all: replace UserVisibleError with vizerror package

Updates tailscale/corp#9025 Signed-off-by: Will Norris <will@tailscale.com>
licenses: update tailscale{,d} licenses
2023-02-16 11:22:24 -08:00 · 2023-02-16 18:01:08 +00:00 · 2023-02-15 13:59:22 +00:00 · 2023-02-14 23:48:42 +00:00 · 2023-02-14 23:39:08 +00:00 · 2023-02-14 23:06:58 +00:00
896 changed files with 11160 additions and 5786 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -12,7 +12,6 @@ body:
    attributes:
      label: What is the issue?
      description: What happened? What did you expect to happen?
-      placeholder: oh no
    validations:
      required: true
  - type: textarea
@@ -61,6 +60,13 @@ body:
      placeholder: e.g., 1.14.4
    validations:
      required: false
+  - type: textarea
+    id: other-software
+    attributes:
+      label: Other software
+      description: What [other software](https://github.com/tailscale/tailscale/wiki/OtherSoftwareInterop) (networking, security, etc) are you running?
+    validations:
+      required: false
  - type: input
    id: bug-report
    attributes:
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,31 +0,0 @@
-name: CIFuzz
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  Fuzzing:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Build Fuzzers
-      id: build
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'tailscale'
-        dry-run: false
-        language: go
-    - name: Run Fuzzers
-      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'tailscale'
-        fuzz-seconds: 300
-        dry-run: false
-        language: go
-    - name: Upload Crash
-      uses: actions/upload-artifact@v3
-      if: failure() && steps.build.outcome == 'success'
-      with:
-        name: artifacts
-        path: ./out/artifacts
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
    #   make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/cross-android.yml
+++ b/.github/workflows/cross-android.yml
@@ -1,55 +0,0 @@
-name: Android-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Android smoke build
-      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
-      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
-      # some Android breakages early.
-      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
-      env:
-        GOOS: android
-        GOARCH: arm64
-      run: go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -1,63 +0,0 @@
-name: Darwin-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: macOS build cmd
-      env:
-        GOOS: darwin
-        GOARCH: amd64
-      run: go build ./cmd/...
-
-    - name: macOS build tests
-      env:
-        GOOS: darwin
-        GOARCH: amd64
-      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
-
-    - name: iOS build most
-      env:
-        GOOS: ios
-        GOARCH: arm64
-      run: go install ./ipn/... ./wgengine/ ./types/... ./control/controlclient
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -1,57 +0,0 @@
-name: FreeBSD-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: FreeBSD build cmd
-      env:
-        GOOS: freebsd
-        GOARCH: amd64
-      run: go build ./cmd/...
-
-    - name: FreeBSD build tests
-      env:
-        GOOS: freebsd
-        GOARCH: amd64
-      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-loong64.yml
+++ b/.github/workflows/cross-loong64.yml
@@ -1,57 +0,0 @@
-name: Loongnix-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Loongnix build cmd
-      env:
-        GOOS: linux
-        GOARCH: loong64
-      run: go build ./cmd/...
-
-    - name: Loongnix build tests
-      env:
-        GOOS: linux
-        GOARCH: loong64
-      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -1,57 +0,0 @@
-name: OpenBSD-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: OpenBSD build cmd
-      env:
-        GOOS: openbsd
-        GOARCH: amd64
-      run: go build ./cmd/...
-
-    - name: OpenBSD build tests
-      env:
-        GOOS: openbsd
-        GOARCH: amd64
-      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-wasm.yml
+++ b/.github/workflows/cross-wasm.yml
@@ -1,58 +0,0 @@
-name: Wasm-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Wasm client build
-      env:
-        GOOS: js
-        GOARCH: wasm
-      run: go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
-
-    - name: tsconnect static build
-      # Use our custom Go toolchain, we set build tags (to control binary size)
-      # that depend on it.
-      run: |
-        ./tool/go run ./cmd/tsconnect --fast-compression build
-        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -1,57 +0,0 @@
-name: Windows-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Windows build cmd
-      env:
-        GOOS: windows
-        GOARCH: amd64
-      run: go build ./cmd/...
-
-    - name: Windows build tests
-      env:
-        GOOS: windows
-        GOARCH: amd64
-      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@@ -1,33 +0,0 @@
-name: depaware
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-
-    - name: depaware
-      run: go run github.com/tailscale/depaware --check
-        tailscale.com/cmd/tailscaled
-        tailscale.com/cmd/tailscale
-        tailscale.com/cmd/derper
--- a/.github/workflows/go_generate.yml
+++ b/.github/workflows/go_generate.yml
@@ -1,42 +0,0 @@
-name: go generate
-
-on:
-  push:
-    branches:
-      - main
-      - "release-branch/*"
-  pull_request:
-    branches:
-      - "*"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
-      - name: check 'go generate' is clean
-        run: |
-          if [[ "${{github.ref}}" == release-branch/* ]]
-          then
-            pkgs=$(go list ./... | grep -v dnsfallback)
-          else
-            pkgs=$(go list ./... | grep -v dnsfallback)
-          fi
-          go generate $pkgs
-          echo
-          echo
-          git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)
--- a/.github/workflows/go_mod_tidy.yml
+++ b/.github/workflows/go_mod_tidy.yml
@@ -1,35 +0,0 @@
-name: go mod tidy
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - "*"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
-      - name: check 'go mod tidy' is clean
-        run: |
-          go mod tidy
-          echo
-          echo
-          git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -1,45 +0,0 @@
-name: license
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-
-    - name: Run license checker
-      run: ./scripts/check_license_headers.sh .
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@@ -1,67 +0,0 @@
-name: Linux race
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Basic build
-      run: go build ./cmd/...
-
-    - name: Run tests and benchmarks with -race flag on linux
-      run: go test -race -bench=. -benchtime=1x ./...
-
-    - name: Check that no tracked files in the repo have been modified
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-
-    - name: Check that no files have been added to the repo
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -1,77 +0,0 @@
-name: Linux
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-22.04
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Basic build
-      run: go build ./cmd/...
-
-    - name: Build variants
-      run: |
-        go install --tags=ts_include_cli ./cmd/tailscaled
-        go install --tags=ts_omit_aws ./cmd/tailscaled
-
-    - name: Get QEMU
-      run: |
-        sudo apt-get -y update
-        sudo apt-get -y install qemu-user
-
-    - name: Run tests on linux
-      run: go test -bench=. -benchtime=1x ./...
-
-    - name: Check that no tracked files in the repo have been modified
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-
-    - name: Check that no files have been added to the repo
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -1,67 +0,0 @@
-name: Linux 32-bit
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-      id: go
-
-    - name: Basic build
-      run: GOARCH=386 go build ./cmd/...
-
-    - name: Run tests on linux
-      run: GOARCH=386 go test -bench=. -benchtime=1x ./...
-
-    - name: Check that no tracked files in the repo have been modified
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-
-    - name: Check that no files have been added to the repo
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -1,113 +0,0 @@
-name: static-analysis
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  gofmt:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-    - name: Run gofmt (goimports)
-      run: go run golang.org/x/tools/cmd/goimports -d --format-only .
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
-  vet:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-    - name: Check out code
-      uses: actions/checkout@v3
-    - name: Run go vet
-      run: go vet ./...
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
-  staticcheck:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        goos: [linux, windows, darwin]
-        goarch: [amd64]
-        include:
-          - goos: windows
-            goarch: 386
-
-    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Install staticcheck
-      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
-
-    - name: Print staticcheck version
-      run: "staticcheck -version"
-
-    - name: "Run staticcheck (${{ matrix.goos }}/${{ matrix.goarch }})"
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,388 @@
+# This is our main "CI tests" workflow. It runs everything that should run on
+# both PRs and merged commits, and for the latter reports failures to slack.
+name: CI
+
+env:
+  # Our fuzz job, powered by OSS-Fuzz, fails periodically because we upgrade to
+  # new Go versions very eagerly. OSS-Fuzz is a little more conservative, and
+  # ends up being unable to compile our code.
+  #
+  # When this happens, we want to disable the fuzz target until OSS-Fuzz catches
+  # up. However, we also don't want to forget to turn it back on when OSS-Fuzz
+  # can once again build our code.
+  #
+  # This variable toggles the fuzz job between two modes:
+  #  - false: we expect fuzzing to be happy, and should report failure if it's not.
+  #  - true: we expect fuzzing is broken, and should report failure if it start working.
+  TS_FUZZ_CURRENTLY_BROKEN: true
+
+on:
+  push:
+    branches:
+      - "main"
+      - "release-branch/*"
+  pull_request:
+    branches:
+      - "*"
+
+concurrency:
+  # For PRs, later CI runs preempt previous ones. e.g. a force push on a PR
+  # cancels running CI jobs and starts all new ones.
+  #
+  # For non-PR pushes, concurrency.group needs to be unique for every distinct
+  # CI run we want to have happen. Use run_id, which in practice means all
+  # non-PR CI runs will be allowed to run without preempting each other.
+  group: ${{ github.workflow }}-$${{ github.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false # don't abort the entire matrix if one element fails
+      matrix:
+        include:
+          - goarch: amd64
+          - goarch: amd64
+            variant: race
+          - goarch: "386" # thanks yaml
+    runs-on: ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: build all
+      run: ./tool/go build ./...
+      env:
+        GOARCH: ${{ matrix.goarch }}
+    - name: build variant CLIs
+      run: |
+        ./build_dist.sh --extra-small ./cmd/tailscaled
+        ./build_dist.sh --box ./cmd/tailscaled
+        ./build_dist.sh --extra-small --box ./cmd/tailscaled
+        rm -f tailscaled
+      env:
+        GOARCH: ${{ matrix.goarch }}
+    - name: get qemu # for tstest/archtest
+      if: matrix.goarch == 'amd64' && matrix.variant == ''
+      run: |
+        sudo apt-get -y update
+        sudo apt-get -y install qemu-user
+    - name: build test wrapper
+      run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
+    - name: test all
+      if: matrix.variant != 'race'
+      run: ./tool/go test -exec=/tmp/testwrapper -bench=. -benchtime=1x ./...
+      env:
+        GOARCH: ${{ matrix.goarch }}
+    - name: test all (race)
+      if: matrix.variant == 'race'
+      run: ./tool/go test -race -exec=/tmp/testwrapper -bench=. -benchtime=1x ./...
+      env:
+        GOARCH: ${{ matrix.goarch }}
+    - name: check that no tracked files changed
+      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
+    - name: check that no new files were added
+      run: |
+        # Note: The "error: pathspec..." you see below is normal!
+        # In the success case in which there are no new untracked files,
+        # git ls-files complains about the pathspec not matching anything.
+        # That's OK. It's not worth the effort to suppress. Please ignore it.
+        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
+        then
+          echo "Build/test created untracked files in the repo (file names above)."
+          exit 1
+        fi
+
+  windows:
+    runs-on: windows-2022
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: Restore Cache
+      uses: actions/cache@v3
+      with:
+        # Note: unlike the other setups, this is only grabbing the mod download
+        # cache, rather than the whole mod directory, as the download cache
+        # contains zips that can be unpacked in parallel faster than they can be
+        # fetched and extracted by tar
+        path: |
+          ~/go/pkg/mod/cache
+          ~\AppData\Local\go-build
+        # The -2- here should be incremented when the scheme of data to be
+        # cached changes (e.g. path above changes).
+        # TODO(raggi): add a go version here.
+        key: ${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
+    - name: test
+      # Don't use -bench=. -benchtime=1x.
+      # Somewhere in the layers (powershell?)
+      # the equals signs cause great confusion.
+      run: ./tool/go test -bench . -benchtime 1x ./...
+
+  vm:
+    runs-on: ["self-hosted", "linux", "vm"]
+    # VM tests run with some privileges, don't let them run on 3p PRs.
+    if: github.repository == 'tailscale/tailscale'
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: Run VM tests
+      run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
+      env:
+        HOME: "/tmp"
+        TMPDIR: "/tmp"
+        XDB_CACHE_HOME: "/var/lib/ghrunner/cache"
+  
+  cross: # cross-compile checks, build only.
+    strategy:
+      fail-fast: false # don't abort the entire matrix if one element fails
+      matrix:
+        include:
+          # Note: linux/amd64 is not in this matrix, because that goos/goarch is
+          # tested more exhaustively in the 'test' job above.
+          - goos: linux
+            goarch: arm64
+          - goos: linux
+            goarch: "386" # thanks yaml
+          - goos: linux
+            goarch: loong64
+          # macOS
+          - goos: darwin
+            goarch: amd64
+          - goos: darwin
+            goarch: arm64
+          # Windows
+          - goos: windows
+            goarch: amd64
+          - goos: windows
+            goarch: arm64
+          # BSDs
+          - goos: freebsd
+            goarch: amd64
+          - goos: openbsd
+            goarch: amd64
+
+    runs-on: ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: build all
+      run: ./tool/go build ./cmd/...
+      env:
+        GOOS: ${{ matrix.goos }}
+        GOARCH: ${{ matrix.goarch }}
+        CGO_ENABLED: "0"
+    - name: build tests
+      run: ./tool/go test -exec=true ./...
+      env:
+        GOOS: ${{ matrix.goos }}
+        GOARCH: ${{ matrix.goarch }}
+        CGO_ENABLED: "0"
+
+  ios: # similar to cross above, but iOS can't build most of the repo. So, just
+       #make it build a few smoke packages.
+    runs-on: ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: build some
+      run: ./tool/go build ./ipn/... ./wgengine/ ./types/... ./control/controlclient
+      env:
+        GOOS: ios
+        GOARCH: arm64
+
+  android:
+    # similar to cross above, but android fails to build a few pieces of the
+    # repo. We should fix those pieces, they're small, but as a stepping stone,
+    # only test the subset of android that our past smoke test checked.
+    runs-on: ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
+      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
+      # some Android breakages early.
+      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
+    - name: build some
+      run: ./tool/go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
+      env:
+        GOOS: android
+        GOARCH: arm64
+
+  wasm: # builds tsconnect, which is the only wasm build we support
+    runs-on: ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: build tsconnect client
+      run: ./tool/go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
+      env:
+        GOOS: js
+        GOARCH: wasm
+    - name: build tsconnect server
+      # Note, no GOOS/GOARCH in env on this build step, we're running a build
+      # tool that handles the build itself.
+      run: |
+        ./tool/go run ./cmd/tsconnect --fast-compression build
+        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
+
+  fuzz:
+    # This target periodically breaks (see TS_FUZZ_CURRENTLY_BROKEN at the top
+    # of the file), so it's more complex than usual: the 'build fuzzers' step
+    # might fail, and depending on the value of 'TS_FUZZ_CURRENTLY_BROKEN', that
+    # might or might not be fine. The steps after the build figure out whether
+    # the success/failure is expected, and appropriately pass/fail the job
+    # overall accordingly.
+    #
+    # Practically, this means that all steps after 'build fuzzers' must have an
+    # explicit 'if' condition, because the default condition for steps is
+    # 'success()', meaning "only run this if no previous steps failed".
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-22.04
+    steps:
+    - name: build fuzzers
+      id: build
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      # continue-on-error makes steps.build.conclusion be 'success' even if
+      # steps.build.outcome is 'failure'. This means this step does not
+      # contribute to the job's overall pass/fail evaluation.
+      continue-on-error: true
+      with:
+       oss-fuzz-project-name: 'tailscale'
+       dry-run: false
+       language: go
+    - name: report unexpectedly broken fuzz build
+      if: steps.build.outcome == 'failure' && env.TS_FUZZ_CURRENTLY_BROKEN != 'true'
+      run: |
+        echo "fuzzer build failed, see above for why"
+        echo "if the failure is due to OSS-Fuzz not being on the latest Go yet,"
+        echo "set TS_FUZZ_CURRENTLY_BROKEN=true in .github/workflows/test.yml"
+        echo "to temporarily disable fuzzing until OSS-Fuzz works again."
+        exit 1
+    - name: report unexpectedly working fuzz build
+      if: steps.build.outcome == 'success' && env.TS_FUZZ_CURRENTLY_BROKEN == 'true'
+      run: |
+        echo "fuzzer build succeeded, but we expect it to be broken"
+        echo "please set TS_FUZZ_CURRENTLY_BROKEN=false in .github/workflows/test.yml"
+        echo "to reenable fuzz testing"
+        exit 1
+    - name: run fuzzers
+      id: run
+      # Run the fuzzers whenever they're able to build, even if we're going to
+      # report a failure because TS_FUZZ_CURRENTLY_BROKEN is set to the wrong
+      # value.
+      if: steps.build.outcome == 'success'
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'tailscale'
+        fuzz-seconds: 300
+        dry-run: false
+        language: go
+    - name: upload crash
+      uses: actions/upload-artifact@v3
+      if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
+      with:
+        name: artifacts
+        path: ./out/artifacts
+
+  depaware:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: check depaware
+      run: |
+        export PATH=$(./tool/go env GOROOT)/bin:$PATH
+        find . -name 'depaware.txt' | xargs -n1 dirname | xargs ./tool/go run github.com/tailscale/depaware --check
+
+  go_generate:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: check that 'go generate' is clean
+      run: |
+        pkgs=$(./tool/go list ./... | grep -v dnsfallback)
+        ./tool/go generate $pkgs
+        echo
+        echo
+        git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)
+
+  go_mod_tidy:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: check that 'go mod tidy' is clean
+      run: |
+        ./tool/go mod tidy
+        echo
+        echo
+        git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)
+
+  licenses:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: check licenses
+      run: ./scripts/check_license_headers.sh .
+
+  staticcheck:
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false # don't abort the entire matrix if one element fails
+      matrix:
+        goos: ["linux", "windows", "darwin"]
+        goarch: ["amd64"]
+        include:
+          - goos: "windows"
+            goarch: "386"
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+    - name: install staticcheck
+      run: GOBIN=~/.local/bin ./tool/go install honnef.co/go/tools/cmd/staticcheck
+    - name: run staticcheck
+      run: |
+        export GOROOT=$(./tool/go env GOROOT)
+        export PATH=$GOROOT/bin:$PATH
+        staticcheck -- $(./tool/go list ./... | grep -v tempfork)
+      env:
+        GOOS: ${{ matrix.goos }}
+        GOARCH: ${{ matrix.goarch }}
+
+  notify_slack:
+    # Only notify slack for merged commits, not PR failures.
+    if: failure() && github.event_name == 'push'
+    # Any of these jobs failing causes a slack notification.
+    needs: 
+      - android
+      - test
+      - windows
+      - vm
+      - cross
+      - ios
+      - wasm
+      - fuzz
+      - depaware
+      - go_generate
+      - go_mod_tidy
+      - licenses
+      - staticcheck
+    runs-on: ubuntu-22.04
+    steps:
+    - name: notify  
+      uses: ruby/action-slack@v3.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "title": "Failure: ${{ github.workflow }}",
+              "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",         
+              "text": "${{ github.repository }}@${{ github.ref_name }}: <https://github.com/${{ github.repository }}/commit/${{ github.sha }}|${{ github.sha }}>",
+              "fields": [{ "value": ${{ toJson(github.event.head_commit.message) }}, "short": false }],
+              "footer": "${{ github.event.head_commit.committer.name }} at ${{ github.event.head_commit.timestamp }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -0,0 +1,49 @@
+name: update-flake
+
+on:
+  # run action when a change lands in the main branch which updates go.mod. Also
+  # allow manual triggering.
+  push:
+    branches:
+      - main
+    paths:
+      - go.mod
+      - .github/workflows/update-flakes.yml
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  tailscale:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Run update-flakes
+        run: ./update-flake.sh
+
+      - name: Get access token
+        uses: tibdex/github-app-token@f717b5ecd4534d3c4df4ce9b5c1c2214f0f7cd06 # v1.6.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.LICENSING_APP_ID }}
+          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
+          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
+
+      - name: Send pull request
+        uses: peter-evans/create-pull-request@ad43dccb4d726ca8514126628bec209b8354b6dd #v4.1.4
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          author: Flakes Updater <noreply@tailscale.com>
+          committer: Flakes Updater <noreply@tailscale.com>
+          branch: flakes
+          commit-message: "go.mod.sri: update SRI hash for go.mod changes"
+          title: "go.mod.sri: update SRI hash for go.mod changes"
+          body: Triggered by ${{ github.repository }}@${{ github.sha }}
+          signoff: true
+          delete-branch: true
+          reviewers: danderson
--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@@ -1,51 +0,0 @@
-name: VM
-
-on:
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  ubuntu2004-LTS-cloud-base:
-    runs-on: [ self-hosted, linux, vm ]
-
-    if: "(github.repository == 'tailscale/tailscale') && !contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-      - name: Set GOPATH
-        run: echo "GOPATH=$HOME/go" >> $GITHUB_ENV
-
-      - name: Checkout Code
-        uses: actions/checkout@v3
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
-
-      - name: Run VM tests
-        run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
-        env:
-          HOME: "/tmp"
-          TMPDIR: "/tmp"
-          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
-
-      - uses: k0kubun/action-slack@v2.0.0
-        with:
-          payload: |
-            {
-              "attachments": [{
-                "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                        "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                        "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-                "color": "danger"
-              }]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-        if: failure() && github.event_name == 'push'
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -1,67 +0,0 @@
-name: Windows
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-      - 'release-branch/*'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: windows-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Install Go
-      uses: actions/setup-go@v3
-      with:
-        go-version-file: go.mod
-
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike some other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        # TODO(raggi): add a go version here.
-        key: ${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
-
-    - name: Test
-      # Don't use -bench=. -benchtime=1x.
-      # Somewhere in the layers (powershell?)
-      # the equals signs cause great confusion.
-      run: go test -bench . -benchtime 1x ./...
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
--- a/13
+++ b/13
@@ -1,6 +1,5 @@
-# Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause

 ############################################################################
 #
@@ -32,7 +31,7 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.19-alpine AS build-env
+FROM golang:1.20-alpine AS build-env

 WORKDIR /go/src/tailscale

@@ -63,9 +62,9 @@ ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
 ARG TARGETARCH

 RUN GOARCH=$TARGETARCH go install -ldflags="\
-      -X tailscale.com/version.Long=$VERSION_LONG \
-      -X tailscale.com/version.Short=$VERSION_SHORT \
-      -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \
+      -X tailscale.com/version.longStamp=$VERSION_LONG \
+      -X tailscale.com/version.shortStamp=$VERSION_SHORT \
+      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
      -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot

 FROM alpine:3.16
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -1,6 +1,5 @@
-# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause

 FROM alpine:3.16
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
--- a/3
+++ b/3
@@ -1,7 +1,6 @@
 BSD 3-Clause License

-Copyright (c) 2020 Tailscale & AUTHORS.
-All rights reserved.
+Copyright (c) 2020 Tailscale Inc & AUTHORS.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
--- a/8
+++ b/8
@@ -12,13 +12,17 @@ tidy:
 	./tool/go mod tidy

 updatedeps:
-	./tool/go run github.com/tailscale/depaware --update \
+	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
+	# it finds in its $$PATH is the right one.
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper

 depaware:
-	./tool/go run github.com/tailscale/depaware --check \
+	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
+	# it finds in its $$PATH is the right one.
+	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
 		tailscale.com/cmd/derper
--- a/README.md
+++ b/README.md
@@ -6,27 +6,41 @@ Private WireGuard® networks made easy

 ## Overview

-This repository contains all the open source Tailscale client code and
-the `tailscaled` daemon and `tailscale` CLI tool. The `tailscaled`
-daemon runs on Linux, Windows and [macOS](https://tailscale.com/kb/1065/macos-variants/), and to varying degrees on FreeBSD, OpenBSD, and Darwin. (The Tailscale iOS and Android apps use this repo's code, but this repo doesn't contain the mobile GUI code.)
+This repository contains the majority of Tailscale's open source code.
+Notably, it includes the `tailscaled` daemon and
+the `tailscale` CLI tool. The `tailscaled` daemon runs on Linux, Windows,
+[macOS](https://tailscale.com/kb/1065/macos-variants/), and to varying degrees
+on FreeBSD and OpenBSD. The Tailscale iOS and Android apps use this repo's
+code, but this repo doesn't contain the mobile GUI code.

-The Android app is at https://github.com/tailscale/tailscale-android
+Other [Tailscale repos](https://github.com/orgs/tailscale/repositories) of note:

-The Synology package is at https://github.com/tailscale/tailscale-synology
+* the Android app is at https://github.com/tailscale/tailscale-android
+* the Synology package is at https://github.com/tailscale/tailscale-synology
+* the QNAP package is at https://github.com/tailscale/tailscale-qpkg
+* the Chocolatey packaging is at https://github.com/tailscale/tailscale-chocolatey
+
+For background on which parts of Tailscale are open source and why,
+see [https://tailscale.com/opensource/](https://tailscale.com/opensource/).

 ## Using

-We serve packages for a variety of distros at
-https://pkgs.tailscale.com .
+We serve packages for a variety of distros and platforms at
+[https://pkgs.tailscale.com](https://pkgs.tailscale.com/).

 ## Other clients

 The [macOS, iOS, and Windows clients](https://tailscale.com/download)
 use the code in this repository but additionally include small GUI
-wrappers that are not open source.
+wrappers. The GUI wrappers on non-open source platforms are themselves
+not open source.

 ## Building

+We always require the latest Go release, currently Go 1.20. (While we build
+releases with our [Go fork](https://github.com/tailscale/go/), its use is not
+required.)
+
 ```
 go install tailscale.com/cmd/tailscale{,d}
 ```
@@ -43,8 +57,6 @@ If your distro has conventions that preclude the use of
 `build_dist.sh`, please do the equivalent of what it does in your
 distro's way, so that bug reports contain useful version information.

-We require the latest Go release, currently Go 1.19.
-
 ## Bugs

 Please file any issues about this code or the hosted service on
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.35.0
+1.37.0
--- a/atomicfile/atomicfile.go
+++ b/atomicfile/atomicfile.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2019 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // Package atomicfile contains code related to writing to filesystems
 // atomically.
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -46,7 +46,7 @@ EOF
 fi

 tags=""
-ldflags="-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}"
+ldflags="-X tailscale.com/version.longStamp=${LONG} -X tailscale.com/version.shortStamp=${SHORT}"

 # build_dist.sh arguments must precede go build arguments.
 while [ "$#" -gt 1 ]; do
@@ -54,7 +54,7 @@ while [ "$#" -gt 1 ]; do
 	--extra-small)
 		shift
 		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap"
+		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube"
 		;;
 	--box)
 		shift
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -23,28 +23,29 @@ set -eu
 export PATH=$PWD/tool:$PATH

 eval $(./build_dist.sh shellvars)
-DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
-DEFAULT_REPOS="tailscale/tailscale,ghcr.io/tailscale/tailscale"
-DEFAULT_BASE="ghcr.io/tailscale/alpine-base:3.16"
+
 DEFAULT_TARGET="client"
+DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
+DEFAULT_BASE="tailscale/alpine-base:3.16"

 PUSH="${PUSH:-false}"
-REPOS="${REPOS:-${DEFAULT_REPOS}}"
+TARGET="${TARGET:-${DEFAULT_TARGET}}"
 TAGS="${TAGS:-${DEFAULT_TAGS}}"
 BASE="${BASE:-${DEFAULT_BASE}}"
-TARGET="${TARGET:-${DEFAULT_TARGET}}"

 case "$TARGET" in
  client)
+    DEFAULT_REPOS="tailscale/tailscale"
+    REPOS="${REPOS:-${DEFAULT_REPOS}}"
    go run github.com/tailscale/mkctr \
      --gopaths="\
        tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
        tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled, \
        tailscale.com/cmd/containerboot:/usr/local/bin/containerboot" \
      --ldflags="\
-        -X tailscale.com/version.Long=${VERSION_LONG} \
-        -X tailscale.com/version.Short=${VERSION_SHORT} \
-        -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
+        -X tailscale.com/version.longStamp=${VERSION_LONG} \
+        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
+        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
      --base="${BASE}" \
      --tags="${TAGS}" \
      --repos="${REPOS}" \
@@ -52,12 +53,14 @@ case "$TARGET" in
      /usr/local/bin/containerboot
    ;;
  operator)
+    DEFAULT_REPOS="tailscale/k8s-operator"
+    REPOS="${REPOS:-${DEFAULT_REPOS}}"
    go run github.com/tailscale/mkctr \
      --gopaths="tailscale.com/cmd/k8s-operator:/usr/local/bin/operator" \
      --ldflags="\
-        -X tailscale.com/version.Long=${VERSION_LONG} \
-        -X tailscale.com/version.Short=${VERSION_SHORT} \
-        -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
+        -X tailscale.com/version.longStamp=${VERSION_LONG} \
+        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
+        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
      --base="${BASE}" \
      --tags="${TAGS}" \
      --repos="${REPOS}" \
--- a/chirp/chirp.go
+++ b/chirp/chirp.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // Package chirp implements a client to communicate with the BIRD Internet
 // Routing Daemon.
--- a/chirp/chirp_test.go
+++ b/chirp/chirp_test.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
 package chirp

 import (
--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build go1.19

--- a/client/tailscale/apitype/apitype.go
+++ b/client/tailscale/apitype/apitype.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // Package apitype contains types for the Tailscale LocalAPI and control plane API.
 package apitype
@@ -33,3 +32,9 @@ type WaitingFile struct {
 	Name string
 	Size int64
 }
+
+// SetPushDeviceTokenRequest is the body POSTed to the LocalAPI endpoint /set-device-token.
+type SetPushDeviceTokenRequest struct {
+	// PushDeviceToken is the iOS/macOS APNs device token (and any future Android equivalent).
+	PushDeviceToken string
+}
--- a/client/tailscale/apitype/controltype.go
+++ b/client/tailscale/apitype/controltype.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package apitype

--- a/client/tailscale/devices.go
+++ b/client/tailscale/devices.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build go1.19

--- a/client/tailscale/dns.go
+++ b/client/tailscale/dns.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build go1.19

--- a/client/tailscale/example/servetls/servetls.go
+++ b/client/tailscale/example/servetls/servetls.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // The servetls program shows how to run an HTTPS server
 // using a Tailscale cert via LetsEncrypt.
--- a/client/tailscale/keys.go
+++ b/client/tailscale/keys.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package tailscale

@@ -55,14 +54,14 @@ func (c *Client) Keys(ctx context.Context) ([]string, error) {
 		return nil, handleErrorResponse(b, resp)
 	}

-	var keys []struct {
-		ID string `json:"id"`
+	var keys struct {
+		Keys []*Key `json:"keys"`
 	}
 	if err := json.Unmarshal(b, &keys); err != nil {
 		return nil, err
 	}
-	ret := make([]string, 0, len(keys))
-	for _, k := range keys {
+	ret := make([]string, 0, len(keys.Keys))
+	for _, k := range keys.Keys {
 		ret = append(ret, k.ID)
 	}
 	return ret, nil
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build go1.19

@@ -114,6 +113,7 @@ func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string)
 //
 // DoLocalRequest may mutate the request to add Authorization headers.
 func (lc *LocalClient) DoLocalRequest(req *http.Request) (*http.Response, error) {
+	req.Header.Set("Tailscale-Cap", strconv.Itoa(int(tailcfg.CurrentCapabilityVersion)))
 	lc.tsClientOnce.Do(func() {
 		lc.tsClient = &http.Client{
 			Transport: &http.Transport{
@@ -257,6 +257,23 @@ func (lc *LocalClient) DaemonMetrics(ctx context.Context) ([]byte, error) {
 	return lc.get200(ctx, "/localapi/v0/metrics")
 }

+// TailDaemonLogs returns a stream the Tailscale daemon's logs as they arrive.
+// Close the context to stop the stream.
+func (lc *LocalClient) TailDaemonLogs(ctx context.Context) (io.Reader, error) {
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+apitype.LocalAPIHost+"/localapi/v0/logtap", nil)
+	if err != nil {
+		return nil, err
+	}
+	res, err := lc.doLocalRequestNiceError(req)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != 200 {
+		return nil, errors.New(res.Status)
+	}
+	return res.Body, nil
+}
+
 // Pprof returns a pprof profile of the Tailscale daemon.
 func (lc *LocalClient) Pprof(ctx context.Context, pprofType string, sec int) ([]byte, error) {
 	var secArg string
@@ -1002,6 +1019,36 @@ func (lc *LocalClient) DebugDERPRegion(ctx context.Context, regionIDOrCode strin
 	return decodeJSON[*ipnstate.DebugDERPRegionReport](body)
 }

+// DebugSetExpireIn marks the current node key to expire in d.
+//
+// This is meant primarily for debug and testing.
+func (lc *LocalClient) DebugSetExpireIn(ctx context.Context, d time.Duration) error {
+	v := url.Values{"expiry": {fmt.Sprint(time.Now().Add(d).Unix())}}
+	_, err := lc.send(ctx, "POST", "/localapi/v0/set-expiry-sooner?"+v.Encode(), 200, nil)
+	return err
+}
+
+// StreamDebugCapture streams a pcap-formatted packet capture.
+//
+// The provided context does not determine the lifetime of the
+// returned io.ReadCloser.
+func (lc *LocalClient) StreamDebugCapture(ctx context.Context) (io.ReadCloser, error) {
+	req, err := http.NewRequestWithContext(ctx, "POST", "http://"+apitype.LocalAPIHost+"/localapi/v0/debug-capture", nil)
+	if err != nil {
+		return nil, err
+	}
+	res, err := lc.doLocalRequestNiceError(req)
+	if err != nil {
+		res.Body.Close()
+		return nil, err
+	}
+	if res.StatusCode != 200 {
+		res.Body.Close()
+		return nil, errors.New(res.Status)
+	}
+	return res.Body, nil
+}
+
 // WatchIPNBus subscribes to the IPN notification bus. It returns a watcher
 // once the bus is connected successfully.
 //
--- a/client/tailscale/localclient_test.go
+++ b/client/tailscale/localclient_test.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build go1.19

--- a/client/tailscale/required_version.go
+++ b/client/tailscale/required_version.go
@@ -1,11 +1,10 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

-//go:build !go1.19
+//go:build !go1.20

 package tailscale

 func init() {
-	you_need_Go_1_19_to_compile_Tailscale()
+	you_need_Go_1_20_to_compile_Tailscale()
 }
--- a/client/tailscale/routes.go
+++ b/client/tailscale/routes.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build go1.19

--- a/client/tailscale/tailnet.go
+++ b/client/tailscale/tailnet.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build go1.19

@@ -11,6 +10,8 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+
+	"tailscale.com/util/httpm"
 )

 // TailnetDeleteRequest handles sending a DELETE request for a tailnet to control.
@@ -22,7 +23,7 @@ func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (er
 	}()

 	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
-	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, path, nil)
+	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
 	if err != nil {
 		return err
 	}
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build go1.19

--- a/cmd/addlicense/main.go
+++ b/cmd/addlicense/main.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // Program addlicense adds a license header to a file.
 // It is intended for use with 'go generate',
@@ -15,26 +14,24 @@ import (
 )

 var (
-	year = flag.Int("year", 0, "copyright year")
 	file = flag.String("file", "", "file to modify")
 )

 func usage() {
 	fmt.Fprintf(os.Stderr, `
-usage: addlicense -year YEAR -file FILE <subcommand args...>
+usage: addlicense -file FILE <subcommand args...>
 `[1:])

 	flag.PrintDefaults()
 	fmt.Fprintf(os.Stderr, `
-addlicense adds a Tailscale license to the beginning of file,
-using year as the copyright year.
+addlicense adds a Tailscale license to the beginning of file.

 It is intended for use with 'go generate', so it also runs a subcommand,
 which presumably creates the file.

 Sample usage:

-addlicense -year 2021 -file pull_strings.go stringer -type=pull
+addlicense -file pull_strings.go stringer -type=pull
 `[1:])
 	os.Exit(2)
 }
@@ -54,7 +51,7 @@ func main() {
 	check(err)
 	f, err := os.OpenFile(*file, os.O_TRUNC|os.O_WRONLY, 0644)
 	check(err)
-	_, err = fmt.Fprintf(f, license, *year)
+	_, err = fmt.Fprint(f, license)
 	check(err)
 	_, err = f.Write(b)
 	check(err)
@@ -70,8 +67,7 @@ func check(err error) {
 }

 var license = `
-// Copyright (c) %d Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 `[1:]
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // Cloner is a tool to automate the creation of a Clone method.
 //
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build linux

--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build linux

@@ -12,7 +11,8 @@
 // As with most container things, configuration is passed through environment
 // variables. All configuration is optional.
 //
-//   - TS_AUTH_KEY: the authkey to use for login.
+//   - TS_AUTHKEY: the authkey to use for login.
+//   - TS_HOSTNAME: the hostname to request for the node.
 //   - TS_ROUTES: subnet routes to advertise.
 //   - TS_DEST_IP: proxy all incoming Tailscale traffic to the given
 //     destination.
@@ -42,7 +42,7 @@
 // TS_KUBE_SECRET="" and TS_STATE_DIR=/path/to/storage/dir. The state dir should
 // be persistent storage.
 //
-// Additionally, if TS_AUTH_KEY is not set and the TS_KUBE_SECRET contains an
+// Additionally, if TS_AUTHKEY is not set and the TS_KUBE_SECRET contains an
 // "authkey" field, that key is used as the tailscale authkey.
 package main

@@ -73,7 +73,8 @@ func main() {
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true

 	cfg := &settings{
-		AuthKey:         defaultEnv("TS_AUTH_KEY", ""),
+		AuthKey:         defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
+		Hostname:        defaultEnv("TS_HOSTNAME", ""),
 		Routes:          defaultEnv("TS_ROUTES", ""),
 		ProxyTo:         defaultEnv("TS_DEST_IP", ""),
 		DaemonExtraArgs: defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
@@ -355,7 +356,11 @@ func tailscaledArgs(cfg *settings) []string {
 	args := []string{"--socket=" + cfg.Socket}
 	switch {
 	case cfg.InKubernetes && cfg.KubeSecret != "":
-		args = append(args, "--state=kube:"+cfg.KubeSecret, "--statedir=/tmp")
+		args = append(args, "--state=kube:"+cfg.KubeSecret)
+		if cfg.StateDir == "" {
+			cfg.StateDir = "/tmp"
+		}
+		fallthrough
 	case cfg.StateDir != "":
 		args = append(args, "--statedir="+cfg.StateDir)
 	default:
@@ -394,6 +399,9 @@ func tailscaleUp(ctx context.Context, cfg *settings) error {
 	if cfg.Routes != "" {
 		args = append(args, "--advertise-routes="+cfg.Routes)
 	}
+	if cfg.Hostname != "" {
+		args = append(args, "--hostname="+cfg.Hostname)
+	}
 	if cfg.ExtraArgs != "" {
 		args = append(args, strings.Fields(cfg.ExtraArgs)...)
 	}
@@ -522,6 +530,7 @@ func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Prefi
 // settings is all the configuration for containerboot.
 type settings struct {
 	AuthKey            string
+	Hostname           string
 	Routes             string
 	ProxyTo            string
 	DaemonExtraArgs    string
@@ -548,6 +557,15 @@ func defaultEnv(name, defVal string) string {
 	return defVal
 }

+func defaultEnvs(names []string, defVal string) string {
+	for _, name := range names {
+		if v, ok := os.LookupEnv(name); ok {
+			return v
+		}
+	}
+	return defVal
+}
+
 // defaultBool returns the boolean value of the given envvar name, or
 // defVal if unset or not a bool.
 func defaultBool(name string, defVal bool) bool {
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build linux

@@ -146,6 +145,24 @@ func TestContainerBoot(t *testing.T) {
 		{
 			// Userspace mode, ephemeral storage, authkey provided on every run.
 			Name: "authkey",
+			Env: map[string]string{
+				"TS_AUTHKEY": "tskey-key",
+			},
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --authkey=tskey-key",
+					},
+				},
+				{
+					Notify: runningNotify,
+				},
+			},
+		},
+		{
+			// Userspace mode, ephemeral storage, authkey provided on every run.
+			Name: "authkey-old-flag",
 			Env: map[string]string{
 				"TS_AUTH_KEY": "tskey-key",
 			},
@@ -164,7 +181,7 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "authkey_disk_state",
 			Env: map[string]string{
-				"TS_AUTH_KEY":  "tskey-key",
+				"TS_AUTHKEY":   "tskey-key",
 				"TS_STATE_DIR": filepath.Join(d, "tmp"),
 			},
 			Phases: []phase{
@@ -182,8 +199,8 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "routes",
 			Env: map[string]string{
-				"TS_AUTH_KEY": "tskey-key",
-				"TS_ROUTES":   "1.2.3.0/24,10.20.30.0/24",
+				"TS_AUTHKEY": "tskey-key",
+				"TS_ROUTES":  "1.2.3.0/24,10.20.30.0/24",
 			},
 			Phases: []phase{
 				{
@@ -204,7 +221,7 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "routes_kernel_ipv4",
 			Env: map[string]string{
-				"TS_AUTH_KEY":  "tskey-key",
+				"TS_AUTHKEY":   "tskey-key",
 				"TS_ROUTES":    "1.2.3.0/24,10.20.30.0/24",
 				"TS_USERSPACE": "false",
 			},
@@ -227,7 +244,7 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "routes_kernel_ipv6",
 			Env: map[string]string{
-				"TS_AUTH_KEY":  "tskey-key",
+				"TS_AUTHKEY":   "tskey-key",
 				"TS_ROUTES":    "::/64,1::/64",
 				"TS_USERSPACE": "false",
 			},
@@ -250,7 +267,7 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "routes_kernel_all_families",
 			Env: map[string]string{
-				"TS_AUTH_KEY":  "tskey-key",
+				"TS_AUTHKEY":   "tskey-key",
 				"TS_ROUTES":    "::/64,1.2.3.0/24",
 				"TS_USERSPACE": "false",
 			},
@@ -273,7 +290,7 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "proxy",
 			Env: map[string]string{
-				"TS_AUTH_KEY":  "tskey-key",
+				"TS_AUTHKEY":   "tskey-key",
 				"TS_DEST_IP":   "1.2.3.4",
 				"TS_USERSPACE": "false",
 			},
@@ -295,7 +312,7 @@ func TestContainerBoot(t *testing.T) {
 		{
 			Name: "authkey_once",
 			Env: map[string]string{
-				"TS_AUTH_KEY":  "tskey-key",
+				"TS_AUTHKEY":   "tskey-key",
 				"TS_AUTH_ONCE": "true",
 			},
 			Phases: []phase{
@@ -354,7 +371,7 @@ func TestContainerBoot(t *testing.T) {
 				// Explicitly set to an empty value, to override the default of "tailscale".
 				"TS_KUBE_SECRET": "",
 				"TS_STATE_DIR":   filepath.Join(d, "tmp"),
-				"TS_AUTH_KEY":    "tskey-key",
+				"TS_AUTHKEY":     "tskey-key",
 			},
 			KubeSecret: map[string]string{},
 			Phases: []phase{
@@ -376,7 +393,7 @@ func TestContainerBoot(t *testing.T) {
 			Env: map[string]string{
 				"KUBERNETES_SERVICE_HOST":       kube.Host,
 				"KUBERNETES_SERVICE_PORT_HTTPS": kube.Port,
-				"TS_AUTH_KEY":                   "tskey-key",
+				"TS_AUTHKEY":                    "tskey-key",
 			},
 			KubeSecret:    map[string]string{},
 			KubeDenyPatch: true,
@@ -532,6 +549,22 @@ func TestContainerBoot(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name: "hostname",
+			Env: map[string]string{
+				"TS_HOSTNAME": "my-server",
+			},
+			Phases: []phase{
+				{
+					WantCmds: []string{
+						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking",
+						"/usr/bin/tailscale --socket=/tmp/tailscaled.sock up --accept-dns=false --hostname=my-server",
+					},
+				}, {
+					Notify: runningNotify,
+				},
+			},
+		},
 	}

 	for _, test := range tests {
--- a/cmd/derper/bootstrap_dns.go
+++ b/cmd/derper/bootstrap_dns.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package main

--- a/cmd/derper/bootstrap_dns_test.go
+++ b/cmd/derper/bootstrap_dns_test.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package main

--- a/cmd/derper/cert.go
+++ b/cmd/derper/cert.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package main

--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -11,7 +11,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
-  LW    github.com/josharian/native                                  from github.com/mdlayher/netlink+
+   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
@@ -34,6 +34,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/derper
        tailscale.com/disco                                          from tailscale.com/derp
        tailscale.com/envknob                                        from tailscale.com/derp+
+        tailscale.com/health                                         from tailscale.com/net/tlsdial
        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
        tailscale.com/ipn                                            from tailscale.com/client/tailscale
        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
@@ -64,12 +65,13 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/types/empty                                    from tailscale.com/ipn
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
        tailscale.com/types/key                                      from tailscale.com/cmd/derper+
+        tailscale.com/types/lazy                                     from tailscale.com/version+
        tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
        tailscale.com/types/netmap                                   from tailscale.com/ipn
        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/ipn
-        tailscale.com/types/ptr                                      from tailscale.com/hostinfo
+        tailscale.com/types/ptr                                      from tailscale.com/hostinfo+
        tailscale.com/types/structs                                  from tailscale.com/ipn+
        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
        tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
@@ -78,10 +80,13 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
+        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-        tailscale.com/util/mak                                       from tailscale.com/syncs
+        tailscale.com/util/mak                                       from tailscale.com/syncs+
+        tailscale.com/util/multierr                                  from tailscale.com/health
+        tailscale.com/util/set                                       from tailscale.com/health
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-        tailscale.com/util/strs                                      from tailscale.com/hostinfo+
+        tailscale.com/util/vizerror                                  from tailscale.com/tsweb
   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/derp+
        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
@@ -95,7 +100,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
-        golang.org/x/crypto/curve25519                               from crypto/tls+
+        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
        golang.org/x/crypto/hkdf                                     from crypto/tls
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
@@ -133,6 +138,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        crypto/cipher                                                from crypto/aes+
        crypto/des                                                   from crypto/tls+
        crypto/dsa                                                   from crypto/x509
+        crypto/ecdh                                                  from crypto/ecdsa+
        crypto/ecdsa                                                 from crypto/tls+
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // The derper binary is a simple DERP server.
 package main // import "tailscale.com/cmd/derper"
--- a/cmd/derper/derper_test.go
+++ b/cmd/derper/derper_test.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package main

--- a/cmd/derper/mesh.go
+++ b/cmd/derper/mesh.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package main

@@ -17,7 +16,6 @@ import (
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/strs"
 )

 func startMesh(s *derp.Server) error {
@@ -51,7 +49,7 @@ func startMeshWithHost(s *derp.Server, host string) error {
 		}
 		var d net.Dialer
 		var r net.Resolver
-		if base, ok := strs.CutSuffix(host, ".tailscale.com"); ok && port == "443" {
+		if base, ok := strings.CutSuffix(host, ".tailscale.com"); ok && port == "443" {
 			subCtx, cancel := context.WithTimeout(ctx, 2*time.Second)
 			defer cancel()
 			vpcHost := base + "-vpc.tailscale.com"
--- a/cmd/derper/websocket.go
+++ b/cmd/derper/websocket.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package main

--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -1,74 +1,46 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // The derpprobe binary probes derpers.
-package main // import "tailscale.com/cmd/derper/derpprobe"
+package main

 import (
-	"bytes"
-	"context"
-	crand "crypto/rand"
-	"crypto/x509"
-	"encoding/json"
-	"errors"
+	"expvar"
 	"flag"
 	"fmt"
 	"html"
 	"io"
 	"log"
-	"net"
 	"net/http"
-	"os"
 	"sort"
-	"strings"
-	"sync"
 	"time"

-	"tailscale.com/derp"
-	"tailscale.com/derp/derphttp"
-	"tailscale.com/net/stun"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
+	"tailscale.com/prober"
+	"tailscale.com/tsweb"
 )

 var (
 	derpMapURL = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://)")
 	listen     = flag.String("listen", ":8030", "HTTP listen address")
 	probeOnce  = flag.Bool("once", false, "probe once and print results, then exit; ignores the listen flag")
-)
-
-// certReissueAfter is the time after which we expect all certs to be
-// reissued, at minimum.
-//
-// This is currently set to the date of the LetsEncrypt ALPN revocation event of Jan 2022:
-// https://community.letsencrypt.org/t/questions-about-renewing-before-tls-alpn-01-revocations/170449
-//
-// If there's another revocation event, bump this again.
-var certReissueAfter = time.Unix(1643226768, 0)
-
-var (
-	mu            sync.Mutex
-	state         = map[nodePair]pairStatus{}
-	lastDERPMap   *tailcfg.DERPMap
-	lastDERPMapAt time.Time
-	certs         = map[string]*x509.Certificate{}
+	interval   = flag.Duration("interval", 15*time.Second, "probe interval")
 )

 func main() {
 	flag.Parse()

-	// proactively load the DERP map. Nothing terrible happens if this fails, so we ignore
-	// the error. The Slack bot will print a notification that the DERP map was empty.
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-	_, _ = getDERPMap(ctx)
+	p := prober.New().WithSpread(true).WithOnce(*probeOnce)
+	dp, err := prober.DERP(p, *derpMapURL, *interval, *interval, *interval)
+	if err != nil {
+		log.Fatal(err)
+	}
+	p.Run("derpmap-probe", *interval, nil, dp.ProbeMap)

 	if *probeOnce {
-		log.Printf("Starting probe (may take up to 1m)")
-		probe()
-		log.Printf("Probe results:")
-		st := getOverallStatus()
+		log.Printf("Waiting for all probes (may take up to 1m)")
+		p.Wait()
+
+		st := getOverallStatus(p)
 		for _, s := range st.good {
 			log.Printf("good: %s", s)
 		}
@@ -78,15 +50,11 @@ func main() {
 		return
 	}

-	go probeLoop()
-	go slackLoop()
-	log.Fatal(http.ListenAndServe(*listen, http.HandlerFunc(serve)))
-}
-
-func setCert(name string, cert *x509.Certificate) {
-	mu.Lock()
-	defer mu.Unlock()
-	certs[name] = cert
+	mux := http.NewServeMux()
+	tsweb.Debugger(mux)
+	expvar.Publish("derpprobe", p.Expvar())
+	mux.HandleFunc("/", http.HandlerFunc(serveFunc(p)))
+	log.Fatal(http.ListenAndServe(*listen, mux))
 }

 type overallStatus struct {
@@ -101,471 +69,43 @@ func (st *overallStatus) addGoodf(format string, a ...any) {
 	st.good = append(st.good, fmt.Sprintf(format, a...))
 }

-func getOverallStatus() (o overallStatus) {
-	mu.Lock()
-	defer mu.Unlock()
-	if lastDERPMap == nil {
-		o.addBadf("no DERP map")
-		return
-	}
-	now := time.Now()
-	if age := now.Sub(lastDERPMapAt); age > time.Minute {
-		o.addBadf("DERPMap hasn't been successfully refreshed in %v", age.Round(time.Second))
-	}
-
-	addPairMeta := func(pair nodePair) {
-		st, ok := state[pair]
-		age := now.Sub(st.at).Round(time.Second)
-		switch {
-		case !ok:
-			o.addBadf("no state for %v", pair)
-		case st.err != nil:
-			o.addBadf("%v: %v", pair, st.err)
-		case age > 90*time.Second:
-			o.addBadf("%v: update is %v old", pair, age)
-		default:
-			o.addGoodf("%v: %v, %v ago", pair, st.latency.Round(time.Millisecond), age)
-		}
-	}
-
-	for _, reg := range sortedRegions(lastDERPMap) {
-		for _, from := range reg.Nodes {
-			addPairMeta(nodePair{"UDP", from.Name})
-			for _, to := range reg.Nodes {
-				addPairMeta(nodePair{from.Name, to.Name})
-			}
-		}
-	}
-
-	var subjs []string
-	for k := range certs {
-		subjs = append(subjs, k)
-	}
-	sort.Strings(subjs)
-
-	soon := time.Now().Add(14 * 24 * time.Hour) // in 2 weeks; autocert does 30 days by default
-	for _, s := range subjs {
-		cert := certs[s]
-		if cert.NotBefore.Before(certReissueAfter) {
-			o.addBadf("cert %q needs reissuing; NotBefore=%v", s, cert.NotBefore.Format(time.RFC3339))
+func getOverallStatus(p *prober.Prober) (o overallStatus) {
+	for p, i := range p.ProbeInfo() {
+		if i.End.IsZero() {
+			// Do not show probes that have not finished yet.
 			continue
 		}
-		if cert.NotAfter.Before(soon) {
-			o.addBadf("cert %q expiring soon (%v); wasn't auto-refreshed", s, cert.NotAfter.Format(time.RFC3339))
-			continue
+		if i.Result {
+			o.addGoodf("%s: %s", p, i.Latency)
+		} else {
+			o.addBadf("%s: %s", p, i.Error)
 		}
-		o.addGoodf("cert %q good %v - %v", s, cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
 	}

+	sort.Strings(o.bad)
+	sort.Strings(o.good)
 	return
 }

-func serve(w http.ResponseWriter, r *http.Request) {
-	st := getOverallStatus()
-	summary := "All good"
-	if (float64(len(st.bad)) / float64(len(st.bad)+len(st.good))) > 0.25 {
-		// This will generate an alert and page a human.
-		// It also ends up in Slack, but as part of the alert handling pipeline not
-		// because we generated a Slack notification from here.
-		w.WriteHeader(500)
-		summary = fmt.Sprintf("%d problems", len(st.bad))
-	}
-
-	io.WriteString(w, "<html><head><style>.bad { font-weight: bold; color: #700; }</style></head>\n")
-	fmt.Fprintf(w, "<body><h1>derp probe</h1>\n%s:<ul>", summary)
-	for _, s := range st.bad {
-		fmt.Fprintf(w, "<li class=bad>%s</li>\n", html.EscapeString(s))
-	}
-	for _, s := range st.good {
-		fmt.Fprintf(w, "<li>%s</li>\n", html.EscapeString(s))
-	}
-	io.WriteString(w, "</ul></body></html>\n")
-}
-
-func notifySlack(text string) error {
-	type SlackRequestBody struct {
-		Text string `json:"text"`
-	}
-
-	slackBody, err := json.Marshal(SlackRequestBody{Text: text})
-	if err != nil {
-		return err
-	}
-
-	webhookUrl := os.Getenv("SLACK_WEBHOOK")
-	if webhookUrl == "" {
-		return errors.New("No SLACK_WEBHOOK configured")
-	}
-
-	req, err := http.NewRequest("POST", webhookUrl, bytes.NewReader(slackBody))
-	if err != nil {
-		return err
-	}
-	req.Header.Add("Content-Type", "application/json")
-
-	client := &http.Client{Timeout: 10 * time.Second}
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != 200 {
-		return errors.New(resp.Status)
-	}
-
-	body, _ := io.ReadAll(resp.Body)
-	if string(body) != "ok" {
-		return errors.New("Non-ok response returned from Slack")
-	}
-	return nil
-}
-
-// We only page a human if it looks like there is a significant outage across multiple regions.
-// To Slack, we report all failures great and small.
-func slackLoop() {
-	inBadState := false
-	for {
-		time.Sleep(time.Second * 30)
-		st := getOverallStatus()
-
-		if len(st.bad) > 0 && !inBadState {
-			err := notifySlack(strings.Join(st.bad, "\n"))
-			if err == nil {
-				inBadState = true
-			} else {
-				log.Printf("%d problems, notify Slack failed: %v", len(st.bad), err)
-			}
+func serveFunc(p *prober.Prober) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		st := getOverallStatus(p)
+		summary := "All good"
+		if (float64(len(st.bad)) / float64(len(st.bad)+len(st.good))) > 0.25 {
+			// Returning a 500 allows monitoring this server externally and configuring
+			// an alert on HTTP response code.
+			w.WriteHeader(500)
+			summary = fmt.Sprintf("%d problems", len(st.bad))
 		}

-		if len(st.bad) == 0 && inBadState {
-			err := notifySlack("All DERPs recovered.")
-			if err == nil {
-				inBadState = false
-			}
+		io.WriteString(w, "<html><head><style>.bad { font-weight: bold; color: #700; }</style></head>\n")
+		fmt.Fprintf(w, "<body><h1>derp probe</h1>\n%s:<ul>", summary)
+		for _, s := range st.bad {
+			fmt.Fprintf(w, "<li class=bad>%s</li>\n", html.EscapeString(s))
 		}
+		for _, s := range st.good {
+			fmt.Fprintf(w, "<li>%s</li>\n", html.EscapeString(s))
+		}
+		io.WriteString(w, "</ul></body></html>\n")
 	}
 }
-
-func sortedRegions(dm *tailcfg.DERPMap) []*tailcfg.DERPRegion {
-	ret := make([]*tailcfg.DERPRegion, 0, len(dm.Regions))
-	for _, r := range dm.Regions {
-		ret = append(ret, r)
-	}
-	sort.Slice(ret, func(i, j int) bool { return ret[i].RegionID < ret[j].RegionID })
-	return ret
-}
-
-type nodePair struct {
-	from string // DERPNode.Name, or "UDP" for a STUN query to 'to'
-	to   string // DERPNode.Name
-}
-
-func (p nodePair) String() string { return fmt.Sprintf("(%s→%s)", p.from, p.to) }
-
-type pairStatus struct {
-	err     error
-	latency time.Duration
-	at      time.Time
-}
-
-func setDERPMap(dm *tailcfg.DERPMap) {
-	mu.Lock()
-	defer mu.Unlock()
-	lastDERPMap = dm
-	lastDERPMapAt = time.Now()
-}
-
-func setState(p nodePair, latency time.Duration, err error) {
-	mu.Lock()
-	defer mu.Unlock()
-	st := pairStatus{
-		err:     err,
-		latency: latency,
-		at:      time.Now(),
-	}
-	state[p] = st
-	if err != nil {
-		log.Printf("%+v error: %v", p, err)
-	} else {
-		log.Printf("%+v: %v", p, latency.Round(time.Millisecond))
-	}
-}
-
-func probeLoop() {
-	ticker := time.NewTicker(15 * time.Second)
-	for {
-		err := probe()
-		if err != nil {
-			log.Printf("probe: %v", err)
-		}
-		<-ticker.C
-	}
-}
-
-func probe() error {
-	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
-	defer cancel()
-	dm, err := getDERPMap(ctx)
-	if err != nil {
-		return err
-	}
-
-	var wg sync.WaitGroup
-	wg.Add(len(dm.Regions))
-	for _, reg := range dm.Regions {
-		reg := reg
-		go func() {
-			defer wg.Done()
-			for _, from := range reg.Nodes {
-				latency, err := probeUDP(ctx, dm, from)
-				setState(nodePair{"UDP", from.Name}, latency, err)
-				for _, to := range reg.Nodes {
-					latency, err := probeNodePair(ctx, dm, from, to)
-					setState(nodePair{from.Name, to.Name}, latency, err)
-				}
-			}
-		}()
-	}
-
-	wg.Wait()
-	return ctx.Err()
-}
-
-func probeUDP(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (latency time.Duration, err error) {
-	pc, err := net.ListenPacket("udp", ":0")
-	if err != nil {
-		return 0, err
-	}
-	defer pc.Close()
-	uc := pc.(*net.UDPConn)
-
-	tx := stun.NewTxID()
-	req := stun.Request(tx)
-
-	for _, ipStr := range []string{n.IPv4, n.IPv6} {
-		if ipStr == "" {
-			continue
-		}
-		port := n.STUNPort
-		if port == -1 {
-			continue
-		}
-		if port == 0 {
-			port = 3478
-		}
-		for {
-			ip := net.ParseIP(ipStr)
-			_, err := uc.WriteToUDP(req, &net.UDPAddr{IP: ip, Port: port})
-			if err != nil {
-				return 0, err
-			}
-			buf := make([]byte, 1500)
-			uc.SetReadDeadline(time.Now().Add(2 * time.Second))
-			t0 := time.Now()
-			n, _, err := uc.ReadFromUDP(buf)
-			d := time.Since(t0)
-			if err != nil {
-				if ctx.Err() != nil {
-					return 0, fmt.Errorf("timeout reading from %v: %v", ip, err)
-				}
-				if d < time.Second {
-					return 0, fmt.Errorf("error reading from %v: %v", ip, err)
-				}
-				time.Sleep(100 * time.Millisecond)
-				continue
-			}
-			txBack, _, err := stun.ParseResponse(buf[:n])
-			if err != nil {
-				return 0, fmt.Errorf("parsing STUN response from %v: %v", ip, err)
-			}
-			if txBack != tx {
-				return 0, fmt.Errorf("read wrong tx back from %v", ip)
-			}
-			if latency == 0 || d < latency {
-				latency = d
-			}
-			break
-		}
-	}
-	return latency, nil
-}
-
-func probeNodePair(ctx context.Context, dm *tailcfg.DERPMap, from, to *tailcfg.DERPNode) (latency time.Duration, err error) {
-	// The passed in context is a minute for the whole region. The
-	// idea is that each node pair in the region will be done
-	// serially and regularly in the future, reusing connections
-	// (at least in the happy path). For now they don't reuse
-	// connections and probe at most once every 15 seconds. We
-	// bound the duration of a single node pair within a region
-	// so one bad one can't starve others.
-	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
-	defer cancel()
-
-	fromc, err := newConn(ctx, dm, from)
-	if err != nil {
-		return 0, err
-	}
-	defer fromc.Close()
-	toc, err := newConn(ctx, dm, to)
-	if err != nil {
-		return 0, err
-	}
-	defer toc.Close()
-
-	// Wait a bit for from's node to hear about to existing on the
-	// other node in the region, in the case where the two nodes
-	// are different.
-	if from.Name != to.Name {
-		time.Sleep(100 * time.Millisecond) // pretty arbitrary
-	}
-
-	// Make a random packet
-	pkt := make([]byte, 8)
-	crand.Read(pkt)
-
-	t0 := time.Now()
-
-	// Send the random packet.
-	sendc := make(chan error, 1)
-	go func() {
-		sendc <- fromc.Send(toc.SelfPublicKey(), pkt)
-	}()
-	select {
-	case <-ctx.Done():
-		return 0, fmt.Errorf("timeout sending via %q: %w", from.Name, ctx.Err())
-	case err := <-sendc:
-		if err != nil {
-			return 0, fmt.Errorf("error sending via %q: %w", from.Name, err)
-		}
-	}
-
-	// Receive the random packet.
-	recvc := make(chan any, 1) // either derp.ReceivedPacket or error
-	go func() {
-		for {
-			m, err := toc.Recv()
-			if err != nil {
-				recvc <- err
-				return
-			}
-			switch v := m.(type) {
-			case derp.ReceivedPacket:
-				recvc <- v
-			default:
-				log.Printf("%v: ignoring Recv frame type %T", to.Name, v)
-				// Loop.
-			}
-		}
-	}()
-	select {
-	case <-ctx.Done():
-		return 0, fmt.Errorf("timeout receiving from %q: %w", to.Name, ctx.Err())
-	case v := <-recvc:
-		if err, ok := v.(error); ok {
-			return 0, fmt.Errorf("error receiving from %q: %w", to.Name, err)
-		}
-		p := v.(derp.ReceivedPacket)
-		if p.Source != fromc.SelfPublicKey() {
-			return 0, fmt.Errorf("got data packet from unexpected source, %v", p.Source)
-		}
-		if !bytes.Equal(p.Data, pkt) {
-			return 0, fmt.Errorf("unexpected data packet %q", p.Data)
-		}
-	}
-	return time.Since(t0), nil
-}
-
-func newConn(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (*derphttp.Client, error) {
-	priv := key.NewNode()
-	dc := derphttp.NewRegionClient(priv, log.Printf, func() *tailcfg.DERPRegion {
-		rid := n.RegionID
-		return &tailcfg.DERPRegion{
-			RegionID:   rid,
-			RegionCode: fmt.Sprintf("%s-%s", dm.Regions[rid].RegionCode, n.Name),
-			RegionName: dm.Regions[rid].RegionName,
-			Nodes:      []*tailcfg.DERPNode{n},
-		}
-	})
-	dc.IsProber = true
-	err := dc.Connect(ctx)
-	if err != nil {
-		return nil, err
-	}
-	cs, ok := dc.TLSConnectionState()
-	if !ok {
-		dc.Close()
-		return nil, errors.New("no TLS state")
-	}
-	if len(cs.PeerCertificates) == 0 {
-		dc.Close()
-		return nil, errors.New("no peer certificates")
-	}
-	if cs.ServerName != n.HostName {
-		dc.Close()
-		return nil, fmt.Errorf("TLS server name %q != derp hostname %q", cs.ServerName, n.HostName)
-	}
-	setCert(cs.ServerName, cs.PeerCertificates[0])
-
-	errc := make(chan error, 1)
-	go func() {
-		m, err := dc.Recv()
-		if err != nil {
-			errc <- err
-			return
-		}
-		switch m.(type) {
-		case derp.ServerInfoMessage:
-			errc <- nil
-		default:
-			errc <- fmt.Errorf("unexpected first message type %T", errc)
-		}
-	}()
-	select {
-	case err := <-errc:
-		if err != nil {
-			go dc.Close()
-			return nil, err
-		}
-	case <-ctx.Done():
-		go dc.Close()
-		return nil, fmt.Errorf("timeout waiting for ServerInfoMessage: %w", ctx.Err())
-	}
-	return dc, nil
-}
-
-var httpOrFileClient = &http.Client{Transport: httpOrFileTransport()}
-
-func httpOrFileTransport() http.RoundTripper {
-	tr := http.DefaultTransport.(*http.Transport).Clone()
-	tr.RegisterProtocol("file", http.NewFileTransport(http.Dir("/")))
-	return tr
-}
-
-func getDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", *derpMapURL, nil)
-	if err != nil {
-		return nil, err
-	}
-	res, err := httpOrFileClient.Do(req)
-	if err != nil {
-		mu.Lock()
-		defer mu.Unlock()
-		if lastDERPMap != nil && time.Since(lastDERPMapAt) < 10*time.Minute {
-			// Assume that control is restarting and use
-			// the same one for a bit.
-			return lastDERPMap, nil
-		}
-		return nil, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != 200 {
-		return nil, fmt.Errorf("fetching %s: %s", *derpMapURL, res.Status)
-	}
-	dm := new(tailcfg.DERPMap)
-	if err := json.NewDecoder(res.Body).Decode(dm); err != nil {
-		return nil, fmt.Errorf("decoding %s JSON: %v", *derpMapURL, err)
-	}
-	setDERPMap(dm)
-	return dm, nil
-}
--- a/cmd/get-authkey/.gitignore
+++ b/cmd/get-authkey/.gitignore
@@ -0,0 +1 @@
+get-authkey
--- a/cmd/get-authkey/main.go
+++ b/cmd/get-authkey/main.go
@@ -0,0 +1,76 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// get-authkey allocates an authkey using an OAuth API client
+// https://tailscale.com/kb/1215/oauth-clients/ and prints it
+// to stdout for scripts to capture and use.
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+
+	"golang.org/x/oauth2/clientcredentials"
+	"tailscale.com/client/tailscale"
+)
+
+func main() {
+	// Required to use our client API. We're fine with the instability since the
+	// client lives in the same repo as this code.
+	tailscale.I_Acknowledge_This_API_Is_Unstable = true
+
+	reusable := flag.Bool("reusable", false, "allocate a reusable authkey")
+	ephemeral := flag.Bool("ephemeral", false, "allocate an ephemeral authkey")
+	preauth := flag.Bool("preauth", true, "set the authkey as pre-authorized")
+	tags := flag.String("tags", "", "comma-separated list of tags to apply to the authkey")
+	flag.Parse()
+
+	clientId := os.Getenv("TS_API_CLIENT_ID")
+	clientSecret := os.Getenv("TS_API_CLIENT_SECRET")
+	if clientId == "" || clientSecret == "" {
+		log.Fatal("TS_API_CLIENT_ID and TS_API_CLIENT_SECRET must be set")
+	}
+
+	if *tags == "" {
+		log.Fatal("at least one tag must be specified")
+	}
+
+	baseUrl := os.Getenv("TS_BASE_URL")
+	if baseUrl == "" {
+		baseUrl = "https://api.tailscale.com"
+	}
+
+	credentials := clientcredentials.Config{
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		TokenURL:     baseUrl + "/api/v2/oauth/token",
+		Scopes:       []string{"device"},
+	}
+
+	ctx := context.Background()
+	tsClient := tailscale.NewClient("-", nil)
+	tsClient.HTTPClient = credentials.Client(ctx)
+	tsClient.BaseURL = baseUrl
+
+	caps := tailscale.KeyCapabilities{
+		Devices: tailscale.KeyDeviceCapabilities{
+			Create: tailscale.KeyDeviceCreateCapabilities{
+				Reusable:      *reusable,
+				Ephemeral:     *ephemeral,
+				Preauthorized: *preauth,
+				Tags:          strings.Split(*tags, ","),
+			},
+		},
+	}
+
+	authkey, _, err := tsClient.CreateKey(ctx, caps)
+	if err != nil {
+		log.Fatal(err.Error())
+	}
+
+	fmt.Println(authkey)
+}
--- a/cmd/gitops-pusher/cache.go
+++ b/cmd/gitops-pusher/cache.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package main

--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // Command gitops-pusher allows users to use a GitOps flow for managing Tailscale ACLs.
 //
@@ -23,6 +22,7 @@ import (

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/tailscale/hujson"
+	"tailscale.com/util/httpm"
 )

 var (
@@ -235,7 +235,7 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri
 	}
 	defer fin.Close()

-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), fin)
+	req, err := http.NewRequestWithContext(ctx, httpm.POST, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), fin)
 	if err != nil {
 		return err
 	}
@@ -275,7 +275,7 @@ func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error
 		return err
 	}

-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl/validate", *apiServer, tailnet), bytes.NewBuffer(data))
+	req, err := http.NewRequestWithContext(ctx, httpm.POST, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl/validate", *apiServer, tailnet), bytes.NewBuffer(data))
 	if err != nil {
 		return err
 	}
@@ -347,7 +347,7 @@ type ACLTestErrorDetail struct {
 }

 func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) {
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil)
+	req, err := http.NewRequestWithContext(ctx, httpm.GET, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil)
 	if err != nil {
 		return "", err
 	}
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // The hello binary runs hello.ts.net.
 package main // import "tailscale.com/cmd/hello"
--- a/cmd/k8s-operator/manifests/authproxy-rbac.yaml
+++ b/cmd/k8s-operator/manifests/authproxy-rbac.yaml
@@ -0,0 +1,24 @@
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tailscale-auth-proxy
+rules:
+- apiGroups: [""]
+  resources: ["users"]
+  verbs: ["impersonate"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tailscale-auth-proxy
+subjects:
+- kind: ServiceAccount
+  name: operator
+  namespace: tailscale
+roleRef:
+  kind: ClusterRole
+  name: tailscale-auth-proxy
+  apiGroup: rbac.authorization.k8s.io
--- a/cmd/k8s-operator/manifests/operator.yaml
+++ b/cmd/k8s-operator/manifests/operator.yaml
@@ -1,6 +1,5 @@
-# Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause

 apiVersion: v1
 kind: Namespace
@@ -125,7 +124,7 @@ spec:
          secretName: operator-oauth
      containers:
        - name: operator
-          image: tailscale/k8s-operator:latest
+          image: tailscale/k8s-operator:unstable
          resources:
            requests:
              cpu: 500m
@@ -146,9 +145,11 @@ spec:
            - name: CLIENT_SECRET_FILE
              value: /oauth/client_secret
            - name: PROXY_IMAGE
-              value: tailscale/tailscale:latest
+              value: tailscale/tailscale:unstable
            - name: PROXY_TAGS
              value: tag:k8s
+            - name: AUTH_PROXY
+              value: "false"
          volumeMounts:
          - name: oauth
            mountPath: /oauth
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // tailscale-operator provides a way to expose services running in a Kubernetes
 // cluster to your Tailnet.
@@ -26,6 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -43,6 +43,7 @@ import (
 	"tailscale.com/ipn/store/kubestore"
 	"tailscale.com/tsnet"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/dnsname"
 )

 func main() {
@@ -51,15 +52,16 @@ func main() {
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true

 	var (
-		hostname         = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator")
-		kubeSecret       = defaultEnv("OPERATOR_SECRET", "")
-		operatorTags     = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator")
-		tsNamespace      = defaultEnv("OPERATOR_NAMESPACE", "")
-		tslogging        = defaultEnv("OPERATOR_LOGGING", "info")
-		clientIDPath     = defaultEnv("CLIENT_ID_FILE", "")
-		clientSecretPath = defaultEnv("CLIENT_SECRET_FILE", "")
-		image            = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
-		tags             = defaultEnv("PROXY_TAGS", "tag:k8s")
+		hostname           = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator")
+		kubeSecret         = defaultEnv("OPERATOR_SECRET", "")
+		operatorTags       = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator")
+		tsNamespace        = defaultEnv("OPERATOR_NAMESPACE", "")
+		tslogging          = defaultEnv("OPERATOR_LOGGING", "info")
+		clientIDPath       = defaultEnv("CLIENT_ID_FILE", "")
+		clientSecretPath   = defaultEnv("CLIENT_SECRET_FILE", "")
+		image              = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
+		tags               = defaultEnv("PROXY_TAGS", "tag:k8s")
+		shouldRunAuthProxy = defaultEnv("AUTH_PROXY", "false")
 	)

 	var opts []kzap.Opts
@@ -164,14 +166,6 @@ waitOnline:
 		time.Sleep(time.Second)
 	}

-	sr := &ServiceReconciler{
-		tsClient:          tsClient,
-		defaultTags:       strings.Split(tags, ","),
-		operatorNamespace: tsNamespace,
-		proxyImage:        image,
-		logger:            zlog.Named("service-reconciler"),
-	}
-
 	// For secrets and statefulsets, we only get permission to touch the objects
 	// in the controller's own namespace. This cannot be expressed by
 	// .Watches(...) below, instead you have to add a per-type field selector to
@@ -181,7 +175,8 @@ waitOnline:
 	nsFilter := cache.ObjectSelector{
 		Field: fields.SelectorFromSet(fields.Set{"metadata.namespace": tsNamespace}),
 	}
-	mgr, err := manager.New(config.GetConfigOrDie(), manager.Options{
+	restConfig := config.GetConfigOrDie()
+	mgr, err := manager.New(restConfig, manager.Options{
 		NewCache: cache.BuilderWithOptions(cache.Options{
 			SelectorsByObject: map[client.Object]cache.ObjectSelector{
 				&corev1.Secret{}:      nsFilter,
@@ -193,6 +188,15 @@ waitOnline:
 		startlog.Fatalf("could not create manager: %v", err)
 	}

+	sr := &ServiceReconciler{
+		Client:            mgr.GetClient(),
+		tsClient:          tsClient,
+		defaultTags:       strings.Split(tags, ","),
+		operatorNamespace: tsNamespace,
+		proxyImage:        image,
+		logger:            zlog.Named("service-reconciler"),
+	}
+
 	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(o client.Object) []reconcile.Request {
 		ls := o.GetLabels()
 		if ls[LabelManaged] != "true" {
@@ -221,6 +225,17 @@ waitOnline:
 	}

 	startlog.Infof("Startup complete, operator running")
+	if shouldRunAuthProxy == "true" {
+		rc, err := rest.TransportFor(restConfig)
+		if err != nil {
+			startlog.Fatalf("could not get rest transport: %v", err)
+		}
+		authProxyListener, err := s.Listen("tcp", ":443")
+		if err != nil {
+			startlog.Fatalf("could not listen on :443: %v", err)
+		}
+		go runAuthProxy(lc, authProxyListener, rc, zlog.Named("auth-proxy").Infof)
+	}
 	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
 		startlog.Fatalf("could not start manager: %v", err)
 	}
@@ -234,8 +249,9 @@ const (

 	FinalizerName = "tailscale.com/finalizer"

-	AnnotationExpose = "tailscale.com/expose"
-	AnnotationTags   = "tailscale.com/tags"
+	AnnotationExpose   = "tailscale.com/expose"
+	AnnotationTags     = "tailscale.com/tags"
+	AnnotationHostname = "tailscale.com/hostname"
 )

 // ServiceReconciler is a simple ControllerManagedBy example implementation.
@@ -369,6 +385,11 @@ func (a *ServiceReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 // This function adds a finalizer to svc, ensuring that we can handle orderly
 // deprovisioning later.
 func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.SugaredLogger, svc *corev1.Service) error {
+	hostname, err := nameForService(svc)
+	if err != nil {
+		return err
+	}
+
 	if !slices.Contains(svc.Finalizers, FinalizerName) {
 		// This log line is printed exactly once during initial provisioning,
 		// because once the finalizer is in place this block gets skipped. So,
@@ -395,7 +416,7 @@ func (a *ServiceReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 	if err != nil {
 		return fmt.Errorf("failed to create or get API key secret: %w", err)
 	}
-	_, err = a.reconcileSTS(ctx, logger, svc, hsvc, secretName)
+	_, err = a.reconcileSTS(ctx, logger, svc, hsvc, secretName, hostname)
 	if err != nil {
 		return fmt.Errorf("failed to reconcile statefulset: %w", err)
 	}
@@ -557,7 +578,7 @@ func (a *ServiceReconciler) newAuthKey(ctx context.Context, tags []string) (stri
 //go:embed manifests/proxy.yaml
 var proxyYaml []byte

-func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, parentSvc, headlessSvc *corev1.Service, authKeySecret string) (*appsv1.StatefulSet, error) {
+func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, parentSvc, headlessSvc *corev1.Service, authKeySecret, hostname string) (*appsv1.StatefulSet, error) {
 	var ss appsv1.StatefulSet
 	if err := yaml.Unmarshal(proxyYaml, &ss); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal proxy spec: %w", err)
@@ -572,6 +593,10 @@ func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.Sugare
 		corev1.EnvVar{
 			Name:  "TS_KUBE_SECRET",
 			Value: authKeySecret,
+		},
+		corev1.EnvVar{
+			Name:  "TS_HOSTNAME",
+			Value: hostname,
 		})
 	ss.ObjectMeta = metav1.ObjectMeta{
 		Name:      headlessSvc.Name,
@@ -591,11 +616,6 @@ func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.Sugare
 	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
 }

-func (a *ServiceReconciler) InjectClient(c client.Client) error {
-	a.Client = c
-	return nil
-}
-
 // ptrObject is a type constraint for pointer types that implement
 // client.Object.
 type ptrObject[T any] interface {
@@ -683,3 +703,13 @@ func defaultEnv(envName, defVal string) string {
 	}
 	return v
 }
+
+func nameForService(svc *corev1.Service) (string, error) {
+	if h, ok := svc.Annotations[AnnotationHostname]; ok {
+		if err := dnsname.ValidLabel(h); err != nil {
+			return "", fmt.Errorf("invalid Tailscale hostname %q: %w", h, err)
+		}
+		return h, nil
+	}
+	return svc.Namespace + "-" + svc.Name, nil
+}
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package main

@@ -66,7 +65,7 @@ func TestLoadBalancerClass(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -187,7 +186,7 @@ func TestAnnotations(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -284,7 +283,7 @@ func TestAnnotationIntoLB(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, since it would have normally happened at
@@ -328,7 +327,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 	// None of the proxy machinery should have changed...
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
 	// ... but the service should have a LoadBalancer status.

 	want = &corev1.Service{
@@ -400,7 +399,7 @@ func TestLBIntoAnnotation(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -457,7 +456,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	want = &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -481,6 +480,108 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectEqual(t, fc, want)
 }

+func TestCustomHostname(t *testing.T) {
+	fc := fake.NewFakeClient()
+	ft := &fakeTSClient{}
+	zl, err := zap.NewDevelopment()
+	if err != nil {
+		t.Fatal(err)
+	}
+	sr := &ServiceReconciler{
+		Client:            fc,
+		tsClient:          ft,
+		defaultTags:       []string{"tag:k8s"},
+		operatorNamespace: "operator-ns",
+		proxyImage:        "tailscale/tailscale",
+		logger:            zl.Sugar(),
+	}
+
+	// Create a service that we should manage, and check that the initial round
+	// of objects looks right.
+	mustCreate(t, fc, &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			// The apiserver is supposed to set the UID, but the fake client
+			// doesn't. So, set it explicitly because other code later depends
+			// on it being set.
+			UID: types.UID("1234-UID"),
+			Annotations: map[string]string{
+				"tailscale.com/expose":   "true",
+				"tailscale.com/hostname": "reindeer-flotilla",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeClusterIP,
+		},
+	})
+
+	expectReconciled(t, sr, "default", "test")
+
+	fullName, shortName := findGenName(t, fc, "default", "test")
+
+	expectEqual(t, fc, expectedSecret(fullName))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "reindeer-flotilla"))
+	want := &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       "test",
+			Namespace:  "default",
+			Finalizers: []string{"tailscale.com/finalizer"},
+			UID:        types.UID("1234-UID"),
+			Annotations: map[string]string{
+				"tailscale.com/expose":   "true",
+				"tailscale.com/hostname": "reindeer-flotilla",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeClusterIP,
+		},
+	}
+	expectEqual(t, fc, want)
+
+	// Turn the service back into a ClusterIP service, which should make the
+	// operator clean up.
+	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
+		delete(s.ObjectMeta.Annotations, "tailscale.com/expose")
+	})
+	// synchronous StatefulSet deletion triggers a requeue. But, the StatefulSet
+	// didn't create any child resources since this is all faked, so the
+	// deletion goes through immediately.
+	expectReconciled(t, sr, "default", "test")
+	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
+	// Second time around, the rest of cleanup happens.
+	expectReconciled(t, sr, "default", "test")
+	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
+	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
+	want = &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+			UID:       types.UID("1234-UID"),
+			Annotations: map[string]string{
+				"tailscale.com/hostname": "reindeer-flotilla",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: "10.20.30.40",
+			Type:      corev1.ServiceTypeClusterIP,
+		},
+	}
+	expectEqual(t, fc, want)
+}
+
 func expectedSecret(name string) *corev1.Secret {
 	return &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
@@ -529,7 +630,7 @@ func expectedHeadlessService(name string) *corev1.Service {
 	}
 }

-func expectedSTS(stsName, secretName string) *appsv1.StatefulSet {
+func expectedSTS(stsName, secretName, hostname string) *appsv1.StatefulSet {
 	return &appsv1.StatefulSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "StatefulSet",
@@ -578,6 +679,7 @@ func expectedSTS(stsName, secretName string) *appsv1.StatefulSet {
 								{Name: "TS_AUTH_ONCE", Value: "true"},
 								{Name: "TS_DEST_IP", Value: "10.20.30.40"},
 								{Name: "TS_KUBE_SECRET", Value: secretName},
+								{Name: "TS_HOSTNAME", Value: hostname},
 							},
 							SecurityContext: &corev1.SecurityContext{
 								Capabilities: &corev1.Capabilities{
--- a/cmd/k8s-operator/proxy.go
+++ b/cmd/k8s-operator/proxy.go
@@ -0,0 +1,80 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"strings"
+
+	"tailscale.com/client/tailscale"
+	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/types/logger"
+)
+
+type whoIsKey struct{}
+
+// authProxy is an http.Handler that authenticates requests using the Tailscale
+// LocalAPI and then proxies them to the Kubernetes API.
+type authProxy struct {
+	logf logger.Logf
+	lc   *tailscale.LocalClient
+	rp   *httputil.ReverseProxy
+}
+
+func (h *authProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	who, err := h.lc.WhoIs(r.Context(), r.RemoteAddr)
+	if err != nil {
+		h.logf("failed to authenticate caller: %v", err)
+		http.Error(w, "failed to authenticate caller", http.StatusInternalServerError)
+		return
+	}
+	r = r.WithContext(context.WithValue(r.Context(), whoIsKey{}, who))
+	h.rp.ServeHTTP(w, r)
+}
+
+func runAuthProxy(lc *tailscale.LocalClient, ls net.Listener, rt http.RoundTripper, logf logger.Logf) {
+	u, err := url.Parse(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
+	if err != nil {
+		log.Fatalf("runAuthProxy: failed to parse URL %v", err)
+	}
+	ap := &authProxy{
+		logf: logf,
+		lc:   lc,
+		rp: &httputil.ReverseProxy{
+			Director: func(r *http.Request) {
+				// Replace the request with the user's identity.
+				who := r.Context().Value(whoIsKey{}).(*apitype.WhoIsResponse)
+				r.Header.Set("Impersonate-User", who.UserProfile.LoginName)
+
+				// Remove all authentication headers.
+				r.Header.Del("Authorization")
+				r.Header.Del("Impersonate-Group")
+				r.Header.Del("Impersonate-Uid")
+				for k := range r.Header {
+					if strings.HasPrefix(k, "Impersonate-Extra-") {
+						r.Header.Del(k)
+					}
+				}
+
+				// Replace the URL with the Kubernetes APIServer.
+				r.URL.Scheme = u.Scheme
+				r.URL.Host = u.Host
+			},
+			Transport: rt,
+		},
+	}
+	if err := http.Serve(tls.NewListener(ls, &tls.Config{
+		GetCertificate: lc.GetCertificate,
+	}), ap); err != nil {
+		log.Fatalf("runAuthProxy: failed to serve %v", err)
+	}
+}
--- a/cmd/mkmanifest/main.go
+++ b/cmd/mkmanifest/main.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // The mkmanifest command is a simple helper utility to create a '.syso' file
 // that contains a Windows manifest file.
--- a/cmd/mkpkg/main.go
+++ b/cmd/mkpkg/main.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // mkpkg builds the Tailscale rpm and deb packages.
 package main
@@ -58,6 +57,7 @@ func main() {
 	postrm := flag.String("postrm", "", "debian postrm script path")
 	replaces := flag.String("replaces", "", "package which this package replaces, if any")
 	depends := flag.String("depends", "", "comma-separated list of packages this package depends on")
+	recommends := flag.String("recommends", "", "comma-separated list of packages this package recommends")
 	flag.Parse()

 	filesMap, err := parseFiles(*files)
@@ -93,6 +93,9 @@ func main() {
 	if len(*depends) != 0 {
 		info.Overridables.Depends = strings.Split(*depends, ",")
 	}
+	if len(*recommends) != 0 {
+		info.Overridables.Recommends = strings.Split(*recommends, ",")
+	}
 	if *replaces != "" {
 		info.Overridables.Replaces = []string{*replaces}
 		info.Overridables.Conflicts = []string{*replaces}
--- a/cmd/nardump/nardump.go
+++ b/cmd/nardump/nardump.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // nardump is like nix-store --dump, but in Go, writing a NAR
 // file (tar-like, but focused on being reproducible) to stdout
--- a/cmd/netlogfmt/main.go
+++ b/cmd/netlogfmt/main.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // netlogfmt parses a stream of JSON log messages from stdin and
 // formats the network traffic logs produced by "tailscale.com/wgengine/netlog"
--- a/cmd/nginx-auth/README.md
+++ b/cmd/nginx-auth/README.md
@@ -129,7 +129,7 @@ the `Expected-Tailnet` header to your auth request:
 ```nginx
 location /auth {
  # ...
-  proxy_set_header Expected-Tailnet "tailscale.com";
+  proxy_set_header Expected-Tailnet "tailnet012345.ts.net";
 }
 ```

@@ -146,6 +146,8 @@ generic "forbidden" error page:
 </html>
 ```

+You can get the tailnet name from [the admin panel](https://login.tailscale.com/admin/dns).
+
 ## Building

 Install `cmd/mkpkg`:
--- a/cmd/nginx-auth/nginx-auth.go
+++ b/cmd/nginx-auth/nginx-auth.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build linux

--- a/cmd/pgproxy/pgproxy.go
+++ b/cmd/pgproxy/pgproxy.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // The pgproxy server is a proxy for the Postgres wire protocol.
 package main
--- a/cmd/printdep/printdep.go
+++ b/cmd/printdep/printdep.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // The printdep command is a build system tool for printing out information
 // about dependencies.
@@ -19,7 +18,6 @@ import (
 var (
 	goToolchain    = flag.Bool("go", false, "print the supported Go toolchain git hash (a github.com/tailscale/go commit)")
 	goToolchainURL = flag.Bool("go-url", false, "print the URL to the tarball of the Tailscale Go toolchain")
-	goToolchainSRI = flag.Bool("go-sri", false, "print the SRI hash of the Tailscale Go toolchain")
 	alpine         = flag.Bool("alpine", false, "print the tag of alpine docker image")
 )

@@ -33,23 +31,11 @@ func main() {
 		fmt.Println(strings.TrimSpace(ts.GoToolchainRev))
 	}
 	if *goToolchainURL {
-		var suffix string
-		switch runtime.GOARCH {
-		case "amd64":
-			// None
-		case "arm64":
-			suffix = "-" + runtime.GOARCH
-		default:
-			log.Fatalf("unsupported GOARCH %q", runtime.GOARCH)
-		}
 		switch runtime.GOOS {
 		case "linux", "darwin":
 		default:
 			log.Fatalf("unsupported GOOS %q", runtime.GOOS)
 		}
-		fmt.Printf("https://github.com/tailscale/go/releases/download/build-%s/%s%s.tar.gz\n", strings.TrimSpace(ts.GoToolchainRev), runtime.GOOS, suffix)
-	}
-	if *goToolchainSRI {
-		fmt.Println(strings.TrimSpace(ts.GoToolchainSRI))
+		fmt.Printf("https://github.com/tailscale/go/releases/download/build-%s/%s-%s.tar.gz\n", strings.TrimSpace(ts.GoToolchainRev), runtime.GOOS, runtime.GOARCH)
 	}
 }
--- a/cmd/proxy-to-grafana/proxy-to-grafana.go
+++ b/cmd/proxy-to-grafana/proxy-to-grafana.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // proxy-to-grafana is a reverse proxy which identifies users based on their
 // originating Tailscale identity and maps them to corresponding Grafana
--- a/cmd/speedtest/speedtest.go
+++ b/cmd/speedtest/speedtest.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // Program speedtest provides the speedtest command. The reason to keep it separate from
 // the normal tailscale cli is because it is not yet ready to go in the tailscale binary.
--- a/cmd/ssh-auth-none-demo/ssh-auth-none-demo.go
+++ b/cmd/ssh-auth-none-demo/ssh-auth-none-demo.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // ssh-auth-none-demo is a demo SSH server that's meant to run on the
 // public internet (at 188.166.70.128 port 2222) and
--- a/cmd/stunc/stunc.go
+++ b/cmd/stunc/stunc.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // Command stunc makes a STUN request to a STUN server and prints the result.
 package main
--- a/cmd/sync-containers/main.go
+++ b/cmd/sync-containers/main.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // The sync-containers command synchronizes container image tags from one
 // registry to another.
@@ -24,6 +23,7 @@ import (
 	"strings"

 	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/authn/github"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
@@ -47,8 +47,9 @@ func main() {
 		log.Fatalf("--dst is required")
 	}

+	keychain := authn.NewMultiKeychain(authn.DefaultKeychain, github.Keychain)
 	opts := []remote.Option{
-		remote.WithAuthFromKeychain(authn.DefaultKeychain),
+		remote.WithAuthFromKeychain(keychain),
 		remote.WithContext(context.Background()),
 	}

@@ -84,6 +85,15 @@ func main() {
 		log.Printf("%d tags to remove: %s\n", len(remove), strings.Join(remove, ", "))
 		log.Printf("Not removing any tags for safety.\n")
 	}
+
+	var wellKnown = [...]string{"latest", "stable"}
+	for _, tag := range wellKnown {
+		if needsUpdate(*src, *dst, tag) {
+			if err := copyTag(*src, *dst, tag, opts...); err != nil {
+				log.Printf("Updating tag %q: progress error: %v", tag, err)
+			}
+		}
+	}
 }

 func copyTag(srcStr, dstStr, tag string, opts ...remote.Option) error {
@@ -177,3 +187,26 @@ func diffTags(src, dst []string) (add, remove []string) {
 	sort.Strings(remove)
 	return add, remove
 }
+
+func needsUpdate(srcStr, dstStr, tag string) bool {
+	src, err := name.ParseReference(fmt.Sprintf("%s:%s", srcStr, tag))
+	if err != nil {
+		return false
+	}
+	dst, err := name.ParseReference(fmt.Sprintf("%s:%s", dstStr, tag))
+	if err != nil {
+		return false
+	}
+
+	srcDesc, err := remote.Get(src)
+	if err != nil {
+		return false
+	}
+
+	dstDesc, err := remote.Get(dst)
+	if err != nil {
+		return true
+	}
+
+	return srcDesc.Digest != dstDesc.Digest
+}
--- a/cmd/tailscale/cli/authenticode_windows.go
+++ b/cmd/tailscale/cli/authenticode_windows.go
@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
+ */
+
+package cli
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+func init() {
+	verifyAuthenticode = verifyAuthenticodeWindows
+}
+
+func verifyAuthenticodeWindows(path string) error {
+	path16, err := windows.UTF16PtrFromString(path)
+	if err != nil {
+		return err
+	}
+	data := &windows.WinTrustData{
+		Size:             uint32(unsafe.Sizeof(windows.WinTrustData{})),
+		UIChoice:         windows.WTD_UI_NONE,
+		RevocationChecks: windows.WTD_REVOKE_WHOLECHAIN, // Full revocation checking, as this is called with network connectivity.
+		UnionChoice:      windows.WTD_CHOICE_FILE,
+		StateAction:      windows.WTD_STATEACTION_VERIFY,
+		FileOrCatalogOrBlobOrSgnrOrCert: unsafe.Pointer(&windows.WinTrustFileInfo{
+			Size:     uint32(unsafe.Sizeof(windows.WinTrustFileInfo{})),
+			FilePath: path16,
+		}),
+	}
+	err = windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
+	data.StateAction = windows.WTD_STATEACTION_CLOSE
+	windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
+	return err
+}
--- a/cmd/tailscale/cli/bugreport.go
+++ b/cmd/tailscale/cli/bugreport.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package cli

--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package cli

--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 // Package cli contains the cmd/tailscale CLI code in a package that can be included
 // in other wrapper binaries such as the Mac and Windows clients.
@@ -15,7 +14,6 @@ import (
 	"log"
 	"os"
 	"runtime"
-	"strconv"
 	"strings"
 	"sync"
 	"text/tabwriter"
@@ -48,52 +46,6 @@ func outln(a ...any) {
 	fmt.Fprintln(Stdout, a...)
 }

-// ActLikeCLI reports whether a GUI application should act like the
-// CLI based on os.Args, GOOS, the context the process is running in
-// (pty, parent PID), etc.
-func ActLikeCLI() bool {
-	// This function is only used on macOS.
-	if runtime.GOOS != "darwin" {
-		return false
-	}
-
-	// Escape hatch to let people force running the macOS
-	// GUI Tailscale binary as the CLI.
-	if v, _ := strconv.ParseBool(os.Getenv("TAILSCALE_BE_CLI")); v {
-		return true
-	}
-
-	// If our parent is launchd, we're definitely not
-	// being run as a CLI.
-	if os.Getppid() == 1 {
-		return false
-	}
-
-	// Xcode adds the -NSDocumentRevisionsDebugMode flag on execution.
-	// If present, we are almost certainly being run as a GUI.
-	for _, arg := range os.Args {
-		if arg == "-NSDocumentRevisionsDebugMode" {
-			return false
-		}
-	}
-
-	// Looking at the environment of the GUI Tailscale app (ps eww
-	// $PID), empirically none of these environment variables are
-	// present. But all or some of these should be present with
-	// Terminal.all and bash or zsh.
-	for _, e := range []string{
-		"SHLVL",
-		"TERM",
-		"TERM_PROGRAM",
-		"PS1",
-	} {
-		if os.Getenv(e) != "" {
-			return true
-		}
-	}
-	return false
-}
-
 func newFlagSet(name string) *flag.FlagSet {
 	onError := flag.ExitOnError
 	if runtime.GOOS == "js" {
@@ -196,6 +148,10 @@ change in the future.
 		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
 	case slices.Contains(args, "serve"):
 		rootCmd.Subcommands = append(rootCmd.Subcommands, serveCmd)
+	case slices.Contains(args, "update"):
+		rootCmd.Subcommands = append(rootCmd.Subcommands, updateCmd)
+	case slices.Contains(args, "configure"):
+		rootCmd.Subcommands = append(rootCmd.Subcommands, configureCmd)
 	}
 	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
 		rootCmd.Subcommands = append(rootCmd.Subcommands, configureHostCmd)
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package cli

--- a/cmd/tailscale/cli/configure-kube.go
+++ b/cmd/tailscale/cli/configure-kube.go
@@ -0,0 +1,152 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+//go:build !ts_omit_kube
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"golang.org/x/exp/slices"
+	"k8s.io/client-go/util/homedir"
+	"sigs.k8s.io/yaml"
+)
+
+func init() {
+	configureCmd.Subcommands = append(configureCmd.Subcommands, configureKubeconfigCmd)
+}
+
+var configureKubeconfigCmd = &ffcli.Command{
+	Name:       "kubeconfig",
+	ShortHelp:  "Configure kubeconfig to use Tailscale",
+	ShortUsage: "kubeconfig <hostname-or-fqdn>",
+	LongHelp: strings.TrimSpace(`
+Run this command to configure your kubeconfig to use Tailscale for authentication to a Kubernetes cluster.
+
+The hostname argument should be set to the Tailscale hostname of the peer running as an auth proxy in the cluster.
+`),
+	FlagSet: (func() *flag.FlagSet {
+		fs := newFlagSet("kubeconfig")
+		return fs
+	})(),
+	Exec: runConfigureKubeconfig,
+}
+
+func runConfigureKubeconfig(ctx context.Context, args []string) error {
+	if len(args) != 1 {
+		return errors.New("unknown arguments")
+	}
+	hostOrFQDN := args[0]
+
+	st, err := localClient.Status(ctx)
+	if err != nil {
+		return err
+	}
+	if st.BackendState != "Running" {
+		return errors.New("Tailscale is not running")
+	}
+	targetFQDN, ok := nodeDNSNameFromArg(st, hostOrFQDN)
+	if !ok {
+		return fmt.Errorf("no peer found with hostname %q", hostOrFQDN)
+	}
+	targetFQDN = strings.TrimSuffix(targetFQDN, ".")
+	confPath := filepath.Join(homedir.HomeDir(), ".kube", "config")
+	if err := setKubeconfigForPeer(targetFQDN, confPath); err != nil {
+		return err
+	}
+	printf("kubeconfig configured for %q\n", hostOrFQDN)
+	return nil
+}
+
+// appendOrSetNamed finds a map with a "name" key matching name in dst, and
+// replaces it with val. If no such map is found, val is appended to dst.
+func appendOrSetNamed(dst []any, name string, val map[string]any) []any {
+	if got := slices.IndexFunc(dst, func(m any) bool {
+		if m, ok := m.(map[string]any); ok {
+			return m["name"] == name
+		}
+		return false
+	}); got != -1 {
+		dst[got] = val
+	} else {
+		dst = append(dst, val)
+	}
+	return dst
+}
+
+var errInvalidKubeconfig = errors.New("invalid kubeconfig")
+
+func updateKubeconfig(cfgYaml []byte, fqdn string) ([]byte, error) {
+	var cfg map[string]any
+	if len(cfgYaml) > 0 {
+		if err := yaml.Unmarshal(cfgYaml, &cfg); err != nil {
+			return nil, errInvalidKubeconfig
+		}
+	}
+	if cfg == nil {
+		cfg = map[string]any{
+			"apiVersion": "v1",
+			"kind":       "Config",
+		}
+	} else if cfg["apiVersion"] != "v1" || cfg["kind"] != "Config" {
+		return nil, errInvalidKubeconfig
+	}
+
+	var clusters []any
+	if cm, ok := cfg["clusters"]; ok {
+		clusters = cm.([]any)
+	}
+	cfg["clusters"] = appendOrSetNamed(clusters, fqdn, map[string]any{
+		"name": fqdn,
+		"cluster": map[string]string{
+			"server": "https://" + fqdn,
+		},
+	})
+
+	var users []any
+	if um, ok := cfg["users"]; ok {
+		users = um.([]any)
+	}
+	cfg["users"] = appendOrSetNamed(users, "tailscale-auth", map[string]any{
+		// We just need one of these, and can reuse it for all clusters.
+		"name": "tailscale-auth",
+		"user": map[string]string{
+			// We do not use the token, but if we do not set anything here
+			// kubectl will prompt for a username and password.
+			"token": "unused",
+		},
+	})
+
+	var contexts []any
+	if cm, ok := cfg["contexts"]; ok {
+		contexts = cm.([]any)
+	}
+	cfg["contexts"] = appendOrSetNamed(contexts, fqdn, map[string]any{
+		"name": fqdn,
+		"context": map[string]string{
+			"cluster": fqdn,
+			"user":    "tailscale-auth",
+		},
+	})
+	cfg["current-context"] = fqdn
+	return yaml.Marshal(cfg)
+}
+
+func setKubeconfigForPeer(fqdn, filePath string) error {
+	b, err := os.ReadFile(filePath)
+	if err != nil && !os.IsNotExist(err) {
+		return err
+	}
+	b, err = updateKubeconfig(b, fqdn)
+	if err != nil {
+		return err
+	}
+	return os.WriteFile(filePath, b, 0600)
+}
--- a/cmd/tailscale/cli/configure-kube_test.go
+++ b/cmd/tailscale/cli/configure-kube_test.go
@@ -0,0 +1,196 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+//go:build !ts_omit_kube
+
+package cli
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestKubeconfig(t *testing.T) {
+	const fqdn = "foo.tail-scale.ts.net"
+	tests := []struct {
+		name    string
+		in      string
+		want    string
+		wantErr error
+	}{
+		{
+			name: "invalid-yaml",
+			in: `apiVersion: v1
+kind: ,asdf`,
+			wantErr: errInvalidKubeconfig,
+		},
+		{
+			name: "invalid-cfg",
+			in: `apiVersion: v1
+kind: Pod`,
+			wantErr: errInvalidKubeconfig,
+		},
+		{
+			name: "empty",
+			in:   "",
+			want: `apiVersion: v1
+clusters:
+- cluster:
+    server: https://foo.tail-scale.ts.net
+  name: foo.tail-scale.ts.net
+contexts:
+- context:
+    cluster: foo.tail-scale.ts.net
+    user: tailscale-auth
+  name: foo.tail-scale.ts.net
+current-context: foo.tail-scale.ts.net
+kind: Config
+users:
+- name: tailscale-auth
+  user:
+    token: unused`,
+		},
+		{
+			name: "already-configured",
+			in: `apiVersion: v1
+clusters:
+- cluster:
+    server: https://foo.tail-scale.ts.net
+  name: foo.tail-scale.ts.net
+contexts:
+- context:
+    cluster: foo.tail-scale.ts.net
+    user: tailscale-auth
+  name: foo.tail-scale.ts.net
+kind: Config
+current-context: foo.tail-scale.ts.net
+users:
+- name: tailscale-auth
+  user:
+    token: unused`,
+			want: `apiVersion: v1
+clusters:
+- cluster:
+    server: https://foo.tail-scale.ts.net
+  name: foo.tail-scale.ts.net
+contexts:
+- context:
+    cluster: foo.tail-scale.ts.net
+    user: tailscale-auth
+  name: foo.tail-scale.ts.net
+current-context: foo.tail-scale.ts.net
+kind: Config
+users:
+- name: tailscale-auth
+  user:
+    token: unused`,
+		},
+		{
+			name: "other-cluster",
+			in: `apiVersion: v1
+clusters:
+- cluster:
+    server: https://192.168.1.1:8443
+  name: some-cluster
+contexts:
+- context:
+    cluster: some-cluster
+    user: some-auth
+  name: some-cluster
+kind: Config
+current-context: some-cluster
+users:
+- name: some-auth
+  user:
+    token: asdfasdf`,
+			want: `apiVersion: v1
+clusters:
+- cluster:
+    server: https://192.168.1.1:8443
+  name: some-cluster
+- cluster:
+    server: https://foo.tail-scale.ts.net
+  name: foo.tail-scale.ts.net
+contexts:
+- context:
+    cluster: some-cluster
+    user: some-auth
+  name: some-cluster
+- context:
+    cluster: foo.tail-scale.ts.net
+    user: tailscale-auth
+  name: foo.tail-scale.ts.net
+current-context: foo.tail-scale.ts.net
+kind: Config
+users:
+- name: some-auth
+  user:
+    token: asdfasdf
+- name: tailscale-auth
+  user:
+    token: unused`,
+		},
+		{
+			name: "already-using-tailscale",
+			in: `apiVersion: v1
+clusters:
+- cluster:
+    server: https://bar.tail-scale.ts.net
+  name: bar.tail-scale.ts.net
+contexts:
+- context:
+    cluster: bar.tail-scale.ts.net
+    user: tailscale-auth
+  name: bar.tail-scale.ts.net
+kind: Config
+current-context: bar.tail-scale.ts.net
+users:
+- name: tailscale-auth
+  user:
+    token: unused`,
+			want: `apiVersion: v1
+clusters:
+- cluster:
+    server: https://bar.tail-scale.ts.net
+  name: bar.tail-scale.ts.net
+- cluster:
+    server: https://foo.tail-scale.ts.net
+  name: foo.tail-scale.ts.net
+contexts:
+- context:
+    cluster: bar.tail-scale.ts.net
+    user: tailscale-auth
+  name: bar.tail-scale.ts.net
+- context:
+    cluster: foo.tail-scale.ts.net
+    user: tailscale-auth
+  name: foo.tail-scale.ts.net
+current-context: foo.tail-scale.ts.net
+kind: Config
+users:
+- name: tailscale-auth
+  user:
+    token: unused`,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := updateKubeconfig([]byte(tt.in), fqdn)
+			if err != nil {
+				if err != tt.wantErr {
+					t.Fatalf("updateKubeconfig() error = %v, wantErr %v", err, tt.wantErr)
+				}
+				return
+			} else if tt.wantErr != nil {
+				t.Fatalf("updateKubeconfig() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			got = bytes.TrimSpace(got)
+			want := []byte(strings.TrimSpace(tt.want))
+			if d := cmp.Diff(want, got); d != "" {
+				t.Errorf("Kubeconfig() mismatch (-want +got):\n%s", d)
+			}
+		})
+	}
+}
--- a/cmd/tailscale/cli/configure-synology.go
+++ b/cmd/tailscale/cli/configure-synology.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package cli

@@ -19,9 +18,23 @@ import (
 	"tailscale.com/version/distro"
 )

+// configureHostCmd is the "tailscale configure-host" command which was once
+// used to configure Synology devices, but is now a compatibility alias to
+// "tailscale configure synology".
 var configureHostCmd = &ffcli.Command{
 	Name:      "configure-host",
-	Exec:      runConfigureHost,
+	Exec:      runConfigureSynology,
+	ShortHelp: synologyConfigureCmd.ShortHelp,
+	LongHelp:  synologyConfigureCmd.LongHelp,
+	FlagSet: (func() *flag.FlagSet {
+		fs := newFlagSet("configure-host")
+		return fs
+	})(),
+}
+
+var synologyConfigureCmd = &ffcli.Command{
+	Name:      "synology",
+	Exec:      runConfigureSynology,
 	ShortHelp: "Configure Synology to enable more Tailscale features",
 	LongHelp: strings.TrimSpace(`
 The 'configure-host' command is intended to run at boot as root
@@ -31,14 +44,12 @@ permission to use it.
 See: https://tailscale.com/kb/1152/synology-outbound/
 `),
 	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("configure-host")
+		fs := newFlagSet("synology")
 		return fs
 	})(),
 }

-var configureHostArgs struct{}
-
-func runConfigureHost(ctx context.Context, args []string) error {
+func runConfigureSynology(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("unknown arguments")
 	}
--- a/cmd/tailscale/cli/configure.go
+++ b/cmd/tailscale/cli/configure.go
@@ -0,0 +1,38 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package cli
+
+import (
+	"context"
+	"flag"
+	"runtime"
+	"strings"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/version/distro"
+)
+
+var configureCmd = &ffcli.Command{
+	Name:      "configure",
+	ShortHelp: "Configure the host to enable more Tailscale features",
+	LongHelp: strings.TrimSpace(`
+The 'configure' command is intended to provide a way to configure different
+services on the host to enable more Tailscale features.
+`),
+	FlagSet: (func() *flag.FlagSet {
+		fs := newFlagSet("configure")
+		return fs
+	})(),
+	Subcommands: configureSubcommands(),
+	Exec: func(ctx context.Context, args []string) error {
+		return flag.ErrHelp
+	},
+}
+
+func configureSubcommands() (out []*ffcli.Command) {
+	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
+		out = append(out, synologyConfigureCmd)
+	}
+	return out
+}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package cli

@@ -21,6 +20,7 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
+	"os/exec"
 	"runtime"
 	"strconv"
 	"strings"
@@ -40,7 +40,7 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/must"
-	"tailscale.com/util/strs"
+	"tailscale.com/wgengine/capture"
 )

 var debugCmd = &ffcli.Command{
@@ -76,6 +76,17 @@ var debugCmd = &ffcli.Command{
 			Exec:      runDaemonGoroutines,
 			ShortHelp: "print tailscaled's goroutines",
 		},
+		{
+			Name:      "daemon-logs",
+			Exec:      runDaemonLogs,
+			ShortHelp: "watch tailscaled's server logs",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("daemon-logs")
+				fs.IntVar(&daemonLogsArgs.verbose, "verbose", 0, "verbosity level")
+				fs.BoolVar(&daemonLogsArgs.time, "time", false, "include client time")
+				return fs
+			})(),
+		},
 		{
 			Name:      "metrics",
 			Exec:      runDaemonMetrics,
@@ -134,6 +145,7 @@ var debugCmd = &ffcli.Command{
 				fs := newFlagSet("watch-ipn")
 				fs.BoolVar(&watchIPNArgs.netmap, "netmap", true, "include netmap in messages")
 				fs.BoolVar(&watchIPNArgs.initial, "initial", false, "include initial status")
+				fs.BoolVar(&watchIPNArgs.showPrivateKey, "show-private-key", false, "include node private key in printed netmap")
 				return fs
 			})(),
 		},
@@ -154,6 +166,16 @@ var debugCmd = &ffcli.Command{
 				return fs
 			})(),
 		},
+		{
+			Name:      "set-expire",
+			Exec:      runSetExpire,
+			ShortHelp: "manipulate node key expiry for testing",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("set-expire")
+				fs.DurationVar(&setExpireArgs.in, "in", 0, "if non-zero, set node key to expire this duration from now")
+				return fs
+			})(),
+		},
 		{
 			Name:      "dev-store-set",
 			Exec:      runDevStoreSet,
@@ -169,6 +191,16 @@ var debugCmd = &ffcli.Command{
 			Exec:      runDebugDERP,
 			ShortHelp: "test a DERP configuration",
 		},
+		{
+			Name:      "capture",
+			Exec:      runCapture,
+			ShortHelp: "streams pcaps for debugging",
+			FlagSet: (func() *flag.FlagSet {
+				fs := newFlagSet("capture")
+				fs.StringVar(&captureArgs.outFile, "o", "", "path to stream the pcap (or - for stdout), leave empty to start wireshark")
+				return fs
+			})(),
+		},
 	},
 }

@@ -238,7 +270,7 @@ func runDebug(ctx context.Context, args []string) error {
 			e.Encode(wfs)
 			return nil
 		}
-		if name, ok := strs.CutPrefix(debugArgs.file, "delete:"); ok {
+		if name, ok := strings.CutPrefix(debugArgs.file, "delete:"); ok {
 			return localClient.DeleteWaitingFile(ctx, name)
 		}
 		rc, size, err := localClient.GetWaitingFile(ctx, debugArgs.file)
@@ -319,8 +351,9 @@ func runPrefs(ctx context.Context, args []string) error {
 }

 var watchIPNArgs struct {
-	netmap  bool
-	initial bool
+	netmap         bool
+	initial        bool
+	showPrivateKey bool
 }

 func runWatchIPN(ctx context.Context, args []string) error {
@@ -328,6 +361,9 @@ func runWatchIPN(ctx context.Context, args []string) error {
 	if watchIPNArgs.initial {
 		mask = ipn.NotifyInitialState | ipn.NotifyInitialPrefs | ipn.NotifyInitialNetMap
 	}
+	if !watchIPNArgs.showPrivateKey {
+		mask |= ipn.NotifyNoPrivateKeys
+	}
 	watcher, err := localClient.WatchIPNBus(ctx, mask)
 	if err != nil {
 		return err
@@ -414,6 +450,39 @@ func runDaemonGoroutines(ctx context.Context, args []string) error {
 	return nil
 }

+var daemonLogsArgs struct {
+	verbose int
+	time    bool
+}
+
+func runDaemonLogs(ctx context.Context, args []string) error {
+	logs, err := localClient.TailDaemonLogs(ctx)
+	if err != nil {
+		return err
+	}
+	d := json.NewDecoder(logs)
+	for {
+		var line struct {
+			Text    string `json:"text"`
+			Verbose int    `json:"v"`
+			Time    string `json:"client_time"`
+		}
+		err := d.Decode(&line)
+		if err != nil {
+			return err
+		}
+		line.Text = strings.TrimSpace(line.Text)
+		if line.Text == "" || line.Verbose > daemonLogsArgs.verbose {
+			continue
+		}
+		if daemonLogsArgs.time {
+			fmt.Printf("%s %s\n", line.Time, line.Text)
+		} else {
+			fmt.Println(line.Text)
+		}
+	}
+}
+
 var metricsArgs struct {
 	watch bool
 }
@@ -665,3 +734,58 @@ func runDebugDERP(ctx context.Context, args []string) error {
 	fmt.Printf("%s\n", must.Get(json.MarshalIndent(st, "", " ")))
 	return nil
 }
+
+var setExpireArgs struct {
+	in time.Duration
+}
+
+func runSetExpire(ctx context.Context, args []string) error {
+	if len(args) != 0 || setExpireArgs.in == 0 {
+		return errors.New("usage --in=<duration>")
+	}
+	return localClient.DebugSetExpireIn(ctx, setExpireArgs.in)
+}
+
+var captureArgs struct {
+	outFile string
+}
+
+func runCapture(ctx context.Context, args []string) error {
+	stream, err := localClient.StreamDebugCapture(ctx)
+	if err != nil {
+		return err
+	}
+	defer stream.Close()
+
+	switch captureArgs.outFile {
+	case "-":
+		fmt.Fprintln(os.Stderr, "Press Ctrl-C to stop the capture.")
+		_, err = io.Copy(os.Stdout, stream)
+		return err
+	case "":
+		lua, err := os.CreateTemp("", "ts-dissector")
+		if err != nil {
+			return err
+		}
+		defer os.Remove(lua.Name())
+		lua.Write([]byte(capture.DissectorLua))
+		if err := lua.Close(); err != nil {
+			return err
+		}
+
+		wireshark := exec.CommandContext(ctx, "wireshark", "-X", "lua_script:"+lua.Name(), "-k", "-i", "-")
+		wireshark.Stdin = stream
+		wireshark.Stdout = os.Stdout
+		wireshark.Stderr = os.Stderr
+		return wireshark.Run()
+	}
+
+	f, err := os.OpenFile(captureArgs.outFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	fmt.Fprintln(os.Stderr, "Press Ctrl-C to stop the capture.")
+	_, err = io.Copy(f, stream)
+	return err
+}
--- a/cmd/tailscale/cli/diag.go
+++ b/cmd/tailscale/cli/diag.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build linux || windows || darwin

@@ -8,11 +7,13 @@ package cli

 import (
 	"fmt"
+	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"

 	ps "github.com/mitchellh/go-ps"
+	"tailscale.com/version/distro"
 )

 // fixTailscaledConnectError is called when the local tailscaled has
@@ -47,9 +48,27 @@ func fixTailscaledConnectError(origErr error) error {
 		case "darwin":
 			return fmt.Errorf("failed to connect to local Tailscale service; is Tailscale running?")
 		case "linux":
-			return fmt.Errorf("failed to connect to local tailscaled; it doesn't appear to be running (sudo systemctl start tailscaled ?)")
+			var hint string
+			if isSystemdSystem() {
+				hint = " (sudo systemctl start tailscaled ?)"
+			}
+			return fmt.Errorf("failed to connect to local tailscaled; it doesn't appear to be running%s", hint)
 		}
 		return fmt.Errorf("failed to connect to local tailscaled process; it doesn't appear to be running")
 	}
 	return fmt.Errorf("failed to connect to local tailscaled (which appears to be running as %v, pid %v). Got error: %w", foundProc.Executable(), foundProc.Pid(), origErr)
 }
+
+// isSystemdSystem reports whether the current machine uses systemd
+// and in particular whether the systemctl command is available.
+func isSystemdSystem() bool {
+	if runtime.GOOS != "linux" {
+		return false
+	}
+	switch distro.Get() {
+	case distro.QNAP, distro.Gokrazy, distro.Synology:
+		return false
+	}
+	_, err := exec.LookPath("systemctl")
+	return err == nil
+}
--- a/cmd/tailscale/cli/diag_other.go
+++ b/cmd/tailscale/cli/diag_other.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 //go:build !linux && !windows && !darwin

--- a/cmd/tailscale/cli/down.go
+++ b/cmd/tailscale/cli/down.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package cli

--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package cli

@@ -32,7 +31,6 @@ import (
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/quarantine"
-	"tailscale.com/util/strs"
 	"tailscale.com/version"
 )

@@ -91,7 +89,7 @@ func runCp(ctx context.Context, args []string) error {
 		return errors.New("usage: tailscale file cp <files...> <target>:")
 	}
 	files, target := args[:len(args)-1], args[len(args)-1]
-	target, ok := strs.CutSuffix(target, ":")
+	target, ok := strings.CutSuffix(target, ":")
 	if !ok {
 		return fmt.Errorf("final argument to 'tailscale file cp' must end in colon")
 	}
--- a/cmd/tailscale/cli/id-token.go
+++ b/cmd/tailscale/cli/id-token.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package cli

--- a/cmd/tailscale/cli/ip.go
+++ b/cmd/tailscale/cli/ip.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package cli

--- a/cmd/tailscale/cli/licenses.go
+++ b/cmd/tailscale/cli/licenses.go
@@ -1,6 +1,5 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause

 package cli

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .35.0
 .37.0