicapi/tailnet.md#create-user-invites)
+##### Parameters
+##### Query Parameters
+`fields` - Controls which fields will be included in the returned response.
+Currently, supported options are: 
+* `all`: returns all fields in the response.
+* `default`: return all fields except:
+  * `enabledRoutes`
+  * `advertisedRoutes`
+  * `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
 
-**[User invites](./publicapi/userinvites.md#user-invites)**
+Use commas to separate multiple options.
+If more than one option is indicated, then the union is used.
+For example, for `fields=default,all`, all fields are returned.
+If the `fields` parameter is not provided, then the default option is used.
 
-- Get user invite: [`GET /api/v2/user-invites/{userInviteId}`](./publicapi/userinvites.md#get-user-invite)
-- Delete user invite: [`DELETE /api/v2/user-invites/{userInviteId}`](./publicapi/userinvites.md#delete-user-invite)
-- Resend user invite (by email): [`POST /api/v2/user-invites/{userInviteId}/resend`](#resend-user-invite)
+##### Example 
+```
+GET /api/v2/device/12345
+curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
+  -u "tskey-yourapikey123:"
+```
 
-**[Device invites](./publicapi/deviceinvites.md#device-invites)**
+Response
+```
+{
+  "addresses":[
+    "100.105.58.116"
+  ],
+  "id":"12345",
+  "user":"user1@example.com",
+  "name":"user1-device.example.com",
+  "hostname":"User1-Device",
+  "clientVersion":"date.20201107",
+  "updateAvailable":false,
+  "os":"macOS",
+  "created":"2020-11-20T20:56:49Z",
+  "lastSeen":"2020-11-20T16:15:55-05:00",
+  "keyExpiryDisabled":false,
+  "expires":"2021-05-19T20:56:49Z",
+  "authorized":true,
+  "isExternal":false,
+  "machineKey":"mkey:user1-machine-key",
+  "nodeKey":"nodekey:user1-node-key",
+  "blocksIncomingConnections":false,
+  "enabledRoutes":[
+    
+  ],
+  "advertisedRoutes":[
+    
+  ],
+  "clientConnectivity": {
+    "endpoints":[
+      "209.195.87.231:59128",
+      "192.168.0.173:59128"
+    ],
+    "derp":"",
+    "mappingVariesByDestIP":false,
+    "latency":{
+      "Dallas":{
+        "latencyMs":60.463043
+      },
+      "New York City":{
+        "preferred":true,
+        "latencyMs":31.323811
+      },
+      "San Francisco":{
+        "latencyMs":81.313389
+      }
+    },
+    "clientSupports":{
+      "hairPinning":false,
+      "ipv6":false,
+      "pcp":false,
+      "pmp":false,
+      "udp":true,
+      "upnp":false
+    }
+  }
+}
+```
 
-- Get device invite: [`GET /api/v2/device-invites/{deviceInviteId}`](./publicapi/deviceinvites.md#get-device-invite)
-- Delete device invite: [`DELETE /api/v2/device-invites/{deviceInviteId}`](./publicapi/deviceinvites.md#delete-device-invite)
-- Resend device invite (by email): [`POST /api/v2/device-invites/{deviceInviteId}/resend`](./publicapi/deviceinvites.md#resend-device-invite)
-- Accept device invite [`POST /api/v2/device-invites/-/accept`](#accept-device-invite)
+<a name=device-delete></div>
+
+#### `DELETE /api/v2/device/:deviceID` - deletes the device from its tailnet
+Deletes the provided device from its tailnet. 
+The device must belong to the user's tailnet.
+Deleting shared/external devices is not supported.
+Supply the device of interest in the path using its ID.
+
+
+##### Parameters
+No parameters.
+
+##### Example
+```
+DELETE /api/v2/device/12345
+curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
+  -u "tskey-yourapikey123:" -v
+```
+
+Response
+
+If successful, the response should be empty: 
+```
+< HTTP/1.1 200 OK
+...
+* Connection #0 to host left intact
+* Closing connection 0
+```
+
+If the device is not owned by your tailnet: 
+```
+< HTTP/1.1 501 Not Implemented
+...
+{"message":"cannot delete devices outside of your tailnet"}
+```
+
+
+<a name=device-routes-get></div>
+
+#### `GET /api/v2/device/:deviceID/routes` - fetch subnet routes that are advertised and enabled for a device
+
+Retrieves the list of subnet routes that a device is advertising, as well as those that are enabled for it. Enabled routes are not necessarily advertised (e.g. for pre-enabling), and likewise, advertised routes are not necessarily enabled.
+
+##### Parameters
+
+No parameters.
+
+##### Example
+
+```
+curl 'https://api.tailscale.com/api/v2/device/11055/routes' \
+-u "tskey-yourapikey123:"
+```
+
+Response
+```
+{
+   "advertisedRoutes" : [
+      "10.0.1.0/24",
+      "1.2.0.0/16",
+      "2.0.0.0/24"
+   ],
+   "enabledRoutes" : []
+}
+```
+
+<a name=device-routes-post></div>
+
+#### `POST /api/v2/device/:deviceID/routes` - set the subnet routes that are enabled for a device
+
+Sets which subnet routes are enabled to be routed by a device by replacing the existing list of subnet routes with the supplied parameters. Routes can be enabled without a device advertising them (e.g. for preauth). Returns a list of enabled subnet routes and a list of advertised subnet routes for a device.
+
+##### Parameters
+
+###### POST Body
+`routes` - The new list of enabled subnet routes in JSON.
+```
+{
+  "routes": ["10.0.1.0/24", "1.2.0.0/16", "2.0.0.0/24"]
+}
+```
+
+##### Example
+
+```
+curl 'https://api.tailscale.com/api/v2/device/11055/routes' \
+-u "tskey-yourapikey123:" \
+--data-binary '{"routes": ["10.0.1.0/24", "1.2.0.0/16", "2.0.0.0/24"]}'
+```
+
+Response
+
+```
+{
+   "advertisedRoutes" : [
+      "10.0.1.0/24",
+      "1.2.0.0/16",
+      "2.0.0.0/24"
+   ],
+   "enabledRoutes" : [
+      "10.0.1.0/24",
+      "1.2.0.0/16",
+      "2.0.0.0/24"
+   ]
+}
+```
+
+## Tailnet 
+A tailnet is the name of your Tailscale network. 
+You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.
+
+
+`alice@example.com` belongs to the `example.com` tailnet and would use the following format for API calls:
+
+```
+GET /api/v2/tailnet/example.com/...
+curl https://api.tailscale.com/api/v2/tailnet/example.com/...
+```
+
+
+For solo plans, the tailnet is the email you signed up with.
+So `alice@gmail.com` has the tailnet `alice@gmail.com` since `@gmail.com` is a shared email host.
+Her API calls would have the following format:
+```
+GET /api/v2/tailnet/alice@gmail.com/...
+curl https://api.tailscale.com/api/v2/tailnet/alice@gmail.com/...
+```
+
+Tailnets are a top-level resource. ACL is an example of a resource that is tied to a top-level tailnet.
+
+For more information on Tailscale networks/tailnets, click [here](https://tailscale.com/kb/1064/invite-team-members).
+
+### ACL
+
+<a name=tailnet-acl-get></a>
+
+#### `GET /api/v2/tailnet/:tailnet/acl` - fetch ACL for a tailnet
+
+Retrieves the ACL that is currently set for the given tailnet. Supply the tailnet of interest in the path. This endpoint can send back either the HuJSON of the ACL or a parsed JSON, depending on the `Accept` header.
+
+##### Parameters
+
+###### Headers
+`Accept` - Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.
+
+##### Returns
+Returns the ACL HuJSON by default. Returns a parsed JSON of the ACL (sans comments) if the `Accept` type is explicitly set to `application/json`. An `ETag` header is also sent in the response, which can be optionally used in POST requests to avoid missed updates.
+<!-- TODO (chungdaniel): define error types and a set of docs for them -->
+
+##### Example
+
+###### Requesting a HuJSON response:
+```
+GET /api/v2/tailnet/example.com/acl
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
+  -u "tskey-yourapikey123:" \
+  -H "Accept: application/hujson" \
+  -v
+```
+
+Response
+```
+...
+Content-Type: application/hujson
+Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c"
+...
+
+// Example/default ACLs for unrestricted connections.
+{
+    "Tests": [],
+    // Declare static groups of users beyond those in the identity service.
+    "Groups": {
+        "group:example": [
+            "user1@example.com",
+            "user2@example.com"
+        ],
+    },
+    // Declare convenient hostname aliases to use in place of IP addresses.
+    "Hosts": {
+        "example-host-1": "100.100.100.100",
+    },
+    // Access control lists.
+    "ACLs": [
+        // Match absolutely everything. Comment out this section if you want
+        // to define specific ACL restrictions.
+        {
+            "Action": "accept",
+            "Users": [
+                "*"
+            ],
+            "Ports": [
+                "*:*"
+            ]
+        },
+    ]
+}
+```
+
+###### Requesting a JSON response:
+```
+GET /api/v2/tailnet/example.com/acl
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
+  -u "tskey-yourapikey123:" \
+  -H "Accept: application/json" \
+  -v
+```
+
+Response
+```
+...
+Content-Type: application/json
+Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c"
+...
+{
+   "acls" : [
+      {
+         "action" : "accept",
+         "ports" : [
+            "*:*"
+         ],
+         "users" : [
+            "*"
+         ]
+      }
+   ],
+   "groups" : {
+      "group:example" : [
+         "user1@example.com",
+         "user2@example.com"
+      ]
+   },
+   "hosts" : {
+      "example-host-1" : "100.100.100.100"
+   }
+}
+```
+
+<a name=tailnet-acl-post></a>
+
+#### `POST /api/v2/tailnet/:tailnet/acl` - set ACL for a tailnet
+
+Sets the ACL for the given tailnet. HuJSON and JSON are both accepted inputs. An `If-Match` header can be set to avoid missed updates.
+
+Returns error for invalid ACLs.
+Returns error if using an `If-Match` header and the ETag does not match.
+
+##### Parameters
+
+###### Headers
+`If-Match` - A request header. Set this value to the ETag header provided in an `ACL GET` request to avoid missed updates.
+
+`Accept` - Sets the return type of the updated ACL. Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.
+
+###### POST Body
+ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)
+
+##### Example
+```
+POST /api/v2/tailnet/example.com/acl
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
+  -u "tskey-yourapikey123:" \
+  -H "If-Match: \"e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c\""
+  --data-binary '// Example/default ACLs for unrestricted connections.
+{
+  // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
+  "Tests": [
+    // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
+  ],
+  // Declare static groups of users beyond those in the identity service.
+  "Groups": {
+    "group:example": [ "user1@example.com", "user2@example.com" ],
+  },
+  // Declare convenient hostname aliases to use in place of IP addresses.
+  "Hosts": {
+    "example-host-1": "100.100.100.100",
+  },
+  // Access control lists.
+  "ACLs": [
+    // Match absolutely everything. Comment out this section if you want
+    // to define specific ACL restrictions.
+    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
+  ]
+}'
+```
+
+Response
+```
+// Example/default ACLs for unrestricted connections.
+{
+  // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
+  "Tests": [
+    // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
+  ],
+  // Declare static groups of users beyond those in the identity service.
+  "Groups": {
+    "group:example": [ "user1@example.com", "user2@example.com" ],
+  },
+  // Declare convenient hostname aliases to use in place of IP addresses.
+  "Hosts": {
+    "example-host-1": "100.100.100.100",
+  },
+  // Access control lists.
+  "ACLs": [
+    // Match absolutely everything. Comment out this section if you want
+    // to define specific ACL restrictions.
+    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
+  ]
+}
+```
+
+<a name=tailnet-acl-preview-post></a>
+
+#### `POST /api/v2/tailnet/:tailnet/acl/preview` - preview rule matches on an ACL for a resource
+Determines what rules match for a user on an ACL without saving the ACL to the server.
+
+##### Parameters
+
+###### Query Parameters
+`user` - A user's email. The provided ACL is queried with this user to determine which rules match.
+
+###### POST Body
+ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)
+
+##### Example
+```
+POST /api/v2/tailnet/example.com/acl/preiew
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl?user=user1@example.com' \
+  -u "tskey-yourapikey123:" \
+  --data-binary '// Example/default ACLs for unrestricted connections.
+{
+  // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
+  "Tests": [
+    // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
+  ],
+  // Declare static groups of users beyond those in the identity service.
+  "Groups": {
+    "group:example": [ "user1@example.com", "user2@example.com" ],
+  },
+  // Declare convenient hostname aliases to use in place of IP addresses.
+  "Hosts": {
+    "example-host-1": "100.100.100.100",
+  },
+  // Access control lists.
+  "ACLs": [
+    // Match absolutely everything. Comment out this section if you want
+    // to define specific ACL restrictions.
+    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
+  ]
+}'
+```
+
+Response
+```
+{"matches":[{"users":["*"],"ports":["*:*"],"lineNumber":19}],"user":"user1@example.com"}
+```
+
+<a name=tailnet-devices></a>
+
+### Devices
+
+<a name=tailnet-devices-get></a>
+
+#### <a name="getdevices"></a> `GET /api/v2/tailnet/:tailnet/devices` - list the devices for a tailnet
+Lists the devices in a tailnet. 
+Supply the tailnet of interest in the path.
+Use the `fields` query parameter to explicitly indicate which fields are returned.
+
+
+##### Parameters
+
+###### Query Parameters
+`fields` - Controls which fields will be included in the returned response.
+Currently, supported options are: 
+* `all`: Returns all fields in the response.
+* `default`: return all fields except:
+  * `enabledRoutes`
+  * `advertisedRoutes`
+  * `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
+
+Use commas to separate multiple options.
+If more than one option is indicated, then the union is used.
+For example, for `fields=default,all`, all fields are returned.
+If the `fields` parameter is not provided, then the default option is used.
+
+##### Example
+
+```
+GET /api/v2/tailnet/example.com/devices
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/devices' \
+  -u "tskey-yourapikey123:"
+```
+
+Response 
+```
+{
+  "devices":[
+    {
+      "addresses":[
+        "100.68.203.125"
+      ],
+      "clientVersion":"date.20201107",
+      "os":"macOS",
+      "name":"user1-device.example.com",
+      "created":"2020-11-30T22:20:04Z",
+      "lastSeen":"2020-11-30T17:20:04-05:00",
+      "hostname":"User1-Device",
+      "machineKey":"mkey:user1-node-key",
+      "nodeKey":"nodekey:user1-node-key",
+      "id":"12345",
+      "user":"user1@example.com",
+      "expires":"2021-05-29T22:20:04Z",
+      "keyExpiryDisabled":false,
+      "authorized":false,
+      "isExternal":false,
+      "updateAvailable":false,
+      "blocksIncomingConnections":false,
+    },
+    {
+      "addresses":[
+        "100.111.63.90"
+      ],
+      "clientVersion":"date.20201107",
+      "os":"macOS",
+      "name":"user2-device.example.com",
+      "created":"2020-11-30T22:21:03Z",
+      "lastSeen":"2020-11-30T17:21:03-05:00",
+      "hostname":"User2-Device",
+      "machineKey":"mkey:user2-machine-key",
+      "nodeKey":"nodekey:user2-node-key",
+      "id":"48810",
+      "user":"user2@example.com",
+      "expires":"2021-05-29T22:21:03Z",
+      "keyExpiryDisabled":false,
+      "authorized":false,
+      "isExternal":false,
+      "updateAvailable":false,
+      "blocksIncomingConnections":false,
+    }
+  ]
+}
+```
+
+<a name=tailnet-dns></a>
+
+### DNS
+
+<a name=tailnet-dns-nameservers-get></a>
+
+#### `GET /api/v2/tailnet/:tailnet/dns/nameservers` - list the DNS nameservers for a tailnet
+Lists the DNS nameservers for a tailnet. 
+Supply the tailnet of interest in the path.
+
+##### Parameters
+No parameters.
+
+##### Example 
+
+```
+GET /api/v2/tailnet/example.com/dns/nameservers
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
+  -u "tskey-yourapikey123:"
+```
+
+Response 
+```
+{
+  "dns": ["8.8.8.8"],
+}
+```
+
+<a name=tailnet-dns-nameservers-post></a>
+
+#### `POST /api/v2/tailnet/:tailnet/dns/nameservers` - replaces the list of DNS nameservers for a tailnet
+Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user. 
+Supply the tailnet of interest in the path.
+Note that changing the list of DNS nameservers may also affect the status of MagicDNS (if MagicDNS is on).
+
+##### Parameters
+###### POST Body
+`dns` - The new list of DNS nameservers in JSON.
+```
+{
+  "dns":["8.8.8.8"]
+}
+```
+
+##### Returns
+Returns the new list of nameservers and the status of MagicDNS. 
+
+If all nameservers have been removed, MagicDNS will be automatically disabled (until explicitly turned back on by the user).
+
+##### Example
+###### Adding DNS nameservers with the MagicDNS on:
+```
+POST /api/v2/tailnet/example.com/dns/nameservers
+curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
+  -u "tskey-yourapikey123:" \
+  --data-binary '{"dns": ["8.8.8.8"]}'
+```
+
+Response:
+```
+{
+  "dns":["8.8.8.8"],
+  "magicDNS":true,
+}
+```
+
+###### Removing all DNS nameservers with the MagicDNS on:
+```
+POST /api/v2/tailnet/example.com/dns/nameservers
+curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
+  -u "tskey-yourapikey123:" \
+  --data-binary '{"dns": []}'
+```
+
+Response:
+```
+{
+  "dns":[],
+  "magicDNS": false,
+}
+```
+
+<a name=tailnet-dns-preferences-get></a>
+
+#### `GET /api/v2/tailnet/:tailnet/dns/preferences` - retrieves the DNS preferences for a tailnet
+Retrieves the DNS preferences that are currently set for the given tailnet.
+Supply the tailnet of interest in the path.
+
+##### Parameters
+No parameters. 
+
+##### Example
+```
+GET /api/v2/tailnet/example.com/dns/preferences
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
+  -u "tskey-yourapikey123:" 
+```
+
+Response:
+```
+{
+  "magicDNS":false, 
+}
+```
+
+<a name=tailnet-dns-preferences-post></a>
+
+#### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet 
+Replaces the DNS preferences for a tailnet, specifically, the MagicDNS setting.
+Note that MagicDNS is dependent on DNS servers. 
+
+If there is at least one DNS server, then MagicDNS can be enabled. 
+Otherwise, it returns an error.
+Note that removing all nameservers will turn off MagicDNS. 
+To reenable it, nameservers must be added back, and MagicDNS must be explicitly turned on.
+
+##### Parameters
+###### POST Body
+The DNS preferences in JSON. Currently, MagicDNS is the only setting available.
+`magicDNS` -  Automatically registers DNS names for devices in your tailnet.
+```
+{
+  "magicDNS": true
+}
+```
+
+##### Example
+```
+POST /api/v2/tailnet/example.com/dns/preferences
+curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
+  -u "tskey-yourapikey123:" \
+  --data-binary '{"magicDNS": true}'
+```
+
+
+Response:
+
+If there are no DNS servers, it returns an error message:
+```
+{
+  "message":"need at least one nameserver to enable MagicDNS"
+}
+```
+
+If there are DNS servers: 
+```
+{
+  "magicDNS":true,
+}
+```
+
+<a name=tailnet-dns-searchpaths-get></a>
+
+#### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet 
+Retrieves the list of search paths that is currently set for the given tailnet. 
+Supply the tailnet of interest in the path.
+
+
+##### Parameters
+No parameters.
+
+##### Example
+```
+GET /api/v2/tailnet/example.com/dns/searchpaths
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
+  -u "tskey-yourapikey123:" 
+```
+
+Response:
+```
+{
+  "searchPaths": ["user1.example.com"],
+}
+```
+
+<a name=tailnet-dns-searchpaths-post></a>
+
+#### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet 
+Replaces the list of searchpaths with the list supplied by the user and returns an error otherwise.
+
+##### Parameters
+
+###### POST Body
+`searchPaths` - A list of searchpaths in JSON.
+```
+{
+  "searchPaths: ["user1.example.com", "user2.example.com"]
+}
+```
+
+##### Example
+```
+POST /api/v2/tailnet/example.com/dns/searchpaths
+curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
+  -u "tskey-yourapikey123:" \
+  --data-binary '{"searchPaths": ["user1.example.com", "user2.example.com"]}'
+```
+
+Response:
+```
+{
+  "searchPaths": ["user1.example.com", "user2.example.com"],
+}
+```

appc/appconnector.go

@@ -1,596 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package appc implements App Connectors.
-// An AppConnector provides DNS domain oriented routing of traffic. An App
-// Connector becomes a DNS server for a peer, authoritative for the set of
-// configured domains. DNS resolution of the target domain triggers dynamic
-// publication of routes to ensure that traffic to the domain is routed through
-// the App Connector.
-package appc
-
-import (
-	"context"
-	"fmt"
-	"net/netip"
-	"slices"
-	"strings"
-	"sync"
-	"time"
-
-	xmaps "golang.org/x/exp/maps"
-	"golang.org/x/net/dns/dnsmessage"
-	"tailscale.com/types/logger"
-	"tailscale.com/types/views"
-	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/dnsname"
-	"tailscale.com/util/execqueue"
-	"tailscale.com/util/mak"
-	"tailscale.com/util/slicesx"
-)
-
-// rateLogger responds to calls to update by adding a count for the current period and
-// calling the callback if any previous period has finished since update was last called
-type rateLogger struct {
-	interval    time.Duration
-	start       time.Time
-	periodStart time.Time
-	periodCount int64
-	now         func() time.Time
-	callback    func(int64, time.Time, int64)
-}
-
-func (rl *rateLogger) currentIntervalStart(now time.Time) time.Time {
-	millisSince := now.Sub(rl.start).Milliseconds() % rl.interval.Milliseconds()
-	return now.Add(-(time.Duration(millisSince)) * time.Millisecond)
-}
-
-func (rl *rateLogger) update(numRoutes int64) {
-	now := rl.now()
-	periodEnd := rl.periodStart.Add(rl.interval)
-	if periodEnd.Before(now) {
-		if rl.periodCount != 0 {
-			rl.callback(rl.periodCount, rl.periodStart, numRoutes)
-		}
-		rl.periodCount = 0
-		rl.periodStart = rl.currentIntervalStart(now)
-	}
-	rl.periodCount++
-}
-
-func newRateLogger(now func() time.Time, interval time.Duration, callback func(int64, time.Time, int64)) *rateLogger {
-	nowTime := now()
-	return &rateLogger{
-		callback:    callback,
-		now:         now,
-		interval:    interval,
-		start:       nowTime,
-		periodStart: nowTime,
-	}
-}
-
-// RouteAdvertiser is an interface that allows the AppConnector to advertise
-// newly discovered routes that need to be served through the AppConnector.
-type RouteAdvertiser interface {
-	// AdvertiseRoute adds one or more route advertisements skipping any that
-	// are already advertised.
-	AdvertiseRoute(...netip.Prefix) error
-
-	// UnadvertiseRoute removes any matching route advertisements.
-	UnadvertiseRoute(...netip.Prefix) error
-}
-
-var (
-	metricStoreRoutesRateBuckets = []int64{1, 2, 3, 4, 5, 10, 100, 1000}
-	metricStoreRoutesNBuckets    = []int64{1, 2, 3, 4, 5, 10, 100, 1000, 10000}
-	metricStoreRoutesRate        []*clientmetric.Metric
-	metricStoreRoutesN           []*clientmetric.Metric
-)
-
-func initMetricStoreRoutes() {
-	for _, n := range metricStoreRoutesRateBuckets {
-		metricStoreRoutesRate = append(metricStoreRoutesRate, clientmetric.NewCounter(fmt.Sprintf("appc_store_routes_rate_%d", n)))
-	}
-	metricStoreRoutesRate = append(metricStoreRoutesRate, clientmetric.NewCounter("appc_store_routes_rate_over"))
-	for _, n := range metricStoreRoutesNBuckets {
-		metricStoreRoutesN = append(metricStoreRoutesN, clientmetric.NewCounter(fmt.Sprintf("appc_store_routes_n_routes_%d", n)))
-	}
-	metricStoreRoutesN = append(metricStoreRoutesN, clientmetric.NewCounter("appc_store_routes_n_routes_over"))
-}
-
-func recordMetric(val int64, buckets []int64, metrics []*clientmetric.Metric) {
-	if len(buckets) < 1 {
-		return
-	}
-	// finds the first bucket where val <=, or len(buckets) if none match
-	// for bucket values of 1, 10, 100; 0-1 goes to [0], 2-10 goes to [1], 11-100 goes to [2], 101+ goes to [3]
-	bucket, _ := slices.BinarySearch(buckets, val)
-	metrics[bucket].Add(1)
-}
-
-func metricStoreRoutes(rate, nRoutes int64) {
-	if len(metricStoreRoutesRate) == 0 {
-		initMetricStoreRoutes()
-	}
-	recordMetric(rate, metricStoreRoutesRateBuckets, metricStoreRoutesRate)
-	recordMetric(nRoutes, metricStoreRoutesNBuckets, metricStoreRoutesN)
-}
-
-// RouteInfo is a data structure used to persist the in memory state of an AppConnector
-// so that we can know, even after a restart, which routes came from ACLs and which were
-// learned from domains.
-type RouteInfo struct {
-	// Control is the routes from the 'routes' section of an app connector acl.
-	Control []netip.Prefix `json:",omitempty"`
-	// Domains are the routes discovered by observing DNS lookups for configured domains.
-	Domains map[string][]netip.Addr `json:",omitempty"`
-	// Wildcards are the configured DNS lookup domains to observe. When a DNS query matches Wildcards,
-	// its result is added to Domains.
-	Wildcards []string `json:",omitempty"`
-}
-
-// AppConnector is an implementation of an AppConnector that performs
-// its function as a subsystem inside of a tailscale node. At the control plane
-// side App Connector routing is configured in terms of domains rather than IP
-// addresses.
-// The AppConnectors responsibility inside tailscaled is to apply the routing
-// and domain configuration as supplied in the map response.
-// DNS requests for configured domains are observed. If the domains resolve to
-// routes not yet served by the AppConnector the local node configuration is
-// updated to advertise the new route.
-type AppConnector struct {
-	logf            logger.Logf
-	routeAdvertiser RouteAdvertiser
-
-	// storeRoutesFunc will be called to persist routes if it is not nil.
-	storeRoutesFunc func(*RouteInfo) error
-
-	// mu guards the fields that follow
-	mu sync.Mutex
-
-	// domains is a map of lower case domain names with no trailing dot, to an
-	// ordered list of resolved IP addresses.
-	domains map[string][]netip.Addr
-
-	// controlRoutes is the list of routes that were last supplied by control.
-	controlRoutes []netip.Prefix
-
-	// wildcards is the list of domain strings that match subdomains.
-	wildcards []string
-
-	// queue provides ordering for update operations
-	queue execqueue.ExecQueue
-
-	writeRateMinute *rateLogger
-	writeRateDay    *rateLogger
-}
-
-// NewAppConnector creates a new AppConnector.
-func NewAppConnector(logf logger.Logf, routeAdvertiser RouteAdvertiser, routeInfo *RouteInfo, storeRoutesFunc func(*RouteInfo) error) *AppConnector {
-	ac := &AppConnector{
-		logf:            logger.WithPrefix(logf, "appc: "),
-		routeAdvertiser: routeAdvertiser,
-		storeRoutesFunc: storeRoutesFunc,
-	}
-	if routeInfo != nil {
-		ac.domains = routeInfo.Domains
-		ac.wildcards = routeInfo.Wildcards
-		ac.controlRoutes = routeInfo.Control
-	}
-	ac.writeRateMinute = newRateLogger(time.Now, time.Minute, func(c int64, s time.Time, l int64) {
-		ac.logf("routeInfo write rate: %d in minute starting at %v (%d routes)", c, s, l)
-		metricStoreRoutes(c, l)
-	})
-	ac.writeRateDay = newRateLogger(time.Now, 24*time.Hour, func(c int64, s time.Time, l int64) {
-		ac.logf("routeInfo write rate: %d in 24 hours starting at %v (%d routes)", c, s, l)
-	})
-	return ac
-}
-
-// ShouldStoreRoutes returns true if the appconnector was created with the controlknob on
-// and is storing its discovered routes persistently.
-func (e *AppConnector) ShouldStoreRoutes() bool {
-	return e.storeRoutesFunc != nil
-}
-
-// storeRoutesLocked takes the current state of the AppConnector and persists it
-func (e *AppConnector) storeRoutesLocked() error {
-	if !e.ShouldStoreRoutes() {
-		return nil
-	}
-
-	// log write rate and write size
-	numRoutes := int64(len(e.controlRoutes))
-	for _, rs := range e.domains {
-		numRoutes += int64(len(rs))
-	}
-	e.writeRateMinute.update(numRoutes)
-	e.writeRateDay.update(numRoutes)
-
-	return e.storeRoutesFunc(&RouteInfo{
-		Control:   e.controlRoutes,
-		Domains:   e.domains,
-		Wildcards: e.wildcards,
-	})
-}
-
-// ClearRoutes removes all route state from the AppConnector.
-func (e *AppConnector) ClearRoutes() error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-	e.controlRoutes = nil
-	e.domains = nil
-	e.wildcards = nil
-	return e.storeRoutesLocked()
-}
-
-// UpdateDomainsAndRoutes starts an asynchronous update of the configuration
-// given the new domains and routes.
-func (e *AppConnector) UpdateDomainsAndRoutes(domains []string, routes []netip.Prefix) {
-	e.queue.Add(func() {
-		// Add the new routes first.
-		e.updateRoutes(routes)
-		e.updateDomains(domains)
-	})
-}
-
-// UpdateDomains asynchronously replaces the current set of configured domains
-// with the supplied set of domains. Domains must not contain a trailing dot,
-// and should be lower case. If the domain contains a leading '*' label it
-// matches all subdomains of a domain.
-func (e *AppConnector) UpdateDomains(domains []string) {
-	e.queue.Add(func() {
-		e.updateDomains(domains)
-	})
-}
-
-// Wait waits for the currently scheduled asynchronous configuration changes to
-// complete.
-func (e *AppConnector) Wait(ctx context.Context) {
-	e.queue.Wait(ctx)
-}
-
-func (e *AppConnector) updateDomains(domains []string) {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	var oldDomains map[string][]netip.Addr
-	oldDomains, e.domains = e.domains, make(map[string][]netip.Addr, len(domains))
-	e.wildcards = e.wildcards[:0]
-	for _, d := range domains {
-		d = strings.ToLower(d)
-		if len(d) == 0 {
-			continue
-		}
-		if strings.HasPrefix(d, "*.") {
-			e.wildcards = append(e.wildcards, d[2:])
-			continue
-		}
-		e.domains[d] = oldDomains[d]
-		delete(oldDomains, d)
-	}
-
-	// Ensure that still-live wildcards addresses are preserved as well.
-	for d, addrs := range oldDomains {
-		for _, wc := range e.wildcards {
-			if dnsname.HasSuffix(d, wc) {
-				e.domains[d] = addrs
-				delete(oldDomains, d)
-				break
-			}
-		}
-	}
-
-	// Everything left in oldDomains is a domain we're no longer tracking
-	// and if we are storing route info we can unadvertise the routes
-	if e.ShouldStoreRoutes() {
-		toRemove := []netip.Prefix{}
-		for _, addrs := range oldDomains {
-			for _, a := range addrs {
-				toRemove = append(toRemove, netip.PrefixFrom(a, a.BitLen()))
-			}
-		}
-		if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-			e.logf("failed to unadvertise routes on domain removal: %v: %v: %v", xmaps.Keys(oldDomains), toRemove, err)
-		}
-	}
-
-	e.logf("handling domains: %v and wildcards: %v", xmaps.Keys(e.domains), e.wildcards)
-}
-
-// updateRoutes merges the supplied routes into the currently configured routes. The routes supplied
-// by control for UpdateRoutes are supplemental to the routes discovered by DNS resolution, but are
-// also more often whole ranges. UpdateRoutes will remove any single address routes that are now
-// covered by new ranges.
-func (e *AppConnector) updateRoutes(routes []netip.Prefix) {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	// If there was no change since the last update, no work to do.
-	if slices.Equal(e.controlRoutes, routes) {
-		return
-	}
-
-	if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
-		e.logf("failed to advertise routes: %v: %v", routes, err)
-		return
-	}
-
-	var toRemove []netip.Prefix
-
-	// If we're storing routes and know e.controlRoutes is a good
-	// representation of what should be in AdvertisedRoutes we can stop
-	// advertising routes that used to be in e.controlRoutes but are not
-	// in routes.
-	if e.ShouldStoreRoutes() {
-		toRemove = routesWithout(e.controlRoutes, routes)
-	}
-
-nextRoute:
-	for _, r := range routes {
-		for _, addr := range e.domains {
-			for _, a := range addr {
-				if r.Contains(a) && netip.PrefixFrom(a, a.BitLen()) != r {
-					pfx := netip.PrefixFrom(a, a.BitLen())
-					toRemove = append(toRemove, pfx)
-					continue nextRoute
-				}
-			}
-		}
-	}
-
-	if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-		e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
-	}
-
-	e.controlRoutes = routes
-	if err := e.storeRoutesLocked(); err != nil {
-		e.logf("failed to store route info: %v", err)
-	}
-}
-
-// Domains returns the currently configured domain list.
-func (e *AppConnector) Domains() views.Slice[string] {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	return views.SliceOf(xmaps.Keys(e.domains))
-}
-
-// DomainRoutes returns a map of domains to resolved IP
-// addresses.
-func (e *AppConnector) DomainRoutes() map[string][]netip.Addr {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	drCopy := make(map[string][]netip.Addr)
-	for k, v := range e.domains {
-		drCopy[k] = append(drCopy[k], v...)
-	}
-
-	return drCopy
-}
-
-// ObserveDNSResponse is a callback invoked by the DNS resolver when a DNS
-// response is being returned over the PeerAPI. The response is parsed and
-// matched against the configured domains, if matched the routeAdvertiser is
-// advised to advertise the discovered route.
-func (e *AppConnector) ObserveDNSResponse(res []byte) {
-	var p dnsmessage.Parser
-	if _, err := p.Start(res); err != nil {
-		return
-	}
-	if err := p.SkipAllQuestions(); err != nil {
-		return
-	}
-
-	// cnameChain tracks a chain of CNAMEs for a given query in order to reverse
-	// a CNAME chain back to the original query for flattening. The keys are
-	// CNAME record targets, and the value is the name the record answers, so
-	// for www.example.com CNAME example.com, the map would contain
-	// ["example.com"] = "www.example.com".
-	var cnameChain map[string]string
-
-	// addressRecords is a list of address records found in the response.
-	var addressRecords map[string][]netip.Addr
-
-	for {
-		h, err := p.AnswerHeader()
-		if err == dnsmessage.ErrSectionDone {
-			break
-		}
-		if err != nil {
-			return
-		}
-
-		if h.Class != dnsmessage.ClassINET {
-			if err := p.SkipAnswer(); err != nil {
-				return
-			}
-			continue
-		}
-
-		switch h.Type {
-		case dnsmessage.TypeCNAME, dnsmessage.TypeA, dnsmessage.TypeAAAA:
-		default:
-			if err := p.SkipAnswer(); err != nil {
-				return
-			}
-			continue
-
-		}
-
-		domain := strings.TrimSuffix(strings.ToLower(h.Name.String()), ".")
-		if len(domain) == 0 {
-			continue
-		}
-
-		if h.Type == dnsmessage.TypeCNAME {
-			res, err := p.CNAMEResource()
-			if err != nil {
-				return
-			}
-			cname := strings.TrimSuffix(strings.ToLower(res.CNAME.String()), ".")
-			if len(cname) == 0 {
-				continue
-			}
-			mak.Set(&cnameChain, cname, domain)
-			continue
-		}
-
-		switch h.Type {
-		case dnsmessage.TypeA:
-			r, err := p.AResource()
-			if err != nil {
-				return
-			}
-			addr := netip.AddrFrom4(r.A)
-			mak.Set(&addressRecords, domain, append(addressRecords[domain], addr))
-		case dnsmessage.TypeAAAA:
-			r, err := p.AAAAResource()
-			if err != nil {
-				return
-			}
-			addr := netip.AddrFrom16(r.AAAA)
-			mak.Set(&addressRecords, domain, append(addressRecords[domain], addr))
-		default:
-			if err := p.SkipAnswer(); err != nil {
-				return
-			}
-			continue
-		}
-	}
-
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	for domain, addrs := range addressRecords {
-		domain, isRouted := e.findRoutedDomainLocked(domain, cnameChain)
-
-		// domain and none of the CNAMEs in the chain are routed
-		if !isRouted {
-			continue
-		}
-
-		// advertise each address we have learned for the routed domain, that
-		// was not already known.
-		var toAdvertise []netip.Prefix
-		for _, addr := range addrs {
-			if !e.isAddrKnownLocked(domain, addr) {
-				toAdvertise = append(toAdvertise, netip.PrefixFrom(addr, addr.BitLen()))
-			}
-		}
-
-		if len(toAdvertise) > 0 {
-			e.logf("[v2] observed new routes for %s: %s", domain, toAdvertise)
-			e.scheduleAdvertisement(domain, toAdvertise...)
-		}
-	}
-}
-
-// starting from the given domain that resolved to an address, find it, or any
-// of the domains in the CNAME chain toward resolving it, that are routed
-// domains, returning the routed domain name and a bool indicating whether a
-// routed domain was found.
-// e.mu must be held.
-func (e *AppConnector) findRoutedDomainLocked(domain string, cnameChain map[string]string) (string, bool) {
-	var isRouted bool
-	for {
-		_, isRouted = e.domains[domain]
-		if isRouted {
-			break
-		}
-
-		// match wildcard domains
-		for _, wc := range e.wildcards {
-			if dnsname.HasSuffix(domain, wc) {
-				e.domains[domain] = nil
-				isRouted = true
-				break
-			}
-		}
-
-		next, ok := cnameChain[domain]
-		if !ok {
-			break
-		}
-		domain = next
-	}
-	return domain, isRouted
-}
-
-// isAddrKnownLocked returns true if the address is known to be associated with
-// the given domain. Known domain tables are updated for covered routes to speed
-// up future matches.
-// e.mu must be held.
-func (e *AppConnector) isAddrKnownLocked(domain string, addr netip.Addr) bool {
-	if e.hasDomainAddrLocked(domain, addr) {
-		return true
-	}
-	for _, route := range e.controlRoutes {
-		if route.Contains(addr) {
-			// record the new address associated with the domain for faster matching in subsequent
-			// requests and for diagnostic records.
-			e.addDomainAddrLocked(domain, addr)
-			return true
-		}
-	}
-	return false
-}
-
-// scheduleAdvertisement schedules an advertisement of the given address
-// associated with the given domain.
-func (e *AppConnector) scheduleAdvertisement(domain string, routes ...netip.Prefix) {
-	e.queue.Add(func() {
-		if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
-			e.logf("failed to advertise routes for %s: %v: %v", domain, routes, err)
-			return
-		}
-		e.mu.Lock()
-		defer e.mu.Unlock()
-
-		for _, route := range routes {
-			if !route.IsSingleIP() {
-				continue
-			}
-			addr := route.Addr()
-			if !e.hasDomainAddrLocked(domain, addr) {
-				e.addDomainAddrLocked(domain, addr)
-				e.logf("[v2] advertised route for %v: %v", domain, addr)
-			}
-		}
-		if err := e.storeRoutesLocked(); err != nil {
-			e.logf("failed to store route info: %v", err)
-		}
-	})
-}
-
-// hasDomainAddrLocked returns true if the address has been observed in a
-// resolution of domain.
-func (e *AppConnector) hasDomainAddrLocked(domain string, addr netip.Addr) bool {
-	_, ok := slices.BinarySearchFunc(e.domains[domain], addr, compareAddr)
-	return ok
-}
-
-// addDomainAddrLocked adds the address to the list of addresses resolved for
-// domain and ensures the list remains sorted. Does not attempt to deduplicate.
-func (e *AppConnector) addDomainAddrLocked(domain string, addr netip.Addr) {
-	e.domains[domain] = append(e.domains[domain], addr)
-	slices.SortFunc(e.domains[domain], compareAddr)
-}
-
-func compareAddr(l, r netip.Addr) int {
-	return l.Compare(r)
-}
-
-// routesWithout returns a without b where a and b
-// are unsorted slices of netip.Prefix
-func routesWithout(a, b []netip.Prefix) []netip.Prefix {
-	m := make(map[netip.Prefix]bool, len(b))
-	for _, p := range b {
-		m[p] = true
-	}
-	return slicesx.Filter(make([]netip.Prefix, 0, len(a)), a, func(p netip.Prefix) bool {
-		return !m[p]
-	})
-}

appc/appconnector_test.go

@@ -1,604 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package appc
-
-import (
-	"context"
-	"net/netip"
-	"reflect"
-	"slices"
-	"testing"
-	"time"
-
-	xmaps "golang.org/x/exp/maps"
-	"golang.org/x/net/dns/dnsmessage"
-	"tailscale.com/appc/appctest"
-	"tailscale.com/tstest"
-	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/mak"
-	"tailscale.com/util/must"
-)
-
-func fakeStoreRoutes(*RouteInfo) error { return nil }
-
-func TestUpdateDomains(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, &appctest.RouteCollector{}, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, &appctest.RouteCollector{}, nil, nil)
-		}
-		a.UpdateDomains([]string{"example.com"})
-
-		a.Wait(ctx)
-		if got, want := a.Domains().AsSlice(), []string{"example.com"}; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-
-		addr := netip.MustParseAddr("192.0.0.8")
-		a.domains["example.com"] = append(a.domains["example.com"], addr)
-		a.UpdateDomains([]string{"example.com"})
-		a.Wait(ctx)
-
-		if got, want := a.domains["example.com"], []netip.Addr{addr}; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-
-		// domains are explicitly downcased on set.
-		a.UpdateDomains([]string{"UP.EXAMPLE.COM"})
-		a.Wait(ctx)
-		if got, want := xmaps.Keys(a.domains), []string{"up.example.com"}; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-	}
-}
-
-func TestUpdateRoutes(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		a.updateDomains([]string{"*.example.com"})
-
-		// This route should be collapsed into the range
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "192.0.2.1"))
-		a.Wait(ctx)
-
-		if !slices.Equal(rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}) {
-			t.Fatalf("got %v, want %v", rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
-		}
-
-		// This route should not be collapsed or removed
-		a.ObserveDNSResponse(dnsResponse("b.example.com.", "192.0.0.1"))
-		a.Wait(ctx)
-
-		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
-		a.updateRoutes(routes)
-
-		slices.SortFunc(rc.Routes(), prefixCompare)
-		rc.SetRoutes(slices.Compact(rc.Routes()))
-		slices.SortFunc(routes, prefixCompare)
-
-		// Ensure that the non-matching /32 is preserved, even though it's in the domains table.
-		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
-			t.Errorf("added routes: got %v, want %v", rc.Routes(), routes)
-		}
-
-		// Ensure that the contained /32 is removed, replaced by the /24.
-		wantRemoved := []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}
-		if !slices.EqualFunc(rc.RemovedRoutes(), wantRemoved, prefixEqual) {
-			t.Fatalf("unexpected removed routes: %v", rc.RemovedRoutes())
-		}
-	}
-}
-
-func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		mak.Set(&a.domains, "example.com", []netip.Addr{netip.MustParseAddr("192.0.2.1")})
-		rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
-		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
-		a.updateRoutes(routes)
-
-		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
-			t.Fatalf("got %v, want %v", rc.Routes(), routes)
-		}
-	}
-}
-
-func TestDomainRoutes(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		a.updateDomains([]string{"example.com"})
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-		a.Wait(context.Background())
-
-		want := map[string][]netip.Addr{
-			"example.com": {netip.MustParseAddr("192.0.0.8")},
-		}
-
-		if got := a.DomainRoutes(); !reflect.DeepEqual(got, want) {
-			t.Fatalf("DomainRoutes: got %v, want %v", got, want)
-		}
-	}
-}
-
-func TestObserveDNSResponse(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-
-		// a has no domains configured, so it should not advertise any routes
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-		if got, want := rc.Routes(), ([]netip.Prefix)(nil); !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-
-		wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
-
-		a.updateDomains([]string{"example.com"})
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-		a.Wait(ctx)
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-
-		// a CNAME record chain should result in a route being added if the chain
-		// matches a routed domain.
-		a.updateDomains([]string{"www.example.com", "example.com"})
-		a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.9", "www.example.com.", "chain.example.com.", "example.com."))
-		a.Wait(ctx)
-		wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.9/32"))
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-
-		// a CNAME record chain should result in a route being added if the chain
-		// even if only found in the middle of the chain
-		a.ObserveDNSResponse(dnsCNAMEResponse("192.0.0.10", "outside.example.org.", "www.example.com.", "example.org."))
-		a.Wait(ctx)
-		wantRoutes = append(wantRoutes, netip.MustParsePrefix("192.0.0.10/32"))
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-
-		wantRoutes = append(wantRoutes, netip.MustParsePrefix("2001:db8::1/128"))
-
-		a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
-		a.Wait(ctx)
-		if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
-			t.Errorf("got %v; want %v", got, want)
-		}
-
-		// don't re-advertise routes that have already been advertised
-		a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
-		a.Wait(ctx)
-		if !slices.Equal(rc.Routes(), wantRoutes) {
-			t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
-		}
-
-		// don't advertise addresses that are already in a control provided route
-		pfx := netip.MustParsePrefix("192.0.2.0/24")
-		a.updateRoutes([]netip.Prefix{pfx})
-		wantRoutes = append(wantRoutes, pfx)
-		a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.2.1"))
-		a.Wait(ctx)
-		if !slices.Equal(rc.Routes(), wantRoutes) {
-			t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
-		}
-		if !slices.Contains(a.domains["example.com"], netip.MustParseAddr("192.0.2.1")) {
-			t.Errorf("missing %v from %v", "192.0.2.1", a.domains["exmaple.com"])
-		}
-	}
-}
-
-func TestWildcardDomains(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-
-		a.updateDomains([]string{"*.example.com"})
-		a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8"))
-		a.Wait(ctx)
-		if got, want := rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
-			t.Errorf("routes: got %v; want %v", got, want)
-		}
-		if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
-			t.Errorf("wildcards: got %v; want %v", got, want)
-		}
-
-		a.updateDomains([]string{"*.example.com", "example.com"})
-		if _, ok := a.domains["foo.example.com"]; !ok {
-			t.Errorf("expected foo.example.com to be preserved in domains due to wildcard")
-		}
-		if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
-			t.Errorf("wildcards: got %v; want %v", got, want)
-		}
-
-		// There was an early regression where the wildcard domain was added repeatedly, this guards against that.
-		a.updateDomains([]string{"*.example.com", "example.com"})
-		if len(a.wildcards) != 1 {
-			t.Errorf("expected only one wildcard domain, got %v", a.wildcards)
-		}
-	}
-}
-
-// dnsResponse is a test helper that creates a DNS response buffer for the given domain and address
-func dnsResponse(domain, address string) []byte {
-	addr := netip.MustParseAddr(address)
-	b := dnsmessage.NewBuilder(nil, dnsmessage.Header{})
-	b.EnableCompression()
-	b.StartAnswers()
-	switch addr.BitLen() {
-	case 32:
-		b.AResource(
-			dnsmessage.ResourceHeader{
-				Name:  dnsmessage.MustNewName(domain),
-				Type:  dnsmessage.TypeA,
-				Class: dnsmessage.ClassINET,
-				TTL:   0,
-			},
-			dnsmessage.AResource{
-				A: addr.As4(),
-			},
-		)
-	case 128:
-		b.AAAAResource(
-			dnsmessage.ResourceHeader{
-				Name:  dnsmessage.MustNewName(domain),
-				Type:  dnsmessage.TypeAAAA,
-				Class: dnsmessage.ClassINET,
-				TTL:   0,
-			},
-			dnsmessage.AAAAResource{
-				AAAA: addr.As16(),
-			},
-		)
-	default:
-		panic("invalid address length")
-	}
-	return must.Get(b.Finish())
-}
-
-func dnsCNAMEResponse(address string, domains ...string) []byte {
-	addr := netip.MustParseAddr(address)
-	b := dnsmessage.NewBuilder(nil, dnsmessage.Header{})
-	b.EnableCompression()
-	b.StartAnswers()
-
-	if len(domains) >= 2 {
-		for i, domain := range domains[:len(domains)-1] {
-			b.CNAMEResource(
-				dnsmessage.ResourceHeader{
-					Name:  dnsmessage.MustNewName(domain),
-					Type:  dnsmessage.TypeCNAME,
-					Class: dnsmessage.ClassINET,
-					TTL:   0,
-				},
-				dnsmessage.CNAMEResource{
-					CNAME: dnsmessage.MustNewName(domains[i+1]),
-				},
-			)
-		}
-	}
-
-	domain := domains[len(domains)-1]
-
-	switch addr.BitLen() {
-	case 32:
-		b.AResource(
-			dnsmessage.ResourceHeader{
-				Name:  dnsmessage.MustNewName(domain),
-				Type:  dnsmessage.TypeA,
-				Class: dnsmessage.ClassINET,
-				TTL:   0,
-			},
-			dnsmessage.AResource{
-				A: addr.As4(),
-			},
-		)
-	case 128:
-		b.AAAAResource(
-			dnsmessage.ResourceHeader{
-				Name:  dnsmessage.MustNewName(domain),
-				Type:  dnsmessage.TypeAAAA,
-				Class: dnsmessage.ClassINET,
-				TTL:   0,
-			},
-			dnsmessage.AAAAResource{
-				AAAA: addr.As16(),
-			},
-		)
-	default:
-		panic("invalid address length")
-	}
-	return must.Get(b.Finish())
-}
-
-func prefixEqual(a, b netip.Prefix) bool {
-	return a == b
-}
-
-func prefixCompare(a, b netip.Prefix) int {
-	if a.Addr().Compare(b.Addr()) == 0 {
-		return a.Bits() - b.Bits()
-	}
-	return a.Addr().Compare(b.Addr())
-}
-
-func prefixes(in ...string) []netip.Prefix {
-	toRet := make([]netip.Prefix, len(in))
-	for i, s := range in {
-		toRet[i] = netip.MustParsePrefix(s)
-	}
-	return toRet
-}
-
-func TestUpdateRouteRouteRemoval(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-
-		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
-			if !slices.Equal(routes, rc.Routes()) {
-				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
-			}
-			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
-				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
-			}
-		}
-
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		// nothing has yet been advertised
-		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{}, prefixes("1.2.3.1/32", "1.2.3.2/32"))
-		a.Wait(ctx)
-		// the routes passed to UpdateDomainsAndRoutes have been advertised
-		assertRoutes("simple update", prefixes("1.2.3.1/32", "1.2.3.2/32"), []netip.Prefix{})
-
-		// one route the same, one different
-		a.UpdateDomainsAndRoutes([]string{}, prefixes("1.2.3.1/32", "1.2.3.3/32"))
-		a.Wait(ctx)
-		// old behavior: routes are not removed, resulting routes are both old and new
-		// (we have dupe 1.2.3.1 routes because the test RouteAdvertiser doesn't have the deduplication
-		// the real one does)
-		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.1/32", "1.2.3.3/32")
-		wantRemovedRoutes := []netip.Prefix{}
-		if shouldStore {
-			// new behavior: routes are removed, resulting routes are new only
-			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.1/32", "1.2.3.3/32")
-			wantRemovedRoutes = prefixes("1.2.3.2/32")
-		}
-		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
-	}
-}
-
-func TestUpdateDomainRouteRemoval(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-
-		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
-			if !slices.Equal(routes, rc.Routes()) {
-				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
-			}
-			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
-				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
-			}
-		}
-
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com", "b.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// adding domains doesn't immediately cause any routes to be advertised
-		assertRoutes("update domains", []netip.Prefix{}, []netip.Prefix{})
-
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.1"))
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.2"))
-		a.ObserveDNSResponse(dnsResponse("b.example.com.", "1.2.3.3"))
-		a.ObserveDNSResponse(dnsResponse("b.example.com.", "1.2.3.4"))
-		a.Wait(ctx)
-		// observing dns responses causes routes to be advertised
-		assertRoutes("observed dns", prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32"), []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// old behavior, routes are not removed
-		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32")
-		wantRemovedRoutes := []netip.Prefix{}
-		if shouldStore {
-			// new behavior, routes are removed for b.example.com
-			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.2/32")
-			wantRemovedRoutes = prefixes("1.2.3.3/32", "1.2.3.4/32")
-		}
-		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
-	}
-}
-
-func TestUpdateWildcardRouteRemoval(t *testing.T) {
-	for _, shouldStore := range []bool{false, true} {
-		ctx := context.Background()
-		rc := &appctest.RouteCollector{}
-
-		assertRoutes := func(prefix string, routes, removedRoutes []netip.Prefix) {
-			if !slices.Equal(routes, rc.Routes()) {
-				t.Fatalf("%s: (shouldStore=%t) routes want %v, got %v", prefix, shouldStore, routes, rc.Routes())
-			}
-			if !slices.Equal(removedRoutes, rc.RemovedRoutes()) {
-				t.Fatalf("%s: (shouldStore=%t) removedRoutes want %v, got %v", prefix, shouldStore, removedRoutes, rc.RemovedRoutes())
-			}
-		}
-
-		var a *AppConnector
-		if shouldStore {
-			a = NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-		} else {
-			a = NewAppConnector(t.Logf, rc, nil, nil)
-		}
-		assertRoutes("appc init", []netip.Prefix{}, []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com", "*.b.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// adding domains doesn't immediately cause any routes to be advertised
-		assertRoutes("update domains", []netip.Prefix{}, []netip.Prefix{})
-
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.1"))
-		a.ObserveDNSResponse(dnsResponse("a.example.com.", "1.2.3.2"))
-		a.ObserveDNSResponse(dnsResponse("1.b.example.com.", "1.2.3.3"))
-		a.ObserveDNSResponse(dnsResponse("2.b.example.com.", "1.2.3.4"))
-		a.Wait(ctx)
-		// observing dns responses causes routes to be advertised
-		assertRoutes("observed dns", prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32"), []netip.Prefix{})
-
-		a.UpdateDomainsAndRoutes([]string{"a.example.com"}, []netip.Prefix{})
-		a.Wait(ctx)
-		// old behavior, routes are not removed
-		wantRoutes := prefixes("1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32", "1.2.3.4/32")
-		wantRemovedRoutes := []netip.Prefix{}
-		if shouldStore {
-			// new behavior, routes are removed for *.b.example.com
-			wantRoutes = prefixes("1.2.3.1/32", "1.2.3.2/32")
-			wantRemovedRoutes = prefixes("1.2.3.3/32", "1.2.3.4/32")
-		}
-		assertRoutes("removal", wantRoutes, wantRemovedRoutes)
-	}
-}
-
-func TestRoutesWithout(t *testing.T) {
-	assert := func(msg string, got, want []netip.Prefix) {
-		if !slices.Equal(want, got) {
-			t.Errorf("%s: want %v, got %v", msg, want, got)
-		}
-	}
-
-	assert("empty routes", routesWithout([]netip.Prefix{}, []netip.Prefix{}), []netip.Prefix{})
-	assert("a empty", routesWithout([]netip.Prefix{}, prefixes("1.1.1.1/32", "1.1.1.2/32")), []netip.Prefix{})
-	assert("b empty", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), []netip.Prefix{}), prefixes("1.1.1.1/32", "1.1.1.2/32"))
-	assert("no overlap", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), prefixes("1.1.1.3/32", "1.1.1.4/32")), prefixes("1.1.1.1/32", "1.1.1.2/32"))
-	assert("a has fewer", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32"), prefixes("1.1.1.1/32", "1.1.1.2/32", "1.1.1.3/32", "1.1.1.4/32")), []netip.Prefix{})
-	assert("a has more", routesWithout(prefixes("1.1.1.1/32", "1.1.1.2/32", "1.1.1.3/32", "1.1.1.4/32"), prefixes("1.1.1.1/32", "1.1.1.3/32")), prefixes("1.1.1.2/32", "1.1.1.4/32"))
-}
-
-func TestRateLogger(t *testing.T) {
-	clock := tstest.Clock{}
-	wasCalled := false
-	rl := newRateLogger(func() time.Time { return clock.Now() }, 1*time.Second, func(count int64, _ time.Time, _ int64) {
-		if count != 3 {
-			t.Fatalf("count for prev period: got %d, want 3", count)
-		}
-		wasCalled = true
-	})
-
-	for i := 0; i < 3; i++ {
-		clock.Advance(1 * time.Millisecond)
-		rl.update(0)
-		if wasCalled {
-			t.Fatalf("wasCalled: got true, want false")
-		}
-	}
-
-	clock.Advance(1 * time.Second)
-	rl.update(0)
-	if !wasCalled {
-		t.Fatalf("wasCalled: got false, want true")
-	}
-
-	wasCalled = false
-	rl = newRateLogger(func() time.Time { return clock.Now() }, 1*time.Hour, func(count int64, _ time.Time, _ int64) {
-		if count != 3 {
-			t.Fatalf("count for prev period: got %d, want 3", count)
-		}
-		wasCalled = true
-	})
-
-	for i := 0; i < 3; i++ {
-		clock.Advance(1 * time.Minute)
-		rl.update(0)
-		if wasCalled {
-			t.Fatalf("wasCalled: got true, want false")
-		}
-	}
-
-	clock.Advance(1 * time.Hour)
-	rl.update(0)
-	if !wasCalled {
-		t.Fatalf("wasCalled: got false, want true")
-	}
-}
-
-func TestRouteStoreMetrics(t *testing.T) {
-	metricStoreRoutes(1, 1)
-	metricStoreRoutes(1, 1)         // the 1 buckets value should be 2
-	metricStoreRoutes(5, 5)         // the 5 buckets value should be 1
-	metricStoreRoutes(6, 6)         // the 10 buckets value should be 1
-	metricStoreRoutes(10001, 10001) // the over buckets value should be 1
-	wanted := map[string]int64{
-		"appc_store_routes_n_routes_1":    2,
-		"appc_store_routes_rate_1":        2,
-		"appc_store_routes_n_routes_5":    1,
-		"appc_store_routes_rate_5":        1,
-		"appc_store_routes_n_routes_10":   1,
-		"appc_store_routes_rate_10":       1,
-		"appc_store_routes_n_routes_over": 1,
-		"appc_store_routes_rate_over":     1,
-	}
-	for _, x := range clientmetric.Metrics() {
-		if x.Value() != wanted[x.Name()] {
-			t.Errorf("%s: want: %d, got: %d", x.Name(), wanted[x.Name()], x.Value())
-		}
-	}
-}
-
-func TestMetricBucketsAreSorted(t *testing.T) {
-	if !slices.IsSorted(metricStoreRoutesRateBuckets) {
-		t.Errorf("metricStoreRoutesRateBuckets must be in order")
-	}
-	if !slices.IsSorted(metricStoreRoutesNBuckets) {
-		t.Errorf("metricStoreRoutesNBuckets must be in order")
-	}
-}

appc/appctest/appctest.go

@@ -1,50 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package appctest contains code to help test App Connectors.
-package appctest
-
-import (
-	"net/netip"
-	"slices"
-)
-
-// RouteCollector is a test helper that collects the list of routes advertised
-type RouteCollector struct {
-	routes        []netip.Prefix
-	removedRoutes []netip.Prefix
-}
-
-func (rc *RouteCollector) AdvertiseRoute(pfx ...netip.Prefix) error {
-	rc.routes = append(rc.routes, pfx...)
-	return nil
-}
-
-func (rc *RouteCollector) UnadvertiseRoute(toRemove ...netip.Prefix) error {
-	routes := rc.routes
-	rc.routes = rc.routes[:0]
-	for _, r := range routes {
-		if !slices.Contains(toRemove, r) {
-			rc.routes = append(rc.routes, r)
-		} else {
-			rc.removedRoutes = append(rc.removedRoutes, r)
-		}
-	}
-	return nil
-}
-
-// RemovedRoutes returns the list of routes that were removed.
-func (rc *RouteCollector) RemovedRoutes() []netip.Prefix {
-	return rc.removedRoutes
-}
-
-// Routes returns the ordered list of routes that were added, including
-// possible duplicates.
-func (rc *RouteCollector) Routes() []netip.Prefix {
-	return rc.routes
-}
-
-func (rc *RouteCollector) SetRoutes(routes []netip.Prefix) error {
-	rc.routes = routes
-	return nil
-}

atomicfile/atomicfile.go

@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2019 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
 
 // Package atomicfile contains code related to writing to filesystems
 // atomically.
@@ -8,21 +9,16 @@
 package atomicfile // import "tailscale.com/atomicfile"
 
 import (
-	"fmt"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
 )
 
-// WriteFile writes data to filename+some suffix, then renames it into filename.
-// The perm argument is ignored on Windows. If the target filename already
-// exists but is not a regular file, WriteFile returns an error.
+// WriteFile writes data to filename+some suffix, then renames it
+// into filename.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
-	fi, err := os.Stat(filename)
-	if err == nil && !fi.Mode().IsRegular() {
-		return fmt.Errorf("%s already exists and is not a regular file", filename)
-	}
-	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
+	f, err := ioutil.TempFile(filepath.Dir(filename), filepath.Base(filename)+".tmp")
 	if err != nil {
 		return err
 	}

atomicfile/atomicfile_test.go

@@ -1,47 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !js && !windows
-
-package atomicfile
-
-import (
-	"net"
-	"os"
-	"path/filepath"
-	"runtime"
-	"strings"
-	"testing"
-)
-
-func TestDoesNotOverwriteIrregularFiles(t *testing.T) {
-	// Per tailscale/tailscale#7658 as one example, almost any imagined use of
-	// atomicfile.Write should likely not attempt to overwrite an irregular file
-	// such as a device node, socket, or named pipe.
-
-	const filename = "TestDoesNotOverwriteIrregularFiles"
-	var path string
-	// macOS private temp does not allow unix socket creation, but /tmp does.
-	if runtime.GOOS == "darwin" {
-		path = filepath.Join("/tmp", filename)
-		t.Cleanup(func() { os.Remove(path) })
-	} else {
-		path = filepath.Join(t.TempDir(), filename)
-	}
-
-	// The least troublesome thing to make that is not a file is a unix socket.
-	// Making a null device sadly requires root.
-	l, err := net.ListenUnix("unix", &net.UnixAddr{Name: path, Net: "unix"})
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer l.Close()
-
-	err = WriteFile(path, []byte("hello"), 0644)
-	if err == nil {
-		t.Fatal("expected error, got nil")
-	}
-	if !strings.Contains(err.Error(), "is not a regular file") {
-		t.Fatalf("unexpected error: %v", err)
-	}
-}

brew/.gitignore

@@ -0,0 +1 @@
+local/

brew/README.md

@@ -0,0 +1,102 @@
+# Tailscale Mac Homebrew Maintainer Guide
+
+
+***********
+*** WIP ***
+***********
+
+
+Homebrew packaging of the non-IPNExtension, unsandboxed tailscale{d} releases for macOS/darwin.
+    
+So the public can "brew install" tailscale and start it as a global boot daemon via brew services.
+
+
+## Platforms Supported
+
+These platform versions and permutations have been tested and are known to work well:
+
+| role        | brew                        | golang                | os                     | arch               | repo       |
+| ----------- | --------------------------- | --------------------- | ---------------------- | ------------------ | ---------- |
+| maintainer: | Homebrew 3.0.1-120-g5ca03ab | go1.15.8 darwin/amd64 | macOS Catalina 10.15.3 | Intel 64-bit       |            |
+|             |   w/ ruby 2.6.3p62          |                       | macOS Big Sur 11.x (?) | Apple M1 ARM64 (?) |            |
+|             |                             |                       |                        |                    |            |
+|             |                             |                       |                        |                    |            |
+| pkg target: | Homebrew 3.0.1-120-g5ca03ab | go1.15.8 darwin/amd64 | macOS Catalina 10.15.3 | Intel 64-bit       | tailscale: |
+|             |   w/ ruby 2.6.3p62          |                       | macOS Big Sur 11.x (?) | Apple M1 ARM64 (?) | 188bb14269 |
+|             |                             |                       |                        |                    | HEAD       |
+|             |                             |                       |                        |                    | likely 1.5 |
+
+
+## Directory Contents
+
+| type               | name                         | purpose                                                        |
+| ------------------ | ---------------------------- | -------------------------------------------------------------- |
+| formulae           | tailscale.rb                 | The default packaging "formula" in Ruby, based on a            |
+|                    |                              | a pinned commit from the tailscale/tailscale GitHub repo       |
+|                    |                              |                                                                |
+|                    | tailscale.*.rb               | Alternate formulae (mainly used for testing now,               |
+|                    |                              | and includes some variants based on tagged release source      |
+|                    |                              | tarballs, and local test standin candidates)                   |
+|                    |                              |                                                                |
+| maintainer scripts | vars.sh                      | role for brew like version/version.sh for build_dist.sh        |
+|                    | generate-formulae.sh         | regenerates all formulae (default, plus some alternates)       |
+|                    | generate-formula.sh          | generates formula from an embedded template, to stdout         |
+|                    | make-test-source-tarball.sh  |                                                                |
+|                    | serve-tarball.sh             |                                                                |
+|                    | dl-tarball-sha.sh            |                                                                |
+|                    | test.sh                      | tests all supported permutations                               |
+|                    | install-start-with-checks.sh | install test run for maintainer                                |
+|                    | up.sh                        |                                                                |
+|                    | status.sh                    |                                                                |
+|                    | stop-uninstall-wipe.sh       | closing counterpart to the install*.sh script                  |
+|                    | search-interesting.sh        | nice to keep these on maintainer's radar                       |
+|                    |                              |                                                                |
+| subdirs            | brew/local/                  | .gitignored tree created and used during brew maintenance work |
+
+
+## Use Cases
+
+For the ultimate endusers (ONLY ONCE READY & AVAIL)...
+
+```
+brew install tailscale
+sudo brew services start tailscale
+```
+
+TODO(mkramlich): add context, details, variants to the above
+
+For an early adopter who wants to try an unofficial sneak preview of a local brew install of the WIP formula:
+
+```
+git clone https://github.com/mkramlich/tailscale
+cd tailscale
+git switch mkramlich/macos-brew2
+brew install --formula brew/tailscale.rb # default formula draws from a recent good commit from tailscale/tailscale
+sudo brew services start tailscale
+# tailscaled is now running and registered as a global boot daemon (via launchctl/launchd)
+brew/up.sh # then do your auth
+# tailscaled is now authorized and providing normal service to your VPN
+```
+
+For maintainers...
+
+All scripts assume you are in the cloned repo root, just above brew/
+	(EXCEPT make-test-source-tarball.sh, TODO)
+
+To edit the formula source, regen and retest:
+
+```
+# modify the template fragments inside generate-formula.sh
+#   and/or the var values in brew/vars.sh or brew/generate-formulae.sh
+brew/generate-formulae.sh
+brew/serve-tarball.sh # ensure running in background; only needed for the local source tarball test in test.sh
+brew/test.sh # this is very WIP, but generally the goal is if it exits 0 then the tests are green
+```
+
+A brew audit of a formula candidate can fail and its possible for it to 'brew install' and tailscale start successfully. A clean brew audit is only required (or strongly recommended) for submission to the Homebrew Core repository.
+
+A "clean" brew doctor on the maintainer's host is not required, but its helpful to ensure no unnecessary problems arise with brew testing downstream. And helps ensure that no quirks of the maintainer's host cause the formula to "works on my box!" but then fail on other's machines. Majority of issues it reports will have no impact, but ideally it should be kept silent and exit 0.
+
+A quirk of brew is that it likes to autoupdate under the hood, in reaction to (and not strictly needed to carry out) the user's express commands. This can cause unexpected delays (especially if bandwidth is your bottleneck) during package maintainer testing workflows. And makes it a challenge to achieve perfectly strict idempotency and deterministic installs. It appears to be a known trade-off call made by the Homebrew tool devs.
+
+TODO(mkramlich): flesh out much further; topics: formula vs bottle, sudo vs not, prefix diffs, local vs public ts tap vs core, testing, submission and bumping

brew/dl-tarball-sha.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env sh
+set -eu
+
+eval $(brew/vars.sh)
+
+#URLBASE=https://github.com
+URLBASE=http://localhost
+TARBALL=v$TS_VER.tar.gz
+curl -OL $URLBASE/tailscale/tailscale/archive/$TARBALL
+shasum -a256 ./$TARBALL # TODO(mkramlich): not the proper point in lifecycle to calc this

brew/generate-formula.sh

@@ -0,0 +1,132 @@
+#!/usr/bin/env sh
+#set -u # TODO(mkramlich): recreate
+
+# TODO(mkramlich): in form where the url is a .git, the url can also have a tag arg, like: tag: "v1.5.0"
+
+cat <<TEMPLATE
+# typed: false
+# frozen_string_literal: true
+
+# Homebrew formula for Tailscale
+class Tailscale < Formula
+  desc "Easiest, secure, crossplatform WireGuard Go-based VPN w/oauth2, 2FA/SSO"
+  homepage "https://www.tailscale.com"
+TEMPLATE
+
+if [ "$FORMULA_TYPE" = "tarball" ]; then
+	cat <<TEMPLATE2
+  url "$URL"
+  sha256 "$SHA256"
+TEMPLATE2
+elif [ "$FORMULA_TYPE" = "commit" ]; then
+	cat <<TEMPLATE3
+  url "$URL",
+      revision: "$REVISION"
+  version "$VERSION" # TODO(mkramlich): WIP, so not necessarily; brew required a version
+TEMPLATE3
+else
+	exit 1
+fi
+
+cat <<TEMPLATE4
+  license "BSD-3-Clause"
+  head "$HEAD",
+       branch: "$BRANCH"
+
+  depends_on "go" => :build
+
+  def install
+    ENV["GOPATH"] = buildpath
+    tailscale_path = buildpath/"src/github.com/tailscale/tailscale"
+    tailscale_path.install buildpath.children
+    cd tailscale_path do
+      # build the exes with version strings equiv to the tailscale repo's build_dist.sh:
+      ldflags = prepare_ldflags
+      system "go", "build", "-o", ".", "-tags", "xversion", "-ldflags", ldflags, "tailscale.com/cmd/tailscale"
+      system "go", "build", "-o", ".", "-tags", "xversion", "-ldflags", ldflags, "tailscale.com/cmd/tailscaled"
+      bin.install "tailscale"
+      bin.install "tailscaled"
+    end
+  end
+
+  def prepare_ldflags
+    ver_props = prepare_ver_props
+    vl  = ver_props["VERSION_LONG"]
+    vs  = ver_props["VERSION_SHORT"]
+    vgh = ver_props["VERSION_GIT_HASH"]
+    vl  = "tailscale.com/version.Long=#{vl}"
+    vs  = "tailscale.com/version.Short=#{vs}"
+    vgh = "tailscale.com/version.GitCommit=#{vgh}"
+    "-X #{vl} -X #{vs} -X #{vgh}"
+  end
+
+  def prepare_ver_props
+    distvers = Utils.safe_popen_read("./version/version.sh")
+    lines = distvers.split("\n")
+    ver_props = {}
+    lines.each do |line|
+      parts = line.split("=")
+      key = parts.at(0)
+      val = parts.at(1).delete('"') # cuz version.sh emits each prop with double-quotes enclosing each val
+      # system "echo adding to ver_props for go builds: key #{key}, val #{val}"
+      ver_props[key] = val
+    end
+    ver_props
+  end
+
+  def post_install
+    (var/"run/tailscale").mkpath
+    (var/"lib/tailscale").mkpath
+  end
+
+  def caveats
+    <<~EOS
+      To have launchd start tailscale now and restart at boot:
+        sudo brew services start tailscale
+      NOTE: The caveat message below with 'restart at login' is incorrect, but we can't suppress it. Requires sudo.
+    EOS
+  end
+
+  plist_options manual: "sudo tailscaled --socket=#{HOMEBREW_PREFIX}/run/tailscale/tailscaled.sock --state=#{HOMEBREW_PREFIX}/lib/tailscale/tailscaled.state"
+
+  def plist
+    <<~EOS
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+      <plist version="1.0">
+        <dict>
+          <key>KeepAlive</key>
+          <dict>
+            <key>SuccessfulExit</key>
+            <false/>
+            <key>NetworkState</key>
+            <true/>
+          </dict>
+          <key>Label</key>
+          <string>#{plist_name}</string>
+          <key>ProgramArguments</key>
+          <array>
+            <string>#{opt_bin}/tailscaled</string>
+            <string>--socket=#{var}/run/tailscale/tailscaled.sock</string>
+            <string>--state=#{var}/lib/tailscale/tailscaled.state</string>
+          </array>
+          <key>RunAtLoad</key>
+          <true/>
+          <key>WorkingDirectory</key>
+          <string>#{var}/lib/tailscale</string>
+          <key>StandardErrorPath</key>
+          <string>#{var}/log/tailscale/tailscaled-stderr.log</string>
+          <key>StandardOutPath</key>
+          <string>#{var}/log/tailscale/tailscaled-stdout.log</string>
+        </dict>
+      </plist>
+    EOS
+  end
+
+  test do
+    system bin/"tailscale", "version"
+    system bin/"tailscaled", "-version"
+    system bin/"tailscale", "netcheck"
+  end
+end
+TEMPLATE4

brew/generate-formulae.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env sh
+set -eu
+
+eval $(brew/vars.sh)
+
+GIT_URL=https://github.com/tailscale/tailscale.git
+BRANCH=main
+VERSION=$TS_VER # TODO(mkramlich): WIP. do this right
+
+# default formula (pinned against a commmit in the Tailscale GitHub repo)
+FORMULA_TYPE=commit URL=$GIT_URL BRANCH=$BRANCH REVISION=$TS_COMMIT_PIN HEAD=$GIT_URL BRANCH=$BRANCH VERSION=$VERSION brew/generate-formula.sh > brew/tailscale.commit-pin.rb
+
+# alt formula using local HTTP source tarball of a release standin/mock
+FORMULA_TYPE=tarball URL="http://localhost:$TS_TARBALL_PORT/tailscale/tailscale/archive/v1.5.0.tar.gz" SHA256="a62caf2eb5c84d2d1775cd8a17eeb0e8ad3b8dbc9453399862d908227e0af721" HEAD=$GIT_URL BRANCH=$BRANCH VERSION=$VERSION brew/generate-formula.sh > brew/tailscale.tb-local.rb
+
+# alt formula using Tailscale GitHub HTTPS source tarball of a release tag -- the LATEST tag
+FORMULA_TYPE=tarball URL="https://github.com/tailscale/tailscale/archive/v1.4.4.tar.gz" SHA256="5312c6d075a32049912e0932a89269869def9ac8ea9d0fdccc6b41db60fc2d4c" HEAD=$GIT_URL BRANCH=$BRANCH VERSION=$VERSION brew/generate-formula.sh > brew/tailscale.tb-github.rb
+
+cp brew/tailscale{.commit-pin,}.rb

brew/install-start-with-checks.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env sh
+set -eu
+
+eval $(brew/vars.sh)
+
+echo
+echo SUDO is $SUDO
+
+echo
+echo versions...
+brew --version
+brew config
+go version
+echo maintainer VERSION.txt: `cat VERSION.TXT`
+echo maintainer script version/version.sh exec:
+version/version.sh # we don't truly use this (yet?), just print here as helpful info for later analysis
+# TODO(mkramlich) make distinction clear between maintainer script source ver and target package vers
+
+echo
+echo brew doctor...
+set +e # to turn -e off (relax this only for time being)
+brew doctor # TODO(mkramlich): for brew maintainer, best if have no findings and exit 0
+set -e # to turn back on
+
+echo
+echo audit formula...
+# requires Internet access for some audit checks:
+brew audit --strict --online --formula $TS_FORMULA # keep this run exit 0 (NOTE: Homebrew can be noisy if updates)
+
+echo
+echo installing...
+#brew install -v --build-from-source $TS_FORMULA
+brew install -v --formula $TS_FORMULA
+
+echo
+echo checking exe location and diffs...
+diff $TS_BIN/tailscale $TS_CELLAR/$TS_VER/bin/tailscale # TODO(mkramlich): FIXME in test case global,tb-github; want 1.5.0, got 1.4.4, SHOULD want 1.4.4 cuz 1.4.4 correct
+diff $TS_BIN/tailscaled $TS_CELLAR/$TS_VER/bin/tailscaled
+
+echo
+echo check if brew has formula...
+brew list tailscale
+
+echo
+echo check if installed formula matches orig...
+diff $TS_FORMULA $TS_CELLAR/$TS_VER/.$TS_FORMULA
+
+echo
+echo lint of the generated launchctl plist for homebrew tailscale...
+# should print "<filepath>: OK" and exit 0; brew services (or launchctl) below
+# might reject (or silently allow) any given !0 case so better to catch an issue
+# early/wider than not, and automate extra clues for maintainer
+plutil -lint $TS_CELLAR/$TS_VER/$TS_PLIST
+
+echo
+echo brew test before starting...
+brew test $TS_FORMULA
+
+echo
+echo starting...
+$SUDO brew services start tailscale
+
+echo
+echo pausing as tailscaled starts...
+sleep 8
+
+echo
+echo checking that our registered Global Daemons plist matches expected...
+diff $TS_CELLAR/$TS_VER/$TS_PLIST $INSTALLED_PLIST_DIR/$TS_PLIST
+
+echo
+echo brew service shows tailscale as started...
+$SUDO brew services list | grep tailscale
+
+echo
+echo launchctl lists tailscale...
+$SUDO launchctl list | grep tailscale
+
+echo
+echo tailscale version...
+$TS_BIN/tailscale --version # should be found, executable and exit 0
+
+echo
+echo tailscale netcheck...
+$TS_BIN/tailscale netcheck # should be found, executable and exit 0
+
+echo
+echo tailscale up \(and wait for human to do the auth dance if needed\)...
+brew/up.sh # this will block, displaying the auth url, if it needs to auth. then/or proceed once happy
+
+echo
+echo list all tailscale files installed or generated...
+$SUDO find $BREW | grep -i tailscale
+
+echo
+echo pausing to give tailscaled enough time to finish post-auth setup...
+sleep 15 # otherwise some of my early status pings sometimes fail (esp hello.ipn.dev; then work on all subsequent attempts)
+echo
+echo status...
+brew/status.sh

brew/make-test-source-tarball.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env sh
+set -eu
+
+# does not create an official release source tarball per GitHub. creates a standin for it, for brew test purposes only
+
+eval $(tailscale/brew/vars.sh) # TODO(mkramlich): doc the path deviance or automate away
+
+TARBALL_ARCHIVE=tailscale/brew/local/tarball-serve-root/tailscale/tailscale/archive
+
+mkdir -p $TARBALL_ARCHIVE
+
+TARBALL=$TARBALL_ARCHIVE/v$TS_VER.tar.gz
+
+# assume a repo is cloned at that dir tree location, and its file state is what we want
+echo making $TARBALL
+tar -czf $TARBALL tailscale-$TS_VER/.gitignore tailscale-$TS_VER/.github/* tailscale-$TS_VER/.gitattributes tailscale-$TS_VER/*
+shasum -a256 ./$TARBALL

brew/search-interesting.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+
+brew search tailscale
+brew search wireguard
+brew search vpn
+brew search golang

brew/serve-tarball.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env sh
+set -eu
+
+# only for Tailscale brew maintainer, to local-only serve a source tarball standin, during brew testing
+
+eval $(brew/vars.sh)
+
+python3 -m http.server --directory brew/local/tarball-serve-root --bind localhost $TS_TARBALL_PORT
+
+# why the above? during one formula/release test brew may expect to fetch a tarball from (w/version varying):
+#     http://localhost:$TS_TARBALL_PORT/tailscale/tailscale/archive/v$TS_VER.tar.gz
+# where $TS_VER is like 1.5.0
+# therefore under tarball-serve-root/ that file should be in:
+#     tailscale/tailscale/archive/

brew/status.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env sh
+set -u
+
+eval $(brew/vars.sh)
+
+# everything you see below is not expected to be rigorous, or decisive or even always relevant,
+# but gives useful data and a nice smoke test of a candidate install for the brew maintainer
+
+echo file checks \(exes, state, socket\)...
+ls -la $TS_BIN/tailscale*
+ls -l $TS_STATE
+ls -l $TS_SOCK
+
+echo
+$TS_BIN/tailscale version
+
+echo
+$TS_BIN/tailscale netcheck
+
+echo
+echo tailscale status:
+sudo $TS_BIN/tailscale -socket=$TS_SOCK status
+
+echo
+ifconfig -r en0
+
+# TODO(mkramlich): learn the utun<NUM> it picked and handle tun/gateway right everywhere below
+
+echo
+ifconfig -r utun5
+
+echo Routing\\n
+
+echo \(Destination        Gateway            Flags        Netif Expire\):
+netstat -r -n -f inet | grep utun
+
+echo IPv4 routes:
+netstat -r -n -f inet -ll
+echo IPv4 route stats:
+netstat -r -n -f inet -s
+echo IPv6 routes:
+netstat -r -n -f inet6 -ll
+echo IPv6 route stats:
+netstat -r -n -f inet6 -s
+
+echo
+echo checking if host IP forwarding is enabled...
+sysctl -a | grep forward
+
+echo
+echo pinging the TS login/coord server...
+ping -c1 login.tailscale.com # only to help rule out other issues during a brew test
+
+echo
+echo pinging the TS log server...
+ping -c1 log.tailscale.io
+
+echo
+echo pinging the common hello node by name...
+ping -c1 hello.ipn.dev # a nice smoke test
+echo ... by tailscale ping DNS...
+sudo $TS_BIN/tailscale -socket=$TS_SOCK ping -c 1 hello.ipn.dev
+echo ... by ping IPv4...
+ping -c1 100.101.102.103
+echo ... by tailscale ping IPv4...
+sudo $TS_BIN/tailscale -socket=$TS_SOCK ping -c 1 100.101.102.103
+echo ... by ping6 IPv6...
+ping6 -c1 fd7a:115c:a1e0:ab12:4843:cd96:6265:6667 # TODO(mkramlich): do right or drop
+
+# TODO(mkramlich): below is personal node Ts addr, so either drop or make overridable by maintainer
+echo
+echo pinging my android node...
+ping -c1 100.119.147.125
+sudo $TS_BIN/tailscale -socket=$TS_SOCK ping -c 1 100.119.147.125
+ping6 -c1 fd7a:115c:a1e0:ab12:4843:cd96:6277:937d
+
+echo
+echo check stderr log for any recent error, warn, fail, missing or weird...
+# NOTE we dont do a 'set -e' style fail assert on this error log tail here because this is for human consumption,
+# plus, not quite sure/ready about what specifc messages are scary enough to potentially fail a test
+#sudo grep -i -e error -e warn -e fail -e missing -e weird $TS_LOG_DIR/tailscaled-stderr.log
+sudo tail -100 $TS_LOG_DIR/tailscaled-stderr.log | grep -i -e error -e warn -e fail -e missing -e weird
+

brew/stop-uninstall-wipe.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env sh
+set -u # also -e?
+
+eval $(brew/vars.sh)
+
+echo
+echo SUDO is $SUDO
+
+echo
+echo stopping...
+$SUDO brew services stop tailscale
+$SUDO brew services list | grep tailscale
+ps -ef | grep tailscaled | grep -v "grep tailscaled" # TODO(mkramlich): do better
+# TODO(mkramlich): the installed plist is gone?
+
+echo
+echo uninstalling...
+brew uninstall --force tailscale
+$SUDO brew services list | grep tailscale
+
+echo
+echo deleting...
+$SUDO rm -rf $TS_CELLAR/$TS_VER
+$SUDO rm -f $BREW/var/lib/tailscale/*
+$SUDO rm -f $TS_LOG_DIR/*
+rmdir $BREW/var/lib/tailscale
+rmdir $TS_LOG_DIR
+rmdir $BREW/var/run/tailscale
+rm $BREW/opt/tailscale  # was symlink to $TS_CELLAR/$TS_VER
+rmdir $TS_CELLAR
+find $BREW | grep -i tailscale
+find /opt | grep -i tailscale
+# TODO(mkramlich): wipeout brew git checkout cache and/or add test for with-vs-without

brew/tailscale.commit-pin.rb

@@ -0,0 +1,110 @@
+# typed: false
+# frozen_string_literal: true
+
+# Homebrew formula for Tailscale
+class Tailscale < Formula
+  desc "Easiest, secure, crossplatform WireGuard Go-based VPN w/oauth2, 2FA/SSO"
+  homepage "https://www.tailscale.com"
+  url "https://github.com/tailscale/tailscale.git",
+      revision: "188bb142691c8b97673a9cb2aebd9f1521e9bb12"
+  version "1.5.0" # TODO(mkramlich): WIP, so not necessarily; brew required a version
+  license "BSD-3-Clause"
+  head "https://github.com/tailscale/tailscale.git",
+       branch: "main"
+
+  depends_on "go" => :build
+
+  def install
+    ENV["GOPATH"] = buildpath
+    tailscale_path = buildpath/"src/github.com/tailscale/tailscale"
+    tailscale_path.install buildpath.children
+    cd tailscale_path do
+      # build the exes with version strings equiv to the tailscale repo's build_dist.sh:
+      ldflags = prepare_ldflags
+      system "go", "build", "-o", ".", "-tags", "xversion", "-ldflags", ldflags, "tailscale.com/cmd/tailscale"
+      system "go", "build", "-o", ".", "-tags", "xversion", "-ldflags", ldflags, "tailscale.com/cmd/tailscaled"
+      bin.install "tailscale"
+      bin.install "tailscaled"
+    end
+  end
+
+  def prepare_ldflags
+    ver_props = prepare_ver_props
+    vl  = ver_props["VERSION_LONG"]
+    vs  = ver_props["VERSION_SHORT"]
+    vgh = ver_props["VERSION_GIT_HASH"]
+    vl  = "tailscale.com/version.Long=#{vl}"
+    vs  = "tailscale.com/version.Short=#{vs}"
+    vgh = "tailscale.com/version.GitCommit=#{vgh}"
+    "-X #{vl} -X #{vs} -X #{vgh}"
+  end
+
+  def prepare_ver_props
+    distvers = Utils.safe_popen_read("./version/version.sh")
+    lines = distvers.split("\n")
+    ver_props = {}
+    lines.each do |line|
+      parts = line.split("=")
+      key = parts.at(0)
+      val = parts.at(1).delete('"') # cuz version.sh emits each prop with double-quotes enclosing each val
+      # system "echo adding to ver_props for go builds: key #{key}, val #{val}"
+      ver_props[key] = val
+    end
+    ver_props
+  end
+
+  def post_install
+    (var/"run/tailscale").mkpath
+    (var/"lib/tailscale").mkpath
+  end
+
+  def caveats
+    <<~EOS
+      To have launchd start tailscale now and restart at boot:
+        sudo brew services start tailscale
+      NOTE: The caveat message below with 'restart at login' is incorrect, but we can't suppress it. Requires sudo.
+    EOS
+  end
+
+  plist_options manual: "sudo tailscaled --socket=#{HOMEBREW_PREFIX}/run/tailscale/tailscaled.sock --state=#{HOMEBREW_PREFIX}/lib/tailscale/tailscaled.state"
+
+  def plist
+    <<~EOS
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+      <plist version="1.0">
+        <dict>
+          <key>KeepAlive</key>
+          <dict>
+            <key>SuccessfulExit</key>
+            <false/>
+            <key>NetworkState</key>
+            <true/>
+          </dict>
+          <key>Label</key>
+          <string>#{plist_name}</string>
+          <key>ProgramArguments</key>
+          <array>
+            <string>#{opt_bin}/tailscaled</string>
+            <string>--socket=#{var}/run/tailscale/tailscaled.sock</string>
+            <string>--state=#{var}/lib/tailscale/tailscaled.state</string>
+          </array>
+          <key>RunAtLoad</key>
+          <true/>
+          <key>WorkingDirectory</key>
+          <string>#{var}/lib/tailscale</string>
+          <key>StandardErrorPath</key>
+          <string>#{var}/log/tailscale/tailscaled-stderr.log</string>
+          <key>StandardOutPath</key>
+          <string>#{var}/log/tailscale/tailscaled-stdout.log</string>
+        </dict>
+      </plist>
+    EOS
+  end
+
+  test do
+    system bin/"tailscale", "version"
+    system bin/"tailscaled", "-version"
+    system bin/"tailscale", "netcheck"
+  end
+end

brew/tailscale.rb

@@ -0,0 +1,110 @@
+# typed: false
+# frozen_string_literal: true
+
+# Homebrew formula for Tailscale
+class Tailscale < Formula
+  desc "Easiest, secure, crossplatform WireGuard Go-based VPN w/oauth2, 2FA/SSO"
+  homepage "https://www.tailscale.com"
+  url "https://github.com/tailscale/tailscale.git",
+      revision: "188bb142691c8b97673a9cb2aebd9f1521e9bb12"
+  version "1.5.0" # TODO(mkramlich): WIP, so not necessarily; brew required a version
+  license "BSD-3-Clause"
+  head "https://github.com/tailscale/tailscale.git",
+       branch: "main"
+
+  depends_on "go" => :build
+
+  def install
+    ENV["GOPATH"] = buildpath
+    tailscale_path = buildpath/"src/github.com/tailscale/tailscale"
+    tailscale_path.install buildpath.children
+    cd tailscale_path do
+      # build the exes with version strings equiv to the tailscale repo's build_dist.sh:
+      ldflags = prepare_ldflags
+      system "go", "build", "-o", ".", "-tags", "xversion", "-ldflags", ldflags, "tailscale.com/cmd/tailscale"
+      system "go", "build", "-o", ".", "-tags", "xversion", "-ldflags", ldflags, "tailscale.com/cmd/tailscaled"
+      bin.install "tailscale"
+      bin.install "tailscaled"
+    end
+  end
+
+  def prepare_ldflags
+    ver_props = prepare_ver_props
+    vl  = ver_props["VERSION_LONG"]
+    vs  = ver_props["VERSION_SHORT"]
+    vgh = ver_props["VERSION_GIT_HASH"]
+    vl  = "tailscale.com/version.Long=#{vl}"
+    vs  = "tailscale.com/version.Short=#{vs}"
+    vgh = "tailscale.com/version.GitCommit=#{vgh}"
+    "-X #{vl} -X #{vs} -X #{vgh}"
+  end
+
+  def prepare_ver_props
+    distvers = Utils.safe_popen_read("./version/version.sh")
+    lines = distvers.split("\n")
+    ver_props = {}
+    lines.each do |line|
+      parts = line.split("=")
+      key = parts.at(0)
+      val = parts.at(1).delete('"') # cuz version.sh emits each prop with double-quotes enclosing each val
+      # system "echo adding to ver_props for go builds: key #{key}, val #{val}"
+      ver_props[key] = val
+    end
+    ver_props
+  end
+
+  def post_install
+    (var/"run/tailscale").mkpath
+    (var/"lib/tailscale").mkpath
+  end
+
+  def caveats
+    <<~EOS
+      To have launchd start tailscale now and restart at boot:
+        sudo brew services start tailscale
+      NOTE: The caveat message below with 'restart at login' is incorrect, but we can't suppress it. Requires sudo.
+    EOS
+  end
+
+  plist_options manual: "sudo tailscaled --socket=#{HOMEBREW_PREFIX}/run/tailscale/tailscaled.sock --state=#{HOMEBREW_PREFIX}/lib/tailscale/tailscaled.state"
+
+  def plist
+    <<~EOS
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+      <plist version="1.0">
+        <dict>
+          <key>KeepAlive</key>
+          <dict>
+            <key>SuccessfulExit</key>
+            <false/>
+            <key>NetworkState</key>
+            <true/>
+          </dict>
+          <key>Label</key>
+          <string>#{plist_name}</string>
+          <key>ProgramArguments</key>
+          <array>
+            <string>#{opt_bin}/tailscaled</string>
+            <string>--socket=#{var}/run/tailscale/tailscaled.sock</string>
+            <string>--state=#{var}/lib/tailscale/tailscaled.state</string>
+          </array>
+          <key>RunAtLoad</key>
+          <true/>
+          <key>WorkingDirectory</key>
+          <string>#{var}/lib/tailscale</string>
+          <key>StandardErrorPath</key>
+          <string>#{var}/log/tailscale/tailscaled-stderr.log</string>
+          <key>StandardOutPath</key>
+          <string>#{var}/log/tailscale/tailscaled-stdout.log</string>
+        </dict>
+      </plist>
+    EOS
+  end
+
+  test do
+    system bin/"tailscale", "version"
+    system bin/"tailscaled", "-version"
+    system bin/"tailscale", "netcheck"
+  end
+end

brew/tailscale.tb-github.rb

@@ -0,0 +1,109 @@
+# typed: false
+# frozen_string_literal: true
+
+# Homebrew formula for Tailscale
+class Tailscale < Formula
+  desc "Easiest, secure, crossplatform WireGuard Go-based VPN w/oauth2, 2FA/SSO"
+  homepage "https://www.tailscale.com"
+  url "https://github.com/tailscale/tailscale/archive/v1.4.4.tar.gz"
+  sha256 "5312c6d075a32049912e0932a89269869def9ac8ea9d0fdccc6b41db60fc2d4c"
+  license "BSD-3-Clause"
+  head "https://github.com/tailscale/tailscale.git",
+       branch: "main"
+
+  depends_on "go" => :build
+
+  def install
+    ENV["GOPATH"] = buildpath
+    tailscale_path = buildpath/"src/github.com/tailscale/tailscale"
+    tailscale_path.install buildpath.children
+    cd tailscale_path do
+      # build the exes with version strings equiv to the tailscale repo's build_dist.sh:
+      ldflags = prepare_ldflags
+      system "go", "build", "-o", ".", "-tags", "xversion", "-ldflags", ldflags, "tailscale.com/cmd/tailscale"
+      system "go", "build", "-o", ".", "-tags", "xversion", "-ldflags", ldflags, "tailscale.com/cmd/tailscaled"
+      bin.install "tailscale"
+      bin.install "tailscaled"
+    end
+  end
+
+  def prepare_ldflags
+    ver_props = prepare_ver_props
+    vl  = ver_props["VERSION_LONG"]
+    vs  = ver_props["VERSION_SHORT"]
+    vgh = ver_props["VERSION_GIT_HASH"]
+    vl  = "tailscale.com/version.Long=#{vl}"
+    vs  = "tailscale.com/version.Short=#{vs}"
+    vgh = "tailscale.com/version.GitCommit=#{vgh}"
+    "-X #{vl} -X #{vs} -X #{vgh}"
+  end
+
+  def prepare_ver_props
+    distvers = Utils.safe_popen_read("./version/version.sh")
+    lines = distvers.split("\n")
+    ver_props = {}
+    lines.each do |line|
+      parts = line.split("=")
+      key = parts.at(0)
+      val = parts.at(1).delete('"') # cuz version.sh emits each prop with double-quotes enclosing each val
+      # system "echo adding to ver_props for go builds: key #{key}, val #{val}"
+      ver_props[key] = val
+    end
+    ver_props
+  end
+
+  def post_install
+    (var/"run/tailscale").mkpath
+    (var/"lib/tailscale").mkpath
+  end
+
+  def caveats
+    <<~EOS
+      To have launchd start tailscale now and restart at boot:
+        sudo brew services start tailscale
+      NOTE: The caveat message below with 'restart at login' is incorrect, but we can't suppress it. Requires sudo.
+    EOS
+  end
+
+  plist_options manual: "sudo tailscaled --socket=#{HOMEBREW_PREFIX}/run/tailscale/tailscaled.sock --state=#{HOMEBREW_PREFIX}/lib/tailscale/tailscaled.state"
+
+  def plist
+    <<~EOS
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+      <plist version="1.0">
+        <dict>
+          <key>KeepAlive</key>
+          <dict>
+            <key>SuccessfulExit</key>
+            <false/>
+            <key>NetworkState</key>
+            <true/>
+          </dict>
+          <key>Label</key>
+          <string>#{plist_name}</string>
+          <key>ProgramArguments</key>
+          <array>
+            <string>#{opt_bin}/tailscaled</string>
+            <string>--socket=#{var}/run/tailscale/tailscaled.sock</string>
+            <string>--state=#{var}/lib/tailscale/tailscaled.state</string>
+          </array>
+          <key>RunAtLoad</key>
+          <true/>
+          <key>WorkingDirectory</key>
+          <string>#{var}/lib/tailscale</string>
+          <key>StandardErrorPath</key>
+          <string>#{var}/log/tailscale/tailscaled-stderr.log</string>
+          <key>StandardOutPath</key>
+          <string>#{var}/log/tailscale/tailscaled-stdout.log</string>
+        </dict>
+      </plist>
+    EOS
+  end
+
+  test do
+    system bin/"tailscale", "version"
+    system bin/"tailscaled", "-version"
+    system bin/"tailscale", "netcheck"
+  end
+end

brew/tailscale.tb-local.rb

@@ -0,0 +1,109 @@
+# typed: false
+# frozen_string_literal: true
+
+# Homebrew formula for Tailscale
+class Tailscale < Formula
+  desc "Easiest, secure, crossplatform WireGuard Go-based VPN w/oauth2, 2FA/SSO"
+  homepage "https://www.tailscale.com"
+  url "http://localhost:8901/tailscale/tailscale/archive/v1.5.0.tar.gz"
+  sha256 "a62caf2eb5c84d2d1775cd8a17eeb0e8ad3b8dbc9453399862d908227e0af721"
+  license "BSD-3-Clause"
+  head "https://github.com/tailscale/tailscale.git",
+       branch: "main"
+
+  depends_on "go" => :build
+
+  def install
+    ENV["GOPATH"] = buildpath
+    tailscale_path = buildpath/"src/github.com/tailscale/tailscale"
+    tailscale_path.install buildpath.children
+    cd tailscale_path do
+      # build the exes with version strings equiv to the tailscale repo's build_dist.sh:
+      ldflags = prepare_ldflags
+      system "go", "build", "-o", ".", "-tags", "xversion", "-ldflags", ldflags, "tailscale.com/cmd/tailscale"
+      system "go", "build", "-o", ".", "-tags", "xversion", "-ldflags", ldflags, "tailscale.com/cmd/tailscaled"
+      bin.install "tailscale"
+      bin.install "tailscaled"
+    end
+  end
+
+  def prepare_ldflags
+    ver_props = prepare_ver_props
+    vl  = ver_props["VERSION_LONG"]
+    vs  = ver_props["VERSION_SHORT"]
+    vgh = ver_props["VERSION_GIT_HASH"]
+    vl  = "tailscale.com/version.Long=#{vl}"
+    vs  = "tailscale.com/version.Short=#{vs}"
+    vgh = "tailscale.com/version.GitCommit=#{vgh}"
+    "-X #{vl} -X #{vs} -X #{vgh}"
+  end
+
+  def prepare_ver_props
+    distvers = Utils.safe_popen_read("./version/version.sh")
+    lines = distvers.split("\n")
+    ver_props = {}
+    lines.each do |line|
+      parts = line.split("=")
+      key = parts.at(0)
+      val = parts.at(1).delete('"') # cuz version.sh emits each prop with double-quotes enclosing each val
+      # system "echo adding to ver_props for go builds: key #{key}, val #{val}"
+      ver_props[key] = val
+    end
+    ver_props
+  end
+
+  def post_install
+    (var/"run/tailscale").mkpath
+    (var/"lib/tailscale").mkpath
+  end
+
+  def caveats
+    <<~EOS
+      To have launchd start tailscale now and restart at boot:
+        sudo brew services start tailscale
+      NOTE: The caveat message below with 'restart at login' is incorrect, but we can't suppress it. Requires sudo.
+    EOS
+  end
+
+  plist_options manual: "sudo tailscaled --socket=#{HOMEBREW_PREFIX}/run/tailscale/tailscaled.sock --state=#{HOMEBREW_PREFIX}/lib/tailscale/tailscaled.state"
+
+  def plist
+    <<~EOS
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+      <plist version="1.0">
+        <dict>
+          <key>KeepAlive</key>
+          <dict>
+            <key>SuccessfulExit</key>
+            <false/>
+            <key>NetworkState</key>
+            <true/>
+          </dict>
+          <key>Label</key>
+          <string>#{plist_name}</string>
+          <key>ProgramArguments</key>
+          <array>
+            <string>#{opt_bin}/tailscaled</string>
+            <string>--socket=#{var}/run/tailscale/tailscaled.sock</string>
+            <string>--state=#{var}/lib/tailscale/tailscaled.state</string>
+          </array>
+          <key>RunAtLoad</key>
+          <true/>
+          <key>WorkingDirectory</key>
+          <string>#{var}/lib/tailscale</string>
+          <key>StandardErrorPath</key>
+          <string>#{var}/log/tailscale/tailscaled-stderr.log</string>
+          <key>StandardOutPath</key>
+          <string>#{var}/log/tailscale/tailscaled-stdout.log</string>
+        </dict>
+      </plist>
+    EOS
+  end
+
+  test do
+    system bin/"tailscale", "version"
+    system bin/"tailscaled", "-version"
+    system bin/"tailscale", "netcheck"
+  end
+end

brew/test.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env sh
+set -eu
+
+# TODO(mkramlich):
+#   dl-tarball-sha.sh
+#   make-test-source-tarball.sh
+
+
+echo test variant: global, tb-local
+#TODO(mkramlich): for the tb-local tests, server-tarball.sh should be running, with tarball in place
+cp brew/tailscale{.tb-local,}.rb
+# brew services (via launchd) start as a global boot daemon (in /Library/LaunchDaemons), running as root
+# TODO(mkramlich): confirm at reboot starts & works
+SUDO="sudo" INSTALLED_PLIST_DIR=/Library/LaunchDaemons brew/install-start-with-checks.sh
+SUDO="sudo" INSTALLED_PLIST_DIR=/Library/LaunchDaemons brew/stop-uninstall-wipe.sh
+
+
+echo test variant: global, tb-github
+cp brew/tailscale{.tb-github,}.rb
+# brew services (via launchd) start as a global boot daemon (in /Library/LaunchDaemons), running as root
+# TODO(mkramlich): confirm at reboot starts & works
+SUDO="sudo" INSTALLED_PLIST_DIR=/Library/LaunchDaemons brew/install-start-with-checks.sh
+SUDO="sudo" INSTALLED_PLIST_DIR=/Library/LaunchDaemons brew/stop-uninstall-wipe.sh
+
+
+echo test variant: global, commit-pin
+cp brew/tailscale{.commit-pin,}.rb
+# brew services (via launchd) start as a global boot daemon (in /Library/LaunchDaemons), running as root
+# TODO(mkramlich): confirm at reboot starts & works
+SUDO="sudo" INSTALLED_PLIST_DIR=/Library/LaunchDaemons brew/install-start-with-checks.sh
+SUDO="sudo" INSTALLED_PLIST_DIR=/Library/LaunchDaemons brew/stop-uninstall-wipe.sh
+
+
+#####################################
+
+# brew services (via launchd) start as a user login agent (in ~/Library/LaunchAgents), BUT runs as sudo
+# TODO(mkramlich): just a WIP POC, much lower priority than boot perm, might drop
+#SUDO="" INSTALLED_PLIST_DIR=~/Library/LaunchAgents brew/install-start-with-checks.sh
+#SUDO="" INSTALLED_PLIST_DIR=~/Library/LaunchAgents brew/stop-uninstall-wipe.sh

brew/up.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+set -eu
+
+eval $(brew/vars.sh)
+
+sudo $TS_BIN/tailscale -socket=$TS_SOCK up

brew/vars.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env sh
+set -eu
+
+# TODO(mkramlich): elim redundancy with or otherwise maybe take advantage of version/version.sh
+
+BREW=`brew --prefix` # because varies; /usr/local on Intel, /opt/homebrew on ARM64/M1/AppleSilicon
+
+# TODO(mkramlich): Cellar
+
+cat <<EOF
+TS_VER=1.5.0
+TS_COMMIT_PIN=188bb142691c8b97673a9cb2aebd9f1521e9bb12
+TS_BIN=$BREW/bin
+TS_SOCK=$BREW/var/run/tailscale/tailscaled.sock
+TS_STATE=$BREW/var/lib/tailscale/tailscaled.state
+TS_LOG_DIR=$BREW/var/log/tailscale
+TS_CELLAR=$BREW/Cellar/tailscale
+TS_PLIST=homebrew.mxcl.tailscale.plist
+TS_TARBALL_PORT=8901
+TS_FORMULA=brew/tailscale.rb
+BREW=$BREW
+INSTALLED_PLIST_DIR=/Library/LaunchDaemons
+EOF

build_dist.sh

@@ -8,45 +8,12 @@
 # If you're packaging Tailscale for a distro, please consider using
 # this script, or executing equivalent commands in your
 # distro-specific build system.
+#
+# Homebrew: if the version embed mechanism changes here, please
+# also change it in brew/generate-formula.sh, to keep identical.
 
 set -eu
 
-go="go"
-if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
-	go="./tool/go"
-fi
+eval $(./version/version.sh)
 
-eval `CGO_ENABLED=0 GOOS=$($go env GOHOSTOS) GOARCH=$($go env GOHOSTARCH) $go run ./cmd/mkversion`
-
-if [ "$1" = "shellvars" ]; then
-	cat <<EOF
-VERSION_MINOR="$VERSION_MINOR"
-VERSION_SHORT="$VERSION_SHORT"
-VERSION_LONG="$VERSION_LONG"
-VERSION_GIT_HASH="$VERSION_GIT_HASH"
-EOF
-	exit 0
-fi
-
-tags=""
-ldflags="-X tailscale.com/version.longStamp=${VERSION_LONG} -X tailscale.com/version.shortStamp=${VERSION_SHORT}"
-
-# build_dist.sh arguments must precede go build arguments.
-while [ "$#" -gt 1 ]; do
-	case "$1" in
-	--extra-small)
-		shift
-		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube,ts_omit_completion"
-		;;
-	--box)
-		shift
-		tags="${tags:+$tags,}ts_include_cli"
-		;;
-	*)
-		break
-		;;
-	esac
-done
-
-exec $go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
+exec go build -tags xversion -ldflags "-X tailscale.com/version.Long=${VERSION_LONG} -X tailscale.com/version.Short=${VERSION_SHORT} -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" "$@"

build_docker.sh

@@ -1,84 +1,31 @@
 #!/usr/bin/env sh
+
 #
-# This script builds Tailscale container images using
-# github.com/tailscale/mkctr.
-# By default the images will be tagged with the current version and git
-# hash of this repository as produced by ./cmd/mkversion.
-# This is the image build mechanim used to build the official Tailscale
-# container images.
+# Runs `go build` with flags configured for docker distribution. All
+# it does differently from `go build` is burn git commit and version
+# information into the binaries inside docker, so that we can track down user
+# issues.
+#
+############################################################################
+#
+# WARNING: Tailscale is not yet officially supported in Docker,
+# Kubernetes, etc.
+#
+# It might work, but we don't regularly test it, and it's not as polished as
+# our currently supported platforms. This is provided for people who know
+# how Tailscale works and what they're doing.
+#
+# Our tracking bug for officially support container use cases is:
+#    https://github.com/tailscale/tailscale/issues/504
+#
+# Also, see the various bugs tagged "containers":
+#    https://github.com/tailscale/tailscale/labels/containers
+#
+############################################################################
 
 set -eu
 
-# Use the "go" binary from the "tool" directory (which is github.com/tailscale/go)
-export PATH="$PWD"/tool:"$PATH"
+eval $(./version/version.sh)
 
-eval "$(./build_dist.sh shellvars)"
-
-DEFAULT_TARGET="client"
-DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
-DEFAULT_BASE="tailscale/alpine-base:3.18"
-
-PUSH="${PUSH:-false}"
-TARGET="${TARGET:-${DEFAULT_TARGET}}"
-TAGS="${TAGS:-${DEFAULT_TAGS}}"
-BASE="${BASE:-${DEFAULT_BASE}}"
-PLATFORM="${PLATFORM:-}" # default to all platforms
-
-case "$TARGET" in
-  client)
-    DEFAULT_REPOS="tailscale/tailscale"
-    REPOS="${REPOS:-${DEFAULT_REPOS}}"
-    go run github.com/tailscale/mkctr \
-      --gopaths="\
-        tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
-        tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled, \
-        tailscale.com/cmd/containerboot:/usr/local/bin/containerboot" \
-      --ldflags="\
-        -X tailscale.com/version.longStamp=${VERSION_LONG} \
-        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
-        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
-      --base="${BASE}" \
-      --tags="${TAGS}" \
-      --gotags="ts_kube,ts_package_container" \
-      --repos="${REPOS}" \
-      --push="${PUSH}" \
-      --target="${PLATFORM}" \
-      /usr/local/bin/containerboot
-    ;;
-  operator)
-    DEFAULT_REPOS="tailscale/k8s-operator"
-    REPOS="${REPOS:-${DEFAULT_REPOS}}"
-    go run github.com/tailscale/mkctr \
-      --gopaths="tailscale.com/cmd/k8s-operator:/usr/local/bin/operator" \
-      --ldflags="\
-        -X tailscale.com/version.longStamp=${VERSION_LONG} \
-        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
-        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
-      --base="${BASE}" \
-      --tags="${TAGS}" \
-      --repos="${REPOS}" \
-      --push="${PUSH}" \
-      --target="${PLATFORM}" \
-      /usr/local/bin/operator
-    ;;
-  k8s-nameserver)
-    DEFAULT_REPOS="tailscale/k8s-nameserver"
-    REPOS="${REPOS:-${DEFAULT_REPOS}}"
-    go run github.com/tailscale/mkctr \
-      --gopaths="tailscale.com/cmd/k8s-nameserver:/usr/local/bin/k8s-nameserver" \
-      --ldflags=" \
-        -X tailscale.com/version.longStamp=${VERSION_LONG} \
-        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
-        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
-      --base="${BASE}" \
-      --tags="${TAGS}" \
-      --repos="${REPOS}" \
-      --push="${PUSH}" \
-      --target="${PLATFORM}" \
-      /usr/local/bin/k8s-nameserver
-    ;;
-  *)
-    echo "unknown target: $TARGET"
-    exit 1
-    ;;
-esac
+GOFLAGS='-tags xversion -ldflags '"-X tailscale.com/version.Long=${VERSION_LONG} -X tailscale.com/version.Short=${VERSION_SHORT} -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}"
+docker build --build-arg goflags_arg="'""${GOFLAGS}""'" -t tailscale:tailscale .

chirp/chirp.go

@@ -1,163 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package chirp implements a client to communicate with the BIRD Internet
-// Routing Daemon.
-package chirp
-
-import (
-	"bufio"
-	"fmt"
-	"net"
-	"strings"
-	"time"
-)
-
-const (
-	// Maximum amount of time we should wait when reading a response from BIRD.
-	responseTimeout = 10 * time.Second
-)
-
-// New creates a BIRDClient.
-func New(socket string) (*BIRDClient, error) {
-	return newWithTimeout(socket, responseTimeout)
-}
-
-func newWithTimeout(socket string, timeout time.Duration) (_ *BIRDClient, err error) {
-	conn, err := net.Dial("unix", socket)
-	if err != nil {
-		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
-	}
-	defer func() {
-		if err != nil {
-			conn.Close()
-		}
-	}()
-
-	b := &BIRDClient{
-		socket:  socket,
-		conn:    conn,
-		scanner: bufio.NewScanner(conn),
-		timeNow: time.Now,
-		timeout: timeout,
-	}
-	// Read and discard the first line as that is the welcome message.
-	if _, err := b.readResponse(); err != nil {
-		return nil, err
-	}
-	return b, nil
-}
-
-// BIRDClient handles communication with the BIRD Internet Routing Daemon.
-type BIRDClient struct {
-	socket  string
-	conn    net.Conn
-	scanner *bufio.Scanner
-	timeNow func() time.Time
-	timeout time.Duration
-}
-
-// Close closes the underlying connection to BIRD.
-func (b *BIRDClient) Close() error { return b.conn.Close() }
-
-// DisableProtocol disables the provided protocol.
-func (b *BIRDClient) DisableProtocol(protocol string) error {
-	out, err := b.exec("disable %s", protocol)
-	if err != nil {
-		return err
-	}
-	if strings.Contains(out, fmt.Sprintf("%s: already disabled", protocol)) {
-		return nil
-	} else if strings.Contains(out, fmt.Sprintf("%s: disabled", protocol)) {
-		return nil
-	}
-	return fmt.Errorf("failed to disable %s: %v", protocol, out)
-}
-
-// EnableProtocol enables the provided protocol.
-func (b *BIRDClient) EnableProtocol(protocol string) error {
-	out, err := b.exec("enable %s", protocol)
-	if err != nil {
-		return err
-	}
-	if strings.Contains(out, fmt.Sprintf("%s: already enabled", protocol)) {
-		return nil
-	} else if strings.Contains(out, fmt.Sprintf("%s: enabled", protocol)) {
-		return nil
-	}
-	return fmt.Errorf("failed to enable %s: %v", protocol, out)
-}
-
-// BIRD CLI docs from https://bird.network.cz/?get_doc&v=20&f=prog-2.html#ss2.9
-
-// Each session of the CLI consists of a sequence of request and replies,
-// slightly resembling the FTP and SMTP protocols.
-// Requests are commands encoded as a single line of text,
-// replies are sequences of lines starting with a four-digit code
-// followed by either a space (if it's the last line of the reply) or
-// a minus sign (when the reply is going to continue with the next line),
-// the rest of the line contains a textual message semantics of which depends on the numeric code.
-// If a reply line has the same code as the previous one and it's a continuation line,
-// the whole prefix can be replaced by a single white space character.
-//
-// Reply codes starting with 0 stand for ‘action successfully completed’ messages,
-// 1 means ‘table entry’, 8 ‘runtime error’ and 9 ‘syntax error’.
-
-func (b *BIRDClient) exec(cmd string, args ...any) (string, error) {
-	if err := b.conn.SetWriteDeadline(b.timeNow().Add(b.timeout)); err != nil {
-		return "", err
-	}
-	if _, err := fmt.Fprintf(b.conn, cmd, args...); err != nil {
-		return "", err
-	}
-	if _, err := fmt.Fprintln(b.conn); err != nil {
-		return "", err
-	}
-	return b.readResponse()
-}
-
-// hasResponseCode reports whether the provided byte slice is
-// prefixed with a BIRD response code.
-// Equivalent regex: `^\d{4}[ -]`.
-func hasResponseCode(s []byte) bool {
-	if len(s) < 5 {
-		return false
-	}
-	for _, b := range s[:4] {
-		if '0' <= b && b <= '9' {
-			continue
-		}
-		return false
-	}
-	return s[4] == ' ' || s[4] == '-'
-}
-
-func (b *BIRDClient) readResponse() (string, error) {
-	// Set the read timeout before we start reading anything.
-	if err := b.conn.SetReadDeadline(b.timeNow().Add(b.timeout)); err != nil {
-		return "", err
-	}
-
-	var resp strings.Builder
-	var done bool
-	for !done {
-		if !b.scanner.Scan() {
-			if err := b.scanner.Err(); err != nil {
-				return "", err
-			}
-
-			return "", fmt.Errorf("reading response from bird failed (EOF): %q", resp.String())
-		}
-		out := b.scanner.Bytes()
-		if _, err := resp.Write(out); err != nil {
-			return "", err
-		}
-		if hasResponseCode(out) {
-			done = out[4] == ' '
-		}
-		if !done {
-			resp.WriteRune('\n')
-		}
-	}
-	return resp.String(), nil
-}

chirp/chirp_test.go

@@ -1,192 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-package chirp
-
-import (
-	"bufio"
-	"errors"
-	"fmt"
-	"net"
-	"os"
-	"path/filepath"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-)
-
-type fakeBIRD struct {
-	net.Listener
-	protocolsEnabled map[string]bool
-	sock             string
-}
-
-func newFakeBIRD(t *testing.T, protocols ...string) *fakeBIRD {
-	sock := filepath.Join(t.TempDir(), "sock")
-	l, err := net.Listen("unix", sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	pe := make(map[string]bool)
-	for _, p := range protocols {
-		pe[p] = false
-	}
-	return &fakeBIRD{
-		Listener:         l,
-		protocolsEnabled: pe,
-		sock:             sock,
-	}
-}
-
-func (fb *fakeBIRD) listen() error {
-	for {
-		c, err := fb.Accept()
-		if err != nil {
-			if errors.Is(err, net.ErrClosed) {
-				return nil
-			}
-			return err
-		}
-		go fb.handle(c)
-	}
-}
-
-func (fb *fakeBIRD) handle(c net.Conn) {
-	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
-	sc := bufio.NewScanner(c)
-	for sc.Scan() {
-		cmd := sc.Text()
-		args := strings.Split(cmd, " ")
-		switch args[0] {
-		case "enable":
-			en, ok := fb.protocolsEnabled[args[1]]
-			if !ok {
-				fmt.Fprintln(c, "9001 syntax error, unexpected CF_SYM_UNDEFINED, expecting CF_SYM_KNOWN or TEXT or ALL")
-			} else if en {
-				fmt.Fprintf(c, "0010-%s: already enabled\n", args[1])
-			} else {
-				fmt.Fprintf(c, "0011-%s: enabled\n", args[1])
-			}
-			fmt.Fprintln(c, "0000 ")
-			fb.protocolsEnabled[args[1]] = true
-		case "disable":
-			en, ok := fb.protocolsEnabled[args[1]]
-			if !ok {
-				fmt.Fprintln(c, "9001 syntax error, unexpected CF_SYM_UNDEFINED, expecting CF_SYM_KNOWN or TEXT or ALL")
-			} else if !en {
-				fmt.Fprintf(c, "0008-%s: already disabled\n", args[1])
-			} else {
-				fmt.Fprintf(c, "0009-%s: disabled\n", args[1])
-			}
-			fmt.Fprintln(c, "0000 ")
-			fb.protocolsEnabled[args[1]] = false
-		}
-	}
-}
-
-func TestChirp(t *testing.T) {
-	fb := newFakeBIRD(t, "tailscale")
-	defer fb.Close()
-	go fb.listen()
-	c, err := New(fb.sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if err := c.EnableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.EnableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.DisableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.DisableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.EnableProtocol("rando"); err == nil {
-		t.Fatalf("enabling %q succeeded", "rando")
-	}
-	if err := c.DisableProtocol("rando"); err == nil {
-		t.Fatalf("disabling %q succeeded", "rando")
-	}
-}
-
-type hangingListener struct {
-	net.Listener
-	t    *testing.T
-	done chan struct{}
-	wg   sync.WaitGroup
-	sock string
-}
-
-func newHangingListener(t *testing.T) *hangingListener {
-	sock := filepath.Join(t.TempDir(), "sock")
-	l, err := net.Listen("unix", sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return &hangingListener{
-		Listener: l,
-		t:        t,
-		done:     make(chan struct{}),
-		sock:     sock,
-	}
-}
-
-func (hl *hangingListener) Stop() {
-	hl.Close()
-	close(hl.done)
-	hl.wg.Wait()
-}
-
-func (hl *hangingListener) listen() error {
-	for {
-		c, err := hl.Accept()
-		if err != nil {
-			if errors.Is(err, net.ErrClosed) {
-				return nil
-			}
-			return err
-		}
-		hl.wg.Add(1)
-		go hl.handle(c)
-	}
-}
-
-func (hl *hangingListener) handle(c net.Conn) {
-	defer hl.wg.Done()
-
-	// Write our fake first line of response so that we get into the read loop
-	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
-
-	ticker := time.NewTicker(2 * time.Second)
-	defer ticker.Stop()
-	for {
-		select {
-		case <-ticker.C:
-			hl.t.Logf("connection still hanging")
-		case <-hl.done:
-			return
-		}
-	}
-}
-
-func TestChirpTimeout(t *testing.T) {
-	fb := newHangingListener(t)
-	defer fb.Stop()
-	go fb.listen()
-
-	c, err := newWithTimeout(fb.sock, 500*time.Millisecond)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = c.EnableProtocol("tailscale")
-	if err == nil {
-		t.Fatal("got err=nil, want timeout")
-	}
-	if !os.IsTimeout(err) {
-		t.Fatalf("got err=%v, want os.IsTimeout(err)=true", err)
-	}
-}

client/tailscale/acl.go

@@ -1,516 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/netip"
-)
-
-// ACLRow defines a rule that grants access by a set of users or groups to a set
-// of servers and ports.
-// Only one of Src/Dst or Users/Ports may be specified.
-type ACLRow struct {
-	Action string   `json:"action,omitempty"` // valid values: "accept"
-	Users  []string `json:"users,omitempty"`  // old name for src
-	Ports  []string `json:"ports,omitempty"`  // old name for dst
-	Src    []string `json:"src,omitempty"`
-	Dst    []string `json:"dst,omitempty"`
-}
-
-// ACLTest defines a test for your ACLs to prevent accidental exposure or
-// revoking of access to key servers and ports. Only one of Src or User may be
-// specified, and only one of Allow/Accept may be specified.
-type ACLTest struct {
-	Src    string   `json:"src,omitempty"`    // source
-	User   string   `json:"user,omitempty"`   // old name for source
-	Accept []string `json:"accept,omitempty"` // expected destination ip:port that user can access
-	Deny   []string `json:"deny,omitempty"`   // expected destination ip:port that user cannot access
-
-	Allow []string `json:"allow,omitempty"` // old name for accept
-}
-
-// NodeAttrGrant defines additional string attributes that apply to specific devices.
-type NodeAttrGrant struct {
-	// Target specifies which nodes the attributes apply to. The nodes can be a
-	// tag (tag:server), user (alice@example.com), group (group:kids), or *.
-	Target []string `json:"target,omitempty"`
-
-	// Attr are the attributes to set on Target(s).
-	Attr []string `json:"attr,omitempty"`
-}
-
-// ACLDetails contains all the details for an ACL.
-type ACLDetails struct {
-	Tests     []ACLTest           `json:"tests,omitempty"`
-	ACLs      []ACLRow            `json:"acls,omitempty"`
-	Groups    map[string][]string `json:"groups,omitempty"`
-	TagOwners map[string][]string `json:"tagowners,omitempty"`
-	Hosts     map[string]string   `json:"hosts,omitempty"`
-	NodeAttrs []NodeAttrGrant     `json:"nodeAttrs,omitempty"`
-}
-
-// ACL contains an ACLDetails and metadata.
-type ACL struct {
-	ACL  ACLDetails
-	ETag string // to check with version on server
-}
-
-// ACLHuJSON contains the HuJSON string of the ACL and metadata.
-type ACLHuJSON struct {
-	ACL      string
-	Warnings []string
-	ETag     string // to check with version on server
-}
-
-// ACL makes a call to the Tailscale server to get a JSON-parsed version of the ACL.
-// The JSON-parsed version of the ACL contains no comments as proper JSON does not support
-// comments.
-func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ACL: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Accept", "application/json")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	// Otherwise, try to decode the response.
-	var aclDetails ACLDetails
-	if err = json.Unmarshal(b, &aclDetails); err != nil {
-		return nil, err
-	}
-	acl = &ACL{
-		ACL:  aclDetails,
-		ETag: resp.Header.Get("ETag"),
-	}
-	return acl, nil
-}
-
-// ACLHuJSON makes a call to the Tailscale server to get the ACL HuJSON and returns
-// it as a string.
-// HuJSON is JSON with a few modifications to make it more human-friendly. The primary
-// changes are allowing comments and trailing comments. See the following links for more info:
-// https://tailscale.com/s/acl-format
-// https://github.com/tailscale/hujson
-func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ACLHuJSON: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl?details=1", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Accept", "application/hujson")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	data := struct {
-		ACL      []byte   `json:"acl"`
-		Warnings []string `json:"warnings"`
-	}{}
-	if err := json.Unmarshal(b, &data); err != nil {
-		return nil, err
-	}
-
-	acl = &ACLHuJSON{
-		ACL:      string(data.ACL),
-		Warnings: data.Warnings,
-		ETag:     resp.Header.Get("ETag"),
-	}
-	return acl, nil
-}
-
-// ACLTestFailureSummary specifies a user for which ACL tests
-// failed and the related user-friendly error messages.
-//
-// ACLTestFailureSummary specifies the JSON format sent to the
-// JavaScript client to be rendered in the HTML.
-type ACLTestFailureSummary struct {
-	// User is the source ("src") value of the ACL test that failed.
-	// The name "user" is a legacy holdover from the original naming and
-	// is kept for compatibility but it may also contain any value
-	// that's valid in a ACL test "src" field.
-	User string `json:"user,omitempty"`
-
-	Errors   []string `json:"errors,omitempty"`
-	Warnings []string `json:"warnings,omitempty"`
-}
-
-// ACLTestError is ErrResponse but with an extra field to account for ACLTestFailureSummary.
-type ACLTestError struct {
-	ErrResponse
-	Data []ACLTestFailureSummary `json:"data"`
-}
-
-func (e ACLTestError) Error() string {
-	return fmt.Sprintf("%s, Data: %+v", e.ErrResponse.Error(), e.Data)
-}
-
-func (c *Client) aclPOSTRequest(ctx context.Context, body []byte, avoidCollisions bool, etag, acceptHeader string) ([]byte, string, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
-	if err != nil {
-		return nil, "", err
-	}
-
-	if avoidCollisions {
-		req.Header.Set("If-Match", etag)
-	}
-	req.Header.Set("Accept", acceptHeader)
-	req.Header.Set("Content-Type", "application/hujson")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		// check if test error
-		var ate ACLTestError
-		if err := json.Unmarshal(b, &ate); err != nil {
-			return nil, "", err
-		}
-		ate.Status = resp.StatusCode
-		return nil, "", ate
-	}
-	return b, resp.Header.Get("ETag"), nil
-}
-
-// SetACL sends a POST request to update the ACL according to the provided ACL object. If
-// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
-// header to check if the previously obtained ACL was the latest version and that no updates
-// were missed.
-//
-// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
-// Returns error if ACL has tests that fail.
-// Returns error if there are other errors with the ACL.
-func (c *Client) SetACL(ctx context.Context, acl ACL, avoidCollisions bool) (res *ACL, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetACL: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/json")
-	if err != nil {
-		return nil, err
-	}
-
-	// Otherwise, try to decode the response.
-	var aclDetails ACLDetails
-	if err = json.Unmarshal(b, &aclDetails); err != nil {
-		return nil, err
-	}
-	res = &ACL{
-		ACL:  aclDetails,
-		ETag: etag,
-	}
-	return res, nil
-}
-
-// SetACLHuJSON sends a POST request to update the ACL according to the provided ACL object. If
-// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
-// header to check if the previously obtained ACL was the latest version and that no updates
-// were missed.
-//
-// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
-// Returns error if the HuJSON is invalid.
-// Returns error if ACL has tests that fail.
-// Returns error if there are other errors with the ACL.
-func (c *Client) SetACLHuJSON(ctx context.Context, acl ACLHuJSON, avoidCollisions bool) (res *ACLHuJSON, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetACLHuJSON: %w", err)
-		}
-	}()
-
-	postData := []byte(acl.ACL)
-	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/hujson")
-	if err != nil {
-		return nil, err
-	}
-
-	res = &ACLHuJSON{
-		ACL:  string(b),
-		ETag: etag,
-	}
-	return res, nil
-}
-
-// UserRuleMatch specifies the source users/groups/hosts that a rule targets
-// and the destination ports that they can access.
-// LineNumber is only useful for requests provided in HuJSON form.
-// While JSON requests will have LineNumber, the value is not useful.
-type UserRuleMatch struct {
-	Users      []string `json:"users"`
-	Ports      []string `json:"ports"`
-	LineNumber int      `json:"lineNumber"`
-
-	// Postures is a list of posture policies that are
-	// associated with this match. The rules can be looked
-	// up in the ACLPreviewResponse parent struct.
-	// The source of the list is from srcPosture on
-	// an ACL or Grant rule:
-	// https://tailscale.com/kb/1288/device-posture#posture-conditions
-	Postures []string `json:"postures"`
-}
-
-// ACLPreviewResponse is the response type of previewACLPostRequest
-type ACLPreviewResponse struct {
-	Matches    []UserRuleMatch `json:"matches"`    // ACL rules that match the specified user or ipport.
-	Type       string          `json:"type"`       // The request type: currently only "user" or "ipport".
-	PreviewFor string          `json:"previewFor"` // A specific user or ipport.
-
-	// Postures is a map of postures and associated rules that apply
-	// to this preview.
-	// For more details about the posture mapping, see:
-	// https://tailscale.com/kb/1288/device-posture#postures
-	Postures map[string][]string `json:"postures,omitempty"`
-}
-
-// ACLPreview is the response type of PreviewACLForUser, PreviewACLForIPPort, PreviewACLHuJSONForUser, and PreviewACLHuJSONForIPPort
-type ACLPreview struct {
-	Matches []UserRuleMatch `json:"matches"`
-	User    string          `json:"user,omitempty"`   // Filled if response of PreviewACLForUser or PreviewACLHuJSONForUser
-	IPPort  string          `json:"ipport,omitempty"` // Filled if response of PreviewACLForIPPort or PreviewACLHuJSONForIPPort
-
-	// Postures is a map of postures and associated rules that apply
-	// to this preview.
-	// For more details about the posture mapping, see:
-	// https://tailscale.com/kb/1288/device-posture#postures
-	Postures map[string][]string `json:"postures,omitempty"`
-}
-
-func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/preview", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
-	if err != nil {
-		return nil, err
-	}
-
-	q := req.URL.Query()
-	q.Add("type", previewType)
-	q.Add("previewFor", previewFor)
-	req.URL.RawQuery = q.Encode()
-
-	req.Header.Set("Content-Type", "application/hujson")
-	c.setAuth(req)
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-	if err = json.Unmarshal(b, &res); err != nil {
-		return nil, err
-	}
-
-	return res, nil
-}
-
-// PreviewACLForUser determines what rules match a given ACL for a user.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLForUser: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches:  b.Matches,
-		User:     b.PreviewFor,
-		Postures: b.Postures,
-	}, nil
-}
-
-// PreviewACLForIPPort determines what rules match a given ACL for a ipport.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netip.AddrPort) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLForIPPort: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport.String())
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches:  b.Matches,
-		IPPort:   b.PreviewFor,
-		Postures: b.Postures,
-	}, nil
-}
-
-// PreviewACLHuJSONForUser determines what rules match a given ACL for a user.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLHuJSONForUser(ctx context.Context, acl ACLHuJSON, user string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLHuJSONForUser: %w", err)
-		}
-	}()
-	postData := []byte(acl.ACL)
-	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches:  b.Matches,
-		User:     b.PreviewFor,
-		Postures: b.Postures,
-	}, nil
-}
-
-// PreviewACLHuJSONForIPPort determines what rules match a given ACL for a ipport.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLHuJSONForIPPort(ctx context.Context, acl ACLHuJSON, ipport string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLHuJSONForIPPort: %w", err)
-		}
-	}()
-	postData := []byte(acl.ACL)
-	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches:  b.Matches,
-		IPPort:   b.PreviewFor,
-		Postures: b.Postures,
-	}, nil
-}
-
-// ValidateACLJSON takes in the given source and destination (in this situation,
-// it is assumed that you are checking whether the source can connect to destination)
-// and creates an ACLTest from that. It then sends the ACLTest to the control api acl
-// validate endpoint, where the test is run. It returns a nil ACLTestError pointer if
-// no test errors occur.
-func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (testErr *ACLTestError, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ValidateACLJSON: %w", err)
-		}
-	}()
-
-	tests := []ACLTest{{User: source, Allow: []string{dest}}}
-	postData, err := json.Marshal(tests)
-	if err != nil {
-		return nil, err
-	}
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/validate", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(postData))
-	if err != nil {
-		return nil, err
-	}
-
-	req.Header.Set("Content-Type", "application/json")
-	c.setAuth(req)
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("control api responded with %d status code", resp.StatusCode)
-	}
-
-	// The test ran without fail
-	if len(b) == 0 {
-		return nil, nil
-	}
-
-	var res ACLTestError
-	// The test returned errors.
-	if err = json.Unmarshal(b, &res); err != nil {
-		// failed to unmarshal
-		return nil, err
-	}
-	return &res, nil
-}

client/tailscale/apitype/apitype.go

@@ -1,59 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package apitype contains types for the Tailscale LocalAPI and control plane API.
-package apitype
-
-import "tailscale.com/tailcfg"
-
-// LocalAPIHost is the Host header value used by the LocalAPI.
-const LocalAPIHost = "local-tailscaled.sock"
-
-// WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
-// In successful whois responses, Node and UserProfile are never nil.
-type WhoIsResponse struct {
-	Node        *tailcfg.Node
-	UserProfile *tailcfg.UserProfile
-
-	// CapMap is a map of capabilities to their values.
-	// See tailcfg.PeerCapMap and tailcfg.PeerCapability for details.
-	CapMap tailcfg.PeerCapMap
-}
-
-// FileTarget is a node to which files can be sent, and the PeerAPI
-// URL base to do so via.
-type FileTarget struct {
-	Node *tailcfg.Node
-
-	// PeerAPI is the http://ip:port URL base of the node's PeerAPI,
-	// without any path (not even a single slash).
-	PeerAPIURL string
-}
-
-type WaitingFile struct {
-	Name string
-	Size int64
-}
-
-// SetPushDeviceTokenRequest is the body POSTed to the LocalAPI endpoint /set-device-token.
-type SetPushDeviceTokenRequest struct {
-	// PushDeviceToken is the iOS/macOS APNs device token (and any future Android equivalent).
-	PushDeviceToken string
-}
-
-// ReloadConfigResponse is the response to a LocalAPI reload-config request.
-//
-// There are three possible outcomes: (false, "") if no config mode in use,
-// (true, "") on success, or (false, "error message") on failure.
-type ReloadConfigResponse struct {
-	Reloaded bool   // whether the config was reloaded
-	Err      string // any error message
-}
-
-// ExitNodeSuggestionResponse is the response to a LocalAPI suggest-exit-node GET request.
-// It returns the StableNodeID, name, and location of a suggested exit node for the client making the request.
-type ExitNodeSuggestionResponse struct {
-	ID       tailcfg.StableNodeID
-	Name     string
-	Location tailcfg.LocationView `json:",omitempty"`
-}

client/tailscale/apitype/controltype.go

@@ -1,19 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package apitype
-
-type DNSConfig struct {
-	Resolvers          []DNSResolver            `json:"resolvers"`
-	FallbackResolvers  []DNSResolver            `json:"fallbackResolvers"`
-	Routes             map[string][]DNSResolver `json:"routes"`
-	Domains            []string                 `json:"domains"`
-	Nameservers        []string                 `json:"nameservers"`
-	Proxied            bool                     `json:"proxied"`
-	TempCorpIssue13969 string                   `json:"TempCorpIssue13969,omitempty"`
-}
-
-type DNSResolver struct {
-	Addr                string   `json:"addr"`
-	BootstrapResolution []string `json:"bootstrapResolution,omitempty"`
-}

client/tailscale/devices.go

@@ -1,288 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"log"
-	"net/http"
-	"net/url"
-
-	"tailscale.com/types/opt"
-)
-
-type GetDevicesResponse struct {
-	Devices []*Device `json:"devices"`
-}
-
-type DerpRegion struct {
-	Preferred           bool    `json:"preferred,omitempty"`
-	LatencyMilliseconds float64 `json:"latencyMs"`
-}
-
-type ClientConnectivity struct {
-	Endpoints             []string `json:"endpoints"`
-	DERP                  string   `json:"derp"`
-	MappingVariesByDestIP opt.Bool `json:"mappingVariesByDestIP"`
-	// DERPLatency is mapped by region name (e.g. "New York City", "Seattle").
-	DERPLatency    map[string]DerpRegion `json:"latency"`
-	ClientSupports map[string]opt.Bool   `json:"clientSupports"`
-}
-
-type Device struct {
-	// Addresses is a list of the devices's Tailscale IP addresses.
-	// It's currently just 1 element, the 100.x.y.z Tailscale IP.
-	Addresses []string `json:"addresses"`
-	DeviceID  string   `json:"id"`
-	NodeID    string   `json:"nodeId"`
-	User      string   `json:"user"`
-	Name      string   `json:"name"`
-	Hostname  string   `json:"hostname"`
-
-	ClientVersion     string   `json:"clientVersion"`   // Empty for external devices.
-	UpdateAvailable   bool     `json:"updateAvailable"` // Empty for external devices.
-	OS                string   `json:"os"`
-	Tags              []string `json:"tags"`
-	Created           string   `json:"created"` // Empty for external devices.
-	LastSeen          string   `json:"lastSeen"`
-	KeyExpiryDisabled bool     `json:"keyExpiryDisabled"`
-	Expires           string   `json:"expires"`
-	Authorized        bool     `json:"authorized"`
-	IsExternal        bool     `json:"isExternal"`
-	MachineKey        string   `json:"machineKey"` // Empty for external devices.
-	NodeKey           string   `json:"nodeKey"`
-
-	// BlocksIncomingConnections is configured via the device's
-	// Tailscale client preferences. This field is only reported
-	// to the API starting with Tailscale 1.3.x clients.
-	BlocksIncomingConnections bool `json:"blocksIncomingConnections"`
-
-	// The following fields are not included by default:
-
-	// EnabledRoutes are the previously-approved subnet routes
-	// (e.g. "192.168.4.16/24", "10.5.2.4/32").
-	EnabledRoutes []string `json:"enabledRoutes"` // Empty for external devices.
-	// AdvertisedRoutes are the subnets (both enabled and not enabled)
-	// being requested from the node.
-	AdvertisedRoutes []string `json:"advertisedRoutes"` // Empty for external devices.
-
-	ClientConnectivity *ClientConnectivity `json:"clientConnectivity"`
-
-	// PostureIdentity contains extra identifiers collected from the device when
-	// the tailnet has the device posture identification features enabled. If
-	// Tailscale have attempted to collect this from the device but it has not
-	// opted in, PostureIdentity will have Disabled=true.
-	PostureIdentity *DevicePostureIdentity `json:"postureIdentity"`
-}
-
-type DevicePostureIdentity struct {
-	Disabled      bool     `json:"disabled,omitempty"`
-	SerialNumbers []string `json:"serialNumbers,omitempty"`
-}
-
-// DeviceFieldsOpts determines which fields should be returned in the response.
-//
-// Please only use DeviceAllFields and DeviceDefaultFields.
-// Other DeviceFieldsOpts are not supported.
-//
-// TODO: Support other DeviceFieldsOpts.
-// In the future, users should be able to create their own DeviceFieldsOpts
-// as valid arguments by setting the fields they want returned to a "non-nil"
-// value. For example, DeviceFieldsOpts{NodeID: "true"} should only return NodeIDs.
-type DeviceFieldsOpts Device
-
-func (d *DeviceFieldsOpts) addFieldsToQueryParameter() string {
-	if d == DeviceDefaultFields || d == nil {
-		return "default"
-	}
-	if d == DeviceAllFields {
-		return "all"
-	}
-
-	return ""
-}
-
-var (
-	DeviceAllFields = &DeviceFieldsOpts{}
-
-	// DeviceDefaultFields specifies that the following fields are returned:
-	//   Addresses, NodeID, User, Name, Hostname, ClientVersion, UpdateAvailable,
-	//   OS, Created, LastSeen, KeyExpiryDisabled, Expires, Authorized, IsExternal
-	//   MachineKey, NodeKey, BlocksIncomingConnections.
-	DeviceDefaultFields = &DeviceFieldsOpts{}
-)
-
-// Devices retrieves the list of devices for a tailnet.
-//
-// See the Device structure for the list of fields hidden for external devices.
-// The optional fields parameter specifies which fields of the devices to return; currently
-// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
-// Other values are currently undefined.
-func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceList []*Device, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Devices: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/devices", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	// Add fields.
-	fieldStr := fields.addFieldsToQueryParameter()
-	q := req.URL.Query()
-	q.Add("fields", fieldStr)
-	req.URL.RawQuery = q.Encode()
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var devices GetDevicesResponse
-	err = json.Unmarshal(b, &devices)
-	return devices.Devices, err
-}
-
-// Device retrieved the details for a specific device.
-//
-// See the Device structure for the list of fields hidden for an external device.
-// The optional fields parameter specifies which fields of the devices to return; currently
-// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
-// Other values are currently undefined.
-func (c *Client) Device(ctx context.Context, deviceID string, fields *DeviceFieldsOpts) (device *Device, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Device: %w", err)
-		}
-	}()
-	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	// Add fields.
-	fieldStr := fields.addFieldsToQueryParameter()
-	q := req.URL.Query()
-	q.Add("fields", fieldStr)
-	req.URL.RawQuery = q.Encode()
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	err = json.Unmarshal(b, &device)
-	return device, err
-}
-
-// DeleteDevice deletes the specified device from the Client's tailnet.
-// NOTE: Only devices that belong to the Client's tailnet can be deleted.
-// Deleting external devices is not supported.
-func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DeleteDevice: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-
-	log.Printf("RESP: %di, path: %s", resp.StatusCode, path)
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-	return nil
-}
-
-// AuthorizeDevice marks a device as authorized.
-func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
-	return c.SetAuthorized(ctx, deviceID, true)
-}
-
-// SetAuthorized marks a device as authorized or not.
-func (c *Client) SetAuthorized(ctx context.Context, deviceID string, authorized bool) error {
-	params := &struct {
-		Authorized bool `json:"authorized"`
-	}{Authorized: authorized}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}
-
-// SetTags updates the ACL tags on a device.
-func (c *Client) SetTags(ctx context.Context, deviceID string, tags []string) error {
-	params := &struct {
-		Tags []string `json:"tags"`
-	}{Tags: tags}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/tags", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}

client/tailscale/dns.go

@@ -1,233 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"tailscale.com/client/tailscale/apitype"
-)
-
-// DNSNameServers is returned when retrieving the list of nameservers.
-// It is also the structure provided when setting nameservers.
-type DNSNameServers struct {
-	DNS []string `json:"dns"` // DNS name servers
-}
-
-// DNSNameServersPostResponse is returned when setting the list of DNS nameservers.
-//
-// It includes the MagicDNS status since nameservers changes may affect MagicDNS.
-type DNSNameServersPostResponse struct {
-	DNS      []string `json:"dns"`      // DNS name servers
-	MagicDNS bool     `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
-}
-
-// DNSSearchpaths is the list of search paths for a given domain.
-type DNSSearchPaths struct {
-	SearchPaths []string `json:"searchPaths"` // DNS search paths
-}
-
-// DNSPreferences is the preferences set for a given tailnet.
-//
-// It includes MagicDNS which can be turned on or off. To enable MagicDNS,
-// there must be at least one nameserver. When all nameservers are removed,
-// MagicDNS is disabled.
-type DNSPreferences struct {
-	MagicDNS bool `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
-}
-
-func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	return b, nil
-}
-
-func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData any) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
-	data, err := json.Marshal(&postData)
-	if err != nil {
-		return nil, err
-	}
-
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	req.Header.Set("Content-Type", "application/json")
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	return b, nil
-}
-
-// DNSConfig retrieves the DNSConfig settings for a domain.
-func (c *Client) DNSConfig(ctx context.Context) (cfg *apitype.DNSConfig, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DNSConfig: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "config")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp apitype.DNSConfig
-	err = json.Unmarshal(b, &dnsResp)
-	return &dnsResp, err
-}
-
-func (c *Client) SetDNSConfig(ctx context.Context, cfg apitype.DNSConfig) (resp *apitype.DNSConfig, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetDNSConfig: %w", err)
-		}
-	}()
-	var dnsResp apitype.DNSConfig
-	b, err := c.dnsPOSTRequest(ctx, "config", cfg)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return &dnsResp, err
-}
-
-// NameServers retrieves the list of nameservers set for a domain.
-func (c *Client) NameServers(ctx context.Context) (nameservers []string, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.NameServers: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "nameservers")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp DNSNameServers
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.DNS, err
-}
-
-// SetNameServers sets the list of nameservers for a tailnet to the list provided
-// by the user.
-//
-// It returns the new list of nameservers and the MagicDNS status in case it was
-// affected by the change. For example, removing all nameservers will turn off
-// MagicDNS.
-func (c *Client) SetNameServers(ctx context.Context, nameservers []string) (dnsResp *DNSNameServersPostResponse, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetNameServers: %w", err)
-		}
-	}()
-	dnsReq := DNSNameServers{DNS: nameservers}
-	b, err := c.dnsPOSTRequest(ctx, "nameservers", dnsReq)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// DNSPreferences retrieves the DNS preferences set for a tailnet.
-//
-// It returns the status of MagicDNS.
-func (c *Client) DNSPreferences(ctx context.Context) (dnsResp *DNSPreferences, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DNSPreferences: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "preferences")
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// SetDNSPreferences sets the DNS preferences for a tailnet.
-//
-// MagicDNS can only be enabled when there is at least one nameserver provided.
-// When all nameservers are removed, MagicDNS is disabled and will stay disabled,
-// unless explicitly enabled by a user again.
-func (c *Client) SetDNSPreferences(ctx context.Context, magicDNS bool) (dnsResp *DNSPreferences, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetDNSPreferences: %w", err)
-		}
-	}()
-	dnsReq := DNSPreferences{MagicDNS: magicDNS}
-	b, err := c.dnsPOSTRequest(ctx, "preferences", dnsReq)
-	if err != nil {
-		return
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// SearchPaths retrieves the list of searchpaths set for a tailnet.
-func (c *Client) SearchPaths(ctx context.Context) (searchpaths []string, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SearchPaths: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "searchpaths")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp *DNSSearchPaths
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.SearchPaths, err
-}
-
-// SetSearchPaths sets the list of searchpaths for a tailnet.
-func (c *Client) SetSearchPaths(ctx context.Context, searchpaths []string) (newSearchPaths []string, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetSearchPaths: %w", err)
-		}
-	}()
-	dnsReq := DNSSearchPaths{SearchPaths: searchpaths}
-	b, err := c.dnsPOSTRequest(ctx, "searchpaths", dnsReq)
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp DNSSearchPaths
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.SearchPaths, err
-}

client/tailscale/example/servetls/servetls.go

@@ -1,28 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// The servetls program shows how to run an HTTPS server
-// using a Tailscale cert via LetsEncrypt.
-package main
-
-import (
-	"crypto/tls"
-	"io"
-	"log"
-	"net/http"
-
-	"tailscale.com/client/tailscale"
-)
-
-func main() {
-	s := &http.Server{
-		TLSConfig: &tls.Config{
-			GetCertificate: tailscale.GetCertificate,
-		},
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			io.WriteString(w, "<h1>Hello from Tailscale!</h1> It works.")
-		}),
-	}
-	log.Printf("Running TLS server on :443 ...")
-	log.Fatal(s.ListenAndServeTLS("", ""))
-}

client/tailscale/keys.go

@@ -1,166 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"time"
-)
-
-// Key represents a Tailscale API or auth key.
-type Key struct {
-	ID           string          `json:"id"`
-	Created      time.Time       `json:"created"`
-	Expires      time.Time       `json:"expires"`
-	Capabilities KeyCapabilities `json:"capabilities"`
-}
-
-// KeyCapabilities are the capabilities of a Key.
-type KeyCapabilities struct {
-	Devices KeyDeviceCapabilities `json:"devices,omitempty"`
-}
-
-// KeyDeviceCapabilities are the device-related capabilities of a Key.
-type KeyDeviceCapabilities struct {
-	Create KeyDeviceCreateCapabilities `json:"create"`
-}
-
-// KeyDeviceCreateCapabilities are the device creation capabilities of a Key.
-type KeyDeviceCreateCapabilities struct {
-	Reusable      bool     `json:"reusable"`
-	Ephemeral     bool     `json:"ephemeral"`
-	Preauthorized bool     `json:"preauthorized"`
-	Tags          []string `json:"tags,omitempty"`
-}
-
-// Keys returns the list of keys for the current user.
-func (c *Client) Keys(ctx context.Context) ([]string, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var keys struct {
-		Keys []*Key `json:"keys"`
-	}
-	if err := json.Unmarshal(b, &keys); err != nil {
-		return nil, err
-	}
-	ret := make([]string, 0, len(keys.Keys))
-	for _, k := range keys.Keys {
-		ret = append(ret, k.ID)
-	}
-	return ret, nil
-}
-
-// CreateKey creates a new key for the current user. Currently, only auth keys
-// can be created. It returns the secret key itself, which cannot be retrieved again
-// later, and the key metadata.
-//
-// To create a key with a specific expiry, use CreateKeyWithExpiry.
-func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (keySecret string, keyMeta *Key, _ error) {
-	return c.CreateKeyWithExpiry(ctx, caps, 0)
-}
-
-// CreateKeyWithExpiry is like CreateKey, but allows specifying a expiration time.
-//
-// The time is truncated to a whole number of seconds. If zero, that means no expiration.
-func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities, expiry time.Duration) (keySecret string, keyMeta *Key, _ error) {
-
-	// convert expirySeconds to an int64 (seconds)
-	expirySeconds := int64(expiry.Seconds())
-	if expirySeconds < 0 {
-		return "", nil, fmt.Errorf("expiry must be positive")
-	}
-	if expirySeconds == 0 && expiry != 0 {
-		return "", nil, fmt.Errorf("non-zero expiry must be at least one second")
-	}
-
-	keyRequest := struct {
-		Capabilities  KeyCapabilities `json:"capabilities"`
-		ExpirySeconds int64           `json:"expirySeconds,omitempty"`
-	}{caps, int64(expirySeconds)}
-	bs, err := json.Marshal(keyRequest)
-	if err != nil {
-		return "", nil, err
-	}
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewReader(bs))
-	if err != nil {
-		return "", nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return "", nil, err
-	}
-	if resp.StatusCode != http.StatusOK {
-		return "", nil, handleErrorResponse(b, resp)
-	}
-
-	var key struct {
-		Key
-		Secret string `json:"key"`
-	}
-	if err := json.Unmarshal(b, &key); err != nil {
-		return "", nil, err
-	}
-	return key.Secret, &key.Key, nil
-}
-
-// Key returns the metadata for the given key ID. Currently, capabilities are
-// only returned for auth keys, API keys only return general metadata.
-func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var key Key
-	if err := json.Unmarshal(b, &key); err != nil {
-		return nil, err
-	}
-	return &key, nil
-}
-
-// DeleteKey deletes the key with the given ID.
-func (c *Client) DeleteKey(ctx context.Context, id string) error {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
-	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-	return nil
-}

client/tailscale/localclient_test.go

@@ -1,74 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"context"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"tailscale.com/tstest/deptest"
-	"tailscale.com/types/key"
-)
-
-func TestGetServeConfigFromJSON(t *testing.T) {
-	sc, err := getServeConfigFromJSON([]byte("null"))
-	if sc != nil {
-		t.Errorf("want nil for null")
-	}
-	if err != nil {
-		t.Errorf("reading null: %v", err)
-	}
-
-	sc, err = getServeConfigFromJSON([]byte(`{"TCP":{}}`))
-	if err != nil {
-		t.Errorf("reading object: %v", err)
-	} else if sc == nil {
-		t.Errorf("want non-nil for object")
-	} else if sc.TCP == nil {
-		t.Errorf("want non-nil TCP for object")
-	}
-}
-
-func TestWhoIsPeerNotFound(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(404)
-	}))
-	defer ts.Close()
-
-	lc := &LocalClient{
-		Dial: func(ctx context.Context, network, addr string) (net.Conn, error) {
-			var std net.Dialer
-			return std.DialContext(ctx, network, ts.Listener.Addr().(*net.TCPAddr).String())
-		},
-	}
-	var k key.NodePublic
-	if err := k.UnmarshalText([]byte("nodekey:5c8f86d5fc70d924e55f02446165a5dae8f822994ad26bcf4b08fd841f9bf261")); err != nil {
-		t.Fatal(err)
-	}
-	res, err := lc.WhoIsNodeKey(context.Background(), k)
-	if err != ErrPeerNotFound {
-		t.Errorf("got (%v, %v), want ErrPeerNotFound", res, err)
-	}
-	res, err = lc.WhoIs(context.Background(), "1.2.3.4:5678")
-	if err != ErrPeerNotFound {
-		t.Errorf("got (%v, %v), want ErrPeerNotFound", res, err)
-	}
-}
-
-func TestDeps(t *testing.T) {
-	deptest.DepChecker{
-		BadDeps: map[string]string{
-			// Make sure we don't again accidentally bring in a dependency on
-			// drive or its transitive dependencies
-			"testing":                        "do not use testing package in production code",
-			"tailscale.com/drive/driveimpl":  "https://github.com/tailscale/tailscale/pull/10631",
-			"github.com/studio-b12/gowebdav": "https://github.com/tailscale/tailscale/pull/10631",
-		},
-	}.Check(t)
-}

client/tailscale/required_version.go

@@ -1,10 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !go1.21
-
-package tailscale
-
-func init() {
-	you_need_Go_1_21_to_compile_Tailscale()
-}

client/tailscale/routes.go

@@ -1,95 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/netip"
-)
-
-// Routes contains the lists of subnet routes that are currently advertised by a device,
-// as well as the subnets that are enabled to be routed by the device.
-type Routes struct {
-	AdvertisedRoutes []netip.Prefix `json:"advertisedRoutes"`
-	EnabledRoutes    []netip.Prefix `json:"enabledRoutes"`
-}
-
-// Routes retrieves the list of subnet routes that have been enabled for a device.
-// The routes that are returned are not necessarily advertised by the device,
-// they have only been preapproved.
-func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Routes: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var sr Routes
-	err = json.Unmarshal(b, &sr)
-	return &sr, err
-}
-
-type postRoutesParams struct {
-	Routes []netip.Prefix `json:"routes"`
-}
-
-// SetRoutes updates the list of subnets that are enabled for a device.
-// Subnets must be parsable by net/netip.ParsePrefix.
-// Subnets do not have to be currently advertised by a device, they may be pre-enabled.
-// Returns the updated list of enabled and advertised subnet routes in a *Routes object.
-func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip.Prefix) (routes *Routes, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetRoutes: %w", err)
-		}
-	}()
-	params := &postRoutesParams{Routes: subnets}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return nil, err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var srr *Routes
-	if err := json.Unmarshal(b, &srr); err != nil {
-		return nil, err
-	}
-	return srr, err
-}

client/tailscale/tailnet.go

@@ -1,42 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"net/url"
-
-	"tailscale.com/util/httpm"
-)
-
-// TailnetDeleteRequest handles sending a DELETE request for a tailnet to control.
-func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DeleteTailnet: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
-	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
-	if err != nil {
-		return err
-	}
-
-	c.setAuth(req)
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}

client/tailscale/tailscale.go

@@ -1,157 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-// Package tailscale contains Go clients for the Tailscale LocalAPI and
-// Tailscale control plane API.
-//
-// Warning: this package is in development and makes no API compatibility
-// promises as of 2022-04-29. It is subject to change at any time.
-package tailscale
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-)
-
-// I_Acknowledge_This_API_Is_Unstable must be set true to use this package
-// for now. It was added 2022-04-29 when it was moved to this git repo
-// and will be removed when the public API has settled.
-//
-// TODO(bradfitz): remove this after the we're happy with the public API.
-var I_Acknowledge_This_API_Is_Unstable = false
-
-// TODO: use url.PathEscape() for deviceID and tailnets when constructing requests.
-
-const defaultAPIBase = "https://api.tailscale.com"
-
-// maxSize is the maximum read size (10MB) of responses from the server.
-const maxReadSize = 10 << 20
-
-// Client makes API calls to the Tailscale control plane API server.
-//
-// Use NewClient to instantiate one. Exported fields should be set before
-// the client is used and not changed thereafter.
-type Client struct {
-	// tailnet is the globally unique identifier for a Tailscale network, such
-	// as "example.com" or "user@gmail.com".
-	tailnet string
-	// auth is the authentication method to use for this client.
-	// nil means none, which generally won't work, but won't crash.
-	auth AuthMethod
-
-	// BaseURL optionally specifies an alternate API server to use.
-	// If empty, "https://api.tailscale.com" is used.
-	BaseURL string
-
-	// HTTPClient optionally specifies an alternate HTTP client to use.
-	// If nil, http.DefaultClient is used.
-	HTTPClient *http.Client
-}
-
-func (c *Client) httpClient() *http.Client {
-	if c.HTTPClient != nil {
-		return c.HTTPClient
-	}
-	return http.DefaultClient
-}
-
-func (c *Client) baseURL() string {
-	if c.BaseURL != "" {
-		return c.BaseURL
-	}
-	return defaultAPIBase
-}
-
-// AuthMethod is the interface for API authentication methods.
-//
-// Most users will use AuthKey.
-type AuthMethod interface {
-	modifyRequest(req *http.Request)
-}
-
-// APIKey is an AuthMethod for NewClient that authenticates requests
-// using an authkey.
-type APIKey string
-
-func (ak APIKey) modifyRequest(req *http.Request) {
-	req.SetBasicAuth(string(ak), "")
-}
-
-func (c *Client) setAuth(r *http.Request) {
-	if c.auth != nil {
-		c.auth.modifyRequest(r)
-	}
-}
-
-// NewClient is a convenience method for instantiating a new Client.
-//
-// tailnet is the globally unique identifier for a Tailscale network, such
-// as "example.com" or "user@gmail.com".
-// If httpClient is nil, then http.DefaultClient is used.
-// "api.tailscale.com" is set as the BaseURL for the returned client
-// and can be changed manually by the user.
-func NewClient(tailnet string, auth AuthMethod) *Client {
-	return &Client{
-		tailnet: tailnet,
-		auth:    auth,
-	}
-}
-
-func (c *Client) Tailnet() string { return c.tailnet }
-
-// Do sends a raw HTTP request, after adding any authentication headers.
-func (c *Client) Do(req *http.Request) (*http.Response, error) {
-	if !I_Acknowledge_This_API_Is_Unstable {
-		return nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
-	}
-	c.setAuth(req)
-	return c.httpClient().Do(req)
-}
-
-// sendRequest add the authentication key to the request and sends it. It
-// receives the response and reads up to 10MB of it.
-func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
-	if !I_Acknowledge_This_API_Is_Unstable {
-		return nil, nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
-	}
-	c.setAuth(req)
-	resp, err := c.httpClient().Do(req)
-	if err != nil {
-		return nil, resp, err
-	}
-	defer resp.Body.Close()
-
-	// Read response. Limit the response to 10MB.
-	body := io.LimitReader(resp.Body, maxReadSize+1)
-	b, err := io.ReadAll(body)
-	if len(b) > maxReadSize {
-		err = errors.New("API response too large")
-	}
-	return b, resp, err
-}
-
-// ErrResponse is the HTTP error returned by the Tailscale server.
-type ErrResponse struct {
-	Status  int
-	Message string
-}
-
-func (e ErrResponse) Error() string {
-	return fmt.Sprintf("Status: %d, Message: %q", e.Status, e.Message)
-}
-
-// handleErrorResponse decodes the error message from the server and returns
-// an ErrResponse from it.
-func handleErrorResponse(b []byte, resp *http.Response) error {
-	var errResp ErrResponse
-	if err := json.Unmarshal(b, &errResp); err != nil {
-		return err
-	}
-	errResp.Status = resp.StatusCode
-	return errResp
-}

client/web/assets.go

@@ -1,131 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package web
-
-import (
-	"io"
-	"io/fs"
-	"log"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-	"time"
-
-	prebuilt "github.com/tailscale/web-client-prebuilt"
-)
-
-var start = time.Now()
-
-func assetsHandler(devMode bool) (_ http.Handler, cleanup func()) {
-	if devMode {
-		// When in dev mode, proxy asset requests to the Vite dev server.
-		cleanup := startDevServer()
-		return devServerProxy(), cleanup
-	}
-
-	fsys := prebuilt.FS()
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		path := strings.TrimPrefix(r.URL.Path, "/")
-		f, err := openPrecompressedFile(w, r, path, fsys)
-		if err != nil {
-			// Rewrite request to just fetch index.html and let
-			// the frontend router handle it.
-			r = r.Clone(r.Context())
-			path = "index.html"
-			f, err = openPrecompressedFile(w, r, path, fsys)
-		}
-		if f == nil {
-			http.Error(w, err.Error(), http.StatusNotFound)
-			return
-		}
-		defer f.Close()
-
-		// fs.File does not claim to implement Seeker, but in practice it does.
-		fSeeker, ok := f.(io.ReadSeeker)
-		if !ok {
-			http.Error(w, "Not seekable", http.StatusInternalServerError)
-			return
-		}
-
-		if strings.HasPrefix(path, "assets/") {
-			// Aggressively cache static assets, since we cache-bust our assets with
-			// hashed filenames.
-			w.Header().Set("Cache-Control", "public, max-age=31535996")
-			w.Header().Set("Vary", "Accept-Encoding")
-		}
-
-		http.ServeContent(w, r, path, start, fSeeker)
-	}), nil
-}
-
-func openPrecompressedFile(w http.ResponseWriter, r *http.Request, path string, fs fs.FS) (fs.File, error) {
-	if f, err := fs.Open(path + ".gz"); err == nil {
-		w.Header().Set("Content-Encoding", "gzip")
-		return f, nil
-	}
-	return fs.Open(path) // fallback
-}
-
-// startDevServer starts the JS dev server that does on-demand rebuilding
-// and serving of web client JS and CSS resources.
-func startDevServer() (cleanup func()) {
-	root := gitRootDir()
-	webClientPath := filepath.Join(root, "client", "web")
-
-	yarn := filepath.Join(root, "tool", "yarn")
-	node := filepath.Join(root, "tool", "node")
-	vite := filepath.Join(webClientPath, "node_modules", ".bin", "vite")
-
-	log.Printf("installing JavaScript deps using %s...", yarn)
-	out, err := exec.Command(yarn, "--non-interactive", "-s", "--cwd", webClientPath, "install").CombinedOutput()
-	if err != nil {
-		log.Fatalf("error running tailscale web's yarn install: %v, %s", err, out)
-	}
-	log.Printf("starting JavaScript dev server...")
-	cmd := exec.Command(node, vite)
-	cmd.Dir = webClientPath
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Start(); err != nil {
-		log.Fatalf("Starting JS dev server: %v", err)
-	}
-	log.Printf("JavaScript dev server running as pid %d", cmd.Process.Pid)
-	return func() {
-		cmd.Process.Signal(os.Interrupt)
-		err := cmd.Wait()
-		log.Printf("JavaScript dev server exited: %v", err)
-	}
-}
-
-// devServerProxy returns a reverse proxy to the vite dev server.
-func devServerProxy() *httputil.ReverseProxy {
-	// We use Vite to develop on the web client.
-	// Vite starts up its own local server for development,
-	// which we proxy requests to from Server.ServeHTTP.
-	// Here we set up the proxy to Vite's server.
-	handleErr := func(w http.ResponseWriter, r *http.Request, err error) {
-		w.Header().Set("Content-Type", "text/plain")
-		w.WriteHeader(http.StatusBadGateway)
-		w.Write([]byte("The web client development server isn't running. " +
-			"Run `./tool/yarn --cwd client/web start` from " +
-			"the repo root to start the development server."))
-		w.Write([]byte("\n\nError: " + err.Error()))
-	}
-	viteTarget, _ := url.Parse("http://127.0.0.1:4000")
-	devProxy := httputil.NewSingleHostReverseProxy(viteTarget)
-	devProxy.ErrorHandler = handleErr
-	return devProxy
-}
-
-func gitRootDir() string {
-	top, err := exec.Command("git", "rev-parse", "--show-toplevel").Output()
-	if err != nil {
-		log.Fatalf("failed to find git top level (not in corp git?): %v", err)
-	}
-	return strings.TrimSpace(string(top))
-}

client/web/auth.go

@@ -1,339 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package web
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"net/http"
-	"net/url"
-	"slices"
-	"strings"
-	"time"
-
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
-)
-
-const (
-	sessionCookieName   = "TS-Web-Session"
-	sessionCookieExpiry = time.Hour * 24 * 30 // 30 days
-)
-
-// browserSession holds data about a user's browser session
-// on the full management web client.
-type browserSession struct {
-	// ID is the unique identifier for the session.
-	// It is passed in the user's "TS-Web-Session" browser cookie.
-	ID            string
-	SrcNode       tailcfg.NodeID
-	SrcUser       tailcfg.UserID
-	AuthID        string // from tailcfg.WebClientAuthResponse
-	AuthURL       string // from tailcfg.WebClientAuthResponse
-	Created       time.Time
-	Authenticated bool
-}
-
-// isAuthorized reports true if the given session is authorized
-// to be used by its associated user to access the full management
-// web client.
-//
-// isAuthorized is true only when s.Authenticated is true (i.e.
-// the user has authenticated the session) and the session is not
-// expired.
-// 2023-10-05: Sessions expire by default 30 days after creation.
-func (s *browserSession) isAuthorized(now time.Time) bool {
-	switch {
-	case s == nil:
-		return false
-	case !s.Authenticated:
-		return false // awaiting auth
-	case s.isExpired(now):
-		return false // expired
-	}
-	return true
-}
-
-// isExpired reports true if s is expired.
-// 2023-10-05: Sessions expire by default 30 days after creation.
-func (s *browserSession) isExpired(now time.Time) bool {
-	return !s.Created.IsZero() && now.After(s.expires())
-}
-
-// expires reports when the given session expires.
-func (s *browserSession) expires() time.Time {
-	return s.Created.Add(sessionCookieExpiry)
-}
-
-var (
-	errNoSession          = errors.New("no-browser-session")
-	errNotUsingTailscale  = errors.New("not-using-tailscale")
-	errTaggedRemoteSource = errors.New("tagged-remote-source")
-	errTaggedLocalSource  = errors.New("tagged-local-source")
-	errNotOwner           = errors.New("not-owner")
-)
-
-// getSession retrieves the browser session associated with the request,
-// if one exists.
-//
-// An error is returned in any of the following cases:
-//
-//   - (errNotUsingTailscale) The request was not made over tailscale.
-//
-//   - (errNoSession) The request does not have a session.
-//
-//   - (errTaggedRemoteSource) The source is remote (another node) and tagged.
-//     Users must use their own user-owned devices to manage other nodes'
-//     web clients.
-//
-//   - (errTaggedLocalSource) The source is local (the same node) and tagged.
-//     Tagged nodes can only be remotely managed, allowing ACLs to dictate
-//     access to web clients.
-//
-//   - (errNotOwner) The source is not the owner of this client (if the
-//     client is user-owned). Only the owner is allowed to manage the
-//     node via the web client.
-//
-// If no error is returned, the browserSession is always non-nil.
-// getTailscaleBrowserSession does not check whether the session has been
-// authorized by the user. Callers can use browserSession.isAuthorized.
-//
-// The WhoIsResponse is always populated, with a non-nil Node and UserProfile,
-// unless getTailscaleBrowserSession reports errNotUsingTailscale.
-func (s *Server) getSession(r *http.Request) (*browserSession, *apitype.WhoIsResponse, *ipnstate.Status, error) {
-	whoIs, whoIsErr := s.lc.WhoIs(r.Context(), r.RemoteAddr)
-	status, statusErr := s.lc.StatusWithoutPeers(r.Context())
-	switch {
-	case whoIsErr != nil:
-		return nil, nil, status, errNotUsingTailscale
-	case statusErr != nil:
-		return nil, whoIs, nil, statusErr
-	case status.Self == nil:
-		return nil, whoIs, status, errors.New("missing self node in tailscale status")
-	case whoIs.Node.IsTagged() && whoIs.Node.StableID == status.Self.ID:
-		return nil, whoIs, status, errTaggedLocalSource
-	case whoIs.Node.IsTagged():
-		return nil, whoIs, status, errTaggedRemoteSource
-	case !status.Self.IsTagged() && status.Self.UserID != whoIs.UserProfile.ID:
-		return nil, whoIs, status, errNotOwner
-	}
-	srcNode := whoIs.Node.ID
-	srcUser := whoIs.UserProfile.ID
-
-	cookie, err := r.Cookie(sessionCookieName)
-	if errors.Is(err, http.ErrNoCookie) {
-		return nil, whoIs, status, errNoSession
-	} else if err != nil {
-		return nil, whoIs, status, err
-	}
-	v, ok := s.browserSessions.Load(cookie.Value)
-	if !ok {
-		return nil, whoIs, status, errNoSession
-	}
-	session := v.(*browserSession)
-	if session.SrcNode != srcNode || session.SrcUser != srcUser {
-		// In this case the browser cookie is associated with another tailscale node.
-		// Maybe the source browser's machine was logged out and then back in as a different node.
-		// Return errNoSession because there is no session for this user.
-		return nil, whoIs, status, errNoSession
-	} else if session.isExpired(s.timeNow()) {
-		// Session expired, remove from session map and return errNoSession.
-		s.browserSessions.Delete(session.ID)
-		return nil, whoIs, status, errNoSession
-	}
-	return session, whoIs, status, nil
-}
-
-// newSession creates a new session associated with the given source user/node,
-// and stores it back to the session cache. Creating of a new session includes
-// generating a new auth URL from the control server.
-func (s *Server) newSession(ctx context.Context, src *apitype.WhoIsResponse) (*browserSession, error) {
-	sid, err := s.newSessionID()
-	if err != nil {
-		return nil, err
-	}
-	session := &browserSession{
-		ID:      sid,
-		SrcNode: src.Node.ID,
-		SrcUser: src.UserProfile.ID,
-		Created: s.timeNow(),
-	}
-
-	if s.controlSupportsCheckMode(ctx) {
-		// control supports check mode, so get a new auth URL and return.
-		a, err := s.newAuthURL(ctx, src.Node.ID)
-		if err != nil {
-			return nil, err
-		}
-		session.AuthID = a.ID
-		session.AuthURL = a.URL
-	} else {
-		// control does not support check mode, so there is no additional auth we can do.
-		session.Authenticated = true
-	}
-
-	s.browserSessions.Store(sid, session)
-	return session, nil
-}
-
-// controlSupportsCheckMode returns whether the current control server supports web client check mode, to verify a user's identity.
-// We assume that only "tailscale.com" control servers support check mode.
-// This allows the web client to be used with non-standard control servers.
-// If an error occurs getting the control URL, this method returns true to fail closed.
-//
-// TODO(juanfont/headscale#1623): adjust or remove this when headscale supports check mode.
-func (s *Server) controlSupportsCheckMode(ctx context.Context) bool {
-	prefs, err := s.lc.GetPrefs(ctx)
-	if err != nil {
-		return true
-	}
-	controlURL, err := url.Parse(prefs.ControlURLOrDefault())
-	if err != nil {
-		return true
-	}
-	return strings.HasSuffix(controlURL.Host, ".tailscale.com")
-}
-
-// awaitUserAuth blocks until the given session auth has been completed
-// by the user on the control server, then updates the session cache upon
-// completion. An error is returned if control auth failed for any reason.
-func (s *Server) awaitUserAuth(ctx context.Context, session *browserSession) error {
-	if session.isAuthorized(s.timeNow()) {
-		return nil // already authorized
-	}
-	a, err := s.waitAuthURL(ctx, session.AuthID, session.SrcNode)
-	if err != nil {
-		// Clean up the session. Doing this on any error from control
-		// server to avoid the user getting stuck with a bad session
-		// cookie.
-		s.browserSessions.Delete(session.ID)
-		return err
-	}
-	if a.Complete {
-		session.Authenticated = a.Complete
-		s.browserSessions.Store(session.ID, session)
-	}
-	return nil
-}
-
-func (s *Server) newSessionID() (string, error) {
-	raw := make([]byte, 16)
-	for range 5 {
-		if _, err := rand.Read(raw); err != nil {
-			return "", err
-		}
-		cookie := "ts-web-" + base64.RawURLEncoding.EncodeToString(raw)
-		if _, ok := s.browserSessions.Load(cookie); !ok {
-			return cookie, nil
-		}
-	}
-	return "", errors.New("too many collisions generating new session; please refresh page")
-}
-
-// peerCapabilities holds information about what a source
-// peer is allowed to edit via the web UI.
-//
-// map value is true if the peer can edit the given feature.
-// Only capFeatures included in validCaps will be included.
-type peerCapabilities map[capFeature]bool
-
-// canEdit is true if the peerCapabilities grant edit access
-// to the given feature.
-func (p peerCapabilities) canEdit(feature capFeature) bool {
-	if p == nil {
-		return false
-	}
-	if p[capFeatureAll] {
-		return true
-	}
-	return p[feature]
-}
-
-// isEmpty is true if p is either nil or has no capabilities
-// with value true.
-func (p peerCapabilities) isEmpty() bool {
-	if p == nil {
-		return true
-	}
-	for _, v := range p {
-		if v == true {
-			return false
-		}
-	}
-	return true
-}
-
-type capFeature string
-
-const (
-	// The following values should not be edited.
-	// New caps can be added, but existing ones should not be changed,
-	// as these exact values are used by users in tailnet policy files.
-	//
-	// IMPORTANT: When adding a new cap, also update validCaps slice below.
-
-	capFeatureAll       capFeature = "*"         // grants peer management of all features
-	capFeatureSSH       capFeature = "ssh"       // grants peer SSH server management
-	capFeatureSubnets   capFeature = "subnets"   // grants peer subnet routes management
-	capFeatureExitNodes capFeature = "exitnodes" // grants peer ability to advertise-as and use exit nodes
-	capFeatureAccount   capFeature = "account"   // grants peer ability to turn on auto updates and log out of node
-)
-
-// validCaps contains the list of valid capabilities used in the web client.
-// Any capabilities included in a peer's grants that do not fall into this
-// list will be ignored.
-var validCaps []capFeature = []capFeature{
-	capFeatureAll,
-	capFeatureSSH,
-	capFeatureSubnets,
-	capFeatureExitNodes,
-	capFeatureAccount,
-}
-
-type capRule struct {
-	CanEdit []string `json:"canEdit,omitempty"` // list of features peer is allowed to edit
-}
-
-// toPeerCapabilities parses out the web ui capabilities from the
-// given whois response.
-func toPeerCapabilities(status *ipnstate.Status, whois *apitype.WhoIsResponse) (peerCapabilities, error) {
-	if whois == nil || status == nil {
-		return peerCapabilities{}, nil
-	}
-	if whois.Node.IsTagged() {
-		// We don't allow management *from* tagged nodes, so ignore caps.
-		// The web client auth flow relies on having a true user identity
-		// that can be verified through login.
-		return peerCapabilities{}, nil
-	}
-
-	if !status.Self.IsTagged() {
-		// User owned nodes are only ever manageable by the owner.
-		if status.Self.UserID != whois.UserProfile.ID {
-			return peerCapabilities{}, nil
-		} else {
-			return peerCapabilities{capFeatureAll: true}, nil // owner can edit all features
-		}
-	}
-
-	// For tagged nodes, we actually look at the granted capabilities.
-	caps := peerCapabilities{}
-	rules, err := tailcfg.UnmarshalCapJSON[capRule](whois.CapMap, tailcfg.PeerCapabilityWebUI)
-	if err != nil {
-		return nil, fmt.Errorf("failed to unmarshal capability: %v", err)
-	}
-	for _, c := range rules {
-		for _, f := range c.CanEdit {
-			cap := capFeature(strings.ToLower(f))
-			if slices.Contains(validCaps, cap) {
-				caps[cap] = true
-			}
-		}
-	}
-	return caps, nil
-}

client/web/build/index.html

@@ -1,29 +0,0 @@
-<!doctype html>
-<html class="bg-gray-50">
-  <head>
-    <title>Tailscale</title>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <link rel="shortcut icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAQAAADZc7J/AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAHdElNRQflAx4QGA4EvmzDAAAA30lEQVRIx2NgGAWMCKa8JKM4A8Ovt88ekyLCDGOoyDBJMjExMbFy8zF8/EKsCAMDE8yAPyIwFps48SJIBpAL4AZwvoSx/r0lXgQpDN58EWL5x/7/H+vL20+JFxluQKVe5b3Ke5V+0kQQCamfoYKBg4GDwUKI8d0BYkWQkrLKewYBKPPDHUFiRaiZkBgmwhj/F5IgggyUJ6i8V3mv0kCayDAAeEsklXqGAgYGhgV3CnGrwVciYSYk0kokhgS44/JxqqFpiYSZbEgskd4dEBRk1GD4wdB5twKXmlHAwMDAAACdEZau06NQUwAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMC0wNy0xNVQxNTo1Mzo0MCswMDowMCVXsDIAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjAtMDctMTVUMTU6NTM6NDArMDA6MDBUCgiOAAAAAElFTkSuQmCC" />
-    
-    <link rel="preload" as="font" href="./assets/Inter.var.latin-39e72c07.woff2" type="font/woff2" crossorigin />
-    <script type="module" crossorigin src="./assets/index-fd4af382.js"></script>
-    <link rel="stylesheet" href="./assets/index-218918fa.css">
-  </head>
-  <body class="px-2">
-    <noscript>
-      <p class="mb-2">You need to enable Javascript to access the Tailscale web client.</p>
-      <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a>.</p>
-    </noscript>
-    
-    <script>
-      window.addEventListener("load", () => {
-        if (!window.Tailscale) {
-          const rootEl = document.createElement("p")
-          rootEl.innerHTML = 'Tailscale was built without the web client. See <a href="https://github.com/tailscale/tailscale#building-the-web-client">Building the web client</a> for more information.'
-          document.body.append(rootEl)
-        }
-      });
-    </script>
-  </body>
-</html>

client/web/index.html

@@ -1,28 +0,0 @@
-<!doctype html>
-<html class="bg-gray-50">
-  <head>
-    <title>Tailscale</title>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <link rel="shortcut icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAQAAADZc7J/AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAHdElNRQflAx4QGA4EvmzDAAAA30lEQVRIx2NgGAWMCKa8JKM4A8Ovt88ekyLCDGOoyDBJMjExMbFy8zF8/EKsCAMDE8yAPyIwFps48SJIBpAL4AZwvoSx/r0lXgQpDN58EWL5x/7/H+vL20+JFxluQKVe5b3Ke5V+0kQQCamfoYKBg4GDwUKI8d0BYkWQkrLKewYBKPPDHUFiRaiZkBgmwhj/F5IgggyUJ6i8V3mv0kCayDAAeEsklXqGAgYGhgV3CnGrwVciYSYk0kokhgS44/JxqqFpiYSZbEgskd4dEBRk1GD4wdB5twKXmlHAwMDAAACdEZau06NQUwAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMC0wNy0xNVQxNTo1Mzo0MCswMDowMCVXsDIAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjAtMDctMTVUMTU6NTM6NDArMDA6MDBUCgiOAAAAAElFTkSuQmCC" />
-    <link rel="stylesheet" type="text/css" href="/src/index.css" />
-    <link rel="preload" as="font" href="/src/assets/fonts/Inter.var.latin.woff2" type="font/woff2" crossorigin />
-  </head>
-  <body class="px-2">
-    <noscript>
-      <p class="mb-2">You need to enable Javascript to access the Tailscale web client.</p>
-      <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a>.</p>
-    </noscript>
-    <script type="module" src="/src/index.tsx"></script>
-    <script>
-      // if this script is changed, also change hash in web.go
-      window.addEventListener("load", () => {
-        if (!window.Tailscale) {
-          const rootEl = document.createElement("p")
-          rootEl.innerHTML = 'Tailscale web interface is unavailable.';
-          document.body.append(rootEl)
-        }
-      })
-    </script>
-  </body>
-</html>

client/web/package.json

@@ -1,81 +0,0 @@
-{
-  "name": "webclient",
-  "version": "0.0.1",
-  "license": "BSD-3-Clause",
-  "engines": {
-    "node": "18.20.4",
-    "yarn": "1.22.19"
-  },
-  "type": "module",
-  "private": true,
-  "dependencies": {
-    "@radix-ui/react-collapsible": "^1.0.3",
-    "@radix-ui/react-dialog": "^1.0.5",
-    "@radix-ui/react-popover": "^1.0.6",
-    "classnames": "^2.3.1",
-    "react": "^18.2.0",
-    "react-dom": "^18.2.0",
-    "swr": "^2.2.4",
-    "wouter": "^2.11.0",
-    "zustand": "^4.4.7"
-  },
-  "devDependencies": {
-    "@types/node": "^18.16.1",
-    "@types/react": "^18.0.20",
-    "@types/react-dom": "^18.0.6",
-    "@vitejs/plugin-react-swc": "^3.6.0",
-    "autoprefixer": "^10.4.15",
-    "eslint": "^8.23.1",
-    "eslint-config-react-app": "^7.0.1",
-    "eslint-plugin-curly-quotes": "^1.0.4",
-    "jsdom": "^23.0.1",
-    "postcss": "^8.4.31",
-    "prettier": "^2.5.1",
-    "prettier-plugin-organize-imports": "^3.2.2",
-    "tailwindcss": "^3.3.3",
-    "typescript": "^5.3.3",
-    "vite": "^5.1.7",
-    "vite-plugin-svgr": "^4.2.0",
-    "vite-tsconfig-paths": "^3.5.0",
-    "vitest": "^1.3.1"
-  },
-  "resolutions": {
-    "@typescript-eslint/eslint-plugin": "^6.2.1",
-    "@typescript-eslint/parser": "^6.2.1"
-  },
-  "scripts": {
-    "build": "vite build",
-    "start": "vite",
-    "lint": "tsc --noEmit && eslint 'src/**/*.{ts,tsx,js,jsx}'",
-    "test": "vitest",
-    "format": "prettier --write 'src/**/*.{ts,tsx}'",
-    "format-check": "prettier --check 'src/**/*.{ts,tsx}'"
-  },
-  "eslintConfig": {
-    "extends": [
-      "react-app"
-    ],
-    "plugins": [
-      "curly-quotes",
-      "react-hooks"
-    ],
-    "rules": {
-      "curly-quotes/no-straight-quotes": "warn",
-      "react-hooks/rules-of-hooks": "error",
-      "react-hooks/exhaustive-deps": "error"
-    },
-    "settings": {
-      "projectRoot": "client/web/package.json"
-    }
-  },
-  "prettier": {
-    "semi": false,
-    "printWidth": 80
-  },
-  "postcss": {
-    "plugins": {
-      "tailwindcss": {},
-      "autoprefixer": {}
-    }
-  }
-}

client/web/qnap.go

@@ -1,127 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// qnap.go contains handlers and logic, such as authentication,
-// that is specific to running the web client on QNAP.
-
-package web
-
-import (
-	"crypto/tls"
-	"encoding/xml"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"net/url"
-)
-
-// authorizeQNAP authenticates the logged-in QNAP user and verifies that they
-// are authorized to use the web client.
-// If the user is not authorized to use the client, an error is returned.
-func authorizeQNAP(r *http.Request) (authorized bool, err error) {
-	_, resp, err := qnapAuthn(r)
-	if err != nil {
-		return false, err
-	}
-	if resp.IsAdmin == 0 {
-		return false, errors.New("user is not an admin")
-	}
-
-	return true, nil
-}
-
-type qnapAuthResponse struct {
-	AuthPassed int    `xml:"authPassed"`
-	IsAdmin    int    `xml:"isAdmin"`
-	AuthSID    string `xml:"authSid"`
-	ErrorValue int    `xml:"errorValue"`
-}
-
-func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
-	user, err := r.Cookie("NAS_USER")
-	if err != nil {
-		return "", nil, err
-	}
-	token, err := r.Cookie("qtoken")
-	if err == nil {
-		return qnapAuthnQtoken(r, user.Value, token.Value)
-	}
-	sid, err := r.Cookie("NAS_SID")
-	if err == nil {
-		return qnapAuthnSid(r, user.Value, sid.Value)
-	}
-	return "", nil, fmt.Errorf("not authenticated by any mechanism")
-}
-
-// qnapAuthnURL returns the auth URL to use by inferring where the UI is
-// running based on the request URL. This is necessary because QNAP has so
-// many options, see https://github.com/tailscale/tailscale/issues/7108
-// and https://github.com/tailscale/tailscale/issues/6903
-func qnapAuthnURL(requestUrl string, query url.Values) string {
-	in, err := url.Parse(requestUrl)
-	scheme := ""
-	host := ""
-	if err != nil || in.Scheme == "" {
-		log.Printf("Cannot parse QNAP login URL %v", err)
-
-		// try localhost and hope for the best
-		scheme = "http"
-		host = "localhost"
-	} else {
-		scheme = in.Scheme
-		host = in.Host
-	}
-
-	u := url.URL{
-		Scheme:   scheme,
-		Host:     host,
-		Path:     "/cgi-bin/authLogin.cgi",
-		RawQuery: query.Encode(),
-	}
-
-	return u.String()
-}
-
-func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"qtoken": []string{token},
-		"user":   []string{user},
-	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
-}
-
-func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"sid": []string{sid},
-	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
-}
-
-func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
-	// QNAP Force HTTPS mode uses a self-signed certificate. Even importing
-	// the QNAP root CA isn't enough, the cert doesn't have a usable CN nor
-	// SAN. See https://github.com/tailscale/tailscale/issues/6903
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-	}
-	client := &http.Client{Transport: tr}
-	resp, err := client.Get(url)
-	if err != nil {
-		return "", nil, err
-	}
-	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", nil, err
-	}
-	authResp := &qnapAuthResponse{}
-	if err := xml.Unmarshal(out, authResp); err != nil {
-		return "", nil, err
-	}
-	if authResp.AuthPassed == 0 {
-		return "", nil, fmt.Errorf("not authenticated")
-	}
-	return user, authResp, nil
-}

client/web/src/api.ts

@@ -1,377 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-import { useCallback } from "react"
-import useToaster from "src/hooks/toaster"
-import { ExitNode, NodeData, SubnetRoute } from "src/types"
-import { assertNever } from "src/utils/util"
-import { MutatorOptions, SWRConfiguration, useSWRConfig } from "swr"
-import { noExitNode, runAsExitNode } from "./hooks/exit-nodes"
-
-export const swrConfig: SWRConfiguration = {
-  fetcher: (url: string) => apiFetch(url, "GET"),
-  onError: (err, _) => console.error(err),
-}
-
-type APIType =
-  | { action: "up"; data: TailscaleUpData }
-  | { action: "logout" }
-  | { action: "new-auth-session"; data: AuthSessionNewData }
-  | { action: "update-prefs"; data: LocalPrefsData }
-  | { action: "update-routes"; data: SubnetRoute[] }
-  | { action: "update-exit-node"; data: ExitNode }
-
-/**
- * POST /api/up data
- */
-type TailscaleUpData = {
-  Reauthenticate?: boolean // force reauthentication
-  ControlURL?: string
-  AuthKey?: string
-}
-
-/**
- * GET /api/auth/session/new data
- */
-type AuthSessionNewData = {
-  authUrl: string
-}
-
-/**
- * PATCH /api/local/v0/prefs data
- */
-type LocalPrefsData = {
-  RunSSHSet?: boolean
-  RunSSH?: boolean
-}
-
-/**
- * POST /api/routes data
- */
-type RoutesData = {
-  SetExitNode?: boolean
-  SetRoutes?: boolean
-  UseExitNode?: string
-  AdvertiseExitNode?: boolean
-  AdvertiseRoutes?: string[]
-}
-
-/**
- * useAPI hook returns an api handler that can execute api calls
- * throughout the web client UI.
- */
-export function useAPI() {
-  const toaster = useToaster()
-  const { mutate } = useSWRConfig() // allows for global mutation
-
-  const handlePostError = useCallback(
-    (toast?: string) => (err: Error) => {
-      console.error(err)
-      toast && toaster.show({ variant: "danger", message: toast })
-      throw err
-    },
-    [toaster]
-  )
-
-  /**
-   * optimisticMutate wraps the SWR `mutate` function to apply some
-   * type-awareness with the following behavior:
-   *
-   *    1. `optimisticData` update is applied immediately on FetchDataType
-   *       throughout the web client UI.
-   *
-   *    2. `fetch` data mutation runs.
-   *
-   *    3. On completion, FetchDataType is revalidated to exactly reflect the
-   *       updated server state.
-   *
-   * The `key` argument is the useSWR key associated with the MutateDataType.
-   * All `useSWR(key)` consumers throughout the UI will see updates reflected.
-   */
-  const optimisticMutate = useCallback(
-    <MutateDataType, FetchDataType = any>(
-      key: string,
-      fetch: Promise<FetchDataType>,
-      optimisticData: (current: MutateDataType) => MutateDataType,
-      revalidate?: boolean // optionally specify whether to run final revalidation (step 3)
-    ): Promise<FetchDataType | undefined> => {
-      const options: MutatorOptions = {
-        /**
-         * populateCache is meant for use when the remote request returns back
-         * the updated data directly. i.e. When FetchDataType is the same as
-         * MutateDataType. Most of our data manipulation requests return a 200
-         * with empty data on success. We turn off populateCache so that the
-         * cache only gets updated after completion of the remote reqeust when
-         * the revalidation step runs.
-         */
-        populateCache: false,
-        optimisticData,
-        revalidate: revalidate,
-      }
-      return mutate(key, fetch, options)
-    },
-    [mutate]
-  )
-
-  const api = useCallback(
-    (t: APIType) => {
-      switch (t.action) {
-        /**
-         * "up" handles authenticating the machine to tailnet.
-         */
-        case "up":
-          return apiFetch<{ url?: string }>("/up", "POST", t.data)
-            .then((d) => d.url && window.open(d.url, "_blank")) // "up" login step
-            .then(() => incrementMetric("web_client_node_connect"))
-            .then(() => mutate("/data"))
-            .catch(handlePostError("Failed to login"))
-
-        /**
-         * "logout" handles logging the node out of tailscale, effectively
-         * expiring its node key.
-         */
-        case "logout":
-          // For logout, must increment metric before running api call,
-          // as tailscaled will be unreachable after the call completes.
-          incrementMetric("web_client_node_disconnect")
-          return apiFetch("/local/v0/logout", "POST").catch(
-            handlePostError("Failed to logout")
-          )
-
-        /**
-         * "new-auth-session" handles creating a new check mode session to
-         * authorize the viewing user to manage the node via the web client.
-         */
-        case "new-auth-session":
-          return apiFetch<AuthSessionNewData>("/auth/session/new", "GET").catch(
-            handlePostError("Failed to create new session")
-          )
-
-        /**
-         * "update-prefs" handles setting the node's tailscale prefs.
-         */
-        case "update-prefs": {
-          return optimisticMutate<NodeData>(
-            "/data",
-            apiFetch<LocalPrefsData>("/local/v0/prefs", "PATCH", t.data),
-            (old) => ({
-              ...old,
-              RunningSSHServer: t.data.RunSSHSet
-                ? Boolean(t.data.RunSSH)
-                : old.RunningSSHServer,
-            })
-          )
-            .then(
-              () =>
-                t.data.RunSSHSet &&
-                incrementMetric(
-                  t.data.RunSSH
-                    ? "web_client_ssh_enable"
-                    : "web_client_ssh_disable"
-                )
-            )
-            .catch(handlePostError("Failed to update node preference"))
-        }
-
-        /**
-         * "update-routes" handles setting the node's advertised routes.
-         */
-        case "update-routes": {
-          const body: RoutesData = {
-            SetRoutes: true,
-            AdvertiseRoutes: t.data.map((r) => r.Route),
-          }
-          return optimisticMutate<NodeData>(
-            "/data",
-            apiFetch<void>("/routes", "POST", body),
-            (old) => ({ ...old, AdvertisedRoutes: t.data })
-          )
-            .then(() => incrementMetric("web_client_advertise_routes_change"))
-            .catch(handlePostError("Failed to update routes"))
-        }
-
-        /**
-         * "update-exit-node" handles updating the node's state as either
-         * running as an exit node or using another node as an exit node.
-         */
-        case "update-exit-node": {
-          const id = t.data.ID
-          const body: RoutesData = {
-            SetExitNode: true,
-          }
-          if (id !== noExitNode.ID && id !== runAsExitNode.ID) {
-            body.UseExitNode = id
-          } else if (id === runAsExitNode.ID) {
-            body.AdvertiseExitNode = true
-          }
-          const metrics: MetricName[] = []
-          return optimisticMutate<NodeData>(
-            "/data",
-            apiFetch<void>("/routes", "POST", body),
-            (old) => {
-              // Only update metrics whose values have changed.
-              if (old.AdvertisingExitNode !== Boolean(body.AdvertiseExitNode)) {
-                metrics.push(
-                  body.AdvertiseExitNode
-                    ? "web_client_advertise_exitnode_enable"
-                    : "web_client_advertise_exitnode_disable"
-                )
-              }
-              if (Boolean(old.UsingExitNode) !== Boolean(body.UseExitNode)) {
-                metrics.push(
-                  body.UseExitNode
-                    ? "web_client_use_exitnode_enable"
-                    : "web_client_use_exitnode_disable"
-                )
-              }
-              return {
-                ...old,
-                UsingExitNode: Boolean(body.UseExitNode) ? t.data : undefined,
-                AdvertisingExitNode: Boolean(body.AdvertiseExitNode),
-                AdvertisingExitNodeApproved: Boolean(body.AdvertiseExitNode)
-                  ? true // gets updated in revalidation
-                  : old.AdvertisingExitNodeApproved,
-              }
-            },
-            false // skip final revalidation
-          )
-            .then(() => metrics.forEach((m) => incrementMetric(m)))
-            .catch(handlePostError("Failed to update exit node"))
-        }
-
-        default:
-          assertNever(t)
-      }
-    },
-    [handlePostError, mutate, optimisticMutate]
-  )
-
-  return api
-}
-
-let csrfToken: string
-let synoToken: string | undefined // required for synology API requests
-let unraidCsrfToken: string | undefined // required for unraid POST requests (#8062)
-
-/**
- * apiFetch wraps the standard JS fetch function with csrf header
- * management and param additions specific to the web client.
- *
- * apiFetch adds the `api` prefix to the request URL,
- * so endpoint should be provided without the `api` prefix
- * (i.e. provide `/data` rather than `api/data`).
- */
-export function apiFetch<T>(
-  endpoint: string,
-  method: "GET" | "POST" | "PATCH",
-  body?: any
-): Promise<T> {
-  const urlParams = new URLSearchParams(window.location.search)
-  const nextParams = new URLSearchParams()
-  if (synoToken) {
-    nextParams.set("SynoToken", synoToken)
-  } else {
-    const token = urlParams.get("SynoToken")
-    if (token) {
-      nextParams.set("SynoToken", token)
-    }
-  }
-  const search = nextParams.toString()
-  const url = `api${endpoint}${search ? `?${search}` : ""}`
-
-  var contentType: string
-  if (unraidCsrfToken && method === "POST") {
-    const params = new URLSearchParams()
-    params.append("csrf_token", unraidCsrfToken)
-    if (body) {
-      params.append("ts_data", JSON.stringify(body))
-    }
-    body = params.toString()
-    contentType = "application/x-www-form-urlencoded;charset=UTF-8"
-  } else {
-    body = body ? JSON.stringify(body) : undefined
-    contentType = "application/json"
-  }
-
-  return fetch(url, {
-    method: method,
-    headers: {
-      Accept: "application/json",
-      "Content-Type": contentType,
-      "X-CSRF-Token": csrfToken,
-    },
-    body: body,
-  })
-    .then((r) => {
-      updateCsrfToken(r)
-      if (!r.ok) {
-        return r.text().then((err) => {
-          throw new Error(err)
-        })
-      }
-      return r
-    })
-    .then((r) => {
-      if (r.headers.get("Content-Type") === "application/json") {
-        return r.json()
-      }
-    })
-    .then((r) => {
-      r?.UnraidToken && setUnraidCsrfToken(r.UnraidToken)
-      return r
-    })
-}
-
-function updateCsrfToken(r: Response) {
-  const tok = r.headers.get("X-CSRF-Token")
-  if (tok) {
-    csrfToken = tok
-  }
-}
-
-export function setSynoToken(token?: string) {
-  synoToken = token
-}
-
-function setUnraidCsrfToken(token?: string) {
-  unraidCsrfToken = token
-}
-
-/**
- * incrementMetric hits the client metrics local API endpoint to
- * increment the given counter metric by one.
- */
-export function incrementMetric(metricName: MetricName) {
-  const postData: MetricsPOSTData[] = [
-    {
-      Name: metricName,
-      Type: "counter",
-      Value: 1,
-    },
-  ]
-
-  apiFetch("/local/v0/upload-client-metrics", "POST", postData).catch(
-    (error) => {
-      console.error(error)
-    }
-  )
-}
-
-type MetricsPOSTData = {
-  Name: MetricName
-  Type: MetricType
-  Value: number
-}
-
-type MetricType = "counter" | "gauge"
-
-export type MetricName =
-  | "web_client_advertise_exitnode_enable"
-  | "web_client_advertise_exitnode_disable"
-  | "web_client_use_exitnode_enable"
-  | "web_client_use_exitnode_disable"
-  | "web_client_ssh_enable"
-  | "web_client_ssh_disable"
-  | "web_client_node_connect"
-  | "web_client_node_disconnect"
-  | "web_client_advertise_routes_change"

client/web/src/assets/icons/arrow-right.svg

@@ -1,4 +0,0 @@
-<svg width="24" height="25" viewBox="0 0 24 25" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M5 12.5H19" stroke="#706E6D" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M12 5.5L19 12.5L12 19.5" stroke="#706E6D" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>

client/web/src/assets/icons/arrow-up-circle.svg

@@ -1,5 +0,0 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-  <path d="M12 22C17.5228 22 22 17.5228 22 12C22 6.47715 17.5228 2 12 2C6.47715 2 2 6.47715 2 12C2 17.5228 6.47715 22 12 22Z" stroke="black" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-  <path d="M16 12L12 8L8 12" stroke="black" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-  <path d="M12 16V8" stroke="black" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>

client/web/src/assets/icons/check-circle.svg

@@ -1,4 +0,0 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M22 11.08V12C21.9988 14.1564 21.3005 16.2547 20.0093 17.9818C18.7182 19.709 16.9033 20.9725 14.8354 21.5839C12.7674 22.1953 10.5573 22.1219 8.53447 21.3746C6.51168 20.6273 4.78465 19.2461 3.61096 17.4371C2.43727 15.628 1.87979 13.4881 2.02168 11.3363C2.16356 9.18455 2.99721 7.13631 4.39828 5.49706C5.79935 3.85781 7.69279 2.71537 9.79619 2.24013C11.8996 1.7649 14.1003 1.98232 16.07 2.85999" stroke="#1EA672" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M22 4L12 14.01L9 11.01" stroke="#1EA672" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>

client/web/src/assets/icons/check.svg

@@ -1,3 +0,0 @@
-<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M16.6673 5L7.50065 14.1667L3.33398 10" stroke="#706E6D" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>

client/web/src/assets/icons/chevron-down.svg

@@ -1,3 +0,0 @@
-<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M5 7.5L10 12.5L15 7.5" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>

client/web/src/assets/icons/clock.svg

@@ -1,11 +0,0 @@
-<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_14876_118476)">
-<path d="M8.00065 14.6667C11.6825 14.6667 14.6673 11.6819 14.6673 8.00004C14.6673 4.31814 11.6825 1.33337 8.00065 1.33337C4.31875 1.33337 1.33398 4.31814 1.33398 8.00004C1.33398 11.6819 4.31875 14.6667 8.00065 14.6667Z" stroke="#706E6D" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M8 4V8L10.6667 9.33333" stroke="#706E6D" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"/>
-</g>
-<defs>
-<clipPath id="clip0_14876_118476">
-<rect width="16" height="16" fill="white"/>
-</clipPath>
-</defs>
-</svg>

client/web/src/assets/icons/copy.svg

@@ -1,4 +0,0 @@
-<svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M20 9H11C9.89543 9 9 9.89543 9 11V20C9 21.1046 9.89543 22 11 22H20C21.1046 22 22 21.1046 22 20V11C22 9.89543 21.1046 9 20 9Z" stroke="#292828" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-<path d="M5 15H4C3.46957 15 2.96086 14.7893 2.58579 14.4142C2.21071 14.0391 2 13.5304 2 13V4C2 3.46957 2.21071 2.96086 2.58579 2.58579C2.96086 2.21071 3.46957 2 4 2H13C13.5304 2 14.0391 2.21071 14.4142 2.58579C14.7893 2.96086 15 3.46957 15 4V5" stroke="#292828" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
-</svg>