cmd/testwrapper: wip idea

Signed-off-by: Paul Scott <paul@tailscale.com>
2025-02-18 08:29:55 -08:00
171 changed files with 1408 additions and 7904 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -55,7 +55,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+      uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +66,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+      uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -80,4 +80,4 @@ jobs:
    #   make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+      uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -31,9 +31,9 @@ jobs:
          cache: false

      - name: golangci-lint
-        uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
+        uses: golangci/golangci-lint-action@2e788936b09dd82dc280e845628a40d2ba6b204c # v6.3.1
        with:
-          version: v1.64
+          version: v1.60

          # Show only new issues if it's a pull request.
          only-new-issues: true
--- a/.github/workflows/natlab-integrationtest.yml
+++ b/.github/workflows/natlab-integrationtest.yml
@@ -1,27 +0,0 @@
-# Run some natlab integration tests.
-# See https://github.com/tailscale/tailscale/issues/13038
-name: "natlab-integrationtest"
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-on:
-  pull_request:
-    paths:
-      - "tstest/integration/nat/nat_test.go"
-jobs:
-  natlab-integrationtest:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Install qemu
-        run: |
-          sudo rm /var/lib/man-db/auto-update
-          sudo apt-get -y update
-          sudo apt-get -y remove man-db
-          sudo apt-get install -y qemu-system-x86 qemu-utils
-      - name: Run natlab integration tests
-        run: |
-          ./tool/go test -v -run=^TestEasyEasy$ -timeout=3m -count=1 ./tstest/integration/nat  --run-vm-tests
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -79,7 +79,7 @@ jobs:
    - name: checkout
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
      with:
        # Note: unlike the other setups, this is only grabbing the mod download
        # cache, rather than the whole mod directory, as the download cache
@@ -139,11 +139,7 @@ jobs:
          echo "Build/test created untracked files in the repo (file names above)."
          exit 1
        fi
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete
+
  windows:
    runs-on: windows-2022
    steps:
@@ -157,7 +153,7 @@ jobs:
        cache: false

    - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
      with:
        # Note: unlike the other setups, this is only grabbing the mod download
        # cache, rather than the whole mod directory, as the download cache
@@ -180,11 +176,6 @@ jobs:
      # Somewhere in the layers (powershell?)
      # the equals signs cause great confusion.
      run: go test ./... -bench . -benchtime 1x -run "^$"
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete

  privileged:
    runs-on: ubuntu-22.04
@@ -263,7 +254,7 @@ jobs:
    - name: checkout
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
      with:
        # Note: unlike the other setups, this is only grabbing the mod download
        # cache, rather than the whole mod directory, as the download cache
@@ -292,11 +283,6 @@ jobs:
        GOOS: ${{ matrix.goos }}
        GOARCH: ${{ matrix.goarch }}
        CGO_ENABLED: "0"
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete

  ios: # similar to cross above, but iOS can't build most of the repo. So, just
       #make it build a few smoke packages.
@@ -333,7 +319,7 @@ jobs:
    - name: checkout
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
      with:
        # Note: unlike the other setups, this is only grabbing the mod download
        # cache, rather than the whole mod directory, as the download cache
@@ -356,11 +342,6 @@ jobs:
        GOARCH: ${{ matrix.goarch }}
        GOARM: ${{ matrix.goarm }}
        CGO_ENABLED: "0"
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete

  android:
    # similar to cross above, but android fails to build a few pieces of the
@@ -386,7 +367,7 @@ jobs:
    - name: checkout
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Restore Cache
-      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
      with:
        # Note: unlike the other setups, this is only grabbing the mod download
        # cache, rather than the whole mod directory, as the download cache
@@ -413,11 +394,6 @@ jobs:
      run: |
        ./tool/go run ./cmd/tsconnect --fast-compression build
        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
-    - name: Tidy cache
-      shell: bash
-      run: |
-        find $(go env GOCACHE) -type f -mmin +90 -delete
-        find $(go env GOMODCACHE)/cache -type f -mmin +90 -delete

  tailscale_go: # Subset of tests that depend on our custom Go toolchain.
    runs-on: ubuntu-22.04
@@ -485,7 +461,7 @@ jobs:
      run: |
        echo "artifacts_path=$(realpath .)" >> $GITHUB_ENV
    - name: upload crash
-      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
      if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
      with:
        name: artifacts
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -36,7 +36,7 @@ jobs:
          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}

      - name: Send pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f #v7.0.6
        with:
          token: ${{ steps.generate-token.outputs.token }}
          author: Flakes Updater <noreply+flakes-updater@tailscale.com>
--- a/.github/workflows/update-webclient-prebuilt.yml
+++ b/.github/workflows/update-webclient-prebuilt.yml
@@ -35,7 +35,7 @@ jobs:

      - name: Send pull request
        id: pull-request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f #v7.0.6
        with:
          token: ${{ steps.generate-token.outputs.token }}
          author: OSS Updater <noreply+oss-updater@tailscale.com>
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -26,11 +26,16 @@ issues:

 # Per-linter settings are contained in this top-level key
 linters-settings:
+  # Enable all rules by default; we don't use invisible unicode runes.
+  bidichk:
+
  gofmt:
    rewrite-rules:
      - pattern: 'interface{}'
        replacement: 'any'

+  goimports:
+
  govet:
    # Matches what we use in corp as of 2023-12-07
    enable:
@@ -73,6 +78,8 @@ linters-settings:
          # analyzer doesn't support type declarations
          #- github.com/tailscale/tailscale/types/logger.Logf

+  misspell:
+
  revive:
    enable-all-rules: false
    ignore-generated-header: true
--- a/2
+++ b/2
@@ -27,7 +27,7 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.24-alpine AS build-env
+FROM golang:1.23-alpine AS build-env

 WORKDIR /go/src/tailscale

--- a/appc/appconnector.go
+++ b/appc/appconnector.go
@@ -289,11 +289,9 @@ func (e *AppConnector) updateDomains(domains []string) {
 				toRemove = append(toRemove, netip.PrefixFrom(a, a.BitLen()))
 			}
 		}
-		e.queue.Add(func() {
-			if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-				e.logf("failed to unadvertise routes on domain removal: %v: %v: %v", slicesx.MapKeys(oldDomains), toRemove, err)
-			}
-		})
+		if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
+			e.logf("failed to unadvertise routes on domain removal: %v: %v: %v", slicesx.MapKeys(oldDomains), toRemove, err)
+		}
 	}

 	e.logf("handling domains: %v and wildcards: %v", slicesx.MapKeys(e.domains), e.wildcards)
@@ -312,6 +310,11 @@ func (e *AppConnector) updateRoutes(routes []netip.Prefix) {
 		return
 	}

+	if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
+		e.logf("failed to advertise routes: %v: %v", routes, err)
+		return
+	}
+
 	var toRemove []netip.Prefix

 	// If we're storing routes and know e.controlRoutes is a good
@@ -335,14 +338,9 @@ nextRoute:
 		}
 	}

-	e.queue.Add(func() {
-		if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
-			e.logf("failed to advertise routes: %v: %v", routes, err)
-		}
-		if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-			e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
-		}
-	})
+	if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
+		e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
+	}

 	e.controlRoutes = routes
 	if err := e.storeRoutesLocked(); err != nil {
--- a/appc/appconnector_test.go
+++ b/appc/appconnector_test.go
@@ -8,7 +8,6 @@ import (
 	"net/netip"
 	"reflect"
 	"slices"
-	"sync/atomic"
 	"testing"
 	"time"

@@ -87,7 +86,6 @@ func TestUpdateRoutes(t *testing.T) {

 		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
 		a.updateRoutes(routes)
-		a.Wait(ctx)

 		slices.SortFunc(rc.Routes(), prefixCompare)
 		rc.SetRoutes(slices.Compact(rc.Routes()))
@@ -107,7 +105,6 @@ func TestUpdateRoutes(t *testing.T) {
 }

 func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
-	ctx := context.Background()
 	for _, shouldStore := range []bool{false, true} {
 		rc := &appctest.RouteCollector{}
 		var a *AppConnector
@@ -120,7 +117,6 @@ func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
 		rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
 		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
 		a.updateRoutes(routes)
-		a.Wait(ctx)

 		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
 			t.Fatalf("got %v, want %v", rc.Routes(), routes)
@@ -640,57 +636,3 @@ func TestMetricBucketsAreSorted(t *testing.T) {
 		t.Errorf("metricStoreRoutesNBuckets must be in order")
 	}
 }
-
-// TestUpdateRoutesDeadlock is a regression test for a deadlock in
-// LocalBackend<->AppConnector interaction. When using real LocalBackend as the
-// routeAdvertiser, calls to Advertise/UnadvertiseRoutes can end up calling
-// back into AppConnector via authReconfig. If everything is called
-// synchronously, this results in a deadlock on AppConnector.mu.
-func TestUpdateRoutesDeadlock(t *testing.T) {
-	ctx := context.Background()
-	rc := &appctest.RouteCollector{}
-	a := NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
-
-	advertiseCalled := new(atomic.Bool)
-	unadvertiseCalled := new(atomic.Bool)
-	rc.AdvertiseCallback = func() {
-		// Call something that requires a.mu to be held.
-		a.DomainRoutes()
-		advertiseCalled.Store(true)
-	}
-	rc.UnadvertiseCallback = func() {
-		// Call something that requires a.mu to be held.
-		a.DomainRoutes()
-		unadvertiseCalled.Store(true)
-	}
-
-	a.updateDomains([]string{"example.com"})
-	a.Wait(ctx)
-
-	// Trigger rc.AdveriseRoute.
-	a.updateRoutes(
-		[]netip.Prefix{
-			netip.MustParsePrefix("127.0.0.1/32"),
-			netip.MustParsePrefix("127.0.0.2/32"),
-		},
-	)
-	a.Wait(ctx)
-	// Trigger rc.UnadveriseRoute.
-	a.updateRoutes(
-		[]netip.Prefix{
-			netip.MustParsePrefix("127.0.0.1/32"),
-		},
-	)
-	a.Wait(ctx)
-
-	if !advertiseCalled.Load() {
-		t.Error("AdvertiseRoute was not called")
-	}
-	if !unadvertiseCalled.Load() {
-		t.Error("UnadvertiseRoute was not called")
-	}
-
-	if want := []netip.Prefix{netip.MustParsePrefix("127.0.0.1/32")}; !slices.Equal(slices.Compact(rc.Routes()), want) {
-		t.Fatalf("got %v, want %v", rc.Routes(), want)
-	}
-}
--- a/appc/appctest/appctest.go
+++ b/appc/appctest/appctest.go
@@ -11,22 +11,12 @@ import (

 // RouteCollector is a test helper that collects the list of routes advertised
 type RouteCollector struct {
-	// AdvertiseCallback (optional) is called synchronously from
-	// AdvertiseRoute.
-	AdvertiseCallback func()
-	// UnadvertiseCallback (optional) is called synchronously from
-	// UnadvertiseRoute.
-	UnadvertiseCallback func()
-
 	routes        []netip.Prefix
 	removedRoutes []netip.Prefix
 }

 func (rc *RouteCollector) AdvertiseRoute(pfx ...netip.Prefix) error {
 	rc.routes = append(rc.routes, pfx...)
-	if rc.AdvertiseCallback != nil {
-		rc.AdvertiseCallback()
-	}
 	return nil
 }

@@ -40,9 +30,6 @@ func (rc *RouteCollector) UnadvertiseRoute(toRemove ...netip.Prefix) error {
 			rc.removedRoutes = append(rc.removedRoutes, r)
 		}
 	}
-	if rc.UnadvertiseCallback != nil {
-		rc.UnadvertiseCallback()
-	}
 	return nil
 }

--- a/client/systray/systray.go
+++ b/client/systray/systray.go
@@ -72,11 +72,6 @@ type Menu struct {
 	curProfile  ipn.LoginProfile
 	allProfiles []ipn.LoginProfile

-	// readonly is whether the systray app is running in read-only mode.
-	// This is set if LocalAPI returns a permission error,
-	// typically because the user needs to run `tailscale set --operator=$USER`.
-	readonly bool
-
 	bgCtx    context.Context // ctx for background tasks not involving menu item clicks
 	bgCancel context.CancelFunc

@@ -158,8 +153,6 @@ func (menu *Menu) updateState() {
 	defer menu.mu.Unlock()
 	menu.init()

-	menu.readonly = false
-
 	var err error
 	menu.status, err = menu.lc.Status(menu.bgCtx)
 	if err != nil {
@@ -167,9 +160,6 @@ func (menu *Menu) updateState() {
 	}
 	menu.curProfile, menu.allProfiles, err = menu.lc.ProfileStatus(menu.bgCtx)
 	if err != nil {
-		if local.IsAccessDeniedError(err) {
-			menu.readonly = true
-		}
 		log.Print(err)
 	}
 }
@@ -192,15 +182,6 @@ func (menu *Menu) rebuild() {

 	systray.ResetMenu()

-	if menu.readonly {
-		const readonlyMsg = "No permission to manage Tailscale.\nSee tailscale.com/s/cli-operator"
-		m := systray.AddMenuItem(readonlyMsg, "")
-		onClick(ctx, m, func(_ context.Context) {
-			webbrowser.Open("https://tailscale.com/s/cli-operator")
-		})
-		systray.AddSeparator()
-	}
-
 	menu.connect = systray.AddMenuItem("Connect", "")
 	menu.disconnect = systray.AddMenuItem("Disconnect", "")
 	menu.disconnect.Hide()
@@ -241,35 +222,28 @@ func (menu *Menu) rebuild() {
 		setAppIcon(disconnected)
 	}

-	if menu.readonly {
-		menu.connect.Disable()
-		menu.disconnect.Disable()
-	}
-
 	account := "Account"
 	if pt := profileTitle(menu.curProfile); pt != "" {
 		account = pt
 	}
-	if !menu.readonly {
-		accounts := systray.AddMenuItem(account, "")
-		setRemoteIcon(accounts, menu.curProfile.UserProfile.ProfilePicURL)
-		time.Sleep(newMenuDelay)
-		for _, profile := range menu.allProfiles {
-			title := profileTitle(profile)
-			var item *systray.MenuItem
-			if profile.ID == menu.curProfile.ID {
-				item = accounts.AddSubMenuItemCheckbox(title, "", true)
-			} else {
-				item = accounts.AddSubMenuItem(title, "")
-			}
-			setRemoteIcon(item, profile.UserProfile.ProfilePicURL)
-			onClick(ctx, item, func(ctx context.Context) {
-				select {
-				case <-ctx.Done():
-				case menu.accountsCh <- profile.ID:
-				}
-			})
+	accounts := systray.AddMenuItem(account, "")
+	setRemoteIcon(accounts, menu.curProfile.UserProfile.ProfilePicURL)
+	time.Sleep(newMenuDelay)
+	for _, profile := range menu.allProfiles {
+		title := profileTitle(profile)
+		var item *systray.MenuItem
+		if profile.ID == menu.curProfile.ID {
+			item = accounts.AddSubMenuItemCheckbox(title, "", true)
+		} else {
+			item = accounts.AddSubMenuItem(title, "")
 		}
+		setRemoteIcon(item, profile.UserProfile.ProfilePicURL)
+		onClick(ctx, item, func(ctx context.Context) {
+			select {
+			case <-ctx.Done():
+			case menu.accountsCh <- profile.ID:
+			}
+		})
 	}

 	if menu.status != nil && menu.status.Self != nil && len(menu.status.Self.TailscaleIPs) > 0 {
@@ -281,9 +255,7 @@ func (menu *Menu) rebuild() {
 	}
 	systray.AddSeparator()

-	if !menu.readonly {
-		menu.rebuildExitNodeMenu(ctx)
-	}
+	menu.rebuildExitNodeMenu(ctx)

 	if menu.status != nil {
 		menu.more = systray.AddMenuItem("More settings", "")
--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@@ -12,7 +12,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/netip"
-	"net/url"
 )

 // ACLRow defines a rule that grants access by a set of users or groups to a set
@@ -84,7 +83,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 		}
 	}()

-	path := c.BuildTailnetURL("acl")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -98,7 +97,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}

 	// Otherwise, try to decode the response.
@@ -127,7 +126,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 		}
 	}()

-	path := c.BuildTailnetURL("acl", url.Values{"details": {"1"}})
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl?details=1", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -139,7 +138,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 	}

 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}

 	data := struct {
@@ -147,7 +146,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 		Warnings []string `json:"warnings"`
 	}{}
 	if err := json.Unmarshal(b, &data); err != nil {
-		return nil, fmt.Errorf("json.Unmarshal %q: %w", b, err)
+		return nil, err
 	}

 	acl = &ACLHuJSON{
@@ -185,7 +184,7 @@ func (e ACLTestError) Error() string {
 }

 func (c *Client) aclPOSTRequest(ctx context.Context, body []byte, avoidCollisions bool, etag, acceptHeader string) ([]byte, string, error) {
-	path := c.BuildTailnetURL("acl")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
 	if err != nil {
 		return nil, "", err
@@ -329,7 +328,7 @@ type ACLPreview struct {
 }

 func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
-	path := c.BuildTailnetURL("acl", "preview")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/preview", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
 	if err != nil {
 		return nil, err
@@ -351,7 +350,7 @@ func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, preview
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}
 	if err = json.Unmarshal(b, &res); err != nil {
 		return nil, err
@@ -489,7 +488,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 		return nil, err
 	}

-	path := c.BuildTailnetURL("acl", "validate")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/validate", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(postData))
 	if err != nil {
 		return nil, err
--- a/client/tailscale/devices.go
+++ b/client/tailscale/devices.go
@@ -131,7 +131,7 @@ func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceL
 		}
 	}()

-	path := c.BuildTailnetURL("devices")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/devices", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -149,7 +149,7 @@ func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceL
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}

 	var devices GetDevicesResponse
@@ -188,7 +188,7 @@ func (c *Client) Device(ctx context.Context, deviceID string, fields *DeviceFiel
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}

 	err = json.Unmarshal(b, &device)
@@ -221,7 +221,7 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}
 	return nil
 }
@@ -253,7 +253,7 @@ func (c *Client) SetAuthorized(ctx context.Context, deviceID string, authorized
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}

 	return nil
@@ -281,7 +281,7 @@ func (c *Client) SetTags(ctx context.Context, deviceID string, tags []string) er
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}

 	return nil
--- a/client/tailscale/dns.go
+++ b/client/tailscale/dns.go
@@ -44,7 +44,7 @@ type DNSPreferences struct {
 }

 func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
-	path := c.BuildTailnetURL("dns", endpoint)
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -57,14 +57,14 @@ func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, er
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}

 	return b, nil
 }

 func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData any) ([]byte, error) {
-	path := c.BuildTailnetURL("dns", endpoint)
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
 	data, err := json.Marshal(&postData)
 	if err != nil {
 		return nil, err
@@ -84,7 +84,7 @@ func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData a
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}

 	return b, nil
--- a/client/tailscale/keys.go
+++ b/client/tailscale/keys.go
@@ -40,7 +40,7 @@ type KeyDeviceCreateCapabilities struct {

 // Keys returns the list of keys for the current user.
 func (c *Client) Keys(ctx context.Context) ([]string, error) {
-	path := c.BuildTailnetURL("keys")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -51,7 +51,7 @@ func (c *Client) Keys(ctx context.Context) ([]string, error) {
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}

 	var keys struct {
@@ -99,7 +99,7 @@ func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities,
 		return "", nil, err
 	}

-	path := c.BuildTailnetURL("keys")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewReader(bs))
 	if err != nil {
 		return "", nil, err
@@ -110,7 +110,7 @@ func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities,
 		return "", nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return "", nil, HandleErrorResponse(b, resp)
+		return "", nil, handleErrorResponse(b, resp)
 	}

 	var key struct {
@@ -126,7 +126,7 @@ func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities,
 // Key returns the metadata for the given key ID. Currently, capabilities are
 // only returned for auth keys, API keys only return general metadata.
 func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
-	path := c.BuildTailnetURL("keys", id)
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -137,7 +137,7 @@ func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}

 	var key Key
@@ -149,7 +149,7 @@ func (c *Client) Key(ctx context.Context, id string) (*Key, error) {

 // DeleteKey deletes the key with the given ID.
 func (c *Client) DeleteKey(ctx context.Context, id string) error {
-	path := c.BuildTailnetURL("keys", id)
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
 	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
 	if err != nil {
 		return err
@@ -160,7 +160,7 @@ func (c *Client) DeleteKey(ctx context.Context, id string) error {
 		return err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}
 	return nil
 }
--- a/client/tailscale/routes.go
+++ b/client/tailscale/routes.go
@@ -44,7 +44,7 @@ func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, e
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}

 	var sr Routes
@@ -84,7 +84,7 @@ func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
+		return nil, handleErrorResponse(b, resp)
 	}

 	var srr *Routes
--- a/client/tailscale/tailnet.go
+++ b/client/tailscale/tailnet.go
@@ -9,6 +9,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"net/url"

 	"tailscale.com/util/httpm"
 )
@@ -21,7 +22,7 @@ func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (er
 		}
 	}()

-	path := c.BuildTailnetURL("tailnet")
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
 	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
 	if err != nil {
 		return err
@@ -34,7 +35,7 @@ func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (er
 	}

 	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
+		return handleErrorResponse(b, resp)
 	}

 	return nil
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -17,8 +17,6 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"net/url"
-	"path"
 )

 // I_Acknowledge_This_API_Is_Unstable must be set true to use this package
@@ -65,46 +63,6 @@ func (c *Client) httpClient() *http.Client {
 	return http.DefaultClient
 }

-// BuildURL builds a url to http(s)://<apiserver>/api/v2/<slash-separated-pathElements>
-// using the given pathElements. It url escapes each path element, so the
-// caller doesn't need to worry about that. The last item of pathElements can
-// be of type url.Values to add a query string to the URL.
-//
-// For example, BuildURL(devices, 5) with the default server URL would result in
-// https://api.tailscale.com/api/v2/devices/5.
-func (c *Client) BuildURL(pathElements ...any) string {
-	elem := make([]string, 1, len(pathElements)+1)
-	elem[0] = "/api/v2"
-	var query string
-	for i, pathElement := range pathElements {
-		if uv, ok := pathElement.(url.Values); ok && i == len(pathElements)-1 {
-			query = uv.Encode()
-		} else {
-			elem = append(elem, url.PathEscape(fmt.Sprint(pathElement)))
-		}
-	}
-	url := c.baseURL() + path.Join(elem...)
-	if query != "" {
-		url += "?" + query
-	}
-	return url
-}
-
-// BuildTailnetURL builds a url to http(s)://<apiserver>/api/v2/tailnet/<tailnet>/<slash-separated-pathElements>
-// using the given pathElements. It url escapes each path element, so the
-// caller doesn't need to worry about that. The last item of pathElements can
-// be of type url.Values to add a query string to the URL.
-//
-// For example, BuildTailnetURL(policy, validate) with the default server URL and a tailnet of "example.com"
-// would result in https://api.tailscale.com/api/v2/tailnet/example.com/policy/validate.
-func (c *Client) BuildTailnetURL(pathElements ...any) string {
-	allElements := make([]any, 2, len(pathElements)+2)
-	allElements[0] = "tailnet"
-	allElements[1] = c.tailnet
-	allElements = append(allElements, pathElements...)
-	return c.BuildURL(allElements...)
-}
-
 func (c *Client) baseURL() string {
 	if c.BaseURL != "" {
 		return c.BaseURL
@@ -192,14 +150,12 @@ func (e ErrResponse) Error() string {
 	return fmt.Sprintf("Status: %d, Message: %q", e.Status, e.Message)
 }

-// HandleErrorResponse decodes the error message from the server and returns
+// handleErrorResponse decodes the error message from the server and returns
 // an ErrResponse from it.
-//
-// Deprecated: use tailscale.com/client/tailscale/v2 instead.
-func HandleErrorResponse(b []byte, resp *http.Response) error {
+func handleErrorResponse(b []byte, resp *http.Response) error {
 	var errResp ErrResponse
 	if err := json.Unmarshal(b, &errResp); err != nil {
-		return fmt.Errorf("json.Unmarshal %q: %w", b, err)
+		return err
 	}
 	errResp.Status = resp.StatusCode
 	return errResp
--- a/client/tailscale/tailscale_test.go
+++ b/client/tailscale/tailscale_test.go
@@ -1,86 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package tailscale
-
-import (
-	"net/url"
-	"testing"
-)
-
-func TestClientBuildURL(t *testing.T) {
-	c := Client{BaseURL: "http://127.0.0.1:1234"}
-	for _, tt := range []struct {
-		desc     string
-		elements []any
-		want     string
-	}{
-		{
-			desc:     "single-element",
-			elements: []any{"devices"},
-			want:     "http://127.0.0.1:1234/api/v2/devices",
-		},
-		{
-			desc:     "multiple-elements",
-			elements: []any{"tailnet", "example.com"},
-			want:     "http://127.0.0.1:1234/api/v2/tailnet/example.com",
-		},
-		{
-			desc:     "escape-element",
-			elements: []any{"tailnet", "example dot com?foo=bar"},
-			want:     `http://127.0.0.1:1234/api/v2/tailnet/example%20dot%20com%3Ffoo=bar`,
-		},
-		{
-			desc:     "url.Values",
-			elements: []any{"tailnet", "example.com", "acl", url.Values{"details": {"1"}}},
-			want:     `http://127.0.0.1:1234/api/v2/tailnet/example.com/acl?details=1`,
-		},
-	} {
-		t.Run(tt.desc, func(t *testing.T) {
-			got := c.BuildURL(tt.elements...)
-			if got != tt.want {
-				t.Errorf("got %q, want %q", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestClientBuildTailnetURL(t *testing.T) {
-	c := Client{
-		BaseURL: "http://127.0.0.1:1234",
-		tailnet: "example.com",
-	}
-	for _, tt := range []struct {
-		desc     string
-		elements []any
-		want     string
-	}{
-		{
-			desc:     "single-element",
-			elements: []any{"devices"},
-			want:     "http://127.0.0.1:1234/api/v2/tailnet/example.com/devices",
-		},
-		{
-			desc:     "multiple-elements",
-			elements: []any{"devices", 123},
-			want:     "http://127.0.0.1:1234/api/v2/tailnet/example.com/devices/123",
-		},
-		{
-			desc:     "escape-element",
-			elements: []any{"foo bar?baz=qux"},
-			want:     `http://127.0.0.1:1234/api/v2/tailnet/example.com/foo%20bar%3Fbaz=qux`,
-		},
-		{
-			desc:     "url.Values",
-			elements: []any{"acl", url.Values{"details": {"1"}}},
-			want:     `http://127.0.0.1:1234/api/v2/tailnet/example.com/acl?details=1`,
-		},
-	} {
-		t.Run(tt.desc, func(t *testing.T) {
-			got := c.BuildTailnetURL(tt.elements...)
-			if got != tt.want {
-				t.Errorf("got %q, want %q", got, tt.want)
-			}
-		})
-	}
-}
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -203,9 +203,35 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 	}
 	s.assetsHandler, s.assetsCleanup = assetsHandler(s.devMode)

-	var metric string
-	s.apiHandler, metric = s.modeAPIHandler(s.mode)
-	s.apiHandler = s.withCSRF(s.apiHandler)
+	var metric string // clientmetric to report on startup
+
+	// Create handler for "/api" requests with CSRF protection.
+	// We don't require secure cookies, since the web client is regularly used
+	// on network appliances that are served on local non-https URLs.
+	// The client is secured by limiting the interface it listens on,
+	// or by authenticating requests before they reach the web client.
+	csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
+
+	// signal to the CSRF middleware that the request is being served over
+	// plaintext HTTP to skip TLS-only header checks.
+	withSetPlaintext := func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			r = csrf.PlaintextHTTPRequest(r)
+			h.ServeHTTP(w, r)
+		})
+	}
+
+	switch s.mode {
+	case LoginServerMode:
+		s.apiHandler = csrfProtect(withSetPlaintext(http.HandlerFunc(s.serveLoginAPI)))
+		metric = "web_login_client_initialization"
+	case ReadOnlyServerMode:
+		s.apiHandler = csrfProtect(withSetPlaintext(http.HandlerFunc(s.serveLoginAPI)))
+		metric = "web_readonly_client_initialization"
+	case ManageServerMode:
+		s.apiHandler = csrfProtect(withSetPlaintext(http.HandlerFunc(s.serveAPI)))
+		metric = "web_client_initialization"
+	}

 	// Don't block startup on reporting metric.
 	// Report in separate go routine with 5 second timeout.
@@ -218,39 +244,6 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 	return s, nil
 }

-func (s *Server) withCSRF(h http.Handler) http.Handler {
-	csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
-
-	// ref https://github.com/tailscale/tailscale/pull/14822
-	// signal to the CSRF middleware that the request is being served over
-	// plaintext HTTP to skip TLS-only header checks.
-	withSetPlaintext := func(h http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			r = csrf.PlaintextHTTPRequest(r)
-			h.ServeHTTP(w, r)
-		})
-	}
-
-	// NB: the order of the withSetPlaintext and csrfProtect calls is important
-	// to ensure that we signal to the CSRF middleware that the request is being
-	// served over plaintext HTTP and not over TLS as it presumes by default.
-	return withSetPlaintext(csrfProtect(h))
-}
-
-func (s *Server) modeAPIHandler(mode ServerMode) (http.Handler, string) {
-	switch mode {
-	case LoginServerMode:
-		return http.HandlerFunc(s.serveLoginAPI), "web_login_client_initialization"
-	case ReadOnlyServerMode:
-		return http.HandlerFunc(s.serveLoginAPI), "web_readonly_client_initialization"
-	case ManageServerMode:
-		return http.HandlerFunc(s.serveAPI), "web_client_initialization"
-	default: // invalid mode
-		log.Fatalf("invalid mode: %v", mode)
-	}
-	return nil, ""
-}
-
 func (s *Server) Shutdown() {
 	s.logf("web.Server: shutting down")
 	if s.assetsCleanup != nil {
--- a/client/web/web_test.go
+++ b/client/web/web_test.go
@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"net/http/cookiejar"
 	"net/http/httptest"
 	"net/netip"
 	"net/url"
@@ -21,7 +20,6 @@ import (
 	"time"

 	"github.com/google/go-cmp/cmp"
-	"github.com/gorilla/csrf"
 	"tailscale.com/client/local"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
@@ -1479,83 +1477,3 @@ func mockWaitAuthURL(_ context.Context, id string, src tailcfg.NodeID) (*tailcfg
 		return nil, errors.New("unknown id")
 	}
 }
-
-func TestCSRFProtect(t *testing.T) {
-	s := &Server{}
-
-	mux := http.NewServeMux()
-	mux.HandleFunc("GET /test/csrf-token", func(w http.ResponseWriter, r *http.Request) {
-		token := csrf.Token(r)
-		_, err := io.WriteString(w, token)
-		if err != nil {
-			t.Fatal(err)
-		}
-	})
-	mux.HandleFunc("POST /test/csrf-protected", func(w http.ResponseWriter, r *http.Request) {
-		_, err := io.WriteString(w, "ok")
-		if err != nil {
-			t.Fatal(err)
-		}
-	})
-	h := s.withCSRF(mux)
-	ser := httptest.NewServer(h)
-	defer ser.Close()
-
-	jar, err := cookiejar.New(nil)
-	if err != nil {
-		t.Fatalf("unable to construct cookie jar: %v", err)
-	}
-
-	client := ser.Client()
-	client.Jar = jar
-
-	// make GET request to populate cookie jar
-	resp, err := client.Get(ser.URL + "/test/csrf-token")
-	if err != nil {
-		t.Fatalf("unable to make request: %v", err)
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		t.Fatalf("unexpected status: %v", resp.Status)
-	}
-	tokenBytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		t.Fatalf("unable to read body: %v", err)
-	}
-
-	csrfToken := strings.TrimSpace(string(tokenBytes))
-	if csrfToken == "" {
-		t.Fatal("empty csrf token")
-	}
-
-	// make a POST request without the CSRF header; ensure it fails
-	resp, err = client.Post(ser.URL+"/test/csrf-protected", "text/plain", nil)
-	if err != nil {
-		t.Fatalf("unable to make request: %v", err)
-	}
-	if resp.StatusCode != http.StatusForbidden {
-		t.Fatalf("unexpected status: %v", resp.Status)
-	}
-
-	// make a POST request with the CSRF header; ensure it succeeds
-	req, err := http.NewRequest("POST", ser.URL+"/test/csrf-protected", nil)
-	if err != nil {
-		t.Fatalf("error building request: %v", err)
-	}
-	req.Header.Set("X-CSRF-Token", csrfToken)
-	resp, err = client.Do(req)
-	if err != nil {
-		t.Fatalf("unable to make request: %v", err)
-	}
-	if resp.StatusCode != http.StatusOK {
-		t.Fatalf("unexpected status: %v", resp.Status)
-	}
-	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
-	if err != nil {
-		t.Fatalf("unable to read body: %v", err)
-	}
-	if string(out) != "ok" {
-		t.Fatalf("unexpected body: %q", out)
-	}
-}
--- a/cmd/containerboot/serve.go
+++ b/cmd/containerboot/serve.go
@@ -35,8 +35,6 @@ func watchServeConfigChanges(ctx context.Context, path string, cdChanged <-chan
 	var tickChan <-chan time.Time
 	var eventChan <-chan fsnotify.Event
 	if w, err := fsnotify.NewWatcher(); err != nil {
-		// Creating a new fsnotify watcher would fail for example if inotify was not able to create a new file descriptor.
-		// See https://github.com/tailscale/tailscale/issues/15081
 		log.Printf("serve proxy: failed to create fsnotify watcher, timer-only mode: %v", err)
 		ticker := time.NewTicker(5 * time.Second)
 		defer ticker.Stop()
--- a/cmd/containerboot/tailscaled.go
+++ b/cmd/containerboot/tailscaled.go
@@ -173,14 +173,11 @@ func tailscaleSet(ctx context.Context, cfg *settings) error {
 func watchTailscaledConfigChanges(ctx context.Context, path string, lc *local.Client, errCh chan<- error) {
 	var (
 		tickChan          <-chan time.Time
-		eventChan         <-chan fsnotify.Event
-		errChan           <-chan error
 		tailscaledCfgDir  = filepath.Dir(path)
 		prevTailscaledCfg []byte
 	)
-	if w, err := fsnotify.NewWatcher(); err != nil {
-		// Creating a new fsnotify watcher would fail for example if inotify was not able to create a new file descriptor.
-		// See https://github.com/tailscale/tailscale/issues/15081
+	w, err := fsnotify.NewWatcher()
+	if err != nil {
 		log.Printf("tailscaled config watch: failed to create fsnotify watcher, timer-only mode: %v", err)
 		ticker := time.NewTicker(5 * time.Second)
 		defer ticker.Stop()
@@ -191,8 +188,6 @@ func watchTailscaledConfigChanges(ctx context.Context, path string, lc *local.Cl
 			errCh <- fmt.Errorf("failed to add fsnotify watch: %w", err)
 			return
 		}
-		eventChan = w.Events
-		errChan = w.Errors
 	}
 	b, err := os.ReadFile(path)
 	if err != nil {
@@ -210,11 +205,11 @@ func watchTailscaledConfigChanges(ctx context.Context, path string, lc *local.Cl
 		select {
 		case <-ctx.Done():
 			return
-		case err := <-errChan:
+		case err := <-w.Errors:
 			errCh <- fmt.Errorf("watcher error: %w", err)
 			return
 		case <-tickChan:
-		case event := <-eventChan:
+		case event := <-w.Events:
 			if event.Name != toWatch {
 				continue
 			}
--- a/cmd/derper/cert.go
+++ b/cmd/derper/cert.go
@@ -4,28 +4,16 @@
 package main

 import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/json"
-	"encoding/pem"
 	"errors"
 	"fmt"
-	"log"
-	"math/big"
 	"net"
 	"net/http"
-	"os"
 	"path/filepath"
 	"regexp"
-	"time"

 	"golang.org/x/crypto/acme/autocert"
-	"tailscale.com/tailcfg"
 )

 var unsafeHostnameCharacters = regexp.MustCompile(`[^a-zA-Z0-9-\.]`)
@@ -77,18 +65,8 @@ func NewManualCertManager(certdir, hostname string) (certProvider, error) {
 	crtPath := filepath.Join(certdir, keyname+".crt")
 	keyPath := filepath.Join(certdir, keyname+".key")
 	cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
-	hostnameIP := net.ParseIP(hostname) // or nil if hostname isn't an IP address
 	if err != nil {
-		// If the hostname is an IP address, automatically create a
-		// self-signed certificate for it.
-		var certp *tls.Certificate
-		if os.IsNotExist(err) && hostnameIP != nil {
-			certp, err = createSelfSignedIPCert(crtPath, keyPath, hostname)
-		}
-		if err != nil {
-			return nil, fmt.Errorf("can not load x509 key pair for hostname %q: %w", keyname, err)
-		}
-		cert = *certp
+		return nil, fmt.Errorf("can not load x509 key pair for hostname %q: %w", keyname, err)
 	}
 	// ensure hostname matches with the certificate
 	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
@@ -98,18 +76,6 @@ func NewManualCertManager(certdir, hostname string) (certProvider, error) {
 	if err := x509Cert.VerifyHostname(hostname); err != nil {
 		return nil, fmt.Errorf("cert invalid for hostname %q: %w", hostname, err)
 	}
-	if hostnameIP != nil {
-		// If the hostname is an IP address, print out information on how to
-		// confgure this in the derpmap.
-		dn := &tailcfg.DERPNode{
-			Name:     "custom",
-			RegionID: 900,
-			HostName: hostname,
-			CertName: fmt.Sprintf("sha256-raw:%-02x", sha256.Sum256(x509Cert.Raw)),
-		}
-		dnJSON, _ := json.Marshal(dn)
-		log.Printf("Using self-signed certificate for IP address %q. Configure it in DERPMap using: (https://tailscale.com/s/custom-derp)\n  %s", hostname, dnJSON)
-	}
 	return &manualCertManager{
 		cert:       &cert,
 		hostname:   hostname,
@@ -143,69 +109,3 @@ func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certif
 func (m *manualCertManager) HTTPHandler(fallback http.Handler) http.Handler {
 	return fallback
 }
-
-func createSelfSignedIPCert(crtPath, keyPath, ipStr string) (*tls.Certificate, error) {
-	ip := net.ParseIP(ipStr)
-	if ip == nil {
-		return nil, fmt.Errorf("invalid IP address: %s", ipStr)
-	}
-
-	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate EC private key: %v", err)
-	}
-
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		return nil, fmt.Errorf("failed to generate serial number: %v", err)
-	}
-
-	now := time.Now()
-	template := x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			CommonName: ipStr,
-		},
-		NotBefore: now,
-		NotAfter:  now.AddDate(1, 0, 0), // expires in 1 year; a bit over that is rejected by macOS etc
-
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-	}
-
-	// Set the IP as a SAN.
-	template.IPAddresses = []net.IP{ip}
-
-	// Create the self-signed certificate.
-	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create certificate: %v", err)
-	}
-
-	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
-
-	keyBytes, err := x509.MarshalECPrivateKey(priv)
-	if err != nil {
-		return nil, fmt.Errorf("unable to marshal EC private key: %v", err)
-	}
-
-	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes})
-
-	if err := os.MkdirAll(filepath.Dir(crtPath), 0700); err != nil {
-		return nil, fmt.Errorf("failed to create directory for certificate: %v", err)
-	}
-	if err := os.WriteFile(crtPath, certPEM, 0644); err != nil {
-		return nil, fmt.Errorf("failed to write certificate to %s: %v", crtPath, err)
-	}
-	if err := os.WriteFile(keyPath, keyPEM, 0600); err != nil {
-		return nil, fmt.Errorf("failed to write key to %s: %v", keyPath, err)
-	}
-
-	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create tls.Certificate: %v", err)
-	}
-	return &tlsCert, nil
-}
--- a/cmd/derper/cert_test.go
+++ b/cmd/derper/cert_test.go
@@ -4,29 +4,19 @@
 package main

 import (
-	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
-	"fmt"
 	"math/big"
 	"net"
-	"net/http"
 	"os"
 	"path/filepath"
 	"testing"
 	"time"
-
-	"tailscale.com/derp"
-	"tailscale.com/derp/derphttp"
-	"tailscale.com/net/netmon"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
 )

 // Verify that in --certmode=manual mode, we can use a bare IP address
@@ -105,66 +95,3 @@ func TestCertIP(t *testing.T) {
 		t.Fatalf("GetCertificate returned nil")
 	}
 }
-
-// Test that we can dial a raw IP without using a hostname and without a WebPKI
-// cert, validating the cert against the signature of the cert in the DERP map's
-// DERPNode.
-//
-// See https://github.com/tailscale/tailscale/issues/11776.
-func TestPinnedCertRawIP(t *testing.T) {
-	td := t.TempDir()
-	cp, err := NewManualCertManager(td, "127.0.0.1")
-	if err != nil {
-		t.Fatalf("NewManualCertManager: %v", err)
-	}
-
-	cert, err := cp.TLSConfig().GetCertificate(&tls.ClientHelloInfo{
-		ServerName: "127.0.0.1",
-	})
-	if err != nil {
-		t.Fatalf("GetCertificate: %v", err)
-	}
-
-	ln, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		t.Fatalf("Listen: %v", err)
-	}
-	defer ln.Close()
-
-	ds := derp.NewServer(key.NewNode(), t.Logf)
-
-	derpHandler := derphttp.Handler(ds)
-	mux := http.NewServeMux()
-	mux.Handle("/derp", derpHandler)
-
-	var hs http.Server
-	hs.Handler = mux
-	hs.TLSConfig = cp.TLSConfig()
-	go hs.ServeTLS(ln, "", "")
-
-	lnPort := ln.Addr().(*net.TCPAddr).Port
-
-	reg := &tailcfg.DERPRegion{
-		RegionID: 900,
-		Nodes: []*tailcfg.DERPNode{
-			{
-				RegionID: 900,
-				HostName: "127.0.0.1",
-				CertName: fmt.Sprintf("sha256-raw:%-02x", sha256.Sum256(cert.Leaf.Raw)),
-				DERPPort: lnPort,
-			},
-		},
-	}
-
-	netMon := netmon.NewStatic()
-	dc := derphttp.NewRegionClient(key.NewNode(), t.Logf, netMon, func() *tailcfg.DERPRegion {
-		return reg
-	})
-	defer dc.Close()
-
-	_, connClose, _, err := dc.DialRegionTLS(context.Background(), reg)
-	if err != nil {
-		t.Fatalf("DialRegionTLS: %v", err)
-	}
-	defer connClose.Close()
-}
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -191,11 +191,13 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/hkdf                                     from crypto/tls+
        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
   W    golang.org/x/exp/constraints                                 from tailscale.com/util/winutil
        golang.org/x/exp/maps                                        from tailscale.com/util/syspolicy/setting+
   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
@@ -228,7 +230,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/internal/hpke+
+        crypto/aes                                                   from crypto/ecdsa+
        crypto/cipher                                                from crypto/aes+
        crypto/des                                                   from crypto/tls+
        crypto/dsa                                                   from crypto/x509
@@ -237,58 +239,31 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
        crypto/internal/boring                                       from crypto/aes+
        crypto/internal/boring/bbig                                  from crypto/ecdsa+
        crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
-        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
-        crypto/internal/fips140/aes                                  from crypto/aes+
-        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
-        crypto/internal/fips140/alias                                from crypto/cipher+
-        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
-        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
-        crypto/internal/fips140/ecdh                                 from crypto/ecdh
-        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
-        crypto/internal/fips140/ed25519                              from crypto/ed25519
-        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
-        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
-        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
-        crypto/internal/fips140/hmac                                 from crypto/hmac+
-        crypto/internal/fips140/mlkem                                from crypto/tls
-        crypto/internal/fips140/nistec                               from crypto/elliptic+
-        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
-        crypto/internal/fips140/rsa                                  from crypto/rsa
-        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
-        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
-        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
-        crypto/internal/fips140/tls12                                from crypto/tls
-        crypto/internal/fips140/tls13                                from crypto/tls
-        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
-        crypto/internal/fips140hash                                  from crypto/ecdsa+
-        crypto/internal/fips140only                                  from crypto/cipher+
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
        crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/impl                                         from crypto/internal/fips140/aes+
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
        crypto/internal/randutil                                     from crypto/dsa+
-        crypto/internal/sysrand                                      from crypto/internal/entropy+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls
        crypto/rsa                                                   from crypto/tls+
        crypto/sha1                                                  from crypto/tls+
        crypto/sha256                                                from crypto/tls+
-        crypto/sha3                                                  from crypto/internal/fips140hash
        crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/cipher+
+        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from golang.org/x/crypto/acme+
-        crypto/tls/internal/fips140tls                               from crypto/tls
        crypto/x509                                                  from crypto/tls+
   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509+
-        embed                                                        from google.golang.org/protobuf/internal/editiondefaults+
+        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
        encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -309,22 +284,23 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        html                                                         from net/http/pprof+
        html/template                                                from tailscale.com/cmd/derper
        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall+
+        internal/asan                                                from syscall
        internal/bisect                                              from internal/godebug
        internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/cipher+
+        internal/byteorder                                           from crypto/aes+
        internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
        internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
+        internal/cpu                                                 from crypto/aes+
        internal/filepathlite                                        from os+
        internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/internal/fips140deps/cpu+
+        internal/goarch                                              from crypto/aes+
        internal/godebug                                             from crypto/tls+
        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime+
+        internal/goexperiment                                        from runtime
        internal/goos                                                from crypto/x509+
        internal/itoa                                                from internal/poll+
-        internal/msan                                                from syscall+
+        internal/msan                                                from syscall
        internal/nettrace                                            from net+
        internal/oserror                                             from io/fs+
        internal/poll                                                from net+
@@ -334,20 +310,17 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        internal/reflectlite                                         from context+
        internal/runtime/atomic                                      from internal/runtime/exithook+
        internal/runtime/exithook                                    from runtime
-        internal/runtime/maps                                        from reflect+
-        internal/runtime/math                                        from internal/runtime/maps+
-        internal/runtime/sys                                         from crypto/subtle+
   L    internal/runtime/syscall                                     from runtime+
        internal/singleflight                                        from net
        internal/stringslite                                         from embed+
-        internal/sync                                                from sync+
        internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
-   W    internal/syscall/windows                                     from crypto/internal/sysrand+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
   W    internal/syscall/windows/registry                            from mime+
   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
        internal/testlog                                             from os
        internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
        io                                                           from bufio+
        io/fs                                                        from crypto/x509+
   L    io/ioutil                                                    from github.com/mitchellh/go-ps+
@@ -359,7 +332,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        math/big                                                     from crypto/dsa+
        math/bits                                                    from compress/flate+
        math/rand                                                    from github.com/mdlayher/netlink+
-        math/rand/v2                                                 from crypto/ecdsa+
+        math/rand/v2                                                 from internal/concurrent+
        mime                                                         from github.com/prometheus/common/expfmt+
        mime/multipart                                               from net/http
        mime/quotedprintable                                         from mime/multipart
@@ -372,7 +345,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        net/netip                                                    from go4.org/netipx+
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
-        os                                                           from crypto/internal/sysrand+
+        os                                                           from crypto/rand+
        os/exec                                                      from github.com/coreos/go-iptables/iptables+
        os/signal                                                    from tailscale.com/cmd/derper
   W    os/user                                                      from tailscale.com/util/winutil+
@@ -381,8 +354,10 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/coreos/go-iptables/iptables+
        regexp/syntax                                                from regexp
-        runtime                                                      from crypto/internal/fips140+
+        runtime                                                      from crypto/internal/nistec+
        runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
        runtime/trace                                                from net/http/pprof
@@ -392,7 +367,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        strings                                                      from bufio+
        sync                                                         from compress/flate+
        sync/atomic                                                  from context+
-        syscall                                                      from crypto/internal/sysrand+
+        syscall                                                      from crypto/rand+
        text/tabwriter                                               from runtime/pprof
        text/template                                                from html/template
        text/template/parse                                          from html/template+
@@ -402,4 +377,3 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
        unsafe                                                       from bytes+
-        weak                                                         from unique
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -63,7 +63,6 @@ var (
 	hostname    = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443. When --certmode=manual, this can be an IP address to avoid SNI checks")
 	runSTUN     = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
 	runDERP     = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")
-	flagHome    = flag.String("home", "", "what to serve at the root path. It may be left empty (the default, for a default homepage), \"blank\" for a blank page, or a URL to redirect to")

 	meshPSKFile     = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
 	meshWith        = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list. If an entry contains a slash, the second part names a hostname to be used when dialing the target.")
@@ -72,13 +71,10 @@ var (
 	secretsCacheDir = flag.String("secrets-cache-dir", defaultSetecCacheDir(), "directory to cache setec secrets in (required if --secrets-url is set)")
 	bootstrapDNS    = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
 	unpublishedDNS  = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list. If an entry contains a slash, the second part names a DNS record to poll for its TXT record with a `0` to `100` value for rollout percentage.")
-
 	verifyClients   = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
 	verifyClientURL = flag.String("verify-client-url", "", "if non-empty, an admission controller URL for permitting client connections; see tailcfg.DERPAdmitClientRequest")
 	verifyFailOpen  = flag.Bool("verify-client-url-fail-open", true, "whether we fail open if --verify-client-url is unreachable")

-	socket = flag.String("socket", "", "optional alternate path to tailscaled socket (only relevant when using --verify-clients)")
-
 	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
 	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")

@@ -196,7 +192,6 @@ func main() {

 	s := derp.NewServer(cfg.PrivateKey, log.Printf)
 	s.SetVerifyClient(*verifyClients)
-	s.SetTailscaledSocketPath(*socket)
 	s.SetVerifyClientURL(*verifyClientURL)
 	s.SetVerifyClientURLFailOpen(*verifyFailOpen)
 	s.SetTCPWriteTimeout(*tcpWriteTimeout)
@@ -255,11 +250,6 @@ func main() {
 	}
 	expvar.Publish("derp", s.ExpVar())

-	handleHome, ok := getHomeHandler(*flagHome)
-	if !ok {
-		log.Fatalf("unknown --home value %q", *flagHome)
-	}
-
 	mux := http.NewServeMux()
 	if *runDERP {
 		derpHandler := derphttp.Handler(s)
@@ -280,7 +270,19 @@ func main() {
 	mux.HandleFunc("/bootstrap-dns", tsweb.BrowserHeaderHandlerFunc(handleBootstrapDNS))
 	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		tsweb.AddBrowserHeaders(w)
-		handleHome.ServeHTTP(w, r)
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.WriteHeader(200)
+		err := homePageTemplate.Execute(w, templateData{
+			ShowAbuseInfo: validProdHostname.MatchString(*hostname),
+			Disabled:      !*runDERP,
+			AllowDebug:    tsweb.AllowDebugAccess(r),
+		})
+		if err != nil {
+			if r.Context().Err() == nil {
+				log.Printf("homePageTemplate.Execute: %v", err)
+			}
+			return
+		}
 	}))
 	mux.Handle("/robots.txt", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		tsweb.AddBrowserHeaders(w)
@@ -322,9 +324,6 @@ func main() {
 		Control:   ktimeout.UserTimeout(*tcpUserTimeout),
 		KeepAlive: *tcpKeepAlive,
 	}
-	// As of 2025-02-19, MPTCP does not support TCP_USER_TIMEOUT socket option
-	// set in ktimeout.UserTimeout above.
-	lc.SetMultipathTCP(false)

 	quietLogger := log.New(logger.HTTPServerLogFilter{Inner: log.Printf}, "", 0)
 	httpsrv := &http.Server{
@@ -573,35 +572,3 @@ var homePageTemplate = template.Must(template.New("home").Parse(`<html><body>
 </body>
 </html>
 `))
-
-// getHomeHandler returns a handler for the home page based on a flag string
-// as documented on the --home flag.
-func getHomeHandler(val string) (_ http.Handler, ok bool) {
-	if val == "" {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Content-Type", "text/html; charset=utf-8")
-			w.WriteHeader(200)
-			err := homePageTemplate.Execute(w, templateData{
-				ShowAbuseInfo: validProdHostname.MatchString(*hostname),
-				Disabled:      !*runDERP,
-				AllowDebug:    tsweb.AllowDebugAccess(r),
-			})
-			if err != nil {
-				if r.Context().Err() == nil {
-					log.Printf("homePageTemplate.Execute: %v", err)
-				}
-				return
-			}
-		}), true
-	}
-	if val == "blank" {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Content-Type", "text/html; charset=utf-8")
-			w.WriteHeader(200)
-		}), true
-	}
-	if strings.HasPrefix(val, "http://") || strings.HasPrefix(val, "https://") {
-		return http.RedirectHandler(val, http.StatusFound), true
-	}
-	return nil, false
-}
--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -13,7 +13,6 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"io"
 	"log"
 	"net/http"
 	"os"
@@ -406,8 +405,7 @@ func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string
 	got := resp.StatusCode
 	want := http.StatusOK
 	if got != want {
-		errorDetails, _ := io.ReadAll(resp.Body)
-		return "", fmt.Errorf("wanted HTTP status code %d but got %d: %#q", want, got, string(errorDetails))
+		return "", fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
 	}

 	return Shuck(resp.Header.Get("ETag")), nil
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -20,7 +20,6 @@ import (

 	"tailscale.com/client/local"
 	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/tailcfg"
 )

 var (
@@ -135,10 +134,6 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 	if who == nil {
 		return ""
 	}
-	vals, err := tailcfg.UnmarshalNodeCapJSON[string](who.Node.CapMap, tailcfg.NodeAttrNativeIPV4)
-	if err == nil && len(vals) > 0 {
-		return vals[0]
-	}
 	for _, nodeIP := range who.Node.Addresses {
 		if nodeIP.Addr().Is4() && nodeIP.IsSingleIP() {
 			return nodeIP.Addr().String()
--- a/cmd/k8s-operator/depaware.txt
+++ b/cmd/k8s-operator/depaware.txt
@@ -814,7 +814,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        tailscale.com/internal/client/tailscale                      from tailscale.com/cmd/k8s-operator
        tailscale.com/internal/noiseconn                             from tailscale.com/control/controlclient
        tailscale.com/ipn                                            from tailscale.com/client/local+
-        tailscale.com/ipn/auditlog                                   from tailscale.com/ipn/ipnlocal+
        tailscale.com/ipn/conffile                                   from tailscale.com/ipn/ipnlocal+
     💣 tailscale.com/ipn/desktop                                    from tailscale.com/ipn/ipnlocal+
     💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnlocal+
@@ -905,7 +904,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        tailscale.com/tstime/rate                                    from tailscale.com/derp+
        tailscale.com/tsweb/varz                                     from tailscale.com/util/usermetric
        tailscale.com/types/appctype                                 from tailscale.com/ipn/ipnlocal
-        tailscale.com/types/bools                                    from tailscale.com/tsnet
        tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
        tailscale.com/types/empty                                    from tailscale.com/ipn+
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
@@ -999,13 +997,14 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/ssh+
-        golang.org/x/crypto/hkdf                                     from tailscale.com/control/controlbase
+        golang.org/x/crypto/hkdf                                     from crypto/tls+
        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ipn/ipnlocal
  LD    golang.org/x/crypto/ssh/internal/bcrypt_pbkdf                from golang.org/x/crypto/ssh
        golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
@@ -1056,7 +1055,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/internal/hpke+
+        crypto/aes                                                   from crypto/ecdsa+
        crypto/cipher                                                from crypto/aes+
        crypto/des                                                   from crypto/tls+
        crypto/dsa                                                   from crypto/x509+
@@ -1065,54 +1064,27 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
        crypto/internal/boring                                       from crypto/aes+
        crypto/internal/boring/bbig                                  from crypto/ecdsa+
        crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
-        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
-        crypto/internal/fips140/aes                                  from crypto/aes+
-        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
-        crypto/internal/fips140/alias                                from crypto/cipher+
-        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
-        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
-        crypto/internal/fips140/ecdh                                 from crypto/ecdh
-        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
-        crypto/internal/fips140/ed25519                              from crypto/ed25519
-        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
-        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
-        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
-        crypto/internal/fips140/hmac                                 from crypto/hmac+
-        crypto/internal/fips140/mlkem                                from crypto/tls
-        crypto/internal/fips140/nistec                               from crypto/elliptic+
-        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
-        crypto/internal/fips140/rsa                                  from crypto/rsa
-        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
-        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
-        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
-        crypto/internal/fips140/tls12                                from crypto/tls
-        crypto/internal/fips140/tls13                                from crypto/tls
-        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
-        crypto/internal/fips140hash                                  from crypto/ecdsa+
-        crypto/internal/fips140only                                  from crypto/cipher+
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
        crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/impl                                         from crypto/internal/fips140/aes+
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
        crypto/internal/randutil                                     from crypto/dsa+
-        crypto/internal/sysrand                                      from crypto/internal/entropy+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls+
        crypto/rsa                                                   from crypto/tls+
        crypto/sha1                                                  from crypto/tls+
        crypto/sha256                                                from crypto/tls+
-        crypto/sha3                                                  from crypto/internal/fips140hash
        crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/cipher+
+        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
-        crypto/tls/internal/fips140tls                               from crypto/tls
        crypto/x509                                                  from crypto/tls+
   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509+
@@ -1120,7 +1092,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        database/sql/driver                                          from database/sql+
   W    debug/dwarf                                                  from debug/pe
   W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
-        embed                                                        from github.com/tailscale/web-client-prebuilt+
+        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/gob+
        encoding/asn1                                                from crypto/x509+
        encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -1140,6 +1112,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        go/build/constraint                                          from go/parser
        go/doc                                                       from k8s.io/apimachinery/pkg/runtime
        go/doc/comment                                               from go/doc
+        go/internal/typeparams                                       from go/parser
        go/parser                                                    from k8s.io/apimachinery/pkg/runtime
        go/scanner                                                   from go/ast+
        go/token                                                     from go/ast+
@@ -1151,23 +1124,24 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        html                                                         from html/template+
        html/template                                                from github.com/gorilla/csrf
        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall+
+        internal/asan                                                from syscall
        internal/bisect                                              from internal/godebug
        internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/cipher+
+        internal/byteorder                                           from crypto/aes+
        internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
        internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
+        internal/cpu                                                 from crypto/aes+
        internal/filepathlite                                        from os+
        internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/internal/fips140deps/cpu+
+        internal/goarch                                              from crypto/aes+
        internal/godebug                                             from archive/tar+
        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime+
+        internal/goexperiment                                        from runtime
        internal/goos                                                from crypto/x509+
        internal/itoa                                                from internal/poll+
        internal/lazyregexp                                          from go/doc
-        internal/msan                                                from syscall+
+        internal/msan                                                from syscall
        internal/nettrace                                            from net+
        internal/oserror                                             from io/fs+
        internal/poll                                                from net+
@@ -1177,21 +1151,18 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        internal/reflectlite                                         from context+
        internal/runtime/atomic                                      from internal/runtime/exithook+
        internal/runtime/exithook                                    from runtime
-        internal/runtime/maps                                        from reflect+
-        internal/runtime/math                                        from internal/runtime/maps+
-        internal/runtime/sys                                         from crypto/subtle+
   L    internal/runtime/syscall                                     from runtime+
        internal/saferio                                             from debug/pe+
        internal/singleflight                                        from net
        internal/stringslite                                         from embed+
-        internal/sync                                                from sync+
        internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
-   W    internal/syscall/windows                                     from crypto/internal/sysrand+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
   W    internal/syscall/windows/registry                            from mime+
   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
        internal/testlog                                             from os
        internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
        io                                                           from archive/tar+
        io/fs                                                        from archive/tar+
        io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
@@ -1220,7 +1191,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        net/netip                                                    from github.com/gaissmai/bart+
        net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
        net/url                                                      from crypto/x509+
-        os                                                           from crypto/internal/sysrand+
+        os                                                           from crypto/rand+
        os/exec                                                      from github.com/aws/aws-sdk-go-v2/credentials/processcreds+
        os/signal                                                    from sigs.k8s.io/controller-runtime/pkg/manager/signals
        os/user                                                      from archive/tar+
@@ -1231,6 +1202,8 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        regexp/syntax                                                from regexp
        runtime                                                      from archive/tar+
        runtime/debug                                                from github.com/aws/aws-sdk-go-v2/internal/sync/singleflight+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof+
        runtime/trace                                                from net/http/pprof
@@ -1250,4 +1223,3 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
        unsafe                                                       from bytes+
-        weak                                                         from unique
--- a/cmd/k8s-operator/egress-services.go
+++ b/cmd/k8s-operator/egress-services.go
@@ -630,11 +630,7 @@ func tailnetTargetFromSvc(svc *corev1.Service) egressservices.TailnetTarget {

 func portMap(p corev1.ServicePort) egressservices.PortMap {
 	// TODO (irbekrm): out of bounds check?
-	return egressservices.PortMap{
-		Protocol:   string(p.Protocol),
-		MatchPort:  uint16(p.TargetPort.IntVal),
-		TargetPort: uint16(p.Port),
-	}
+	return egressservices.PortMap{Protocol: string(p.Protocol), MatchPort: uint16(p.TargetPort.IntVal), TargetPort: uint16(p.Port)}
 }

 func isEgressSvcForProxyGroup(obj client.Object) bool {
--- a/cmd/k8s-operator/ingress-for-pg.go
+++ b/cmd/k8s-operator/ingress-for-pg.go
@@ -15,9 +15,6 @@ import (
 	"slices"
 	"strings"
 	"sync"
-	"time"
-
-	"math/rand/v2"

 	"go.uber.org/zap"
 	corev1 "k8s.io/api/core/v1"
@@ -29,7 +26,7 @@ import (
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"tailscale.com/internal/client/tailscale"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	tsoperator "tailscale.com/k8s-operator"
@@ -56,9 +53,9 @@ const (

 var gaugePGIngressResources = clientmetric.NewGauge(kubetypes.MetricIngressPGResourceCount)

-// HAIngressReconciler is a controller that reconciles Tailscale Ingresses
-// should be exposed on an ingress ProxyGroup (in HA mode).
-type HAIngressReconciler struct {
+// IngressPGReconciler is a controller that reconciles Tailscale Ingresses should be exposed on an ingress ProxyGroup
+// (in HA mode).
+type IngressPGReconciler struct {
 	client.Client

 	recorder    record.EventRecorder
@@ -68,7 +65,6 @@ type HAIngressReconciler struct {
 	tsNamespace string
 	lc          localClient
 	defaultTags []string
-	operatorID  string // stableID of the operator's Tailscale device

 	mu sync.Mutex // protects following
 	// managedIngresses is a set of all ingress resources that we're currently
@@ -76,29 +72,20 @@ type HAIngressReconciler struct {
 	managedIngresses set.Slice[types.UID]
 }

-// Reconcile reconciles Ingresses that should be exposed over Tailscale in HA
-// mode (on a ProxyGroup). It looks at all Ingresses with
-// tailscale.com/proxy-group annotation. For each such Ingress, it ensures that
-// a VIPService named after the hostname of the Ingress exists and is up to
-// date. It also ensures that the serve config for the ingress ProxyGroup is
-// updated to route traffic for the VIPService to the Ingress's backend
-// Services.  Ingress hostname change also results in the VIPService for the
-// previous hostname being cleaned up and a new VIPService being created for the
-// new hostname.
-// HA Ingresses support multi-cluster Ingress setup.
-// Each VIPService contains a list of owner references that uniquely identify
-// the Ingress resource and the operator.  When an Ingress that acts as a
-// backend is being deleted, the corresponding VIPService is only deleted if the
-// only owner reference that it contains is for this Ingress. If other owner
-// references are found, then cleanup operation only removes this Ingress' owner
-// reference.
-func (r *HAIngressReconciler) Reconcile(ctx context.Context, req reconcile.Request) (res reconcile.Result, err error) {
-	logger := r.logger.With("Ingress", req.NamespacedName)
+// Reconcile reconciles Ingresses that should be exposed over Tailscale in HA mode (on a ProxyGroup). It looks at all
+// Ingresses with tailscale.com/proxy-group annotation. For each such Ingress, it ensures that a VIPService named after
+// the hostname of the Ingress exists and is up to date. It also ensures that the serve config for the ingress
+// ProxyGroup is updated to route traffic for the VIPService to the Ingress's backend Services.
+// When an Ingress is deleted or unexposed, the VIPService and the associated serve config are cleaned up.
+// Ingress hostname change also results in the VIPService for the previous hostname being cleaned up and a new VIPService
+// being created for the new hostname.
+func (a *IngressPGReconciler) Reconcile(ctx context.Context, req reconcile.Request) (res reconcile.Result, err error) {
+	logger := a.logger.With("Ingress", req.NamespacedName)
 	logger.Debugf("starting reconcile")
 	defer logger.Debugf("reconcile finished")

 	ing := new(networkingv1.Ingress)
-	err = r.Get(ctx, req.NamespacedName, ing)
+	err = a.Get(ctx, req.NamespacedName, ing)
 	if apierrors.IsNotFound(err) {
 		// Request object not found, could have been deleted after reconcile request.
 		logger.Debugf("Ingress not found, assuming it was deleted")
@@ -112,70 +99,56 @@ func (r *HAIngressReconciler) Reconcile(ctx context.Context, req reconcile.Reque
 	hostname := hostnameForIngress(ing)
 	logger = logger.With("hostname", hostname)

-	// needsRequeue is set to true if the underlying VIPService has changed as a result of this reconcile. If that
-	// is the case, we reconcile the Ingress one more time to ensure that concurrent updates to the VIPService in a
-	// multi-cluster Ingress setup have not resulted in another actor overwriting our VIPService update.
-	needsRequeue := false
-	if !ing.DeletionTimestamp.IsZero() || !r.shouldExpose(ing) {
-		needsRequeue, err = r.maybeCleanup(ctx, hostname, ing, logger)
-	} else {
-		needsRequeue, err = r.maybeProvision(ctx, hostname, ing, logger)
+	if !ing.DeletionTimestamp.IsZero() || !a.shouldExpose(ing) {
+		return res, a.maybeCleanup(ctx, hostname, ing, logger)
 	}
-	if err != nil {
-		return res, err
-	}
-	if needsRequeue {
-		res = reconcile.Result{RequeueAfter: requeueInterval()}
+
+	if err := a.maybeProvision(ctx, hostname, ing, logger); err != nil {
+		return res, fmt.Errorf("failed to provision: %w", err)
 	}
 	return res, nil
 }

-// maybeProvision ensures that a VIPService for this Ingress exists and is up to date and that the serve config for the
-// corresponding ProxyGroup contains the Ingress backend's definition.
-// If a VIPService does not exist, it will be created.
-// If a VIPService exists, but only with owner references from other operator instances, an owner reference for this
-// operator instance is added.
-// If a VIPService exists, but does not have an owner reference from any operator, we error
-// out assuming that this is an owner reference created by an unknown actor.
-// Returns true if the operation resulted in a VIPService update.
-func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname string, ing *networkingv1.Ingress, logger *zap.SugaredLogger) (svcsChanged bool, err error) {
-	if err := validateIngressClass(ctx, r.Client); err != nil {
+// maybeProvision ensures that the VIPService and serve config for the Ingress are created or updated.
+func (a *IngressPGReconciler) maybeProvision(ctx context.Context, hostname string, ing *networkingv1.Ingress, logger *zap.SugaredLogger) error {
+	if err := validateIngressClass(ctx, a.Client); err != nil {
 		logger.Infof("error validating tailscale IngressClass: %v.", err)
-		return false, nil
+		return nil
 	}
+
 	// Get and validate ProxyGroup readiness
 	pgName := ing.Annotations[AnnotationProxyGroup]
 	if pgName == "" {
 		logger.Infof("[unexpected] no ProxyGroup annotation, skipping VIPService provisioning")
-		return false, nil
+		return nil
 	}
-	logger = logger.With("ProxyGroup", pgName)
-
 	pg := &tsapi.ProxyGroup{}
-	if err := r.Get(ctx, client.ObjectKey{Name: pgName}, pg); err != nil {
+	if err := a.Get(ctx, client.ObjectKey{Name: pgName}, pg); err != nil {
 		if apierrors.IsNotFound(err) {
 			logger.Infof("ProxyGroup %q does not exist", pgName)
-			return false, nil
+			return nil
 		}
-		return false, fmt.Errorf("getting ProxyGroup %q: %w", pgName, err)
+		return fmt.Errorf("getting ProxyGroup %q: %w", pgName, err)
 	}
 	if !tsoperator.ProxyGroupIsReady(pg) {
-		logger.Infof("ProxyGroup %q is not (yet) ready", pgName)
-		return false, nil
+		// TODO(irbekrm): we need to reconcile ProxyGroup Ingresses on ProxyGroup changes to not miss the status update
+		// in this case.
+		logger.Infof("ProxyGroup %q is not ready", pgName)
+		return nil
 	}

 	// Validate Ingress configuration
-	if err := r.validateIngress(ctx, ing, pg); err != nil {
+	if err := a.validateIngress(ing, pg); err != nil {
 		logger.Infof("invalid Ingress configuration: %v", err)
-		r.recorder.Event(ing, corev1.EventTypeWarning, "InvalidIngressConfiguration", err.Error())
-		return false, nil
+		a.recorder.Event(ing, corev1.EventTypeWarning, "InvalidIngressConfiguration", err.Error())
+		return nil
 	}

-	if !IsHTTPSEnabledOnTailnet(r.tsnetServer) {
-		r.recorder.Event(ing, corev1.EventTypeWarning, "HTTPSNotEnabled", "HTTPS is not enabled on the tailnet; ingress may not work")
+	if !IsHTTPSEnabledOnTailnet(a.tsnetServer) {
+		a.recorder.Event(ing, corev1.EventTypeWarning, "HTTPSNotEnabled", "HTTPS is not enabled on the tailnet; ingress may not work")
 	}

-	logger = logger.With("proxy-group", pg.Name)
+	logger = logger.With("proxy-group", pg)

 	if !slices.Contains(ing.Finalizers, FinalizerNamePG) {
 		// This log line is printed exactly once during initial provisioning,
@@ -184,78 +157,64 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 		// multi-reconcile operation is underway.
 		logger.Infof("exposing Ingress over tailscale")
 		ing.Finalizers = append(ing.Finalizers, FinalizerNamePG)
-		if err := r.Update(ctx, ing); err != nil {
-			return false, fmt.Errorf("failed to add finalizer: %w", err)
+		if err := a.Update(ctx, ing); err != nil {
+			return fmt.Errorf("failed to add finalizer: %w", err)
 		}
-		r.mu.Lock()
-		r.managedIngresses.Add(ing.UID)
-		gaugePGIngressResources.Set(int64(r.managedIngresses.Len()))
-		r.mu.Unlock()
+		a.mu.Lock()
+		a.managedIngresses.Add(ing.UID)
+		gaugePGIngressResources.Set(int64(a.managedIngresses.Len()))
+		a.mu.Unlock()
 	}

-	// 1. Ensure that if Ingress' hostname has changed, any VIPService
-	// resources corresponding to the old hostname are cleaned up.
-	// In practice, this function will ensure that any VIPServices that are
-	// associated with the provided ProxyGroup and no longer owned by an
-	// Ingress are cleaned up. This is fine- it is not expensive and ensures
-	// that in edge cases (a single update changed both hostname and removed
-	// ProxyGroup annotation) the VIPService is more likely to be
-	// (eventually) removed.
-	svcsChanged, err = r.maybeCleanupProxyGroup(ctx, pgName, logger)
-	if err != nil {
-		return false, fmt.Errorf("failed to cleanup VIPService resources for ProxyGroup: %w", err)
+	// 1. Ensure that if Ingress' hostname has changed, any VIPService resources corresponding to the old hostname
+	// are cleaned up.
+	// In practice, this function will ensure that any VIPServices that are associated with the provided ProxyGroup
+	// and no longer owned by an Ingress are cleaned up. This is fine- it is not expensive and ensures that in edge
+	// cases (a single update changed both hostname and removed ProxyGroup annotation) the VIPService is more likely
+	// to be (eventually) removed.
+	if err := a.maybeCleanupProxyGroup(ctx, pgName, logger); err != nil {
+		return fmt.Errorf("failed to cleanup VIPService resources for ProxyGroup: %w", err)
 	}

-	// 2. Ensure that there isn't a VIPService with the same hostname
-	// already created and not owned by this Ingress.
-	// TODO(irbekrm): perhaps in future we could have record names being
-	// stored on VIPServices. I am not certain if there might not be edge
-	// cases (custom domains, etc?) where attempting to determine the DNS
-	// name of the VIPService in this way won't be incorrect.
-	tcd, err := r.tailnetCertDomain(ctx)
+	// 2. Ensure that there isn't a VIPService with the same hostname already created and not owned by this Ingress.
+	// TODO(irbekrm): perhaps in future we could have record names being stored on VIPServices. I am not certain if
+	// there might not be edge cases (custom domains, etc?) where attempting to determine the DNS name of the
+	// VIPService in this way won't be incorrect.
+	tcd, err := a.tailnetCertDomain(ctx)
 	if err != nil {
-		return false, fmt.Errorf("error determining DNS name base: %w", err)
+		return fmt.Errorf("error determining DNS name base: %w", err)
 	}
 	dnsName := hostname + "." + tcd
 	serviceName := tailcfg.ServiceName("svc:" + hostname)
-	existingVIPSvc, err := r.tsClient.GetVIPService(ctx, serviceName)
-	// TODO(irbekrm): here and when creating the VIPService, verify if the
-	// error is not terminal (and therefore should not be reconciled). For
-	// example, if the hostname is already a hostname of a Tailscale node,
-	// the GET here will fail.
+	existingVIPSvc, err := a.tsClient.getVIPService(ctx, serviceName)
+	// TODO(irbekrm): here and when creating the VIPService, verify if the error is not terminal (and therefore
+	// should not be reconciled). For example, if the hostname is already a hostname of a Tailscale node, the GET
+	// here will fail.
 	if err != nil {
 		errResp := &tailscale.ErrResponse{}
 		if ok := errors.As(err, errResp); ok && errResp.Status != http.StatusNotFound {
-			return false, fmt.Errorf("error getting VIPService %q: %w", hostname, err)
+			return fmt.Errorf("error getting VIPService %q: %w", hostname, err)
 		}
 	}
-	// Generate the VIPService comment for new or existing VIPService. This
-	// checks and ensures that VIPService's owner references are updated for
-	// this Ingress and errors if that is not possible (i.e. because it
-	// appears that the VIPService has been created by a non-operator
-	// actor).
-	svcComment, err := r.ownerRefsComment(existingVIPSvc)
-	if err != nil {
-		const instr = "To proceed, you can either manually delete the existing VIPService or choose a different MagicDNS name at `.spec.tls.hosts[0] in the Ingress definition"
-		msg := fmt.Sprintf("error ensuring ownership of VIPService %s: %v. %s", hostname, err, instr)
-		logger.Warn(msg)
-		r.recorder.Event(ing, corev1.EventTypeWarning, "InvalidVIPService", msg)
-		return false, nil
+	if existingVIPSvc != nil && !isVIPServiceForIngress(existingVIPSvc, ing) {
+		logger.Infof("VIPService %q for MagicDNS name %q  already exists, but is not owned by this Ingress. Please delete it manually and recreate this Ingress to proceed or create an Ingress for a different MagicDNS name", hostname, dnsName)
+		a.recorder.Event(ing, corev1.EventTypeWarning, "ConflictingVIPServiceExists", fmt.Sprintf("VIPService %q for MagicDNS name %q already exists, but is not owned by this Ingress. Please delete it manually to proceed or create an Ingress for a different MagicDNS name", hostname, dnsName))
+		return nil
 	}

-	// 3. Ensure that the serve config for the ProxyGroup contains the VIPService.
-	cm, cfg, err := r.proxyGroupServeConfig(ctx, pgName)
+	// 3. Ensure that the serve config for the ProxyGroup contains the VIPService
+	cm, cfg, err := a.proxyGroupServeConfig(ctx, pgName)
 	if err != nil {
-		return false, fmt.Errorf("error getting Ingress serve config: %w", err)
+		return fmt.Errorf("error getting Ingress serve config: %w", err)
 	}
 	if cm == nil {
 		logger.Infof("no Ingress serve config ConfigMap found, unable to update serve config. Ensure that ProxyGroup is healthy.")
-		return svcsChanged, nil
+		return nil
 	}
 	ep := ipn.HostPort(fmt.Sprintf("%s:443", dnsName))
-	handlers, err := handlersForIngress(ctx, ing, r.Client, r.recorder, dnsName, logger)
+	handlers, err := handlersForIngress(ctx, ing, a.Client, a.recorder, dnsName, logger)
 	if err != nil {
-		return false, fmt.Errorf("failed to get handlers for Ingress: %w", err)
+		return fmt.Errorf("failed to get handlers for Ingress: %w", err)
 	}
 	ingCfg := &ipn.ServiceConfig{
 		TCP: map[uint16]*ipn.TCPPortHandler{
@@ -291,16 +250,16 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 		mak.Set(&cfg.Services, serviceName, ingCfg)
 		cfgBytes, err := json.Marshal(cfg)
 		if err != nil {
-			return false, fmt.Errorf("error marshaling serve config: %w", err)
+			return fmt.Errorf("error marshaling serve config: %w", err)
 		}
 		mak.Set(&cm.BinaryData, serveConfigKey, cfgBytes)
-		if err := r.Update(ctx, cm); err != nil {
-			return false, fmt.Errorf("error updating serve config: %w", err)
+		if err := a.Update(ctx, cm); err != nil {
+			return fmt.Errorf("error updating serve config: %w", err)
 		}
 	}

 	// 4. Ensure that the VIPService exists and is up to date.
-	tags := r.defaultTags
+	tags := a.defaultTags
 	if tstr, ok := ing.Annotations[AnnotationTags]; ok {
 		tags = strings.Split(tstr, ",")
 	}
@@ -310,37 +269,26 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 		vipPorts = append(vipPorts, "80")
 	}

-	vipSvc := &tailscale.VIPService{
+	vipSvc := &VIPService{
 		Name:    serviceName,
 		Tags:    tags,
 		Ports:   vipPorts,
-		Comment: svcComment,
+		Comment: fmt.Sprintf(VIPSvcOwnerRef, ing.UID),
 	}
 	if existingVIPSvc != nil {
 		vipSvc.Addrs = existingVIPSvc.Addrs
 	}
-	// TODO(irbekrm): right now if two Ingress resources attempt to apply different VIPService configs (different
-	// tags, or HTTP endpoint settings) we can end up reconciling those in a loop. We should detect when an Ingress
-	// with the same generation number has been reconciled ~more than N times and stop attempting to apply updates.
 	if existingVIPSvc == nil ||
 		!reflect.DeepEqual(vipSvc.Tags, existingVIPSvc.Tags) ||
-		!reflect.DeepEqual(vipSvc.Ports, existingVIPSvc.Ports) ||
-		!strings.EqualFold(vipSvc.Comment, existingVIPSvc.Comment) {
+		!reflect.DeepEqual(vipSvc.Ports, existingVIPSvc.Ports) {
 		logger.Infof("Ensuring VIPService %q exists and is up to date", hostname)
-		if err := r.tsClient.CreateOrUpdateVIPService(ctx, vipSvc); err != nil {
-			return false, fmt.Errorf("error creating VIPService: %w", err)
+		if err := a.tsClient.createOrUpdateVIPService(ctx, vipSvc); err != nil {
+			logger.Infof("error creating VIPService: %v", err)
+			return fmt.Errorf("error creating VIPService: %w", err)
 		}
 	}

-	// 5. Update tailscaled's AdvertiseServices config, which should add the VIPService
-	// IPs to the ProxyGroup Pods' AllowedIPs in the next netmap update if approved.
-	if err = r.maybeUpdateAdvertiseServicesConfig(ctx, pg.Name, serviceName, true, logger); err != nil {
-		return false, fmt.Errorf("failed to update tailscaled config: %w", err)
-	}
-
-	// TODO(irbekrm): check that the replicas are ready to route traffic for the VIPService before updating Ingress
-	// status.
-	// 6. Update Ingress status
+	// 5. Update Ingress status
 	oldStatus := ing.Status.DeepCopy()
 	ports := []networkingv1.IngressPortStatus{
 		{
@@ -361,29 +309,30 @@ func (r *HAIngressReconciler) maybeProvision(ctx context.Context, hostname strin
 		},
 	}
 	if apiequality.Semantic.DeepEqual(oldStatus, ing.Status) {
-		return svcsChanged, nil
+		return nil
 	}
-	if err := r.Status().Update(ctx, ing); err != nil {
-		return false, fmt.Errorf("failed to update Ingress status: %w", err)
+	if err := a.Status().Update(ctx, ing); err != nil {
+		return fmt.Errorf("failed to update Ingress status: %w", err)
 	}
-	return svcsChanged, nil
+	return nil
 }

-// VIPServices that are associated with the provided ProxyGroup and no longer managed this operator's instance are deleted, if not owned by other operator instances, else the owner reference is cleaned up.
-// Returns true if the operation resulted in existing VIPService updates (owner reference removal).
-func (r *HAIngressReconciler) maybeCleanupProxyGroup(ctx context.Context, proxyGroupName string, logger *zap.SugaredLogger) (svcsChanged bool, err error) {
+// maybeCleanupProxyGroup ensures that if an Ingress hostname has changed, any VIPService resources created for the
+// Ingress' ProxyGroup corresponding to the old hostname are cleaned up. A run of this function will ensure that any
+// VIPServices that are associated with the provided ProxyGroup and no longer owned by an Ingress are cleaned up.
+func (a *IngressPGReconciler) maybeCleanupProxyGroup(ctx context.Context, proxyGroupName string, logger *zap.SugaredLogger) error {
 	// Get serve config for the ProxyGroup
-	cm, cfg, err := r.proxyGroupServeConfig(ctx, proxyGroupName)
+	cm, cfg, err := a.proxyGroupServeConfig(ctx, proxyGroupName)
 	if err != nil {
-		return false, fmt.Errorf("getting serve config: %w", err)
+		return fmt.Errorf("getting serve config: %w", err)
 	}
 	if cfg == nil {
-		return false, nil // ProxyGroup does not have any VIPServices
+		return nil // ProxyGroup does not have any VIPServices
 	}

 	ingList := &networkingv1.IngressList{}
-	if err := r.List(ctx, ingList); err != nil {
-		return false, fmt.Errorf("listing Ingresses: %w", err)
+	if err := a.List(ctx, ingList); err != nil {
+		return fmt.Errorf("listing Ingresses: %w", err)
 	}
 	serveConfigChanged := false
 	// For each VIPService in serve config...
@@ -400,24 +349,25 @@ func (r *HAIngressReconciler) maybeCleanupProxyGroup(ctx context.Context, proxyG

 		if !found {
 			logger.Infof("VIPService %q is not owned by any Ingress, cleaning up", vipServiceName)
-
-			// Delete the VIPService from control if necessary.
-			svc, _ := r.tsClient.GetVIPService(ctx, vipServiceName)
-			if svc != nil && isVIPServiceForAnyIngress(svc) {
+			svc, err := a.getVIPService(ctx, vipServiceName, logger)
+			if err != nil {
+				errResp := &tailscale.ErrResponse{}
+				if errors.As(err, &errResp) && errResp.Status == http.StatusNotFound {
+					delete(cfg.Services, vipServiceName)
+					serveConfigChanged = true
+					continue
+				}
+				return err
+			}
+			if isVIPServiceForAnyIngress(svc) {
 				logger.Infof("cleaning up orphaned VIPService %q", vipServiceName)
-				svcsChanged, err = r.cleanupVIPService(ctx, vipServiceName, logger)
-				if err != nil {
+				if err := a.tsClient.deleteVIPService(ctx, vipServiceName); err != nil {
 					errResp := &tailscale.ErrResponse{}
 					if !errors.As(err, &errResp) || errResp.Status != http.StatusNotFound {
-						return false, fmt.Errorf("deleting VIPService %q: %w", vipServiceName, err)
+						return fmt.Errorf("deleting VIPService %q: %w", vipServiceName, err)
 					}
 				}
 			}
-
-			// Make sure the VIPService is not advertised in tailscaled or serve config.
-			if err = r.maybeUpdateAdvertiseServicesConfig(ctx, proxyGroupName, vipServiceName, false, logger); err != nil {
-				return false, fmt.Errorf("failed to update tailscaled config services: %w", err)
-			}
 			delete(cfg.Services, vipServiceName)
 			serveConfigChanged = true
 		}
@@ -426,81 +376,74 @@ func (r *HAIngressReconciler) maybeCleanupProxyGroup(ctx context.Context, proxyG
 	if serveConfigChanged {
 		cfgBytes, err := json.Marshal(cfg)
 		if err != nil {
-			return false, fmt.Errorf("marshaling serve config: %w", err)
+			return fmt.Errorf("marshaling serve config: %w", err)
 		}
 		mak.Set(&cm.BinaryData, serveConfigKey, cfgBytes)
-		if err := r.Update(ctx, cm); err != nil {
-			return false, fmt.Errorf("updating serve config: %w", err)
+		if err := a.Update(ctx, cm); err != nil {
+			return fmt.Errorf("updating serve config: %w", err)
 		}
 	}
-	return svcsChanged, nil
+	return nil
 }

 // maybeCleanup ensures that any resources, such as a VIPService created for this Ingress, are cleaned up when the
-// Ingress is being deleted or is unexposed. The cleanup is safe for a multi-cluster setup- the VIPService is only
-// deleted if it does not contain any other owner references. If it does the cleanup only removes the owner reference
-// corresponding to this Ingress.
-func (r *HAIngressReconciler) maybeCleanup(ctx context.Context, hostname string, ing *networkingv1.Ingress, logger *zap.SugaredLogger) (svcChanged bool, err error) {
+// Ingress is being deleted or is unexposed.
+func (a *IngressPGReconciler) maybeCleanup(ctx context.Context, hostname string, ing *networkingv1.Ingress, logger *zap.SugaredLogger) error {
 	logger.Debugf("Ensuring any resources for Ingress are cleaned up")
 	ix := slices.Index(ing.Finalizers, FinalizerNamePG)
 	if ix < 0 {
 		logger.Debugf("no finalizer, nothing to do")
-		return false, nil
+		a.mu.Lock()
+		defer a.mu.Unlock()
+		a.managedIngresses.Remove(ing.UID)
+		gaugePGIngressResources.Set(int64(a.managedIngresses.Len()))
+		return nil
+	}
+
+	// 1. Check if there is a VIPService created for this Ingress.
+	pg := ing.Annotations[AnnotationProxyGroup]
+	cm, cfg, err := a.proxyGroupServeConfig(ctx, pg)
+	if err != nil {
+		return fmt.Errorf("error getting ProxyGroup serve config: %w", err)
+	}
+	serviceName := tailcfg.ServiceName("svc:" + hostname)
+	// VIPService is always first added to serve config and only then created in the Tailscale API, so if it is not
+	// found in the serve config, we can assume that there is no VIPService. TODO(irbekrm): once we have ingress
+	// ProxyGroup, we will probably add currently exposed VIPServices to its status. At that point, we can use the
+	// status rather than checking the serve config each time.
+	if cfg == nil || cfg.Services == nil || cfg.Services[serviceName] == nil {
+		return nil
 	}
 	logger.Infof("Ensuring that VIPService %q configuration is cleaned up", hostname)

-	// Ensure that if cleanup succeeded Ingress finalizers are removed.
-	defer func() {
-		if err != nil {
-			return
-		}
-		if e := r.deleteFinalizer(ctx, ing, logger); err != nil {
-			err = errors.Join(err, e)
-		}
-	}()
-
-	// 1. Check if there is a VIPService associated with this Ingress.
-	pg := ing.Annotations[AnnotationProxyGroup]
-	cm, cfg, err := r.proxyGroupServeConfig(ctx, pg)
-	if err != nil {
-		return false, fmt.Errorf("error getting ProxyGroup serve config: %w", err)
-	}
-	serviceName := tailcfg.ServiceName("svc:" + hostname)
-
-	// VIPService is always first added to serve config and only then created in the Tailscale API, so if it is not
-	// found in the serve config, we can assume that there is no VIPService. (If the serve config does not exist at
-	// all, it is possible that the ProxyGroup has been deleted before cleaning up the Ingress, so carry on with
-	// cleanup).
-	if cfg != nil && cfg.Services != nil && cfg.Services[serviceName] == nil {
-		return false, nil
+	// 2. Delete the VIPService.
+	if err := a.deleteVIPServiceIfExists(ctx, serviceName, ing, logger); err != nil {
+		return fmt.Errorf("error deleting VIPService: %w", err)
 	}

-	// 2. Clean up the VIPService resources.
-	svcChanged, err = r.cleanupVIPService(ctx, serviceName, logger)
-	if err != nil {
-		return false, fmt.Errorf("error deleting VIPService: %w", err)
-	}
-	if cfg == nil || cfg.Services == nil { // user probably deleted the ProxyGroup
-		return svcChanged, nil
-	}
-
-	// 3. Unadvertise the VIPService in tailscaled config.
-	if err = r.maybeUpdateAdvertiseServicesConfig(ctx, pg, serviceName, false, logger); err != nil {
-		return false, fmt.Errorf("failed to update tailscaled config services: %w", err)
-	}
-
-	// 4. Remove the VIPService from the serve config for the ProxyGroup.
+	// 3. Remove the VIPService from the serve config for the ProxyGroup.
 	logger.Infof("Removing VIPService %q from serve config for ProxyGroup %q", hostname, pg)
 	delete(cfg.Services, serviceName)
 	cfgBytes, err := json.Marshal(cfg)
 	if err != nil {
-		return false, fmt.Errorf("error marshaling serve config: %w", err)
+		return fmt.Errorf("error marshaling serve config: %w", err)
 	}
 	mak.Set(&cm.BinaryData, serveConfigKey, cfgBytes)
-	return svcChanged, r.Update(ctx, cm)
+	if err := a.Update(ctx, cm); err != nil {
+		return fmt.Errorf("error updating ConfigMap %q: %w", cm.Name, err)
+	}
+
+	if err := a.deleteFinalizer(ctx, ing, logger); err != nil {
+		return fmt.Errorf("failed to remove finalizer: %w", err)
+	}
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	a.managedIngresses.Remove(ing.UID)
+	gaugePGIngressResources.Set(int64(a.managedIngresses.Len()))
+	return nil
 }

-func (r *HAIngressReconciler) deleteFinalizer(ctx context.Context, ing *networkingv1.Ingress, logger *zap.SugaredLogger) error {
+func (a *IngressPGReconciler) deleteFinalizer(ctx context.Context, ing *networkingv1.Ingress, logger *zap.SugaredLogger) error {
 	found := false
 	ing.Finalizers = slices.DeleteFunc(ing.Finalizers, func(f string) bool {
 		found = true
@@ -511,13 +454,9 @@ func (r *HAIngressReconciler) deleteFinalizer(ctx context.Context, ing *networki
 	}
 	logger.Debug("ensure %q finalizer is removed", FinalizerNamePG)

-	if err := r.Update(ctx, ing); err != nil {
+	if err := a.Update(ctx, ing); err != nil {
 		return fmt.Errorf("failed to remove finalizer %q: %w", FinalizerNamePG, err)
 	}
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	r.managedIngresses.Remove(ing.UID)
-	gaugePGIngressResources.Set(int64(r.managedIngresses.Len()))
 	return nil
 }

@@ -525,15 +464,15 @@ func pgIngressCMName(pg string) string {
 	return fmt.Sprintf("%s-ingress-config", pg)
 }

-func (r *HAIngressReconciler) proxyGroupServeConfig(ctx context.Context, pg string) (cm *corev1.ConfigMap, cfg *ipn.ServeConfig, err error) {
+func (a *IngressPGReconciler) proxyGroupServeConfig(ctx context.Context, pg string) (cm *corev1.ConfigMap, cfg *ipn.ServeConfig, err error) {
 	name := pgIngressCMName(pg)
 	cm = &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: r.tsNamespace,
+			Namespace: a.tsNamespace,
 		},
 	}
-	if err := r.Get(ctx, client.ObjectKeyFromObject(cm), cm); err != nil && !apierrors.IsNotFound(err) {
+	if err := a.Get(ctx, client.ObjectKeyFromObject(cm), cm); err != nil && !apierrors.IsNotFound(err) {
 		return nil, nil, fmt.Errorf("error retrieving ingress serve config ConfigMap %s: %v", name, err)
 	}
 	if apierrors.IsNotFound(err) {
@@ -553,16 +492,16 @@ type localClient interface {
 }

 // tailnetCertDomain returns the base domain (TCD) of the current tailnet.
-func (r *HAIngressReconciler) tailnetCertDomain(ctx context.Context) (string, error) {
-	st, err := r.lc.StatusWithoutPeers(ctx)
+func (a *IngressPGReconciler) tailnetCertDomain(ctx context.Context) (string, error) {
+	st, err := a.lc.StatusWithoutPeers(ctx)
 	if err != nil {
 		return "", fmt.Errorf("error getting tailscale status: %w", err)
 	}
 	return st.CurrentTailnet.MagicDNSSuffix, nil
 }

-// shouldExpose returns true if the Ingress should be exposed over Tailscale in HA mode (on a ProxyGroup).
-func (r *HAIngressReconciler) shouldExpose(ing *networkingv1.Ingress) bool {
+// shouldExpose returns true if the Ingress should be exposed over Tailscale in HA mode (on a ProxyGroup)
+func (a *IngressPGReconciler) shouldExpose(ing *networkingv1.Ingress) bool {
 	isTSIngress := ing != nil &&
 		ing.Spec.IngressClassName != nil &&
 		*ing.Spec.IngressClassName == tailscaleIngressClassName
@@ -570,7 +509,26 @@ func (r *HAIngressReconciler) shouldExpose(ing *networkingv1.Ingress) bool {
 	return isTSIngress && pgAnnot != ""
 }

-func isVIPServiceForAnyIngress(svc *tailscale.VIPService) bool {
+func (a *IngressPGReconciler) getVIPService(ctx context.Context, name tailcfg.ServiceName, logger *zap.SugaredLogger) (*VIPService, error) {
+	svc, err := a.tsClient.getVIPService(ctx, name)
+	if err != nil {
+		errResp := &tailscale.ErrResponse{}
+		if ok := errors.As(err, errResp); ok && errResp.Status != http.StatusNotFound {
+			logger.Infof("error getting VIPService %q: %v", name, err)
+			return nil, fmt.Errorf("error getting VIPService %q: %w", name, err)
+		}
+	}
+	return svc, nil
+}
+
+func isVIPServiceForIngress(svc *VIPService, ing *networkingv1.Ingress) bool {
+	if svc == nil || ing == nil {
+		return false
+	}
+	return strings.EqualFold(svc.Comment, fmt.Sprintf(VIPSvcOwnerRef, ing.UID))
+}
+
+func isVIPServiceForAnyIngress(svc *VIPService) bool {
 	if svc == nil {
 		return false
 	}
@@ -583,7 +541,7 @@ func isVIPServiceForAnyIngress(svc *tailscale.VIPService) bool {
 // - The derived hostname is a valid DNS label
 // - The referenced ProxyGroup exists and is of type 'ingress'
 // - Ingress' TLS block is invalid
-func (r *HAIngressReconciler) validateIngress(ctx context.Context, ing *networkingv1.Ingress, pg *tsapi.ProxyGroup) error {
+func (a *IngressPGReconciler) validateIngress(ing *networkingv1.Ingress, pg *tsapi.ProxyGroup) error {
 	var errs []error

 	// Validate tags if present
@@ -619,66 +577,26 @@ func (r *HAIngressReconciler) validateIngress(ctx context.Context, ing *networki
 		errs = append(errs, fmt.Errorf("ProxyGroup %q is not ready", pg.Name))
 	}

-	// It is invalid to have multiple Ingress resources for the same VIPService in one cluster.
-	ingList := &networkingv1.IngressList{}
-	if err := r.List(ctx, ingList); err != nil {
-		errs = append(errs, fmt.Errorf("[unexpected] error listing Ingresses: %w", err))
-		return errors.Join(errs...)
-	}
-	for _, i := range ingList.Items {
-		if r.shouldExpose(&i) && hostnameForIngress(&i) == hostname && i.Name != ing.Name {
-			errs = append(errs, fmt.Errorf("found duplicate Ingress %q for hostname %q - multiple Ingresses for the same hostname in the same cluster are not allowed", i.Name, hostname))
-		}
-	}
 	return errors.Join(errs...)
 }

-// cleanupVIPService deletes any VIPService by the provided name if it is not owned by operator instances other than this one.
-// If a VIPService is found, but contains other owner references, only removes this operator's owner reference.
-// If a VIPService by the given name is not found or does not contain this operator's owner reference, do nothing.
-// It returns true if an existing VIPService was updated to remove owner reference, as well as any error that occurred.
-func (r *HAIngressReconciler) cleanupVIPService(ctx context.Context, name tailcfg.ServiceName, logger *zap.SugaredLogger) (updated bool, _ error) {
-	svc, err := r.tsClient.GetVIPService(ctx, name)
+// deleteVIPServiceIfExists attempts to delete the VIPService if it exists and is owned by the given Ingress.
+func (a *IngressPGReconciler) deleteVIPServiceIfExists(ctx context.Context, name tailcfg.ServiceName, ing *networkingv1.Ingress, logger *zap.SugaredLogger) error {
+	svc, err := a.getVIPService(ctx, name, logger)
 	if err != nil {
-		errResp := &tailscale.ErrResponse{}
-		if ok := errors.As(err, errResp); ok && errResp.Status == http.StatusNotFound {
-			return false, nil
-		}
+		return fmt.Errorf("error getting VIPService: %w", err)
+	}

-		return false, fmt.Errorf("error getting VIPService: %w", err)
+	// isVIPServiceForIngress handles nil svc, so we don't need to check it here
+	if !isVIPServiceForIngress(svc, ing) {
+		return nil
 	}
-	if svc == nil {
-		return false, nil
-	}
-	c, err := parseComment(svc)
-	if err != nil {
-		return false, fmt.Errorf("error parsing VIPService comment")
-	}
-	if c == nil || len(c.OwnerRefs) == 0 {
-		return false, nil
-	}
-	// Comparing with the operatorID only means that we will not be able to
-	// clean up VIPServices in cases where the operator was deleted from the
-	// cluster before deleting the Ingress. Perhaps the comparison could be
-	// 'if or.OperatorID === r.operatorID || or.ingressUID == r.ingressUID'.
-	ix := slices.IndexFunc(c.OwnerRefs, func(or OwnerRef) bool {
-		return or.OperatorID == r.operatorID
-	})
-	if ix == -1 {
-		return false, nil
-	}
-	if len(c.OwnerRefs) == 1 {
-		logger.Infof("Deleting VIPService %q", name)
-		return false, r.tsClient.DeleteVIPService(ctx, name)
-	}
-	c.OwnerRefs = slices.Delete(c.OwnerRefs, ix, ix+1)
+
 	logger.Infof("Deleting VIPService %q", name)
-	json, err := json.Marshal(c)
-	if err != nil {
-		return false, fmt.Errorf("error marshalling updated VIPService owner reference: %w", err)
+	if err = a.tsClient.deleteVIPService(ctx, name); err != nil {
+		return fmt.Errorf("error deleting VIPService: %w", err)
 	}
-	svc.Comment = string(json)
-	return true, r.tsClient.CreateOrUpdateVIPService(ctx, svc)
+	return nil
 }

 // isHTTPEndpointEnabled returns true if the Ingress has been configured to expose an HTTP endpoint to tailnet.
@@ -688,126 +606,3 @@ func isHTTPEndpointEnabled(ing *networkingv1.Ingress) bool {
 	}
 	return ing.Annotations[annotationHTTPEndpoint] == "enabled"
 }
-
-func (a *HAIngressReconciler) maybeUpdateAdvertiseServicesConfig(ctx context.Context, pgName string, serviceName tailcfg.ServiceName, shouldBeAdvertised bool, logger *zap.SugaredLogger) (err error) {
-	logger.Debugf("Updating ProxyGroup tailscaled configs to advertise service %q: %v", serviceName, shouldBeAdvertised)
-
-	// Get all config Secrets for this ProxyGroup.
-	secrets := &corev1.SecretList{}
-	if err := a.List(ctx, secrets, client.InNamespace(a.tsNamespace), client.MatchingLabels(pgSecretLabels(pgName, "config"))); err != nil {
-		return fmt.Errorf("failed to list config Secrets: %w", err)
-	}
-
-	for _, secret := range secrets.Items {
-		var updated bool
-		for fileName, confB := range secret.Data {
-			var conf ipn.ConfigVAlpha
-			if err := json.Unmarshal(confB, &conf); err != nil {
-				return fmt.Errorf("error unmarshalling ProxyGroup config: %w", err)
-			}
-
-			// Update the services to advertise if required.
-			idx := slices.Index(conf.AdvertiseServices, serviceName.String())
-			isAdvertised := idx >= 0
-			switch {
-			case isAdvertised == shouldBeAdvertised:
-				// Already up to date.
-				continue
-			case isAdvertised:
-				// Needs to be removed.
-				conf.AdvertiseServices = slices.Delete(conf.AdvertiseServices, idx, idx+1)
-			case shouldBeAdvertised:
-				// Needs to be added.
-				conf.AdvertiseServices = append(conf.AdvertiseServices, serviceName.String())
-			}
-
-			// Update the Secret.
-			confB, err := json.Marshal(conf)
-			if err != nil {
-				return fmt.Errorf("error marshalling ProxyGroup config: %w", err)
-			}
-			mak.Set(&secret.Data, fileName, confB)
-			updated = true
-		}
-
-		if updated {
-			if err := a.Update(ctx, &secret); err != nil {
-				return fmt.Errorf("error updating ProxyGroup config Secret: %w", err)
-			}
-		}
-	}
-
-	return nil
-}
-
-// OwnerRef is an owner reference that uniquely identifies a Tailscale
-// Kubernetes operator instance.
-type OwnerRef struct {
-	// OperatorID is the stable ID of the operator's Tailscale device.
-	OperatorID string `json:"operatorID,omitempty"`
-}
-
-// comment is the content of the VIPService.Comment field.
-type comment struct {
-	// OwnerRefs is a list of owner references that identify all operator
-	// instances that manage this VIPService.
-	OwnerRefs []OwnerRef `json:"ownerRefs,omitempty"`
-}
-
-// ownerRefsComment return VIPService Comment that includes owner reference for this
-// operator instance for the provided VIPService. If the VIPService is nil, a
-// new comment with owner ref is returned. If the VIPService is not nil, the
-// existing comment is returned with the owner reference added, if not already
-// present. If the VIPService is not nil, but does not contain a comment we
-// return an error as this likely means that the VIPService was created by
-// somthing other than a Tailscale Kubernetes operator.
-func (r *HAIngressReconciler) ownerRefsComment(svc *tailscale.VIPService) (string, error) {
-	ref := OwnerRef{
-		OperatorID: r.operatorID,
-	}
-	if svc == nil {
-		c := &comment{OwnerRefs: []OwnerRef{ref}}
-		json, err := json.Marshal(c)
-		if err != nil {
-			return "", fmt.Errorf("[unexpected] unable to marshal VIPService comment contents: %w, please report this", err)
-		}
-		return string(json), nil
-	}
-	c, err := parseComment(svc)
-	if err != nil {
-		return "", fmt.Errorf("error parsing existing VIPService comment: %w", err)
-	}
-	if c == nil || len(c.OwnerRefs) == 0 {
-		return "", fmt.Errorf("VIPService %s exists, but does not contain Comment field with owner references- not proceeding as this is likely a resource created by something other than a Tailscale Kubernetes Operator", svc.Name)
-	}
-	if slices.Contains(c.OwnerRefs, ref) { // up to date
-		return svc.Comment, nil
-	}
-	c.OwnerRefs = append(c.OwnerRefs, ref)
-	json, err := json.Marshal(c)
-	if err != nil {
-		return "", fmt.Errorf("error marshalling updated owner references: %w", err)
-	}
-	return string(json), nil
-}
-
-// parseComment returns VIPService comment or nil if none found or not matching the expected format.
-func parseComment(vipSvc *tailscale.VIPService) (*comment, error) {
-	if vipSvc.Comment == "" {
-		return nil, nil
-	}
-	c := &comment{}
-	if err := json.Unmarshal([]byte(vipSvc.Comment), c); err != nil {
-		return nil, fmt.Errorf("error parsing VIPService Comment field %q: %w", vipSvc.Comment, err)
-	}
-	return c, nil
-}
-
-// requeueInterval returns a time duration between 5 and 10 minutes, which is
-// the period of time after which an HA Ingress, whose VIPService has been newly
-// created or changed, needs to be requeued. This is to protect against
-// VIPService owner references being overwritten as a result of concurrent
-// updates during multi-clutster Ingress create/update operations.
-func requeueInterval() time.Duration {
-	return time.Duration(rand.N(5)+5) * time.Minute
-}
--- a/cmd/k8s-operator/ingress-for-pg_test.go
+++ b/cmd/k8s-operator/ingress-for-pg_test.go
@@ -8,7 +8,6 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"maps"
 	"reflect"
 	"testing"
@@ -23,10 +22,8 @@ import (
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-	"tailscale.com/internal/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
-	tsoperator "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/ptr"
@@ -66,7 +63,6 @@ func TestIngressPGReconciler(t *testing.T) {
 	expectReconciled(t, ingPGR, "default", "test-ingress")
 	verifyServeConfig(t, fc, "svc:my-svc", false)
 	verifyVIPService(t, ft, "svc:my-svc", []string{"443"})
-	verifyTailscaledConfig(t, fc, []string{"svc:my-svc"})

 	mustUpdate(t, fc, "default", "test-ingress", func(ing *networkingv1.Ingress) {
 		ing.Annotations["tailscale.com/tags"] = "tag:custom,tag:test"
@@ -74,7 +70,7 @@ func TestIngressPGReconciler(t *testing.T) {
 	expectReconciled(t, ingPGR, "default", "test-ingress")

 	// Verify VIPService uses custom tags
-	vipSvc, err := ft.GetVIPService(context.Background(), "svc:my-svc")
+	vipSvc, err := ft.getVIPService(context.Background(), "svc:my-svc")
 	if err != nil {
 		t.Fatalf("getting VIPService: %v", err)
 	}
@@ -126,8 +122,6 @@ func TestIngressPGReconciler(t *testing.T) {
 	verifyServeConfig(t, fc, "svc:my-svc", false)
 	verifyVIPService(t, ft, "svc:my-svc", []string{"443"})

-	verifyTailscaledConfig(t, fc, []string{"svc:my-svc", "svc:my-other-svc"})
-
 	// Delete second Ingress
 	if err := fc.Delete(context.Background(), ing2); err != nil {
 		t.Fatalf("deleting second Ingress: %v", err)
@@ -157,8 +151,6 @@ func TestIngressPGReconciler(t *testing.T) {
 		t.Error("second Ingress service config was not cleaned up")
 	}

-	verifyTailscaledConfig(t, fc, []string{"svc:my-svc"})
-
 	// Delete the first Ingress and verify cleanup
 	if err := fc.Delete(context.Background(), ing); err != nil {
 		t.Fatalf("deleting Ingress: %v", err)
@@ -183,7 +175,6 @@ func TestIngressPGReconciler(t *testing.T) {
 	if len(cfg.Services) > 0 {
 		t.Error("serve config not cleaned up")
 	}
-	verifyTailscaledConfig(t, fc, nil)
 }

 func TestValidateIngress(t *testing.T) {
@@ -191,15 +182,6 @@ func TestValidateIngress(t *testing.T) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-ingress",
 			Namespace: "default",
-			Annotations: map[string]string{
-				AnnotationProxyGroup: "test-pg",
-			},
-		},
-		Spec: networkingv1.IngressSpec{
-			IngressClassName: ptr.To("tailscale"),
-			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"test"}},
-			},
 		},
 	}

@@ -223,11 +205,10 @@ func TestValidateIngress(t *testing.T) {
 	}

 	tests := []struct {
-		name         string
-		ing          *networkingv1.Ingress
-		pg           *tsapi.ProxyGroup
-		existingIngs []networkingv1.Ingress
-		wantErr      string
+		name    string
+		ing     *networkingv1.Ingress
+		pg      *tsapi.ProxyGroup
+		wantErr string
 	}{
 		{
 			name: "valid_ingress_with_hostname",
@@ -317,38 +298,12 @@ func TestValidateIngress(t *testing.T) {
 			},
 			wantErr: "ProxyGroup \"test-pg\" is not ready",
 		},
-		{
-			name: "duplicate_hostname",
-			ing:  baseIngress,
-			pg:   readyProxyGroup,
-			existingIngs: []networkingv1.Ingress{{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "existing-ingress",
-					Namespace: "default",
-					Annotations: map[string]string{
-						AnnotationProxyGroup: "test-pg",
-					},
-				},
-				Spec: networkingv1.IngressSpec{
-					IngressClassName: ptr.To("tailscale"),
-					TLS: []networkingv1.IngressTLS{
-						{Hosts: []string{"test"}},
-					},
-				},
-			}},
-			wantErr: `found duplicate Ingress "existing-ingress" for hostname "test" - multiple Ingresses for the same hostname in the same cluster are not allowed`,
-		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			fc := fake.NewClientBuilder().
-				WithScheme(tsapi.GlobalScheme).
-				WithObjects(tt.ing).
-				WithLists(&networkingv1.IngressList{Items: tt.existingIngs}).
-				Build()
-			r := &HAIngressReconciler{Client: fc}
-			err := r.validateIngress(context.Background(), tt.ing, tt.pg)
+			r := &IngressPGReconciler{}
+			err := r.validateIngress(tt.ing, tt.pg)
 			if (err == nil && tt.wantErr != "") || (err != nil && err.Error() != tt.wantErr) {
 				t.Errorf("validateIngress() error = %v, wantErr %v", err, tt.wantErr)
 			}
@@ -443,7 +398,7 @@ func TestIngressPGReconciler_HTTPEndpoint(t *testing.T) {

 func verifyVIPService(t *testing.T, ft *fakeTSClient, serviceName string, wantPorts []string) {
 	t.Helper()
-	vipSvc, err := ft.GetVIPService(context.Background(), tailcfg.ServiceName(serviceName))
+	vipSvc, err := ft.getVIPService(context.Background(), tailcfg.ServiceName(serviceName))
 	if err != nil {
 		t.Fatalf("getting VIPService %q: %v", serviceName, err)
 	}
@@ -509,28 +464,8 @@ func verifyServeConfig(t *testing.T, fc client.Client, serviceName string, wantH
 	}
 }

-func verifyTailscaledConfig(t *testing.T, fc client.Client, expectedServices []string) {
-	var expected string
-	if expectedServices != nil {
-		expectedServicesJSON, err := json.Marshal(expectedServices)
-		if err != nil {
-			t.Fatalf("marshaling expected services: %v", err)
-		}
-		expected = fmt.Sprintf(`,"AdvertiseServices":%s`, expectedServicesJSON)
-	}
-	expectEqual(t, fc, &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      pgConfigSecretName("test-pg", 0),
-			Namespace: "operator-ns",
-			Labels:    pgSecretLabels("test-pg", "config"),
-		},
-		Data: map[string][]byte{
-			tsoperator.TailscaledConfigFileName(106): []byte(fmt.Sprintf(`{"Version":""%s}`, expected)),
-		},
-	})
-}
-
-func setupIngressTest(t *testing.T) (*HAIngressReconciler, client.Client, *fakeTSClient) {
+func setupIngressTest(t *testing.T) (*IngressPGReconciler, client.Client, *fakeTSClient) {
+	t.Helper()

 	tsIngressClass := &networkingv1.IngressClass{
 		ObjectMeta: metav1.ObjectMeta{Name: "tailscale"},
@@ -559,21 +494,9 @@ func setupIngressTest(t *testing.T) (*HAIngressReconciler, client.Client, *fakeT
 		},
 	}

-	// Pre-create a config Secret for the ProxyGroup
-	pgCfgSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      pgConfigSecretName("test-pg", 0),
-			Namespace: "operator-ns",
-			Labels:    pgSecretLabels("test-pg", "config"),
-		},
-		Data: map[string][]byte{
-			tsoperator.TailscaledConfigFileName(106): []byte("{}"),
-		},
-	}
-
 	fc := fake.NewClientBuilder().
 		WithScheme(tsapi.GlobalScheme).
-		WithObjects(pg, pgCfgSecret, pgConfigMap, tsIngressClass).
+		WithObjects(pg, pgConfigMap, tsIngressClass).
 		WithStatusSubresource(pg).
 		Build()

@@ -588,9 +511,9 @@ func setupIngressTest(t *testing.T) (*HAIngressReconciler, client.Client, *fakeT
 	if err := fc.Status().Update(context.Background(), pg); err != nil {
 		t.Fatal(err)
 	}
-	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}

 	ft := &fakeTSClient{}
+	fakeTsnetServer := &fakeTSNetServer{certDomains: []string{"foo.com"}}
 	zl, err := zap.NewDevelopment()
 	if err != nil {
 		t.Fatal(err)
@@ -604,12 +527,12 @@ func setupIngressTest(t *testing.T) (*HAIngressReconciler, client.Client, *fakeT
 		},
 	}

-	ingPGR := &HAIngressReconciler{
+	ingPGR := &IngressPGReconciler{
 		Client:      fc,
 		tsClient:    ft,
+		tsnetServer: fakeTsnetServer,
 		defaultTags: []string{"tag:k8s"},
 		tsNamespace: "operator-ns",
-		tsnetServer: fakeTsnetServer,
 		logger:      zl.Sugar(),
 		recorder:    record.NewFakeRecorder(10),
 		lc:          lc,
@@ -617,87 +540,3 @@ func setupIngressTest(t *testing.T) (*HAIngressReconciler, client.Client, *fakeT

 	return ingPGR, fc, ft
 }
-
-func TestIngressPGReconciler_MultiCluster(t *testing.T) {
-	ingPGR, fc, ft := setupIngressTest(t)
-	ingPGR.operatorID = "operator-1"
-
-	// Create initial Ingress
-	ing := &networkingv1.Ingress{
-		TypeMeta: metav1.TypeMeta{Kind: "Ingress", APIVersion: "networking.k8s.io/v1"},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-ingress",
-			Namespace: "default",
-			UID:       types.UID("1234-UID"),
-			Annotations: map[string]string{
-				"tailscale.com/proxy-group": "test-pg",
-			},
-		},
-		Spec: networkingv1.IngressSpec{
-			IngressClassName: ptr.To("tailscale"),
-			TLS: []networkingv1.IngressTLS{
-				{Hosts: []string{"my-svc"}},
-			},
-		},
-	}
-	mustCreate(t, fc, ing)
-
-	// Simulate existing VIPService from another cluster
-	existingVIPSvc := &tailscale.VIPService{
-		Name:    "svc:my-svc",
-		Comment: `{"ownerrefs":[{"operatorID":"operator-2"}]}`,
-	}
-	ft.vipServices = map[tailcfg.ServiceName]*tailscale.VIPService{
-		"svc:my-svc": existingVIPSvc,
-	}
-
-	// Verify reconciliation adds our operator reference
-	expectReconciled(t, ingPGR, "default", "test-ingress")
-
-	vipSvc, err := ft.GetVIPService(context.Background(), "svc:my-svc")
-	if err != nil {
-		t.Fatalf("getting VIPService: %v", err)
-	}
-	if vipSvc == nil {
-		t.Fatal("VIPService not found")
-	}
-
-	c := &comment{}
-	if err := json.Unmarshal([]byte(vipSvc.Comment), c); err != nil {
-		t.Fatalf("parsing comment: %v", err)
-	}
-
-	wantOwnerRefs := []OwnerRef{
-		{OperatorID: "operator-2"},
-		{OperatorID: "operator-1"},
-	}
-	if !reflect.DeepEqual(c.OwnerRefs, wantOwnerRefs) {
-		t.Errorf("incorrect owner refs\ngot:  %+v\nwant: %+v", c.OwnerRefs, wantOwnerRefs)
-	}
-
-	// Delete the Ingress and verify VIPService still exists with one owner ref
-	if err := fc.Delete(context.Background(), ing); err != nil {
-		t.Fatalf("deleting Ingress: %v", err)
-	}
-	expectRequeue(t, ingPGR, "default", "test-ingress")
-
-	vipSvc, err = ft.GetVIPService(context.Background(), "svc:my-svc")
-	if err != nil {
-		t.Fatalf("getting VIPService after deletion: %v", err)
-	}
-	if vipSvc == nil {
-		t.Fatal("VIPService was incorrectly deleted")
-	}
-
-	c = &comment{}
-	if err := json.Unmarshal([]byte(vipSvc.Comment), c); err != nil {
-		t.Fatalf("parsing comment after deletion: %v", err)
-	}
-
-	wantOwnerRefs = []OwnerRef{
-		{OperatorID: "operator-2"},
-	}
-	if !reflect.DeepEqual(c.OwnerRefs, wantOwnerRefs) {
-		t.Errorf("incorrect owner refs after deletion\ngot:  %+v\nwant: %+v", c.OwnerRefs, wantOwnerRefs)
-	}
-}
--- a/cmd/k8s-operator/ingress.go
+++ b/cmd/k8s-operator/ingress.go
@@ -73,7 +73,6 @@ func (a *IngressReconciler) Reconcile(ctx context.Context, req reconcile.Request
 		return reconcile.Result{}, fmt.Errorf("failed to get ing: %w", err)
 	}
 	if !ing.DeletionTimestamp.IsZero() || !a.shouldExpose(ing) {
-		// TODO(irbekrm): this message is confusing if the Ingress is an HA Ingress
 		logger.Debugf("ingress is being deleted or should not be exposed, cleaning up")
 		return reconcile.Result{}, a.maybeCleanup(ctx, logger, ing)
 	}
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -9,7 +9,6 @@ package main

 import (
 	"context"
-	"fmt"
 	"net/http"
 	"os"
 	"regexp"
@@ -40,7 +39,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"tailscale.com/client/local"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
@@ -337,10 +335,6 @@ func runReconcilers(opts reconcilerOpts) {
 	if err != nil {
 		startlog.Fatalf("could not get local client: %v", err)
 	}
-	id, err := id(context.Background(), lc)
-	if err != nil {
-		startlog.Fatalf("error determining stable ID of the operator's Tailscale device: %v", err)
-	}
 	ingressProxyGroupFilter := handler.EnqueueRequestsFromMapFunc(ingressesFromIngressProxyGroup(mgr.GetClient(), opts.log))
 	err = builder.
 		ControllerManagedBy(mgr).
@@ -348,7 +342,7 @@ func runReconcilers(opts reconcilerOpts) {
 		Named("ingress-pg-reconciler").
 		Watches(&corev1.Service{}, handler.EnqueueRequestsFromMapFunc(serviceHandlerForIngressPG(mgr.GetClient(), startlog))).
 		Watches(&tsapi.ProxyGroup{}, ingressProxyGroupFilter).
-		Complete(&HAIngressReconciler{
+		Complete(&IngressPGReconciler{
 			recorder:    eventRecorder,
 			tsClient:    opts.tsClient,
 			tsnetServer: opts.tsServer,
@@ -356,7 +350,6 @@ func runReconcilers(opts reconcilerOpts) {
 			Client:      mgr.GetClient(),
 			logger:      opts.log.Named("ingress-pg-reconciler"),
 			lc:          lc,
-			operatorID:  id,
 			tsNamespace: opts.tailscaleNamespace,
 		})
 	if err != nil {
@@ -1269,14 +1262,3 @@ func hasProxyGroupAnnotation(obj client.Object) bool {
 	ing := obj.(*networkingv1.Ingress)
 	return ing.Annotations[AnnotationProxyGroup] != ""
 }
-
-func id(ctx context.Context, lc *local.Client) (string, error) {
-	st, err := lc.StatusWithoutPeers(ctx)
-	if err != nil {
-		return "", fmt.Errorf("error getting tailscale status: %w", err)
-	}
-	if st.Self == nil {
-		return "", fmt.Errorf("unexpected: device's status does not contain node's metadata")
-	}
-	return string(st.Self.ID), nil
-}
--- a/cmd/k8s-operator/proxygroup.go
+++ b/cmd/k8s-operator/proxygroup.go
@@ -452,7 +452,7 @@ func (r *ProxyGroupReconciler) ensureConfigSecretsCreated(ctx context.Context, p
 	for i := range pgReplicas(pg) {
 		cfgSecret := &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:            pgConfigSecretName(pg.Name, i),
+				Name:            fmt.Sprintf("%s-%d-config", pg.Name, i),
 				Namespace:       r.tsNamespace,
 				Labels:          pgSecretLabels(pg.Name, "config"),
 				OwnerReferences: pgOwnerReference(pg),
@@ -596,35 +596,10 @@ func pgTailscaledConfig(pg *tsapi.ProxyGroup, class *tsapi.ProxyClass, idx int32
 		conf.AuthKey = key
 	}
 	capVerConfigs := make(map[tailcfg.CapabilityVersion]ipn.ConfigVAlpha)
-
-	// AdvertiseServices config is set by ingress-pg-reconciler, so make sure we
-	// don't overwrite it here.
-	if err := copyAdvertiseServicesConfig(conf, oldSecret, 106); err != nil {
-		return nil, err
-	}
 	capVerConfigs[106] = *conf
 	return capVerConfigs, nil
 }

-func copyAdvertiseServicesConfig(conf *ipn.ConfigVAlpha, oldSecret *corev1.Secret, capVer tailcfg.CapabilityVersion) error {
-	if oldSecret == nil {
-		return nil
-	}
-
-	oldConfB := oldSecret.Data[tsoperator.TailscaledConfigFileName(capVer)]
-	if len(oldConfB) == 0 {
-		return nil
-	}
-
-	var oldConf ipn.ConfigVAlpha
-	if err := json.Unmarshal(oldConfB, &oldConf); err != nil {
-		return fmt.Errorf("error unmarshalling existing config: %w", err)
-	}
-	conf.AdvertiseServices = oldConf.AdvertiseServices
-
-	return nil
-}
-
 func (r *ProxyGroupReconciler) validate(_ *tsapi.ProxyGroup) error {
 	return nil
 }
--- a/cmd/k8s-operator/proxygroup_specs.go
+++ b/cmd/k8s-operator/proxygroup_specs.go
@@ -73,7 +73,7 @@ func pgStatefulSet(pg *tsapi.ProxyGroup, namespace, image, tsFirewallMode string
 				Name: fmt.Sprintf("tailscaledconfig-%d", i),
 				VolumeSource: corev1.VolumeSource{
 					Secret: &corev1.SecretVolumeSource{
-						SecretName: pgConfigSecretName(pg.Name, i),
+						SecretName: fmt.Sprintf("%s-%d-config", pg.Name, i),
 					},
 				},
 			})
@@ -236,8 +236,8 @@ func pgRole(pg *tsapi.ProxyGroup, namespace string) *rbacv1.Role {
 				ResourceNames: func() (secrets []string) {
 					for i := range pgReplicas(pg) {
 						secrets = append(secrets,
-							pgConfigSecretName(pg.Name, i),   // Config with auth key.
-							fmt.Sprintf("%s-%d", pg.Name, i), // State.
+							fmt.Sprintf("%s-%d-config", pg.Name, i), // Config with auth key.
+							fmt.Sprintf("%s-%d", pg.Name, i),        // State.
 						)
 					}
 					return secrets
@@ -349,10 +349,6 @@ func pgReplicas(pg *tsapi.ProxyGroup) int32 {
 	return 2
 }

-func pgConfigSecretName(pgName string, i int32) string {
-	return fmt.Sprintf("%s-%d-config", pgName, i)
-}
-
 func pgEgressCMName(pg string) string {
 	return fmt.Sprintf("%s-egress-config", pg)
 }
--- a/cmd/k8s-operator/proxygroup_test.go
+++ b/cmd/k8s-operator/proxygroup_test.go
@@ -24,7 +24,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn"
 	tsoperator "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/kube/kubetypes"
@@ -447,79 +446,6 @@ func TestProxyGroupTypes(t *testing.T) {
 	})
 }

-func TestIngressAdvertiseServicesConfigPreserved(t *testing.T) {
-	fc := fake.NewClientBuilder().
-		WithScheme(tsapi.GlobalScheme).
-		Build()
-	reconciler := &ProxyGroupReconciler{
-		tsNamespace: tsNamespace,
-		proxyImage:  testProxyImage,
-		Client:      fc,
-		l:           zap.Must(zap.NewDevelopment()).Sugar(),
-		tsClient:    &fakeTSClient{},
-		clock:       tstest.NewClock(tstest.ClockOpts{}),
-	}
-
-	existingServices := []string{"svc1", "svc2"}
-	existingConfigBytes, err := json.Marshal(ipn.ConfigVAlpha{
-		AdvertiseServices: existingServices,
-		Version:           "should-get-overwritten",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	const pgName = "test-ingress"
-	mustCreate(t, fc, &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      pgConfigSecretName(pgName, 0),
-			Namespace: tsNamespace,
-		},
-		// Write directly to Data because the fake client doesn't copy the write-only
-		// StringData field across to Data for us.
-		Data: map[string][]byte{
-			tsoperator.TailscaledConfigFileName(106): existingConfigBytes,
-		},
-	})
-
-	mustCreate(t, fc, &tsapi.ProxyGroup{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: pgName,
-			UID:  "test-ingress-uid",
-		},
-		Spec: tsapi.ProxyGroupSpec{
-			Type:     tsapi.ProxyGroupTypeIngress,
-			Replicas: ptr.To[int32](1),
-		},
-	})
-	expectReconciled(t, reconciler, "", pgName)
-
-	expectedConfigBytes, err := json.Marshal(ipn.ConfigVAlpha{
-		// Preserved.
-		AdvertiseServices: existingServices,
-
-		// Everything else got updated in the reconcile:
-		Version:      "alpha0",
-		AcceptDNS:    "false",
-		AcceptRoutes: "false",
-		Locked:       "false",
-		Hostname:     ptr.To(fmt.Sprintf("%s-%d", pgName, 0)),
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	expectEqual(t, fc, &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:            pgConfigSecretName(pgName, 0),
-			Namespace:       tsNamespace,
-			ResourceVersion: "2",
-		},
-		StringData: map[string]string{
-			tsoperator.TailscaledConfigFileName(106): string(expectedConfigBytes),
-		},
-	}, omitSecretData)
-}
-
 func verifyProxyGroupCounts(t *testing.T, r *ProxyGroupReconciler, wantIngress, wantEgress int) {
 	t.Helper()
 	if r.ingressProxyGroups.Len() != wantIngress {
@@ -575,7 +501,7 @@ func expectProxyGroupResources(t *testing.T, fc client.WithWatch, pg *tsapi.Prox
 		for i := range pgReplicas(pg) {
 			expectedSecrets = append(expectedSecrets,
 				fmt.Sprintf("%s-%d", pg.Name, i),
-				pgConfigSecretName(pg.Name, i),
+				fmt.Sprintf("%s-%d-config", pg.Name, i),
 			)
 		}
 	}
@@ -620,11 +546,3 @@ func addNodeIDToStateSecrets(t *testing.T, fc client.WithWatch, pg *tsapi.ProxyG
 		})
 	}
 }
-
-// The operator mostly writes to StringData and reads from Data, but the fake
-// client doesn't copy StringData across to Data on write. When comparing actual
-// vs expected Secrets, use this function to only check what the operator writes
-// to StringData.
-func omitSecretData(secret *corev1.Secret) {
-	secret.Data = nil
-}
--- a/cmd/k8s-operator/testutils_test.go
+++ b/cmd/k8s-operator/testutils_test.go
@@ -28,7 +28,7 @@ import (
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"tailscale.com/internal/client/tailscale"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
@@ -768,7 +768,7 @@ type fakeTSClient struct {
 	sync.Mutex
 	keyRequests []tailscale.KeyCapabilities
 	deleted     []string
-	vipServices map[tailcfg.ServiceName]*tailscale.VIPService
+	vipServices map[tailcfg.ServiceName]*VIPService
 }
 type fakeTSNetServer struct {
 	certDomains []string
@@ -875,7 +875,7 @@ func removeAuthKeyIfExistsModifier(t *testing.T) func(s *corev1.Secret) {
 	}
 }

-func (c *fakeTSClient) GetVIPService(ctx context.Context, name tailcfg.ServiceName) (*tailscale.VIPService, error) {
+func (c *fakeTSClient) getVIPService(ctx context.Context, name tailcfg.ServiceName) (*VIPService, error) {
 	c.Lock()
 	defer c.Unlock()
 	if c.vipServices == nil {
@@ -888,17 +888,17 @@ func (c *fakeTSClient) GetVIPService(ctx context.Context, name tailcfg.ServiceNa
 	return svc, nil
 }

-func (c *fakeTSClient) CreateOrUpdateVIPService(ctx context.Context, svc *tailscale.VIPService) error {
+func (c *fakeTSClient) createOrUpdateVIPService(ctx context.Context, svc *VIPService) error {
 	c.Lock()
 	defer c.Unlock()
 	if c.vipServices == nil {
-		c.vipServices = make(map[tailcfg.ServiceName]*tailscale.VIPService)
+		c.vipServices = make(map[tailcfg.ServiceName]*VIPService)
 	}
 	c.vipServices[svc.Name] = svc
 	return nil
 }

-func (c *fakeTSClient) DeleteVIPService(ctx context.Context, name tailcfg.ServiceName) error {
+func (c *fakeTSClient) deleteVIPService(ctx context.Context, name tailcfg.ServiceName) error {
 	c.Lock()
 	defer c.Unlock()
 	if c.vipServices != nil {
--- a/cmd/k8s-operator/tsclient.go
+++ b/cmd/k8s-operator/tsclient.go
@@ -6,13 +6,19 @@
 package main

 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
+	"io"
+	"net/http"
+	"net/url"
 	"os"

 	"golang.org/x/oauth2/clientcredentials"
 	"tailscale.com/internal/client/tailscale"
 	"tailscale.com/tailcfg"
+	"tailscale.com/util/httpm"
 )

 // defaultTailnet is a value that can be used in Tailscale API calls instead of tailnet name to indicate that the API
@@ -39,14 +45,141 @@ func newTSClient(ctx context.Context, clientIDPath, clientSecretPath string) (ts
 	c := tailscale.NewClient(defaultTailnet, nil)
 	c.UserAgent = "tailscale-k8s-operator"
 	c.HTTPClient = credentials.Client(ctx)
-	return c, nil
+	tsc := &tsClientImpl{
+		Client:  c,
+		baseURL: defaultBaseURL,
+		tailnet: defaultTailnet,
+	}
+	return tsc, nil
 }

 type tsClient interface {
 	CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error)
 	Device(ctx context.Context, deviceID string, fields *tailscale.DeviceFieldsOpts) (*tailscale.Device, error)
 	DeleteDevice(ctx context.Context, nodeStableID string) error
-	GetVIPService(ctx context.Context, name tailcfg.ServiceName) (*tailscale.VIPService, error)
-	CreateOrUpdateVIPService(ctx context.Context, svc *tailscale.VIPService) error
-	DeleteVIPService(ctx context.Context, name tailcfg.ServiceName) error
+	getVIPService(ctx context.Context, name tailcfg.ServiceName) (*VIPService, error)
+	createOrUpdateVIPService(ctx context.Context, svc *VIPService) error
+	deleteVIPService(ctx context.Context, name tailcfg.ServiceName) error
+}
+
+type tsClientImpl struct {
+	*tailscale.Client
+	baseURL string
+	tailnet string
+}
+
+// VIPService is a Tailscale VIPService with Tailscale API JSON representation.
+type VIPService struct {
+	// Name is a VIPService name in form svc:<leftmost-label-of-service-DNS-name>.
+	Name tailcfg.ServiceName `json:"name,omitempty"`
+	// Addrs are the IP addresses of the VIP Service. There are two addresses:
+	// the first is IPv4 and the second is IPv6.
+	// When creating a new VIP Service, the IP addresses are optional: if no
+	// addresses are specified then they will be selected. If an IPv4 address is
+	// specified at index 0, then that address will attempt to be used. An IPv6
+	// address can not be specified upon creation.
+	Addrs []string `json:"addrs,omitempty"`
+	// Comment is an optional text string for display in the admin panel.
+	Comment string `json:"comment,omitempty"`
+	// Ports are the ports of a VIPService that will be configured via Tailscale serve config.
+	// If set, any node wishing to advertise this VIPService must have this port configured via Tailscale serve.
+	Ports []string `json:"ports,omitempty"`
+	// Tags are optional ACL tags that will be applied to the VIPService.
+	Tags []string `json:"tags,omitempty"`
+}
+
+// GetVIPServiceByName retrieves a VIPService by its name. It returns 404 if the VIPService is not found.
+func (c *tsClientImpl) getVIPService(ctx context.Context, name tailcfg.ServiceName) (*VIPService, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/vip-services/%s", c.baseURL, c.tailnet, url.PathEscape(name.String()))
+	req, err := http.NewRequestWithContext(ctx, httpm.GET, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error creating new HTTP request: %w", err)
+	}
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, fmt.Errorf("error making Tailsale API request: %w", err)
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+	svc := &VIPService{}
+	if err := json.Unmarshal(b, svc); err != nil {
+		return nil, err
+	}
+	return svc, nil
+}
+
+// createOrUpdateVIPService creates or updates a VIPService by its name. Caller must ensure that, if the
+// VIPService already exists, the VIPService is fetched first to ensure that any auto-allocated IP addresses are not
+// lost during the update. If the VIPService was created without any IP addresses explicitly set (so that they were
+// auto-allocated by Tailscale) any subsequent request to this function that does not set any IP addresses will error.
+func (c *tsClientImpl) createOrUpdateVIPService(ctx context.Context, svc *VIPService) error {
+	data, err := json.Marshal(svc)
+	if err != nil {
+		return err
+	}
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/vip-services/%s", c.baseURL, c.tailnet, url.PathEscape(svc.Name.String()))
+	req, err := http.NewRequestWithContext(ctx, httpm.PUT, path, bytes.NewBuffer(data))
+	if err != nil {
+		return fmt.Errorf("error creating new HTTP request: %w", err)
+	}
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return fmt.Errorf("error making Tailscale API request: %w", err)
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+	return nil
+}
+
+// DeleteVIPServiceByName deletes a VIPService by its name. It returns an error if the VIPService
+// does not exist or if the deletion fails.
+func (c *tsClientImpl) deleteVIPService(ctx context.Context, name tailcfg.ServiceName) error {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/vip-services/%s", c.baseURL, c.tailnet, url.PathEscape(name.String()))
+	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
+	if err != nil {
+		return fmt.Errorf("error creating new HTTP request: %w", err)
+	}
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return fmt.Errorf("error making Tailscale API request: %w", err)
+	}
+	// If status code was not successful, return the error.
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+	return nil
+}
+
+// sendRequest add the authentication key to the request and sends it. It
+// receives the response and reads up to 10MB of it.
+func (c *tsClientImpl) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
+	resp, err := c.Do(req)
+	if err != nil {
+		return nil, resp, fmt.Errorf("error actually doing request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	// Read response
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		err = fmt.Errorf("error reading response body: %v", err)
+	}
+	return b, resp, err
+}
+
+// handleErrorResponse decodes the error message from the server and returns
+// an ErrResponse from it.
+func handleErrorResponse(b []byte, resp *http.Response) error {
+	var errResp tailscale.ErrResponse
+	if err := json.Unmarshal(b, &errResp); err != nil {
+		return err
+	}
+	errResp.Status = resp.StatusCode
+	return errResp
 }
--- a/cmd/natc/natc.go
+++ b/cmd/natc/natc.go
@@ -41,8 +41,6 @@ import (
 	"tailscale.com/wgengine/netstack"
 )

-var ErrNoIPsAvailable = errors.New("no IPs available")
-
 func main() {
 	hostinfo.SetApp("natc")
 	if !envknob.UseWIPCode() {
@@ -279,14 +277,14 @@ func (c *connector) handleDNS(pc net.PacketConn, buf []byte, remoteAddr *net.UDP
 	defer cancel()
 	who, err := c.lc.WhoIs(ctx, remoteAddr.String())
 	if err != nil {
-		log.Printf("HandleDNS(remote=%s): WhoIs failed: %v\n", remoteAddr.String(), err)
+		log.Printf("HandleDNS: WhoIs failed: %v\n", err)
 		return
 	}

 	var msg dnsmessage.Message
 	err = msg.Unpack(buf)
 	if err != nil {
-		log.Printf("HandleDNS(remote=%s): dnsmessage unpack failed: %v\n", remoteAddr.String(), err)
+		log.Printf("HandleDNS: dnsmessage unpack failed: %v\n ", err)
 		return
 	}

@@ -299,19 +297,19 @@ func (c *connector) handleDNS(pc net.PacketConn, buf []byte, remoteAddr *net.UDP
 			case dnsmessage.TypeAAAA, dnsmessage.TypeA:
 				dstAddrs, err := lookupDestinationIP(q.Name.String())
 				if err != nil {
-					log.Printf("HandleDNS(remote=%s): lookup destination failed: %v\n", remoteAddr.String(), err)
+					log.Printf("HandleDNS: lookup destination failed: %v\n ", err)
 					return
 				}
 				if c.ignoreDestination(dstAddrs) {
 					bs, err := dnsResponse(&msg, dstAddrs)
 					// TODO (fran): treat as SERVFAIL
 					if err != nil {
-						log.Printf("HandleDNS(remote=%s): generate ignore response failed: %v\n", remoteAddr.String(), err)
+						log.Printf("HandleDNS: generate ignore response failed: %v\n", err)
 						return
 					}
 					_, err = pc.WriteTo(bs, remoteAddr)
 					if err != nil {
-						log.Printf("HandleDNS(remote=%s): write failed: %v\n", remoteAddr.String(), err)
+						log.Printf("HandleDNS: write failed: %v\n", err)
 					}
 					return
 				}
@@ -324,7 +322,7 @@ func (c *connector) handleDNS(pc net.PacketConn, buf []byte, remoteAddr *net.UDP
 	resp, err := c.generateDNSResponse(&msg, who.Node.ID)
 	// TODO (fran): treat as SERVFAIL
 	if err != nil {
-		log.Printf("HandleDNS(remote=%s): connector handling failed: %v\n", remoteAddr.String(), err)
+		log.Printf("HandleDNS: connector handling failed: %v\n", err)
 		return
 	}
 	// TODO (fran): treat as NXDOMAIN
@@ -334,7 +332,7 @@ func (c *connector) handleDNS(pc net.PacketConn, buf []byte, remoteAddr *net.UDP
 	// This connector handled the DNS request
 	_, err = pc.WriteTo(resp, remoteAddr)
 	if err != nil {
-		log.Printf("HandleDNS(remote=%s): write failed: %v\n", remoteAddr.String(), err)
+		log.Printf("HandleDNS: write failed: %v\n", err)
 	}
 }

@@ -531,9 +529,6 @@ func (ps *perPeerState) ipForDomain(domain string) ([]netip.Addr, error) {
 		return addrs, nil
 	}
 	addrs := ps.assignAddrsLocked(domain)
-	if addrs == nil {
-		return nil, ErrNoIPsAvailable
-	}
 	return addrs, nil
 }

@@ -580,9 +575,6 @@ func (ps *perPeerState) assignAddrsLocked(domain string) []netip.Addr {
 		ps.addrToDomain = &bart.Table[string]{}
 	}
 	v4 := ps.unusedIPv4Locked()
-	if !v4.IsValid() {
-		return nil
-	}
 	as16 := ps.c.v6ULA.Addr().As16()
 	as4 := v4.As4()
 	copy(as16[12:], as4[:])
--- a/cmd/stund/depaware.txt
+++ b/cmd/stund/depaware.txt
@@ -88,11 +88,13 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/hkdf                                     from crypto/tls+
        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http
        golang.org/x/net/http/httpproxy                              from net/http
@@ -114,7 +116,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/internal/hpke+
+        crypto/aes                                                   from crypto/ecdsa+
        crypto/cipher                                                from crypto/aes+
        crypto/des                                                   from crypto/tls+
        crypto/dsa                                                   from crypto/x509
@@ -122,59 +124,32 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        crypto/ecdsa                                                 from crypto/tls+
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
-        crypto/hmac                                                  from crypto/tls
+        crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
        crypto/internal/boring                                       from crypto/aes+
        crypto/internal/boring/bbig                                  from crypto/ecdsa+
        crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
-        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
-        crypto/internal/fips140/aes                                  from crypto/aes+
-        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
-        crypto/internal/fips140/alias                                from crypto/cipher+
-        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
-        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
-        crypto/internal/fips140/ecdh                                 from crypto/ecdh
-        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
-        crypto/internal/fips140/ed25519                              from crypto/ed25519
-        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
-        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
-        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
-        crypto/internal/fips140/hmac                                 from crypto/hmac+
-        crypto/internal/fips140/mlkem                                from crypto/tls
-        crypto/internal/fips140/nistec                               from crypto/elliptic+
-        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
-        crypto/internal/fips140/rsa                                  from crypto/rsa
-        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
-        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
-        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
-        crypto/internal/fips140/tls12                                from crypto/tls
-        crypto/internal/fips140/tls13                                from crypto/tls
-        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
-        crypto/internal/fips140hash                                  from crypto/ecdsa+
-        crypto/internal/fips140only                                  from crypto/cipher+
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
        crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/impl                                         from crypto/internal/fips140/aes+
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
        crypto/internal/randutil                                     from crypto/dsa+
-        crypto/internal/sysrand                                      from crypto/internal/entropy+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls
        crypto/rsa                                                   from crypto/tls+
        crypto/sha1                                                  from crypto/tls+
        crypto/sha256                                                from crypto/tls+
-        crypto/sha3                                                  from crypto/internal/fips140hash
        crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/cipher+
+        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from net/http+
-        crypto/tls/internal/fips140tls                               from crypto/tls
        crypto/x509                                                  from crypto/tls
   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509
-        embed                                                        from google.golang.org/protobuf/internal/editiondefaults+
+        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
        encoding/base32                                              from github.com/go-json-experiment/json
@@ -194,22 +169,23 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        hash/maphash                                                 from go4.org/mem
        html                                                         from net/http/pprof+
        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall+
+        internal/asan                                                from syscall
        internal/bisect                                              from internal/godebug
        internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/cipher+
+        internal/byteorder                                           from crypto/aes+
        internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
        internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
+        internal/cpu                                                 from crypto/aes+
        internal/filepathlite                                        from os+
        internal/fmtsort                                             from fmt
-        internal/goarch                                              from crypto/internal/fips140deps/cpu+
+        internal/goarch                                              from crypto/aes+
        internal/godebug                                             from crypto/tls+
        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime+
+        internal/goexperiment                                        from runtime
        internal/goos                                                from crypto/x509+
        internal/itoa                                                from internal/poll+
-        internal/msan                                                from syscall+
+        internal/msan                                                from syscall
        internal/nettrace                                            from net+
        internal/oserror                                             from io/fs+
        internal/poll                                                from net+
@@ -219,20 +195,17 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        internal/reflectlite                                         from context+
        internal/runtime/atomic                                      from internal/runtime/exithook+
        internal/runtime/exithook                                    from runtime
-        internal/runtime/maps                                        from reflect+
-        internal/runtime/math                                        from internal/runtime/maps+
-        internal/runtime/sys                                         from crypto/subtle+
   L    internal/runtime/syscall                                     from runtime+
        internal/singleflight                                        from net
        internal/stringslite                                         from embed+
-        internal/sync                                                from sync+
        internal/syscall/execenv                                     from os
-  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
-   W    internal/syscall/windows                                     from crypto/internal/sysrand+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
   W    internal/syscall/windows/registry                            from mime+
   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
        internal/testlog                                             from os
        internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
        io                                                           from bufio+
        io/fs                                                        from crypto/x509+
        iter                                                         from maps+
@@ -243,7 +216,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        math/big                                                     from crypto/dsa+
        math/bits                                                    from compress/flate+
        math/rand                                                    from math/big+
-        math/rand/v2                                                 from crypto/ecdsa+
+        math/rand/v2                                                 from internal/concurrent+
        mime                                                         from github.com/prometheus/common/expfmt+
        mime/multipart                                               from net/http
        mime/quotedprintable                                         from mime/multipart
@@ -256,15 +229,17 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        net/netip                                                    from go4.org/netipx+
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
-        os                                                           from crypto/internal/sysrand+
+        os                                                           from crypto/rand+
        os/signal                                                    from tailscale.com/cmd/stund
        path                                                         from github.com/prometheus/client_golang/prometheus/internal+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/prometheus/client_golang/prometheus/internal+
        regexp/syntax                                                from regexp
-        runtime                                                      from crypto/internal/fips140+
+        runtime                                                      from crypto/internal/nistec+
        runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
        runtime/trace                                                from net/http/pprof
@@ -274,7 +249,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        strings                                                      from bufio+
        sync                                                         from compress/flate+
        sync/atomic                                                  from context+
-        syscall                                                      from crypto/internal/sysrand+
+        syscall                                                      from crypto/rand+
        text/tabwriter                                               from runtime/pprof
        time                                                         from compress/gzip+
        unicode                                                      from bytes+
@@ -282,4 +257,3 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
        unsafe                                                       from bytes+
-        weak                                                         from unique
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -195,13 +195,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/hkdf                                     from tailscale.com/control/controlbase
+        golang.org/x/crypto/hkdf                                     from crypto/tls+
        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/pbkdf2                                   from software.sslmate.com/src/go-pkcs12
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
   W    golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
        golang.org/x/exp/maps                                        from tailscale.com/util/syspolicy/internal/metrics+
        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
@@ -245,7 +246,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/internal/hpke+
+        crypto/aes                                                   from crypto/ecdsa+
        crypto/cipher                                                from crypto/aes+
        crypto/des                                                   from crypto/tls+
        crypto/dsa                                                   from crypto/x509
@@ -254,61 +255,34 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
        crypto/internal/boring                                       from crypto/aes+
        crypto/internal/boring/bbig                                  from crypto/ecdsa+
        crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
-        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
-        crypto/internal/fips140/aes                                  from crypto/aes+
-        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
-        crypto/internal/fips140/alias                                from crypto/cipher+
-        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
-        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
-        crypto/internal/fips140/ecdh                                 from crypto/ecdh
-        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
-        crypto/internal/fips140/ed25519                              from crypto/ed25519
-        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
-        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
-        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
-        crypto/internal/fips140/hmac                                 from crypto/hmac+
-        crypto/internal/fips140/mlkem                                from crypto/tls
-        crypto/internal/fips140/nistec                               from crypto/elliptic+
-        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
-        crypto/internal/fips140/rsa                                  from crypto/rsa
-        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
-        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
-        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
-        crypto/internal/fips140/tls12                                from crypto/tls
-        crypto/internal/fips140/tls13                                from crypto/tls
-        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
-        crypto/internal/fips140hash                                  from crypto/ecdsa+
-        crypto/internal/fips140only                                  from crypto/cipher+
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
        crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/impl                                         from crypto/internal/fips140/aes+
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
        crypto/internal/randutil                                     from crypto/dsa+
-        crypto/internal/sysrand                                      from crypto/internal/entropy+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls
        crypto/rsa                                                   from crypto/tls+
        crypto/sha1                                                  from crypto/tls+
        crypto/sha256                                                from crypto/tls+
-        crypto/sha3                                                  from crypto/internal/fips140hash
        crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/cipher+
+        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from github.com/miekg/dns+
-        crypto/tls/internal/fips140tls                               from crypto/tls
        crypto/x509                                                  from crypto/tls+
   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509+
  DW    database/sql/driver                                          from github.com/google/uuid
   W    debug/dwarf                                                  from debug/pe
   W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
-        embed                                                        from github.com/peterbourgon/ff/v3+
+        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/gob+
        encoding/asn1                                                from crypto/x509+
        encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -333,22 +307,23 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        image/color                                                  from github.com/skip2/go-qrcode+
        image/png                                                    from github.com/skip2/go-qrcode
        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall+
+        internal/asan                                                from syscall
        internal/bisect                                              from internal/godebug
        internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/cipher+
+        internal/byteorder                                           from crypto/aes+
        internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
        internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
+        internal/cpu                                                 from crypto/aes+
        internal/filepathlite                                        from os+
        internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/internal/fips140deps/cpu+
+        internal/goarch                                              from crypto/aes+
        internal/godebug                                             from archive/tar+
        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime+
+        internal/goexperiment                                        from runtime
        internal/goos                                                from crypto/x509+
        internal/itoa                                                from internal/poll+
-        internal/msan                                                from syscall+
+        internal/msan                                                from syscall
        internal/nettrace                                            from net+
        internal/oserror                                             from io/fs+
        internal/poll                                                from net+
@@ -357,21 +332,18 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        internal/reflectlite                                         from context+
        internal/runtime/atomic                                      from internal/runtime/exithook+
        internal/runtime/exithook                                    from runtime
-        internal/runtime/maps                                        from reflect+
-        internal/runtime/math                                        from internal/runtime/maps+
-        internal/runtime/sys                                         from crypto/subtle+
   L    internal/runtime/syscall                                     from runtime+
        internal/saferio                                             from debug/pe+
        internal/singleflight                                        from net
        internal/stringslite                                         from embed+
-        internal/sync                                                from sync+
        internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
-   W    internal/syscall/windows                                     from crypto/internal/sysrand+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
   W    internal/syscall/windows/registry                            from mime+
   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
        internal/testlog                                             from os
        internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
        io                                                           from archive/tar+
        io/fs                                                        from archive/tar+
        io/ioutil                                                    from github.com/mitchellh/go-ps+
@@ -397,7 +369,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        net/netip                                                    from go4.org/netipx+
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
-        os                                                           from crypto/internal/sysrand+
+        os                                                           from crypto/rand+
        os/exec                                                      from github.com/coreos/go-iptables/iptables+
        os/signal                                                    from tailscale.com/cmd/tailscale/cli
        os/user                                                      from archive/tar+
@@ -408,6 +380,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        regexp/syntax                                                from regexp
        runtime                                                      from archive/tar+
        runtime/debug                                                from tailscale.com+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
        slices                                                       from tailscale.com/client/web+
        sort                                                         from compress/flate+
        strconv                                                      from archive/tar+
@@ -424,4 +398,3 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
        unsafe                                                       from bytes+
-        weak                                                         from unique
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -271,7 +271,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/hostinfo                                       from tailscale.com/client/web+
        tailscale.com/internal/noiseconn                             from tailscale.com/control/controlclient
        tailscale.com/ipn                                            from tailscale.com/client/local+
-        tailscale.com/ipn/auditlog                                   from tailscale.com/ipn/ipnlocal+
        tailscale.com/ipn/conffile                                   from tailscale.com/cmd/tailscaled+
     💣 tailscale.com/ipn/desktop                                    from tailscale.com/cmd/tailscaled+
     💣 tailscale.com/ipn/ipnauth                                    from tailscale.com/ipn/ipnlocal+
@@ -450,13 +449,14 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/ssh+
-        golang.org/x/crypto/hkdf                                     from tailscale.com/control/controlbase
+        golang.org/x/crypto/hkdf                                     from crypto/tls+
        golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
        golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
  LD    golang.org/x/crypto/ssh                                      from github.com/pkg/sftp+
  LD    golang.org/x/crypto/ssh/internal/bcrypt_pbkdf                from golang.org/x/crypto/ssh
        golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
@@ -504,7 +504,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/internal/hpke+
+        crypto/aes                                                   from crypto/ecdsa+
        crypto/cipher                                                from crypto/aes+
        crypto/des                                                   from crypto/tls+
        crypto/dsa                                                   from crypto/x509+
@@ -513,61 +513,34 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/ed25519                                               from crypto/tls+
        crypto/elliptic                                              from crypto/ecdsa+
        crypto/hmac                                                  from crypto/tls+
+        crypto/internal/alias                                        from crypto/aes+
+        crypto/internal/bigmod                                       from crypto/ecdsa+
        crypto/internal/boring                                       from crypto/aes+
        crypto/internal/boring/bbig                                  from crypto/ecdsa+
        crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
-        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
-        crypto/internal/fips140/aes                                  from crypto/aes+
-        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
-        crypto/internal/fips140/alias                                from crypto/cipher+
-        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
-        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
-        crypto/internal/fips140/ecdh                                 from crypto/ecdh
-        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
-        crypto/internal/fips140/ed25519                              from crypto/ed25519
-        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
-        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
-        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
-        crypto/internal/fips140/hmac                                 from crypto/hmac+
-        crypto/internal/fips140/mlkem                                from crypto/tls
-        crypto/internal/fips140/nistec                               from crypto/elliptic+
-        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
-        crypto/internal/fips140/rsa                                  from crypto/rsa
-        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
-        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
-        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
-        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
-        crypto/internal/fips140/tls12                                from crypto/tls
-        crypto/internal/fips140/tls13                                from crypto/tls
-        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
-        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
-        crypto/internal/fips140hash                                  from crypto/ecdsa+
-        crypto/internal/fips140only                                  from crypto/cipher+
+        crypto/internal/edwards25519                                 from crypto/ed25519
+        crypto/internal/edwards25519/field                           from crypto/ecdh+
        crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/impl                                         from crypto/internal/fips140/aes+
+        crypto/internal/mlkem768                                     from crypto/tls
+        crypto/internal/nistec                                       from crypto/ecdh+
+        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
        crypto/internal/randutil                                     from crypto/dsa+
-        crypto/internal/sysrand                                      from crypto/internal/entropy+
        crypto/md5                                                   from crypto/tls+
        crypto/rand                                                  from crypto/ed25519+
        crypto/rc4                                                   from crypto/tls+
        crypto/rsa                                                   from crypto/tls+
        crypto/sha1                                                  from crypto/tls+
        crypto/sha256                                                from crypto/tls+
-        crypto/sha3                                                  from crypto/internal/fips140hash
        crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/cipher+
+        crypto/subtle                                                from crypto/aes+
        crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
-        crypto/tls/internal/fips140tls                               from crypto/tls
        crypto/x509                                                  from crypto/tls+
   D    crypto/x509/internal/macos                                   from crypto/x509
        crypto/x509/pkix                                             from crypto/x509+
  DW    database/sql/driver                                          from github.com/google/uuid
   W    debug/dwarf                                                  from debug/pe
   W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
-        embed                                                        from github.com/tailscale/web-client-prebuilt+
+        embed                                                        from crypto/internal/nistec+
        encoding                                                     from encoding/gob+
        encoding/asn1                                                from crypto/x509+
        encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -589,22 +562,23 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        html                                                         from html/template+
        html/template                                                from github.com/gorilla/csrf
        internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall+
+        internal/asan                                                from syscall
        internal/bisect                                              from internal/godebug
        internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/cipher+
+        internal/byteorder                                           from crypto/aes+
        internal/chacha8rand                                         from math/rand/v2+
+        internal/concurrent                                          from unique
        internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
+        internal/cpu                                                 from crypto/aes+
        internal/filepathlite                                        from os+
        internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/internal/fips140deps/cpu+
+        internal/goarch                                              from crypto/aes+
        internal/godebug                                             from archive/tar+
        internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime+
+        internal/goexperiment                                        from runtime
        internal/goos                                                from crypto/x509+
        internal/itoa                                                from internal/poll+
-        internal/msan                                                from syscall+
+        internal/msan                                                from syscall
        internal/nettrace                                            from net+
        internal/oserror                                             from io/fs+
        internal/poll                                                from net+
@@ -614,21 +588,18 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        internal/reflectlite                                         from context+
        internal/runtime/atomic                                      from internal/runtime/exithook+
        internal/runtime/exithook                                    from runtime
-        internal/runtime/maps                                        from reflect+
-        internal/runtime/math                                        from internal/runtime/maps+
-        internal/runtime/sys                                         from crypto/subtle+
   L    internal/runtime/syscall                                     from runtime+
        internal/saferio                                             from debug/pe+
        internal/singleflight                                        from net
        internal/stringslite                                         from embed+
-        internal/sync                                                from sync+
        internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
-   W    internal/syscall/windows                                     from crypto/internal/sysrand+
+  LD    internal/syscall/unix                                        from crypto/rand+
+   W    internal/syscall/windows                                     from crypto/rand+
   W    internal/syscall/windows/registry                            from mime+
   W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
        internal/testlog                                             from os
        internal/unsafeheader                                        from internal/reflectlite+
+        internal/weak                                                from unique
        io                                                           from archive/tar+
        io/fs                                                        from archive/tar+
        io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
@@ -655,7 +626,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        net/netip                                                    from github.com/tailscale/wireguard-go/conn+
        net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
        net/url                                                      from crypto/x509+
-        os                                                           from crypto/internal/sysrand+
+        os                                                           from crypto/rand+
        os/exec                                                      from github.com/aws/aws-sdk-go-v2/credentials/processcreds+
        os/signal                                                    from tailscale.com/cmd/tailscaled
        os/user                                                      from archive/tar+
@@ -666,6 +637,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        regexp/syntax                                                from regexp
        runtime                                                      from archive/tar+
        runtime/debug                                                from github.com/aws/aws-sdk-go-v2/internal/sync/singleflight+
+        runtime/internal/math                                        from runtime
+        runtime/internal/sys                                         from runtime
        runtime/pprof                                                from net/http/pprof+
        runtime/trace                                                from net/http/pprof
        slices                                                       from tailscale.com/appc+
@@ -684,4 +657,3 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        unicode/utf8                                                 from bufio+
        unique                                                       from net/netip
        unsafe                                                       from bytes+
-        weak                                                         from unique
--- a/cmd/testwrapper/flakytest/flakytest.go
+++ b/cmd/testwrapper/flakytest/flakytest.go
@@ -7,14 +7,10 @@
 package flakytest

 import (
-	"fmt"
 	"os"
-	"path"
 	"regexp"
-	"sync"
+	"strings"
 	"testing"
-
-	"tailscale.com/util/mak"
 )

 // FlakyTestLogMessage is a sentinel value that is printed to stderr when a
@@ -29,11 +25,6 @@ const FlakeAttemptEnv = "TS_TESTWRAPPER_ATTEMPT"

 var issueRegexp = regexp.MustCompile(`\Ahttps://github\.com/tailscale/[a-zA-Z0-9_.-]+/issues/\d+\z`)

-var (
-	rootFlakesMu sync.Mutex
-	rootFlakes   map[string]bool
-)
-
 // Mark sets the current test as a flaky test, such that if it fails, it will
 // be retried a few times on failure. issue must be a GitHub issue that tracks
 // the status of the flaky test being marked, of the format:
@@ -47,27 +38,14 @@ func Mark(t testing.TB, issue string) {
 		// We're being run under cmd/testwrapper so send our sentinel message
 		// to stderr. (We avoid doing this when the env is absent to avoid
 		// spamming people running tests without the wrapper)
-		fmt.Fprintf(os.Stderr, "%s: %s\n", FlakyTestLogMessage, issue)
+		t.Cleanup(func() {
+			if t.Failed() {
+				// FIXME: this won't catch panics because t.Failed() won't yet
+				// be correctly set. https://github.com/golang/go/issues/49929
+				root, _, _ := strings.Cut(t.Name(), "/")
+				t.Logf("flakytest: retry: %s %s", root, strings.Join(os.Args, " "))
+			}
+		})
 	}
 	t.Logf("flakytest: issue tracking this flaky test: %s", issue)
-
-	// Record the root test name as flakey.
-	rootFlakesMu.Lock()
-	defer rootFlakesMu.Unlock()
-	mak.Set(&rootFlakes, t.Name(), true)
-}
-
-// Marked reports whether the current test or one of its parents was marked flaky.
-func Marked(t testing.TB) bool {
-	n := t.Name()
-	for {
-		if rootFlakes[n] {
-			return true
-		}
-		n = path.Dir(n)
-		if n == "." || n == "/" {
-			break
-		}
-	}
-	return false
 }
--- a/cmd/testwrapper/flakytest/flakytest_test.go
+++ b/cmd/testwrapper/flakytest/flakytest_test.go
@@ -42,48 +42,31 @@ func TestFlakeRun(t *testing.T) {
 	}
 }

-func TestMarked_Root(t *testing.T) {
-	Mark(t, "https://github.com/tailscale/tailscale/issues/0")
-
-	t.Run("child", func(t *testing.T) {
-		t.Run("grandchild", func(t *testing.T) {
-			if got, want := Marked(t), true; got != want {
-				t.Fatalf("Marked(t) = %t, want %t", got, want)
-			}
-		})
-
-		if got, want := Marked(t), true; got != want {
-			t.Fatalf("Marked(t) = %t, want %t", got, want)
-		}
-	})
-
-	if got, want := Marked(t), true; got != want {
-		t.Fatalf("Marked(t) = %t, want %t", got, want)
+// TestFlakePanic is a test that panics when run in the testwrapper
+// for the first time, but succeeds on the second run.
+// It's used to test whether the testwrapper retries flaky tests.
+func TestFlakeExit(t *testing.T) {
+	Mark(t, "https://github.com/tailscale/tailscale/issues/0") // random issue
+	e := os.Getenv(FlakeAttemptEnv)
+	if e == "" {
+		t.Skip("not running in testwrapper")
+	}
+	if e == "1" {
+		t.Log("First run in testwrapper, failing so exiting so test is retried. This is expected.")
+		os.Exit(0)
 	}
 }

-func TestMarked_Subtest(t *testing.T) {
-	t.Run("flaky", func(t *testing.T) {
-		Mark(t, "https://github.com/tailscale/tailscale/issues/0")
-
-		t.Run("child", func(t *testing.T) {
-			t.Run("grandchild", func(t *testing.T) {
-				if got, want := Marked(t), true; got != want {
-					t.Fatalf("Marked(t) = %t, want %t", got, want)
-				}
-			})
-
-			if got, want := Marked(t), true; got != want {
-				t.Fatalf("Marked(t) = %t, want %t", got, want)
-			}
-		})
-
-		if got, want := Marked(t), true; got != want {
-			t.Fatalf("Marked(t) = %t, want %t", got, want)
-		}
-	})
-
-	if got, want := Marked(t), false; got != want {
-		t.Fatalf("Marked(t) = %t, want %t", got, want)
+// TestFlakePanic is a test that panics when run in the testwrapper
+// for the first time, but succeeds on the second run.
+// It's used to test whether the testwrapper retries flaky tests.
+func TestFlakePanic(t *testing.T) {
+	Mark(t, "https://github.com/tailscale/tailscale/issues/0") // random issue
+	e := os.Getenv(FlakeAttemptEnv)
+	if e == "" {
+		t.Skip("not running in testwrapper")
+	}
+	if e == "1" {
+		panic("First run in testwrapper, failing so that test is retried. This is expected.")
 	}
 }
--- a/cmd/testwrapper/testwrapper.go
+++ b/cmd/testwrapper/testwrapper.go
@@ -10,7 +10,6 @@ package main
 import (
 	"bufio"
 	"bytes"
-	"cmp"
 	"context"
 	"encoding/json"
 	"errors"
@@ -60,12 +59,11 @@ type packageTests struct {
 }

 type goTestOutput struct {
-	Time       time.Time
-	Action     string
-	ImportPath string
-	Package    string
-	Test       string
-	Output     string
+	Time    time.Time
+	Action  string
+	Package string
+	Test    string
+	Output  string
 }

 var debug = os.Getenv("TS_TESTWRAPPER_DEBUG") != ""
@@ -113,54 +111,45 @@ func runTests(ctx context.Context, attempt int, pt *packageTests, goTestArgs, te
 	for s.Scan() {
 		var goOutput goTestOutput
 		if err := json.Unmarshal(s.Bytes(), &goOutput); err != nil {
-			return fmt.Errorf("failed to parse go test output %q: %w", s.Bytes(), err)
+			if errors.Is(err, io.EOF) || errors.Is(err, os.ErrClosed) {
+				break
+			}
+
+			// `go test -json` outputs invalid JSON when a build fails.
+			// In that case, discard the the output and start reading again.
+			// The build error will be printed to stderr.
+			// See: https://github.com/golang/go/issues/35169
+			if _, ok := err.(*json.SyntaxError); ok {
+				fmt.Println(s.Text())
+				continue
+			}
+			panic(err)
 		}
-		pkg := cmp.Or(
-			goOutput.Package,
-			"build:"+goOutput.ImportPath, // can be "./cmd" while Package is "tailscale.com/cmd" so use separate namespace
-		)
+		pkg := goOutput.Package
 		pkgTests := resultMap[pkg]
 		if pkgTests == nil {
-			pkgTests = map[string]*testAttempt{
-				"": {}, // Used for start time and build logs.
-			}
+			pkgTests = make(map[string]*testAttempt)
 			resultMap[pkg] = pkgTests
 		}
 		if goOutput.Test == "" {
 			switch goOutput.Action {
 			case "start":
-				pkgTests[""].start = goOutput.Time
-			case "build-output":
-				pkgTests[""].logs.WriteString(goOutput.Output)
-			case "build-fail", "fail", "pass", "skip":
+				pkgTests[""] = &testAttempt{start: goOutput.Time}
+			case "fail", "pass", "skip":
 				for _, test := range pkgTests {
 					if test.testName != "" && test.outcome == "" {
 						test.outcome = "fail"
 						ch <- test
 					}
 				}
-				outcome := goOutput.Action
-				if outcome == "build-fail" {
-					outcome = "fail"
-				}
-				pkgTests[""].logs.WriteString(goOutput.Output)
 				ch <- &testAttempt{
 					pkg:         goOutput.Package,
-					outcome:     outcome,
+					outcome:     goOutput.Action,
 					start:       pkgTests[""].start,
 					end:         goOutput.Time,
-					logs:        pkgTests[""].logs,
 					pkgFinished: true,
 				}
-			case "output":
-				// Capture all output from the package except for the final
-				// "FAIL    tailscale.io/control    0.684s" line, as
-				// printPkgOutcome will output a similar line
-				if !strings.HasPrefix(goOutput.Output, fmt.Sprintf("FAIL\t%s\t", goOutput.Package)) {
-					pkgTests[""].logs.WriteString(goOutput.Output)
-				}
 			}
-
 			continue
 		}
 		testName := goOutput.Test
@@ -202,7 +191,7 @@ func runTests(ctx context.Context, attempt int, pt *packageTests, goTestArgs, te
 	return nil
 }

-func main() {
+func _main() {
 	goTestArgs, packages, testArgs, err := splitArgs(os.Args[1:])
 	if err != nil {
 		log.Fatal(err)
@@ -226,9 +215,6 @@ func main() {
 	}
 	toRun := []*nextRun{firstRun}
 	printPkgOutcome := func(pkg, outcome string, attempt int, runtime time.Duration) {
-		if pkg == "" {
-			return // We reach this path on a build error.
-		}
 		if outcome == "skip" {
 			fmt.Printf("?\t%s [skipped/no tests] \n", pkg)
 			return
@@ -259,7 +245,6 @@ func main() {
 			fmt.Printf("\n\nAttempt #%d: Retrying flaky tests:\n\nflakytest failures JSON: %s\n\n", thisRun.attempt, j)
 		}

-		fatalFailures := make(map[string]struct{}) // pkg.Test key
 		toRetry := make(map[string][]*testAttempt) // pkg -> tests to retry
 		for _, pt := range thisRun.tests {
 			ch := make(chan *testAttempt)
@@ -285,11 +270,6 @@ func main() {
 						// when a package times out.
 						failed = true
 					}
-					if testingVerbose || tr.outcome == "fail" {
-						// Output package-level output which is where e.g.
-						// panics outside tests will be printed
-						io.Copy(os.Stdout, &tr.logs)
-					}
 					printPkgOutcome(tr.pkg, tr.outcome, thisRun.attempt, tr.end.Sub(tr.start))
 					continue
 				}
@@ -302,24 +282,11 @@ func main() {
 				if tr.isMarkedFlaky {
 					toRetry[tr.pkg] = append(toRetry[tr.pkg], tr)
 				} else {
-					fatalFailures[tr.pkg+"."+tr.testName] = struct{}{}
 					failed = true
 				}
 			}
 			if failed {
 				fmt.Println("\n\nNot retrying flaky tests because non-flaky tests failed.")
-
-				// Print the list of non-flakytest failures.
-				// We will later analyze the retried GitHub Action runs to see
-				// if non-flakytest failures succeeded upon retry. This will
-				// highlight tests which are flaky but not yet flagged as such.
-				if len(fatalFailures) > 0 {
-					tests := slicesx.MapKeys(fatalFailures)
-					sort.Strings(tests)
-					j, _ := json.Marshal(tests)
-					fmt.Printf("non-flakytest failures: %s\n", j)
-				}
-				fmt.Println()
 				os.Exit(1)
 			}

--- a/cmd/testwrapper/testwrapper2.go
+++ b/cmd/testwrapper/testwrapper2.go
@@ -0,0 +1,239 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"slices"
+	"strconv"
+	"strings"
+	"sync"
+
+	"tailscale.com/cmd/testwrapper/flakytest"
+	"tailscale.com/util/mak"
+)
+
+func main() {
+	log.SetFlags(log.Lshortfile)
+	log.SetPrefix("testwrapper: ")
+
+	// Build go args: test [-work] ...
+	var workdir string
+	var args = []string{"test"}
+	if !slices.Contains(args, "-work") && !slices.Contains(args, "--work") {
+		args = append(args, "-work")
+		defer func() {
+			if workdir != "" {
+				// Clean up the WORK directory as the user didn't want it.
+				if err := os.RemoveAll(workdir); err != nil {
+					log.Printf("error removing workdir: %s", err)
+				}
+			}
+		}()
+	}
+	args = append(args, os.Args[1:]...)
+
+	// Run go test.
+	attempt := 1
+	r, xerr := run("go", args, []string{attemptenv(attempt)}, os.Stdout, os.Stderr)
+	if nonexecerr(xerr) {
+		log.Fatal("go test: ", xerr)
+	}
+
+	// Check whether anything needs retried.
+	log.Printf("failures: builds=%d tests=%d retryable=%d", r.buildFailures, r.testFailures, r.testFailuresRetryable)
+	if r.buildFailures > 0 || r.testFailuresRetryable == 0 || r.testFailures > r.testFailuresRetryable {
+		exit(xerr)
+	}
+
+	// Retry tests we found.
+	const maxAttempts = 3
+	for cmd := range r.retryCmds {
+		pkg := strings.TrimSuffix(cmdPkg(cmd), ".test")
+		for {
+			attempt++
+			p := r.retryCmds[cmd]
+			log.Printf("attempt %d: %s %s", attempt, pkg, strings.Join(p.tests, " "))
+
+			// Retry the test by invoking the built pkg.test binary directly.
+			pr, xerr := run(
+				cmd,
+				append(p.args, "-test.run=^"+strings.Join(p.tests, "$|^")+"$"),
+				[]string{attemptenv(attempt)},
+				os.Stdout, os.Stdout, // go test copies all underlying pkg.test output to stdout
+			)
+			if nonexecerr(xerr) {
+				log.Fatalf("%s: %s", cmd, xerr)
+			}
+			if code, _ := exitcode(xerr); code == 0 {
+				break // all tests passed.
+			}
+
+			if attempt == maxAttempts {
+				log.Fatalf("failed %d times: %s %s", attempt, pkg, strings.Join(p.tests, " "))
+			}
+
+			// Try again with the new failure instructions. Hopefully with fewer
+			// failed tests...
+			r.retryCmds[cmd] = pr.retryCmds[cmd]
+		}
+	}
+}
+
+// attemptenv returns the environment variable value K=V used to signal
+// [flakytest] that it's in a test environment.
+func attemptenv(attempt int) string {
+	return flakytest.FlakeAttemptEnv + "=" + strconv.Itoa(attempt)
+}
+
+type testRun struct {
+	workDir string
+
+	buildFailures         int
+	testFailures          int
+	testFailuresRetryable int
+
+	retryCmds map[string]pkgRetry // cmd path => retry instructions
+}
+
+type pkgRetry struct {
+	cmd   string
+	args  []string
+	tests []string
+}
+
+// run executes prog with args and environ, writing output to stdout and stderr
+// and returns the error from [exec.Cmd.Wait], along with information parsed
+// from the output about how many builds or tests failed and how to retry them.
+func run(prog string, args []string, environ []string, stdout, stderr io.Writer) (r testRun, _ error) {
+	cmd := exec.Command(prog, args...)
+	cmd.Env = append(os.Environ(), environ...)
+	cmdout, err := cmd.StdoutPipe()
+	if err != nil {
+		log.Fatalf("StdoutPipe: %s", err)
+	}
+	cmderr, err := cmd.StderrPipe()
+	if err != nil {
+		log.Fatalf("StderrPipe: %s", err)
+	}
+	if err := cmd.Start(); err != nil {
+		log.Fatalf("Start: %s", err)
+	}
+
+	var wg sync.WaitGroup
+
+	// Read WORK= from first line of stderr. We retain this so we can clean it
+	// when testwrapper ends.
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		err := readthrulines(cmderr, stderr, func(line string) {
+			if r.workDir == "" {
+				if w, ok := strings.CutPrefix(line, "WORK="); ok {
+					r.workDir = w
+				}
+			}
+		})
+		if err != nil {
+			log.Fatalf("reading stderr: %s", err)
+		}
+	}()
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		err := readthrulines(cmdout, stdout, func(line string) {
+			if strings.HasPrefix(line, "--- FAIL: Test") {
+				r.testFailures++
+				return
+			}
+			if strings.HasPrefix(line, "FAIL\t") && strings.HasSuffix(line, "[build failed]") {
+				r.buildFailures++
+				return
+			}
+			if _, args, ok := strings.Cut(line, "flakytest: retry:"); ok {
+				wargs := strings.Split(strings.TrimSpace(args), " ")
+				if len(wargs) < 2 {
+					log.Printf("failed to retry log line %q", line)
+					return
+				}
+				test, cmd, args := wargs[0], wargs[1], wargs[2:]
+
+				p := r.retryCmds[cmd]
+				p.cmd = cmd
+				p.args = args
+				p.tests = append(p.tests, test)
+				mak.Set(&r.retryCmds, cmd, p)
+				r.testFailuresRetryable++
+				return
+			}
+		})
+		if err != nil {
+			log.Fatalf("reading stdout: %s", err)
+		}
+	}()
+
+	wg.Wait()
+	xerr := cmd.Wait()
+	return r, xerr
+}
+
+// exit calls os.Exit with the exit code for err.
+func exit(err error) {
+	code, _ := exitcode(err)
+	os.Exit(code)
+}
+
+// nonexecerr reports whether err is an error which prevented a program executing.
+func nonexecerr(err error) bool {
+	if err == nil {
+		return false
+	}
+	xe := &exec.ExitError{}
+	return !errors.As(err, &xe) || xe.ExitCode() < 0
+}
+
+// exitcode returns a representative error code for err. If err has an
+// ExitCode() int method, its exit code is returned.
+func exitcode(err error) (code int, ok bool) {
+	if xe := (interface{ ExitCode() int })(nil); errors.As(err, &xe) {
+		return xe.ExitCode(), true
+	}
+	if err != nil {
+		return 1, false
+	}
+	return 0, false
+}
+
+// readthrulines copies r to w, calling f with each line of text.
+func readthrulines(r io.Reader, w io.Writer, f func(line string)) error {
+	s := bufio.NewScanner(r)
+	for s.Scan() {
+		line := s.Text()
+		f(line)
+		io.WriteString(w, line)
+		io.WriteString(w, "\n")
+	}
+	return s.Err()
+}
+
+// cmdPkg will return the package of the binary that was built. From Go 1.24 on,
+// this will return the full package path followed by the ".test" from the
+// autogenerated main test pkg. For earlier Go versions return base(exe).
+func cmdPkg(exe string) string {
+	v, _ := exec.Command("go", "version", "-m", exe).Output()
+	_, vp, ok := bytes.Cut(v, []byte("\n\tpath\t"))
+	if ok {
+		p, _, _ := bytes.Cut(vp, []byte("\n"))
+		p = bytes.TrimSpace(p)
+		if len(p) > 0 {
+			return string(p)
+		}
+	}
+	return filepath.Base(exe)
+}
--- a/cmd/testwrapper/testwrapper_test.go
+++ b/cmd/testwrapper/testwrapper_test.go
@@ -11,7 +11,6 @@ import (
 	"os/exec"
 	"path/filepath"
 	"regexp"
-	"strings"
 	"sync"
 	"testing"
 )
@@ -155,24 +154,24 @@ func TestBuildError(t *testing.T) {
 		t.Fatalf("writing package: %s", err)
 	}

-	wantErr := "builderror_test.go:3:1: expected declaration, found derp\nFAIL"
+	buildErr := []byte("builderror_test.go:3:1: expected declaration, found derp\nFAIL	command-line-arguments [setup failed]")

 	// Confirm `go test` exits with code 1.
 	goOut, err := exec.Command("go", "test", testfile).CombinedOutput()
 	if code, ok := errExitCode(err); !ok || code != 1 {
-		t.Fatalf("go test %s: got exit code %d, want 1 (err: %v)", testfile, code, err)
+		t.Fatalf("go test %s: expected error with exit code 0 but got: %v", testfile, err)
 	}
-	if !strings.Contains(string(goOut), wantErr) {
-		t.Fatalf("go test %s: got output %q, want output containing %q", testfile, goOut, wantErr)
+	if !bytes.Contains(goOut, buildErr) {
+		t.Fatalf("go test %s: expected build error containing %q but got:\n%s", testfile, buildErr, goOut)
 	}

 	// Confirm `testwrapper` exits with code 1.
 	twOut, err := cmdTestwrapper(t, testfile).CombinedOutput()
 	if code, ok := errExitCode(err); !ok || code != 1 {
-		t.Fatalf("testwrapper %s: got exit code %d, want 1 (err: %v)", testfile, code, err)
+		t.Fatalf("testwrapper %s: expected error with exit code 0 but got: %v", testfile, err)
 	}
-	if !strings.Contains(string(twOut), wantErr) {
-		t.Fatalf("testwrapper %s: got output %q, want output containing %q", testfile, twOut, wantErr)
+	if !bytes.Contains(twOut, buildErr) {
+		t.Fatalf("testwrapper %s: expected build error containing %q but got:\n%s", testfile, buildErr, twOut)
 	}

 	if testing.Verbose() {
--- a/cmd/tsconnect/common.go
+++ b/cmd/tsconnect/common.go
@@ -176,10 +176,6 @@ func runEsbuild(buildOptions esbuild.BuildOptions) esbuild.BuildResult {
 // wasm_exec.js runtime helper library from the Go toolchain.
 func setupEsbuildWasmExecJS(build esbuild.PluginBuild) {
 	wasmExecSrcPath := filepath.Join(runtime.GOROOT(), "misc", "wasm", "wasm_exec.js")
-	if _, err := os.Stat(wasmExecSrcPath); os.IsNotExist(err) {
-		// Go 1.24+ location:
-		wasmExecSrcPath = filepath.Join(runtime.GOROOT(), "lib", "wasm", "wasm_exec.js")
-	}
 	build.OnResolve(esbuild.OnResolveOptions{
 		Filter: "./wasm_exec$",
 	}, func(args esbuild.OnResolveArgs) (esbuild.OnResolveResult, error) {
--- a/cmd/tsidp/Dockerfile
+++ b/cmd/tsidp/Dockerfile
@@ -1,41 +0,0 @@
-# Build stage
-FROM golang:alpine AS builder
-
-# Install build dependencies
-RUN apk add --no-cache git
-
-# Set working directory
-WORKDIR /src
-
-# Copy only go.mod and go.sum first to leverage Docker caching
-COPY go.mod go.sum ./
-RUN go mod download
-
-# Copy the entire repository
-COPY . .
-
-# Build the tsidp binary
-RUN go build -o /bin/tsidp ./cmd/tsidp
-
-# Final stage
-FROM alpine:latest
-
-# Create necessary directories
-RUN mkdir -p /var/lib/tsidp
-
-# Copy binary from builder stage
-COPY --from=builder /bin/tsidp /app/tsidp
-
-# Set working directory
-WORKDIR /app
-
-# Environment variables
-ENV TAILSCALE_USE_WIP_CODE=1 \
-    TS_HOSTNAME=tsidp \
-    TS_STATE_DIR=/var/lib/tsidp
-
-# Expose the default port
-EXPOSE 443
-
-# Run the application
-ENTRYPOINT ["/app/tsidp"]
--- a/cmd/tsidp/README.md
+++ b/cmd/tsidp/README.md
@@ -1,100 +0,0 @@
-# `tsidp` - Tailscale OpenID Connect (OIDC) Identity Provider
-
-[![status: experimental](https://img.shields.io/badge/status-experimental-blue)](https://tailscale.com/kb/1167/release-stages/#experimental)
-
-`tsidp` is an OIDC Identity Provider (IdP) server that integrates with your Tailscale network. It allows you to use Tailscale identities for authentication in applications that support OpenID Connect, enabling single sign-on (SSO) capabilities within your tailnet.
-
-## Prerequisites
-
- A Tailscale network (tailnet) with magicDNS and HTTPS enabled
- A Tailscale authentication key from your tailnet
- Docker installed on your system
-
-## Installation using Docker
-
-1. **Build the Docker Image**
-
-   The Dockerfile uses a multi-stage build process to:
-   - Build the `tsidp` binary from source
-   - Create a minimal Alpine-based image with just the necessary components
-
-   ```bash
-   # Clone the Tailscale repository
-   git clone https://github.com/tailscale/tailscale.git
-   cd tailscale
-   ```
-
-   ```bash
-   # Build the Docker image
-   docker build -t tsidp:latest -f cmd/tsidp/Dockerfile .
-   ```
-
-2. **Run the Container**
-
-   Replace `YOUR_TAILSCALE_AUTHKEY` with your Tailscale authentication key.
-
-   ```bash
-   docker run -d \
-     --name `tsidp` \
-     -p 443:443 \
-     -e TS_AUTHKEY=YOUR_TAILSCALE_AUTHKEY \
-     -e TS_HOSTNAME=tsidp \
-     -v tsidp-data:/var/lib/tsidp \
-     tsidp:latest
-   ```
-
-3. **Verify Installation**
-   ```bash
-   docker logs tsidp
-   ```
-
-   Visit `https://tsidp.tailnet.ts.net` to confirm the service is running.
-
-## Usage Example: Proxmox Integration
-
-Here's how to configure Proxmox to use `tsidp` for authentication:
-
-1. In Proxmox, navigate to Datacenter > Realms > Add OpenID Connect Server
-
-2. Configure the following settings:
-   - Issuer URL: `https://idp.velociraptor.ts.net`
-   - Realm: `tailscale` (or your preferred name)
-   - Client ID: `unused`
-   - Client Key: `unused`
-   - Default: `true`
-   - Autocreate users: `true`
-   - Username claim: `email`
-
-3. Set up user permissions:
-   - Go to Datacenter > Permissions > Groups
-   - Create a new group (e.g., "tsadmins")
-   - Click Permissions in the sidebar
-   - Add Group Permission
-   - Set Path to `/` for full admin access or scope as needed
-   - Set the group and role
-   - Add Tailscale-authenticated users to the group
-
-## Configuration Options
-
-The `tsidp` server supports several command-line flags:
-
- `--verbose`: Enable verbose logging
- `--port`: Port to listen on (default: 443)
- `--local-port`: Allow requests from localhost
- `--use-local-tailscaled`: Use local tailscaled instead of tsnet
- `--dir`: tsnet state directory
-
-## Environment Variables
-
- `TS_AUTHKEY`: Your Tailscale authentication key (required)
- `TS_HOSTNAME`: Hostname for the `tsidp` server (default: "idp")
- `TS_STATE_DIR`: State directory (default: "/var/lib/tsidp")
- `TAILSCALE_USE_WIP_CODE`: Enable work-in-progress code (default: "1")
-
-## Support
-
-This is an [experimental](https://tailscale.com/kb/1167/release-stages#experimental), work in progress feature. For issues or questions, file issues on the [GitHub repository](https://github.com/tailscale/tailscale)
-
-## License
-
-BSD-3-Clause License. See [LICENSE](../../LICENSE) for details.
--- a/cmd/tsidp/tsidp.go
+++ b/cmd/tsidp/tsidp.go
@@ -11,7 +11,6 @@ import (
 	"context"
 	crand "crypto/rand"
 	"crypto/rsa"
-	"crypto/subtle"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
@@ -346,9 +345,7 @@ func (ar *authRequest) allowRelyingParty(r *http.Request, lc *local.Client) erro
 			clientID = r.FormValue("client_id")
 			clientSecret = r.FormValue("client_secret")
 		}
-		clientIDcmp := subtle.ConstantTimeCompare([]byte(clientID), []byte(ar.funnelRP.ID))
-		clientSecretcmp := subtle.ConstantTimeCompare([]byte(clientSecret), []byte(ar.funnelRP.Secret))
-		if clientIDcmp != 1 || clientSecretcmp != 1 {
+		if ar.funnelRP.ID != clientID || ar.funnelRP.Secret != clientSecret {
 			return fmt.Errorf("tsidp: invalid client credentials")
 		}
 		return nil
@@ -765,18 +762,6 @@ var (
 )

 func (s *idpServer) serveOpenIDConfig(w http.ResponseWriter, r *http.Request) {
-	h := w.Header()
-	h.Set("Access-Control-Allow-Origin", "*")
-	h.Set("Access-Control-Allow-Method", "GET, OPTIONS")
-	// allow all to prevent errors from client sending their own bespoke headers
-	// and having the server reject the request.
-	h.Set("Access-Control-Allow-Headers", "*")
-
-	// early return for pre-flight OPTIONS requests.
-	if r.Method == "OPTIONS" {
-		w.WriteHeader(http.StatusOK)
-		return
-	}
 	if r.URL.Path != oidcConfigPath {
 		http.Error(w, "tsidp: not found", http.StatusNotFound)
 		return
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -119,7 +119,6 @@ type Auto struct {
 	updateCh      chan struct{} // readable when we should inform the server of a change
 	observer      Observer      // called to update Client status; always non-nil
 	observerQueue execqueue.ExecQueue
-	shutdownFn    func() // to be called prior to shutdown or nil

 	unregisterHealthWatch func()

@@ -190,7 +189,6 @@ func NewNoStart(opts Options) (_ *Auto, err error) {
 		mapDone:    make(chan struct{}),
 		updateDone: make(chan struct{}),
 		observer:   opts.Observer,
-		shutdownFn: opts.Shutdown,
 	}
 	c.authCtx, c.authCancel = context.WithCancel(context.Background())
 	c.authCtx = sockstats.WithSockStats(c.authCtx, sockstats.LabelControlClientAuto, opts.Logf)
@@ -757,7 +755,6 @@ func (c *Auto) Shutdown() {
 		return
 	}
 	c.logf("client.Shutdown ...")
-	shutdownFn := c.shutdownFn

 	direct := c.direct
 	c.closed = true
@@ -770,10 +767,6 @@ func (c *Auto) Shutdown() {
 	c.unpauseWaiters = nil
 	c.mu.Unlock()

-	if shutdownFn != nil {
-		shutdownFn()
-	}
-
 	c.unregisterHealthWatch()
 	<-c.authDone
 	<-c.mapDone
--- a/control/controlclient/controlclient_test.go
+++ b/control/controlclient/controlclient_test.go
@@ -4,8 +4,6 @@
 package controlclient

 import (
-	"errors"
-	"fmt"
 	"io"
 	"reflect"
 	"slices"
@@ -149,42 +147,3 @@ func TestCanSkipStatus(t *testing.T) {
 		t.Errorf("Status fields = %q; this code was only written to handle fields %q", f, want)
 	}
 }
-
-func TestRetryableErrors(t *testing.T) {
-	errorTests := []struct {
-		err  error
-		want bool
-	}{
-		{errNoNoiseClient, true},
-		{errNoNodeKey, true},
-		{fmt.Errorf("%w: %w", errNoNoiseClient, errors.New("no noise")), true},
-		{fmt.Errorf("%w: %w", errHTTPPostFailure, errors.New("bad post")), true},
-		{fmt.Errorf("%w: %w", errNoNodeKey, errors.New("not node key")), true},
-		{errBadHTTPResponse(429, "too may requests"), true},
-		{errBadHTTPResponse(500, "internal server eror"), true},
-		{errBadHTTPResponse(502, "bad gateway"), true},
-		{errBadHTTPResponse(503, "service unavailable"), true},
-		{errBadHTTPResponse(504, "gateway timeout"), true},
-		{errBadHTTPResponse(1234, "random error"), false},
-	}
-
-	for _, tt := range errorTests {
-		t.Run(tt.err.Error(), func(t *testing.T) {
-			if isRetryableErrorForTest(tt.err) != tt.want {
-				t.Fatalf("retriable: got %v, want %v", tt.err, tt.want)
-			}
-		})
-	}
-}
-
-type retryableForTest interface {
-	Retryable() bool
-}
-
-func isRetryableErrorForTest(err error) bool {
-	var ae retryableForTest
-	if errors.As(err, &ae) {
-		return ae.Retryable()
-	}
-	return false
-}
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -156,11 +156,6 @@ type Options struct {
 	// If we receive a new DialPlan from the server, this value will be
 	// updated.
 	DialPlan ControlDialPlanner
-
-	// Shutdown is an optional function that will be called before client shutdown is
-	// attempted. It is used to allow the client to clean up any resources or complete any
-	// tasks that are dependent on a live client.
-	Shutdown func()
 }

 // ControlDialPlanner is the interface optionally supplied when creating a
@@ -1260,7 +1255,6 @@ type devKnobs struct {
 	DumpNetMapsVerbose func() bool
 	ForceProxyDNS      func() bool
 	StripEndpoints     func() bool // strip endpoints from control (only use disco messages)
-	StripHomeDERP      func() bool // strip Home DERP from control
 	StripCaps          func() bool // strip all local node's control-provided capabilities
 }

@@ -1272,7 +1266,6 @@ func initDevKnob() devKnobs {
 		DumpRegister:       envknob.RegisterBool("TS_DEBUG_REGISTER"),
 		ForceProxyDNS:      envknob.RegisterBool("TS_DEBUG_PROXY_DNS"),
 		StripEndpoints:     envknob.RegisterBool("TS_DEBUG_STRIP_ENDPOINTS"),
-		StripHomeDERP:      envknob.RegisterBool("TS_DEBUG_STRIP_HOME_DERP"),
 		StripCaps:          envknob.RegisterBool("TS_DEBUG_STRIP_CAPS"),
 	}
 }
@@ -1667,11 +1660,11 @@ func (c *Auto) SetDeviceAttrs(ctx context.Context, attrs tailcfg.AttrUpdate) err
 func (c *Direct) SetDeviceAttrs(ctx context.Context, attrs tailcfg.AttrUpdate) error {
 	nc, err := c.getNoiseClient()
 	if err != nil {
-		return fmt.Errorf("%w: %w", errNoNoiseClient, err)
+		return err
 	}
 	nodeKey, ok := c.GetPersist().PublicNodeKeyOK()
 	if !ok {
-		return errNoNodeKey
+		return errors.New("no node key")
 	}
 	if c.panicOnUse {
 		panic("tainted client")
@@ -1702,47 +1695,6 @@ func (c *Direct) SetDeviceAttrs(ctx context.Context, attrs tailcfg.AttrUpdate) e
 	return nil
 }

-// SendAuditLog implements [auditlog.Transport] by sending an audit log synchronously to the control plane.
-//
-// See docs on [tailcfg.AuditLogRequest] and [auditlog.Logger] for background.
-func (c *Auto) SendAuditLog(ctx context.Context, auditLog tailcfg.AuditLogRequest) (err error) {
-	return c.direct.sendAuditLog(ctx, auditLog)
-}
-
-func (c *Direct) sendAuditLog(ctx context.Context, auditLog tailcfg.AuditLogRequest) (err error) {
-	nc, err := c.getNoiseClient()
-	if err != nil {
-		return fmt.Errorf("%w: %w", errNoNoiseClient, err)
-	}
-
-	nodeKey, ok := c.GetPersist().PublicNodeKeyOK()
-	if !ok {
-		return errNoNodeKey
-	}
-
-	req := &tailcfg.AuditLogRequest{
-		Version: tailcfg.CurrentCapabilityVersion,
-		NodeKey: nodeKey,
-		Action:  auditLog.Action,
-		Details: auditLog.Details,
-	}
-
-	if c.panicOnUse {
-		panic("tainted client")
-	}
-
-	res, err := nc.post(ctx, "/machine/audit-log", nodeKey, req)
-	if err != nil {
-		return fmt.Errorf("%w: %w", errHTTPPostFailure, err)
-	}
-	defer res.Body.Close()
-	if res.StatusCode != 200 {
-		all, _ := io.ReadAll(res.Body)
-		return errBadHTTPResponse(res.StatusCode, string(all))
-	}
-	return nil
-}
-
 func addLBHeader(req *http.Request, nodeKey key.NodePublic) {
 	if !nodeKey.IsZero() {
 		req.Header.Add(tailcfg.LBHeader, nodeKey.String())
--- a/control/controlclient/errors.go
+++ b/control/controlclient/errors.go
@@ -1,51 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package controlclient
-
-import (
-	"errors"
-	"fmt"
-	"net/http"
-)
-
-// apiResponseError is an error type that can be returned by controlclient
-// api requests.
-//
-// It wraps an underlying error and a flag for clients to query if the
-// error is retryable via the Retryable() method.
-type apiResponseError struct {
-	err       error
-	retryable bool
-}
-
-// Error implements [error].
-func (e *apiResponseError) Error() string {
-	return e.err.Error()
-}
-
-// Retryable reports whether the error is retryable.
-func (e *apiResponseError) Retryable() bool {
-	return e.retryable
-}
-
-func (e *apiResponseError) Unwrap() error { return e.err }
-
-var (
-	errNoNodeKey       = &apiResponseError{errors.New("no node key"), true}
-	errNoNoiseClient   = &apiResponseError{errors.New("no noise client"), true}
-	errHTTPPostFailure = &apiResponseError{errors.New("http failure"), true}
-)
-
-func errBadHTTPResponse(code int, msg string) error {
-	retryable := false
-	switch code {
-	case http.StatusTooManyRequests,
-		http.StatusInternalServerError,
-		http.StatusBadGateway,
-		http.StatusServiceUnavailable,
-		http.StatusGatewayTimeout:
-		retryable = true
-	}
-	return &apiResponseError{fmt.Errorf("http error %d: %s", code, msg), retryable}
-}
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -240,9 +240,6 @@ func upgradeNode(n *tailcfg.Node) {
 		}
 		n.LegacyDERPString = ""
 	}
-	if DevKnob.StripHomeDERP() {
-		n.HomeDERP = 0
-	}

 	if n.AllowedIPs == nil {
 		n.AllowedIPs = slices.Clone(n.Addresses)
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -137,7 +137,6 @@ type Server struct {
 	metaCert    []byte // the encoded x509 cert to send after LetsEncrypt cert+intermediate
 	dupPolicy   dupPolicy
 	debug       bool
-	localClient local.Client

 	// Counters:
 	packetsSent, bytesSent     expvar.Int
@@ -486,16 +485,6 @@ func (s *Server) SetVerifyClientURLFailOpen(v bool) {
 	s.verifyClientsURLFailOpen = v
 }

-// SetTailscaledSocketPath sets the unix socket path to use to talk to
-// tailscaled if client verification is enabled.
-//
-// If unset or set to the empty string, the default path for the operating
-// system is used.
-func (s *Server) SetTailscaledSocketPath(path string) {
-	s.localClient.Socket = path
-	s.localClient.UseSocketOnly = path != ""
-}
-
 // SetTCPWriteTimeout sets the timeout for writing to connected clients.
 // This timeout does not apply to mesh connections.
 // Defaults to 2 seconds.
@@ -1331,6 +1320,8 @@ func (c *sclient) requestMeshUpdate() {
 	}
 }

+var localClient local.Client
+
 // isMeshPeer reports whether the client is a trusted mesh peer
 // node in the DERP region.
 func (s *Server) isMeshPeer(info *clientInfo) bool {
@@ -1349,7 +1340,7 @@ func (s *Server) verifyClient(ctx context.Context, clientKey key.NodePublic, inf

 	// tailscaled-based verification:
 	if s.verifyClientsLocalTailscaled {
-		_, err := s.localClient.WhoIsNodeKey(ctx, clientKey)
+		_, err := localClient.WhoIsNodeKey(ctx, clientKey)
 		if err == tailscale.ErrPeerNotFound {
 			return fmt.Errorf("peer %v not authorized (not found in local tailscaled)", clientKey)
 		}
@@ -2249,7 +2240,7 @@ func (s *Server) ConsistencyCheck() error {
 func (s *Server) checkVerifyClientsLocalTailscaled() error {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
-	status, err := s.localClient.StatusWithoutPeers(ctx)
+	status, err := localClient.StatusWithoutPeers(ctx)
 	if err != nil {
 		return fmt.Errorf("localClient.Status: %w", err)
 	}
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -652,11 +652,7 @@ func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 			tlsConf.VerifyConnection = nil
 		}
 		if node.CertName != "" {
-			if suf, ok := strings.CutPrefix(node.CertName, "sha256-raw:"); ok {
-				tlsdial.SetConfigExpectedCertHash(tlsConf, suf)
-			} else {
-				tlsdial.SetConfigExpectedCert(tlsConf, node.CertName)
-			}
+			tlsdial.SetConfigExpectedCert(tlsConf, node.CertName)
 		}
 	}
 	return tls.Client(nc, tlsConf)
@@ -670,7 +666,7 @@ func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 func (c *Client) DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tlsConn *tls.Conn, connClose io.Closer, node *tailcfg.DERPNode, err error) {
 	tcpConn, node, err := c.dialRegion(ctx, reg)
 	if err != nil {
-		return nil, nil, nil, fmt.Errorf("dialRegion(%d): %w", reg.RegionID, err)
+		return nil, nil, nil, err
 	}
 	done := make(chan bool) // unbuffered
 	defer close(done)
@@ -745,17 +741,6 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e

 	nwait := 0
 	startDial := func(dstPrimary, proto string) {
-		dst := cmp.Or(dstPrimary, n.HostName)
-
-		// If dialing an IP address directly, check its address family
-		// and bail out before incrementing nwait.
-		if ip, err := netip.ParseAddr(dst); err == nil {
-			if proto == "tcp4" && ip.Is6() ||
-				proto == "tcp6" && ip.Is4() {
-				return
-			}
-		}
-
 		nwait++
 		go func() {
 			if proto == "tcp4" && c.preferIPv6() {
@@ -770,6 +755,7 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e
 					// Start v4 dial
 				}
 			}
+			dst := cmp.Or(dstPrimary, n.HostName)
 			port := "443"
 			if !c.useHTTPS() {
 				port = "3340"
--- a/docs/windows/policy/en-US/tailscale.adml
+++ b/docs/windows/policy/en-US/tailscale.adml
@@ -109,14 +109,6 @@ If you enable this policy setting, users will not be allowed to disconnect Tails
 If necessary, it can be used along with Unattended Mode to keep Tailscale connected regardless of whether a user is logged in. This can be used to facilitate remote access to a device or ensure connectivity to a Domain Controller before a user logs in.

 If you disable or don't configure this policy setting, users will be allowed to disconnect Tailscale at their will.]]></string>
-            <string id="ReconnectAfter">Configure automatic reconnect delay</string>
-            <string id="ReconnectAfter_Help"><![CDATA[This policy setting controls when Tailscale will attempt to reconnect automatically after a user disconnects it. It helps users remain connected most of the time and retain access to corporate resources without preventing them from temporarily disconnecting Tailscale. To configure whether and when Tailscale can be disconnected, see the "Restrict users from disconnecting Tailscale (always-on mode)" policy setting.
-
-If you enable this policy setting, you can specify how long Tailscale will wait before attempting to reconnect after a user disconnects. The value should be specified as a Go duration: for example, 30s, 5m, or 1h30m. If the value is left blank, or if the specified duration is zero, Tailscale will not attempt to reconnect automatically.
-
-If you disable or don't configure this policy setting, Tailscale will only reconnect if a user chooses to or if required by a different policy setting.
-
-Refer to https://pkg.go.dev/time#ParseDuration for information about the supported duration strings.]]></string>
            <string id="ExitNodeAllowLANAccess">Allow Local Network Access when an Exit Node is in use</string>
            <string id="ExitNodeAllowLANAccess_Help"><![CDATA[This policy can be used to require that the Allow Local Network Access setting is configured a certain way.

@@ -288,12 +280,6 @@ See https://tailscale.com/kb/1315/mdm-keys#set-your-organization-name for more d
                <text>The options below allow configuring exceptions where disconnecting Tailscale is permitted.</text>
                <dropdownList refId="AlwaysOn_OverrideWithReason" noSort="true" defaultItem="0">Disconnects with reason:</dropdownList>
            </presentation>
-            <presentation id="ReconnectAfter">
-                <text>The delay must be a valid Go duration string, such as 30s, 5m, or 1h30m, all without spaces or any other symbols.</text>
-                <textBox refId="ReconnectAfterDelay">
-                    <label>Reconnect after:</label>
-                </textBox>
-            </presentation>
            <presentation id="ExitNodeID">
                <textBox refId="ExitNodeIDPrompt">
                    <label>Exit Node:</label>
--- a/docs/windows/policy/tailscale.admx
+++ b/docs/windows/policy/tailscale.admx
@@ -156,13 +156,6 @@
        </enum>
      </elements>
    </policy>
-    <policy name="ReconnectAfter" class="Machine" displayName="$(string.ReconnectAfter)" explainText="$(string.ReconnectAfter_Help)" presentation="$(presentation.ReconnectAfter)" key="Software\Policies\Tailscale">
-      <parentCategory ref="Settings_Category" />
-      <supportedOn ref="SINCE_V1_82" />
-      <elements>
-        <text id="ReconnectAfterDelay" valueName="ReconnectAfter" required="true" />
-      </elements>
-    </policy>
    <policy name="ExitNodeAllowLANAccess" class="Machine" displayName="$(string.ExitNodeAllowLANAccess)" explainText="$(string.ExitNodeAllowLANAccess_Help)" key="Software\Policies\Tailscale" valueName="ExitNodeAllowLANAccess">
      <parentCategory ref="Settings_Category" />
      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
--- a/envknob/envknob.go
+++ b/envknob/envknob.go
@@ -417,23 +417,6 @@ func App() string {
 	return ""
 }

-// IsCertShareReadOnlyMode returns true if this replica should never attempt to
-// issue or renew TLS credentials for any of the HTTPS endpoints that it is
-// serving. It should only return certs found in its cert store.  Currently,
-// this is used by the Kubernetes Operator's HA Ingress via VIPServices, where
-// multiple Ingress proxy instances serve the same HTTPS endpoint with a shared
-// TLS credentials. The TLS credentials should only be issued by one of the
-// replicas.
-// For HTTPS Ingress the operator and containerboot ensure
-// that read-only replicas will not be serving the HTTPS endpoints before there
-// is a shared cert available.
-func IsCertShareReadOnlyMode() bool {
-	m := String("TS_CERT_SHARE_MODE")
-	return m == modeRO
-}
-
-const modeRO = "ro"
-
 // CrashOnUnexpected reports whether the Tailscale client should panic
 // on unexpected conditions. If TS_DEBUG_CRASH_ON_UNEXPECTED is set, that's
 // used. Otherwise the default value is true for unstable builds.
--- a/flake.nix
+++ b/flake.nix
@@ -130,4 +130,4 @@
  in
    flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-SiUkN6BQK1IQmLfkfPetzvYqRu9ENK6+6txtGxegF5Y=
+# nix-direnv cache busting line: sha256-xO1DuLWi6/lpA9ubA2ZYVJM+CkVNA5IaVGZxX9my0j0=
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module tailscale.com

-go 1.24.0
+go 1.23.6

 require (
 	filippo.io/mkcert v1.4.4
@@ -20,7 +20,6 @@ require (
 	github.com/coder/websocket v1.8.12
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
-	github.com/creachadair/taskgroup v0.13.2
 	github.com/creack/pty v1.1.23
 	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa
 	github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e
@@ -33,7 +32,7 @@ require (
 	github.com/frankban/quicktest v1.14.6
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/gaissmai/bart v0.18.0
-	github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874
+	github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288
 	github.com/go-logr/zapr v1.3.0
 	github.com/go-ole/go-ole v1.3.0
 	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466
@@ -75,10 +74,10 @@ require (
 	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e
 	github.com/tailscale/depaware v0.0.0-20250112153213-b748de04d81b
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20250218230618-9a281fd8faca
+	github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
-	github.com/tailscale/mkctr v0.0.0-20250228050937-c75ea1476830
+	github.com/tailscale/mkctr v0.0.0-20250110151924-54977352e4a6
 	github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7
 	github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc
 	github.com/tailscale/setec v0.0.0-20250205144240-8898a29c3fbb
@@ -94,10 +93,10 @@ require (
 	go.uber.org/zap v1.27.0
 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.35.0
+	golang.org/x/crypto v0.33.0
 	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
 	golang.org/x/mod v0.23.0
-	golang.org/x/net v0.36.0
+	golang.org/x/net v0.35.0
 	golang.org/x/oauth2 v0.26.0
 	golang.org/x/sync v0.11.0
 	golang.org/x/sys v0.30.0
--- a/go.mod.sri
+++ b/go.mod.sri
@@ -1 +1 @@
-sha256-SiUkN6BQK1IQmLfkfPetzvYqRu9ENK6+6txtGxegF5Y=
+sha256-xO1DuLWi6/lpA9ubA2ZYVJM+CkVNA5IaVGZxX9my0j0=
--- a/go.sum
+++ b/go.sum
@@ -231,8 +231,6 @@ github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creachadair/mds v0.17.1 h1:lXQbTGKmb3nE3aK6OEp29L1gCx6B5ynzlQ6c1KOBurc=
 github.com/creachadair/mds v0.17.1/go.mod h1:4b//mUiL8YldH6TImXjmW45myzTLNS1LLjOmrk888eg=
-github.com/creachadair/taskgroup v0.13.2 h1:3KyqakBuFsm3KkXi/9XIb0QcA8tEzLHLgaoidf0MdVc=
-github.com/creachadair/taskgroup v0.13.2/go.mod h1:i3V1Zx7H8RjwljUEeUWYT30Lmb9poewSb2XI1yTwD0g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
 github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
@@ -300,8 +298,6 @@ github.com/firefart/nonamedreturns v1.0.4 h1:abzI1p7mAEPYuR4A+VLKn4eNDOycjYo2phm
 github.com/firefart/nonamedreturns v1.0.4/go.mod h1:TDhe/tjI1BXo48CmYbUduTV7BdIga8MAO/xbKdcVsGI=
 github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8=
 github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
-github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
-github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
@@ -331,8 +327,8 @@ github.com/go-git/go-git/v5 v5.13.1/go.mod h1:qryJB4cSBoq3FRoBRf5A77joojuBcmPJ0q
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874 h1:F8d1AJ6M9UQCavhwmO6ZsrYLfG8zVFWfEfMS2MXPkSY=
-github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
+github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288 h1:KbX3Z3CgiYlbaavUq3Cj9/MjpO+88S7/AGXzynVDv84=
+github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288/go.mod h1:BWmvoE1Xia34f3l/ibJweyhrT+aROb/FQ6d+37F0e2s=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -904,14 +900,14 @@ github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20250218230618-9a281fd8faca h1:ecjHwH73Yvqf/oIdQ2vxAX+zc6caQsYdPzsxNW1J3G8=
-github.com/tailscale/golang-x-crypto v0.0.0-20250218230618-9a281fd8faca/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
+github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4 h1:rXZGgEa+k2vJM8xT0PoSKfVXwFGPQ3z3CJfmnHJkZZw=
+github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
-github.com/tailscale/mkctr v0.0.0-20250228050937-c75ea1476830 h1:SwZ72kr1oRzzSPA5PYB4hzPh22UI0nm0dapn3bHaUPs=
-github.com/tailscale/mkctr v0.0.0-20250228050937-c75ea1476830/go.mod h1:qTslktI+Qh9hXo7ZP8xLkl5V8AxUMfxG0xLtkCFLxnw=
+github.com/tailscale/mkctr v0.0.0-20250110151924-54977352e4a6 h1:9SuADtKJAGQkIpnpg5znEJ86QaxacN25pHkiEXTDjzg=
+github.com/tailscale/mkctr v0.0.0-20250110151924-54977352e4a6/go.mod h1:qTslktI+Qh9hXo7ZP8xLkl5V8AxUMfxG0xLtkCFLxnw=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
@@ -1045,8 +1041,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
-golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1135,8 +1131,8 @@ golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
-golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
--- a/go.toolchain.branch
+++ b/go.toolchain.branch
@@ -1 +1 @@
-tailscale.go1.24
+tailscale.go1.23
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-4fdaeeb8fe43bcdb4e8cc736433b9cd9c0ddd221
+65c3f5f3fc9d96f56a37a79cad4ebbd7ff985801
--- a/gokrazy/build.go
+++ b/gokrazy/build.go
@@ -11,6 +11,7 @@ package main

 import (
 	"bytes"
+	"cmp"
 	"encoding/json"
 	"errors"
 	"flag"
@@ -29,6 +30,7 @@ import (
 var (
 	app    = flag.String("app", "tsapp", "appliance name; one of the subdirectories of gokrazy/")
 	bucket = flag.String("bucket", "tskrazy-import", "S3 bucket to upload disk image to while making AMI")
+	goArch = flag.String("arch", cmp.Or(os.Getenv("GOARCH"), "amd64"), "GOARCH architecture to build for: arm64 or amd64")
 	build  = flag.Bool("build", false, "if true, just build locally and stop, without uploading")
 )

@@ -52,26 +54,6 @@ func findMkfsExt4() (string, error) {
 	return "", errors.New("No mkfs.ext4 found on system")
 }

-var conf gokrazyConfig
-
-// gokrazyConfig is the subset of gokrazy/internal/config.Struct
-// that we care about.
-type gokrazyConfig struct {
-	// Environment is os.Environment pairs to use when
-	// building userspace.
-	// See https://gokrazy.org/userguide/instance-config/#environment
-	Environment []string
-}
-
-func (c *gokrazyConfig) GOARCH() string {
-	for _, e := range c.Environment {
-		if v, ok := strings.CutPrefix(e, "GOARCH="); ok {
-			return v
-		}
-	}
-	return ""
-}
-
 func main() {
 	flag.Parse()

@@ -79,19 +61,6 @@ func main() {
 		log.Fatalf("--app must be non-empty name such as 'tsapp' or 'natlabapp'")
 	}

-	confJSON, err := os.ReadFile(filepath.Join(*app, "config.json"))
-	if err != nil {
-		log.Fatalf("reading config.json: %v", err)
-	}
-	if err := json.Unmarshal(confJSON, &conf); err != nil {
-		log.Fatalf("unmarshaling config.json: %v", err)
-	}
-	switch conf.GOARCH() {
-	case "amd64", "arm64":
-	default:
-		log.Fatalf("config.json GOARCH %q must be amd64 or arm64", conf.GOARCH())
-	}
-
 	if err := buildImage(); err != nil {
 		log.Fatalf("build image: %v", err)
 	}
@@ -137,6 +106,7 @@ func buildImage() error {
 	// Build the tsapp.img
 	var buf bytes.Buffer
 	cmd := exec.Command("go", "run",
+		"-exec=env GOOS=linux GOARCH="+*goArch+" ",
 		"github.com/gokrazy/tools/cmd/gok",
 		"--parent_dir="+dir,
 		"--instance="+*app,
@@ -283,13 +253,13 @@ func waitForImportSnapshot(importTaskID string) (snapID string, err error) {

 func makeAMI(name, ebsSnapID string) (ami string, err error) {
 	var arch string
-	switch conf.GOARCH() {
+	switch *goArch {
 	case "arm64":
 		arch = "arm64"
 	case "amd64":
 		arch = "x86_64"
 	default:
-		return "", fmt.Errorf("unknown arch %q", conf.GOARCH())
+		return "", fmt.Errorf("unknown arch %q", *goArch)
 	}
 	out, err := exec.Command("aws", "ec2", "register-image",
 		"--name", name,
--- a/gokrazy/go.mod
+++ b/gokrazy/go.mod
@@ -1,13 +1,13 @@
 module tailscale.com/gokrazy

-go 1.23
+go 1.23.1

-require github.com/gokrazy/tools v0.0.0-20250128200151-63160424957c
+require github.com/gokrazy/tools v0.0.0-20240730192548-9f81add3a91e

 require (
 	github.com/breml/rootcerts v0.2.10 // indirect
 	github.com/donovanhide/eventsource v0.0.0-20210830082556-c59027999da0 // indirect
-	github.com/gokrazy/internal v0.0.0-20250126213949-423a5b587b57 // indirect
+	github.com/gokrazy/internal v0.0.0-20240629150625-a0f1dee26ef5 // indirect
 	github.com/gokrazy/updater v0.0.0-20230215172637-813ccc7f21e2 // indirect
 	github.com/google/renameio/v2 v2.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -15,5 +15,9 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	golang.org/x/mod v0.11.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
 )
+
+replace github.com/gokrazy/gokrazy => github.com/tailscale/gokrazy v0.0.0-20240812224643-6b21ddf64678
+
+replace github.com/gokrazy/tools => github.com/tailscale/gokrazy-tools v0.0.0-20240730192548-9f81add3a91e
--- a/gokrazy/go.sum
+++ b/gokrazy/go.sum
@@ -3,10 +3,8 @@ github.com/breml/rootcerts v0.2.10/go.mod h1:24FDtzYMpqIeYC7QzaE8VPRQaFZU5TIUDly
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/donovanhide/eventsource v0.0.0-20210830082556-c59027999da0 h1:C7t6eeMaEQVy6e8CarIhscYQlNmw5e3G36y7l7Y21Ao=
 github.com/donovanhide/eventsource v0.0.0-20210830082556-c59027999da0/go.mod h1:56wL82FO0bfMU5RvfXoIwSOP2ggqqxT+tAfNEIyxuHw=
-github.com/gokrazy/internal v0.0.0-20250126213949-423a5b587b57 h1:f5bEvO4we3fbfiBkECrrUgWQ8OH6J3SdB2Dwxid/Yx4=
-github.com/gokrazy/internal v0.0.0-20250126213949-423a5b587b57/go.mod h1:SJG1KwuJQXFEoBgryaNCkMbdISyovDgZd0xmXJRZmiw=
-github.com/gokrazy/tools v0.0.0-20250128200151-63160424957c h1:iEbS8GrNOn671ze8J/AfrYFEVzf8qMx8aR5K0VxPK2w=
-github.com/gokrazy/tools v0.0.0-20250128200151-63160424957c/go.mod h1:f2vZhnaPzy92+Bjpx1iuZHK7VuaJx6SNCWQWmu23HZA=
+github.com/gokrazy/internal v0.0.0-20240629150625-a0f1dee26ef5 h1:XDklMxV0pE5jWiNaoo5TzvWfqdoiRRScmr4ZtDzE4Uw=
+github.com/gokrazy/internal v0.0.0-20240629150625-a0f1dee26ef5/go.mod h1:t3ZirVhcs9bH+fPAJuGh51rzT7sVCZ9yfXvszf0ZjF0=
 github.com/gokrazy/updater v0.0.0-20230215172637-813ccc7f21e2 h1:kBY5R1tSf+EYZ+QaSrofLaVJtBqYsVNVBWkdMq3Smcg=
 github.com/gokrazy/updater v0.0.0-20230215172637-813ccc7f21e2/go.mod h1:PYOvzGOL4nlBmuxu7IyKQTFLaxr61+WPRNRzVtuYOHw=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
@@ -21,12 +19,14 @@ github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
 github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/tailscale/gokrazy-tools v0.0.0-20240730192548-9f81add3a91e h1:3/xIc1QCvnKL7BCLng9od98HEvxCadjvqiI/bN+Twso=
+github.com/tailscale/gokrazy-tools v0.0.0-20240730192548-9f81add3a91e/go.mod h1:eTZ0QsugEPFU5UAQ/87bKMkPxQuTNa7+iFAIahOFwRg=
 golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
 golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/gokrazy/natlabapp.arm64/builddir/tailscale.com/go.sum
+++ b/gokrazy/natlabapp.arm64/builddir/tailscale.com/go.sum
@@ -4,58 +4,32 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU=
 github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4=
-github.com/aws/aws-sdk-go-v2 v1.36.0 h1:b1wM5CcE65Ujwn565qcwgtOTT1aT4ADOHHgglKjG7fk=
-github.com/aws/aws-sdk-go-v2 v1.36.0/go.mod h1:5PMILGVKiW32oDzjj6RU52yrNrDPUHcbZQYr1sM7qmM=
 github.com/aws/aws-sdk-go-v2/config v1.26.5 h1:lodGSevz7d+kkFJodfauThRxK9mdJbyutUxGq1NNhvw=
 github.com/aws/aws-sdk-go-v2/config v1.26.5/go.mod h1:DxHrz6diQJOc9EwDslVRh84VjjrE17g+pVZXUeSxaDU=
-github.com/aws/aws-sdk-go-v2/config v1.29.5 h1:4lS2IB+wwkj5J43Tq/AwvnscBerBJtQQ6YS7puzCI1k=
-github.com/aws/aws-sdk-go-v2/config v1.29.5/go.mod h1:SNzldMlDVbN6nWxM7XsUiNXPSa1LWlqiXtvh/1PrJGg=
 github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8=
 github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.58 h1:/d7FUpAPU8Lf2KUdjniQvfNdlMID0Sd9pS23FJ3SS9Y=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.58/go.mod h1:aVYW33Ow10CyMQGFgC0ptMRIqJWvJ4nxZb0sUiuQT/A=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27 h1:7lOW8NUwE9UZekS1DYoiPdVAqZ6A+LheHWb+mHbNOq8=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27/go.mod h1:w1BASFIPOPUae7AgaH4SbjNbfdkxuggLyGfNFTn8ITY=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.31 h1:lWm9ucLSRFiI4dQQafLrEOmEDGry3Swrz0BIRdiHJqQ=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.31/go.mod h1:Huu6GG0YTfbPphQkDSo4dEGmQRTKb9k9G7RdtyQWxuI=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.31 h1:ACxDklUKKXb48+eg5ROZXi1vDgfMyfIA/WyvqHcHI0o=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.31/go.mod h1:yadnfsDwqXeVaohbGc/RaD287PuyRw2wugkh5ZL2J6k=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 h1:GrSw8s0Gs/5zZ0SX+gX4zQjRnRsMJDJ2sLur1gRBhEM=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 h1:Pg9URiobXy85kgFev3og2CuOZ8JZUBENF+dcgWBaYNk=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 h1:D4oz8/CzT9bAEYtVhSBmFj2dNOtaHOtMKc2vHBwYizA=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2/go.mod h1:Za3IHqTQ+yNcRHxu1OFucBh0ACZT4j4VQFF0BqpZcLY=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.12 h1:O+8vD2rGjfihBewr5bT+QUfYUHIxCVgG61LHoT59shM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.12/go.mod h1:usVdWJaosa66NMvmCrr08NcWDBRv4E6+YFG2pUdw1Lk=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7 h1:a8HvP/+ew3tKwSXqL3BCSjiuicr+XTU2eFYeogV9GJE=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7/go.mod h1:Q7XIWsMo0JcMpI/6TGD6XXcXcV1DbTj6e9BKNntIMIM=
 github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow=
 github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.14 h1:c5WJ3iHz7rLIgArznb3JCSQT3uUMiz9DLZhIX+1G8ok=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.14/go.mod h1:+JJQTxB6N4niArC14YNtxcQtwEqzS3o9Z32n7q33Rfs=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13 h1:f1L/JtUkVODD+k1+IiSJUUv8A++2qVr+Xvb3xWXETMU=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13/go.mod h1:tvqlFoja8/s0o+UruA1Nrezo/df0PzdunMDDurUfg6U=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U=
-github.com/aws/aws-sdk-go-v2/service/sts v1.33.13 h1:3LXNnmtH3TURctC23hnC0p/39Q5gre3FI7BNOiDcVWc=
-github.com/aws/aws-sdk-go-v2/service/sts v1.33.13/go.mod h1:7Yn+p66q/jt38qMoVfNvjbm3D89mGBnkwDcijgtih8w=
 github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
 github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
-github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
-github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/bits-and-blooms/bitset v1.13.0 h1:bAQ9OPNFYbGHV6Nez0tmNI0RiEu7/hxlYJRUA0wFAVE=
 github.com/bits-and-blooms/bitset v1.13.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
@@ -72,14 +46,10 @@ github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
 github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
 github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
-github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/gaissmai/bart v0.11.1 h1:5Uv5XwsaFBRo4E5VBcb9TzY8B7zxFf+U7isDxqOrRfc=
 github.com/gaissmai/bart v0.11.1/go.mod h1:KHeYECXQiBjTzQz/om2tqn3sZF1J7hw9m6z41ftj3fg=
 github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 h1:ymLjT4f35nQbASLnvxEde4XOBL+Sn7rFuV+FOJqkljg=
 github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0/go.mod h1:6daplAwHHGbUGib4990V3Il26O0OC4aRyvewaaAihaA=
-github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288 h1:KbX3Z3CgiYlbaavUq3Cj9/MjpO+88S7/AGXzynVDv84=
-github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288/go.mod h1:BWmvoE1Xia34f3l/ibJweyhrT+aROb/FQ6d+37F0e2s=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -92,8 +62,6 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
 github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
-github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30 h1:fiJdrgVBkjZ5B1HJ2WQwNOaXB+QyYcNXTA3t1XYLz0M=
-github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU=
@@ -102,8 +70,6 @@ github.com/illarion/gonotify v1.0.1 h1:F1d+0Fgbq/sDWjj/r66ekjDG+IDeecQKUFH4wNwso
 github.com/illarion/gonotify v1.0.1/go.mod h1:zt5pmDofZpU1f8aqlK0+95eQhoEAn/d4G4B/FjVW4jE=
 github.com/illarion/gonotify/v2 v2.0.2 h1:oDH5yvxq9oiQGWUeut42uShcWzOy/hsT9E7pvO95+kQ=
 github.com/illarion/gonotify/v2 v2.0.2/go.mod h1:38oIJTgFqupkEydkkClkbL6i5lXV/bxdH9do5TALPEE=
-github.com/illarion/gonotify/v2 v2.0.3 h1:B6+SKPo/0Sw8cRJh1aLzNEeNVFfzE3c6N+o+vyxM+9A=
-github.com/illarion/gonotify/v2 v2.0.3/go.mod h1:38oIJTgFqupkEydkkClkbL6i5lXV/bxdH9do5TALPEE=
 github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
 github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
 github.com/jellydator/ttlcache/v3 v3.1.0 h1:0gPFG0IHHP6xyUyXq+JaD8fwkDCqgqwohXNJBcYE71g=
@@ -118,8 +84,6 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNU
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
 github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a h1:+RR6SqnTkDLWyICxS1xpjCi/3dhyV+TgZwA6Ww3KncQ=
 github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a/go.mod h1:YTtCCM3ryyfiu4F7t8HQ1mxvp1UBdWM2r6Xa+nGWvDk=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
@@ -132,8 +96,6 @@ github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy5
 github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
 github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
 github.com/mdlayher/sdnotify v1.0.0 h1:Ma9XeLVN/l0qpyx1tNeMSeTjCPH6NtuD6/N9XdTlQ3c=
 github.com/mdlayher/sdnotify v1.0.0/go.mod h1:HQUmpM4XgYkhDLtd+Uad8ZFK1T9D5+pNxnXQjCeJlGE=
 github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
@@ -164,18 +126,12 @@ github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 h1:Gz0rz40FvFVLTBk/K8UNAenb36EbDSnh+q7Z9ldcC8w=
 github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4/go.mod h1:phI29ccmHQBc+wvroosENp1IF9195449VDnFDhJ4rJU=
-github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
-github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc/go.mod h1:f93CXfllFsO9ZQVq+Zocb1Gp4G5Fz0b0rXHLOzt/Djc=
 github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 h1:tdUdyPqJ0C97SJfjB9tW6EylTtreyee9C44de+UBG0g=
 github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
-github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:UBPHPtv8+nEAy2PD8RyAhOYvau1ek0HDJqLS/Pysi14=
-github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wireguard-go v0.0.0-20240705152531-2f5d148bcfe1 h1:ycpNCSYwzZ7x4G4ioPNtKQmIY0G/3o4pVf8wCZq6blY=
 github.com/tailscale/wireguard-go v0.0.0-20240705152531-2f5d148bcfe1/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98 h1:RNpJrXfI5u6e+uzyIzvmnXbhmhdRkVf//90sMBH3lso=
 github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
-github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19 h1:BcEJP2ewTIK2ZCsqgl6YGpuO6+oKqqag5HHb7ehljKw=
-github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tailscale/xnet v0.0.0-20240117122442-62b9a7c569f9 h1:81P7rjnikHKTJ75EkjppvbwUfKHDHYk6LJpO5PZy8pA=
 github.com/tailscale/xnet v0.0.0-20240117122442-62b9a7c569f9/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
@@ -188,8 +144,6 @@ github.com/u-root/u-root v0.12.0 h1:K0AuBFriwr0w/PGS3HawiAw89e3+MU7ks80GpghAsNs=
 github.com/u-root/u-root v0.12.0/go.mod h1:FYjTOh4IkIZHhjsd17lb8nYW6udgXdJhG1c0r6u0arI=
 github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e h1:BA9O3BmlTmpjbvajAwzWx4Wo2TRVdpPXZEeemGQcajw=
 github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
-github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
-github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
 github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
@@ -198,66 +152,42 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
-go4.org/mem v0.0.0-20240501181205-ae6ca9944745 h1:Tl++JLUCe4sxGu8cTpDzRLd3tN7US4hOxG5YpKCzkek=
-go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
 golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
-golang.org/x/crypto v0.32.1-0.20250118192723-a8ea4be81f07 h1:Z+Zg+aXJYq6f4TK2E4H+vZkQ4dJAWnInXDR6hM9znxo=
-golang.org/x/crypto v0.32.1-0.20250118192723-a8ea4be81f07/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA=
 golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
-golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
-golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
 golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
-golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
-golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
 golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
-golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
-golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
 golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.29.1-0.20250107080300-1c14dcadc3ab h1:BMkEEWYOjkvOX7+YKOGbp6jCyQ5pR2j0Ah47p1Vdsx4=
-golang.org/x/sys v0.29.1-0.20250107080300-1c14dcadc3ab/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
 golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
 golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
-golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
-golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 gvisor.dev/gvisor v0.0.0-20240306221502-ee1e1f6070e3 h1:/8/t5pz/mgdRXhYOIeqqYhFAQLE4DDGegc0Y4ZjyFJM=
 gvisor.dev/gvisor v0.0.0-20240306221502-ee1e1f6070e3/go.mod h1:NQHVAzMwvZ+Qe3ElSiHmq9RUm1MdNHpUZ52fiEqvn+0=
 gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987 h1:TU8z2Lh3Bbq77w0t1eG8yRlLcNHzZu3x6mhoH2Mk0c8=
 gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987/go.mod h1:sxc3Uvk/vHcd3tj7/DHVBoR5wvWT/MmRq2pj7HRJnwU=
-gvisor.dev/gvisor v0.0.0-20250205023644-9414b50a5633 h1:2gap+Kh/3F47cO6hAu3idFvsJ0ue6TRcEi2IUkv/F8k=
-gvisor.dev/gvisor v0.0.0-20250205023644-9414b50a5633/go.mod h1:5DMfjtclAbTIjbXqO1qCe2K5GKKxWz2JHvCChuTcJEM=
 k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q=
 k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc=
 k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k=
 k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U=
-k8s.io/client-go v0.32.0 h1:DimtMcnN/JIKZcrSrstiwvvZvLjG0aSxy8PxN8IChp8=
-k8s.io/client-go v0.32.0/go.mod h1:boDWvdM1Drk4NJj/VddSLnx59X3OPgwrOo0vGbtq9+8=
 nhooyr.io/websocket v1.8.10 h1:mv4p+MnGrLDcPlBoWsvPP7XCzTYMXP9F9eIGoKbgx7Q=
 nhooyr.io/websocket v1.8.10/go.mod h1:rN9OFWIUwuxg4fR5tELlYC04bXYowCP9GX47ivo2l+c=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
--- a/gokrazy/natlabapp.arm64/config.json
+++ b/gokrazy/natlabapp.arm64/config.json
@@ -20,10 +20,6 @@
            }
        }
    },
-    "Environment": [
-        "GOOS=linux",
-        "GOARCH=arm64"
-    ],
    "KernelPackage": "github.com/gokrazy/kernel.arm64",
    "FirmwarePackage": "github.com/gokrazy/kernel.arm64",
    "EEPROMPackage": "",
--- a/gokrazy/natlabapp/builddir/tailscale.com/go.sum
+++ b/gokrazy/natlabapp/builddir/tailscale.com/go.sum
@@ -4,58 +4,32 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU=
 github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4=
-github.com/aws/aws-sdk-go-v2 v1.36.0 h1:b1wM5CcE65Ujwn565qcwgtOTT1aT4ADOHHgglKjG7fk=
-github.com/aws/aws-sdk-go-v2 v1.36.0/go.mod h1:5PMILGVKiW32oDzjj6RU52yrNrDPUHcbZQYr1sM7qmM=
 github.com/aws/aws-sdk-go-v2/config v1.26.5 h1:lodGSevz7d+kkFJodfauThRxK9mdJbyutUxGq1NNhvw=
 github.com/aws/aws-sdk-go-v2/config v1.26.5/go.mod h1:DxHrz6diQJOc9EwDslVRh84VjjrE17g+pVZXUeSxaDU=
-github.com/aws/aws-sdk-go-v2/config v1.29.5 h1:4lS2IB+wwkj5J43Tq/AwvnscBerBJtQQ6YS7puzCI1k=
-github.com/aws/aws-sdk-go-v2/config v1.29.5/go.mod h1:SNzldMlDVbN6nWxM7XsUiNXPSa1LWlqiXtvh/1PrJGg=
 github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8=
 github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.58 h1:/d7FUpAPU8Lf2KUdjniQvfNdlMID0Sd9pS23FJ3SS9Y=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.58/go.mod h1:aVYW33Ow10CyMQGFgC0ptMRIqJWvJ4nxZb0sUiuQT/A=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27 h1:7lOW8NUwE9UZekS1DYoiPdVAqZ6A+LheHWb+mHbNOq8=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27/go.mod h1:w1BASFIPOPUae7AgaH4SbjNbfdkxuggLyGfNFTn8ITY=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.31 h1:lWm9ucLSRFiI4dQQafLrEOmEDGry3Swrz0BIRdiHJqQ=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.31/go.mod h1:Huu6GG0YTfbPphQkDSo4dEGmQRTKb9k9G7RdtyQWxuI=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.31 h1:ACxDklUKKXb48+eg5ROZXi1vDgfMyfIA/WyvqHcHI0o=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.31/go.mod h1:yadnfsDwqXeVaohbGc/RaD287PuyRw2wugkh5ZL2J6k=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 h1:GrSw8s0Gs/5zZ0SX+gX4zQjRnRsMJDJ2sLur1gRBhEM=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 h1:Pg9URiobXy85kgFev3og2CuOZ8JZUBENF+dcgWBaYNk=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 h1:D4oz8/CzT9bAEYtVhSBmFj2dNOtaHOtMKc2vHBwYizA=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2/go.mod h1:Za3IHqTQ+yNcRHxu1OFucBh0ACZT4j4VQFF0BqpZcLY=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.12 h1:O+8vD2rGjfihBewr5bT+QUfYUHIxCVgG61LHoT59shM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.12/go.mod h1:usVdWJaosa66NMvmCrr08NcWDBRv4E6+YFG2pUdw1Lk=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7 h1:a8HvP/+ew3tKwSXqL3BCSjiuicr+XTU2eFYeogV9GJE=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7/go.mod h1:Q7XIWsMo0JcMpI/6TGD6XXcXcV1DbTj6e9BKNntIMIM=
 github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow=
 github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.14 h1:c5WJ3iHz7rLIgArznb3JCSQT3uUMiz9DLZhIX+1G8ok=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.14/go.mod h1:+JJQTxB6N4niArC14YNtxcQtwEqzS3o9Z32n7q33Rfs=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13 h1:f1L/JtUkVODD+k1+IiSJUUv8A++2qVr+Xvb3xWXETMU=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13/go.mod h1:tvqlFoja8/s0o+UruA1Nrezo/df0PzdunMDDurUfg6U=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U=
-github.com/aws/aws-sdk-go-v2/service/sts v1.33.13 h1:3LXNnmtH3TURctC23hnC0p/39Q5gre3FI7BNOiDcVWc=
-github.com/aws/aws-sdk-go-v2/service/sts v1.33.13/go.mod h1:7Yn+p66q/jt38qMoVfNvjbm3D89mGBnkwDcijgtih8w=
 github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
 github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
-github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
-github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/bits-and-blooms/bitset v1.13.0 h1:bAQ9OPNFYbGHV6Nez0tmNI0RiEu7/hxlYJRUA0wFAVE=
 github.com/bits-and-blooms/bitset v1.13.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
@@ -72,14 +46,10 @@ github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
 github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
 github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
-github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/gaissmai/bart v0.11.1 h1:5Uv5XwsaFBRo4E5VBcb9TzY8B7zxFf+U7isDxqOrRfc=
 github.com/gaissmai/bart v0.11.1/go.mod h1:KHeYECXQiBjTzQz/om2tqn3sZF1J7hw9m6z41ftj3fg=
 github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 h1:ymLjT4f35nQbASLnvxEde4XOBL+Sn7rFuV+FOJqkljg=
 github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0/go.mod h1:6daplAwHHGbUGib4990V3Il26O0OC4aRyvewaaAihaA=
-github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288 h1:KbX3Z3CgiYlbaavUq3Cj9/MjpO+88S7/AGXzynVDv84=
-github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288/go.mod h1:BWmvoE1Xia34f3l/ibJweyhrT+aROb/FQ6d+37F0e2s=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -92,8 +62,6 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
 github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
-github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30 h1:fiJdrgVBkjZ5B1HJ2WQwNOaXB+QyYcNXTA3t1XYLz0M=
-github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU=
@@ -118,8 +86,6 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNU
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
 github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a h1:+RR6SqnTkDLWyICxS1xpjCi/3dhyV+TgZwA6Ww3KncQ=
 github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a/go.mod h1:YTtCCM3ryyfiu4F7t8HQ1mxvp1UBdWM2r6Xa+nGWvDk=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
@@ -132,8 +98,6 @@ github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy5
 github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
 github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
 github.com/mdlayher/sdnotify v1.0.0 h1:Ma9XeLVN/l0qpyx1tNeMSeTjCPH6NtuD6/N9XdTlQ3c=
 github.com/mdlayher/sdnotify v1.0.0/go.mod h1:HQUmpM4XgYkhDLtd+Uad8ZFK1T9D5+pNxnXQjCeJlGE=
 github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
@@ -164,20 +128,14 @@ github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 h1:Gz0rz40FvFVLTBk/K8UNAenb36EbDSnh+q7Z9ldcC8w=
 github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4/go.mod h1:phI29ccmHQBc+wvroosENp1IF9195449VDnFDhJ4rJU=
-github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
-github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc/go.mod h1:f93CXfllFsO9ZQVq+Zocb1Gp4G5Fz0b0rXHLOzt/Djc=
 github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 h1:tdUdyPqJ0C97SJfjB9tW6EylTtreyee9C44de+UBG0g=
 github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
-github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:UBPHPtv8+nEAy2PD8RyAhOYvau1ek0HDJqLS/Pysi14=
-github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wireguard-go v0.0.0-20240705152531-2f5d148bcfe1 h1:ycpNCSYwzZ7x4G4ioPNtKQmIY0G/3o4pVf8wCZq6blY=
 github.com/tailscale/wireguard-go v0.0.0-20240705152531-2f5d148bcfe1/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98 h1:RNpJrXfI5u6e+uzyIzvmnXbhmhdRkVf//90sMBH3lso=
 github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tailscale/wireguard-go v0.0.0-20240905161824-799c1978fafc h1:cezaQN9pvKVaw56Ma5qr/G646uKIYP0yQf+OyWN/okc=
 github.com/tailscale/wireguard-go v0.0.0-20240905161824-799c1978fafc/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
-github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19 h1:BcEJP2ewTIK2ZCsqgl6YGpuO6+oKqqag5HHb7ehljKw=
-github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tailscale/xnet v0.0.0-20240117122442-62b9a7c569f9 h1:81P7rjnikHKTJ75EkjppvbwUfKHDHYk6LJpO5PZy8pA=
 github.com/tailscale/xnet v0.0.0-20240117122442-62b9a7c569f9/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
@@ -190,8 +148,6 @@ github.com/u-root/u-root v0.12.0 h1:K0AuBFriwr0w/PGS3HawiAw89e3+MU7ks80GpghAsNs=
 github.com/u-root/u-root v0.12.0/go.mod h1:FYjTOh4IkIZHhjsd17lb8nYW6udgXdJhG1c0r6u0arI=
 github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e h1:BA9O3BmlTmpjbvajAwzWx4Wo2TRVdpPXZEeemGQcajw=
 github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
-github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
-github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
 github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
@@ -200,66 +156,42 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
-go4.org/mem v0.0.0-20240501181205-ae6ca9944745 h1:Tl++JLUCe4sxGu8cTpDzRLd3tN7US4hOxG5YpKCzkek=
-go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
 golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
-golang.org/x/crypto v0.32.1-0.20250118192723-a8ea4be81f07 h1:Z+Zg+aXJYq6f4TK2E4H+vZkQ4dJAWnInXDR6hM9znxo=
-golang.org/x/crypto v0.32.1-0.20250118192723-a8ea4be81f07/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA=
 golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
-golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
-golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
 golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
-golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
-golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
 golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
-golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
-golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
 golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.29.1-0.20250107080300-1c14dcadc3ab h1:BMkEEWYOjkvOX7+YKOGbp6jCyQ5pR2j0Ah47p1Vdsx4=
-golang.org/x/sys v0.29.1-0.20250107080300-1c14dcadc3ab/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
 golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
 golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
-golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
-golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 gvisor.dev/gvisor v0.0.0-20240306221502-ee1e1f6070e3 h1:/8/t5pz/mgdRXhYOIeqqYhFAQLE4DDGegc0Y4ZjyFJM=
 gvisor.dev/gvisor v0.0.0-20240306221502-ee1e1f6070e3/go.mod h1:NQHVAzMwvZ+Qe3ElSiHmq9RUm1MdNHpUZ52fiEqvn+0=
 gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987 h1:TU8z2Lh3Bbq77w0t1eG8yRlLcNHzZu3x6mhoH2Mk0c8=
 gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987/go.mod h1:sxc3Uvk/vHcd3tj7/DHVBoR5wvWT/MmRq2pj7HRJnwU=
-gvisor.dev/gvisor v0.0.0-20250205023644-9414b50a5633 h1:2gap+Kh/3F47cO6hAu3idFvsJ0ue6TRcEi2IUkv/F8k=
-gvisor.dev/gvisor v0.0.0-20250205023644-9414b50a5633/go.mod h1:5DMfjtclAbTIjbXqO1qCe2K5GKKxWz2JHvCChuTcJEM=
 k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q=
 k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc=
 k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k=
 k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U=
-k8s.io/client-go v0.32.0 h1:DimtMcnN/JIKZcrSrstiwvvZvLjG0aSxy8PxN8IChp8=
-k8s.io/client-go v0.32.0/go.mod h1:boDWvdM1Drk4NJj/VddSLnx59X3OPgwrOo0vGbtq9+8=
 nhooyr.io/websocket v1.8.10 h1:mv4p+MnGrLDcPlBoWsvPP7XCzTYMXP9F9eIGoKbgx7Q=
 nhooyr.io/websocket v1.8.10/go.mod h1:rN9OFWIUwuxg4fR5tELlYC04bXYowCP9GX47ivo2l+c=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
--- a/gokrazy/natlabapp/config.json
+++ b/gokrazy/natlabapp/config.json
@@ -20,10 +20,6 @@
            }
        }
    },
-    "Environment": [
-        "GOOS=linux",
-        "GOARCH=amd64"
-    ],
    "KernelPackage": "github.com/tailscale/gokrazy-kernel",
    "FirmwarePackage": "",
    "EEPROMPackage": "",
--- a/gokrazy/tsapp/builddir/tailscale.com/go.sum
+++ b/gokrazy/tsapp/builddir/tailscale.com/go.sum
@@ -4,80 +4,48 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU=
 github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4=
-github.com/aws/aws-sdk-go-v2 v1.36.0 h1:b1wM5CcE65Ujwn565qcwgtOTT1aT4ADOHHgglKjG7fk=
-github.com/aws/aws-sdk-go-v2 v1.36.0/go.mod h1:5PMILGVKiW32oDzjj6RU52yrNrDPUHcbZQYr1sM7qmM=
 github.com/aws/aws-sdk-go-v2/config v1.26.5 h1:lodGSevz7d+kkFJodfauThRxK9mdJbyutUxGq1NNhvw=
 github.com/aws/aws-sdk-go-v2/config v1.26.5/go.mod h1:DxHrz6diQJOc9EwDslVRh84VjjrE17g+pVZXUeSxaDU=
-github.com/aws/aws-sdk-go-v2/config v1.29.5 h1:4lS2IB+wwkj5J43Tq/AwvnscBerBJtQQ6YS7puzCI1k=
-github.com/aws/aws-sdk-go-v2/config v1.29.5/go.mod h1:SNzldMlDVbN6nWxM7XsUiNXPSa1LWlqiXtvh/1PrJGg=
 github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8=
 github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.58 h1:/d7FUpAPU8Lf2KUdjniQvfNdlMID0Sd9pS23FJ3SS9Y=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.58/go.mod h1:aVYW33Ow10CyMQGFgC0ptMRIqJWvJ4nxZb0sUiuQT/A=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27 h1:7lOW8NUwE9UZekS1DYoiPdVAqZ6A+LheHWb+mHbNOq8=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27/go.mod h1:w1BASFIPOPUae7AgaH4SbjNbfdkxuggLyGfNFTn8ITY=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.31 h1:lWm9ucLSRFiI4dQQafLrEOmEDGry3Swrz0BIRdiHJqQ=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.31/go.mod h1:Huu6GG0YTfbPphQkDSo4dEGmQRTKb9k9G7RdtyQWxuI=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.31 h1:ACxDklUKKXb48+eg5ROZXi1vDgfMyfIA/WyvqHcHI0o=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.31/go.mod h1:yadnfsDwqXeVaohbGc/RaD287PuyRw2wugkh5ZL2J6k=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 h1:GrSw8s0Gs/5zZ0SX+gX4zQjRnRsMJDJ2sLur1gRBhEM=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 h1:Pg9URiobXy85kgFev3og2CuOZ8JZUBENF+dcgWBaYNk=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 h1:D4oz8/CzT9bAEYtVhSBmFj2dNOtaHOtMKc2vHBwYizA=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2/go.mod h1:Za3IHqTQ+yNcRHxu1OFucBh0ACZT4j4VQFF0BqpZcLY=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.12 h1:O+8vD2rGjfihBewr5bT+QUfYUHIxCVgG61LHoT59shM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.12/go.mod h1:usVdWJaosa66NMvmCrr08NcWDBRv4E6+YFG2pUdw1Lk=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7 h1:a8HvP/+ew3tKwSXqL3BCSjiuicr+XTU2eFYeogV9GJE=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7/go.mod h1:Q7XIWsMo0JcMpI/6TGD6XXcXcV1DbTj6e9BKNntIMIM=
 github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow=
 github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.14 h1:c5WJ3iHz7rLIgArznb3JCSQT3uUMiz9DLZhIX+1G8ok=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.14/go.mod h1:+JJQTxB6N4niArC14YNtxcQtwEqzS3o9Z32n7q33Rfs=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13 h1:f1L/JtUkVODD+k1+IiSJUUv8A++2qVr+Xvb3xWXETMU=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13/go.mod h1:tvqlFoja8/s0o+UruA1Nrezo/df0PzdunMDDurUfg6U=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U=
-github.com/aws/aws-sdk-go-v2/service/sts v1.33.13 h1:3LXNnmtH3TURctC23hnC0p/39Q5gre3FI7BNOiDcVWc=
-github.com/aws/aws-sdk-go-v2/service/sts v1.33.13/go.mod h1:7Yn+p66q/jt38qMoVfNvjbm3D89mGBnkwDcijgtih8w=
 github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
 github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
-github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
-github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/bits-and-blooms/bitset v1.13.0 h1:bAQ9OPNFYbGHV6Nez0tmNI0RiEu7/hxlYJRUA0wFAVE=
 github.com/bits-and-blooms/bitset v1.13.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 h1:8h5+bWd7R6AYUslN6c6iuZWTKsKxUFDlpnmilO6R2n0=
 github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
 github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
-github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e h1:vUmf0yezR0y7jJ5pceLHthLaYf4bA5T14B6q39S4q2Q=
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e/go.mod h1:YTIHhz/QFSYnu/EhlF2SpU2Uk+32abacUYA5ZPljz1A=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
 github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
 github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
-github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/gaissmai/bart v0.11.1 h1:5Uv5XwsaFBRo4E5VBcb9TzY8B7zxFf+U7isDxqOrRfc=
 github.com/gaissmai/bart v0.11.1/go.mod h1:KHeYECXQiBjTzQz/om2tqn3sZF1J7hw9m6z41ftj3fg=
 github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 h1:ymLjT4f35nQbASLnvxEde4XOBL+Sn7rFuV+FOJqkljg=
 github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0/go.mod h1:6daplAwHHGbUGib4990V3Il26O0OC4aRyvewaaAihaA=
-github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288 h1:KbX3Z3CgiYlbaavUq3Cj9/MjpO+88S7/AGXzynVDv84=
-github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288/go.mod h1:BWmvoE1Xia34f3l/ibJweyhrT+aROb/FQ6d+37F0e2s=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -90,16 +58,12 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
 github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
-github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30 h1:fiJdrgVBkjZ5B1HJ2WQwNOaXB+QyYcNXTA3t1XYLz0M=
-github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU=
 github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/illarion/gonotify v1.0.1 h1:F1d+0Fgbq/sDWjj/r66ekjDG+IDeecQKUFH4wNwsoio=
 github.com/illarion/gonotify v1.0.1/go.mod h1:zt5pmDofZpU1f8aqlK0+95eQhoEAn/d4G4B/FjVW4jE=
-github.com/illarion/gonotify/v2 v2.0.3 h1:B6+SKPo/0Sw8cRJh1aLzNEeNVFfzE3c6N+o+vyxM+9A=
-github.com/illarion/gonotify/v2 v2.0.3/go.mod h1:38oIJTgFqupkEydkkClkbL6i5lXV/bxdH9do5TALPEE=
 github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
 github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
 github.com/jellydator/ttlcache/v3 v3.1.0 h1:0gPFG0IHHP6xyUyXq+JaD8fwkDCqgqwohXNJBcYE71g=
@@ -114,8 +78,6 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNU
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
 github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a h1:+RR6SqnTkDLWyICxS1xpjCi/3dhyV+TgZwA6Ww3KncQ=
 github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a/go.mod h1:YTtCCM3ryyfiu4F7t8HQ1mxvp1UBdWM2r6Xa+nGWvDk=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
@@ -128,8 +90,6 @@ github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy5
 github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
 github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
 github.com/mdlayher/sdnotify v1.0.0 h1:Ma9XeLVN/l0qpyx1tNeMSeTjCPH6NtuD6/N9XdTlQ3c=
 github.com/mdlayher/sdnotify v1.0.0/go.mod h1:HQUmpM4XgYkhDLtd+Uad8ZFK1T9D5+pNxnXQjCeJlGE=
 github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
@@ -156,22 +116,14 @@ github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29X
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
-github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
-github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 h1:Gz0rz40FvFVLTBk/K8UNAenb36EbDSnh+q7Z9ldcC8w=
 github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4/go.mod h1:phI29ccmHQBc+wvroosENp1IF9195449VDnFDhJ4rJU=
-github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
-github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc/go.mod h1:f93CXfllFsO9ZQVq+Zocb1Gp4G5Fz0b0rXHLOzt/Djc=
 github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 h1:tdUdyPqJ0C97SJfjB9tW6EylTtreyee9C44de+UBG0g=
 github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
-github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:UBPHPtv8+nEAy2PD8RyAhOYvau1ek0HDJqLS/Pysi14=
-github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wireguard-go v0.0.0-20240705152531-2f5d148bcfe1 h1:ycpNCSYwzZ7x4G4ioPNtKQmIY0G/3o4pVf8wCZq6blY=
 github.com/tailscale/wireguard-go v0.0.0-20240705152531-2f5d148bcfe1/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98 h1:RNpJrXfI5u6e+uzyIzvmnXbhmhdRkVf//90sMBH3lso=
 github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
-github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19 h1:BcEJP2ewTIK2ZCsqgl6YGpuO6+oKqqag5HHb7ehljKw=
-github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tailscale/xnet v0.0.0-20240117122442-62b9a7c569f9 h1:81P7rjnikHKTJ75EkjppvbwUfKHDHYk6LJpO5PZy8pA=
 github.com/tailscale/xnet v0.0.0-20240117122442-62b9a7c569f9/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
@@ -184,8 +136,6 @@ github.com/u-root/u-root v0.12.0 h1:K0AuBFriwr0w/PGS3HawiAw89e3+MU7ks80GpghAsNs=
 github.com/u-root/u-root v0.12.0/go.mod h1:FYjTOh4IkIZHhjsd17lb8nYW6udgXdJhG1c0r6u0arI=
 github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e h1:BA9O3BmlTmpjbvajAwzWx4Wo2TRVdpPXZEeemGQcajw=
 github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
-github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
-github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
 github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
@@ -194,66 +144,42 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
-go4.org/mem v0.0.0-20240501181205-ae6ca9944745 h1:Tl++JLUCe4sxGu8cTpDzRLd3tN7US4hOxG5YpKCzkek=
-go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
 golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
-golang.org/x/crypto v0.32.1-0.20250118192723-a8ea4be81f07 h1:Z+Zg+aXJYq6f4TK2E4H+vZkQ4dJAWnInXDR6hM9znxo=
-golang.org/x/crypto v0.32.1-0.20250118192723-a8ea4be81f07/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA=
 golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
-golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
-golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
 golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
-golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
-golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
 golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
-golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
-golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
 golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.29.1-0.20250107080300-1c14dcadc3ab h1:BMkEEWYOjkvOX7+YKOGbp6jCyQ5pR2j0Ah47p1Vdsx4=
-golang.org/x/sys v0.29.1-0.20250107080300-1c14dcadc3ab/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
 golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
 golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
-golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
-golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 gvisor.dev/gvisor v0.0.0-20240306221502-ee1e1f6070e3 h1:/8/t5pz/mgdRXhYOIeqqYhFAQLE4DDGegc0Y4ZjyFJM=
 gvisor.dev/gvisor v0.0.0-20240306221502-ee1e1f6070e3/go.mod h1:NQHVAzMwvZ+Qe3ElSiHmq9RUm1MdNHpUZ52fiEqvn+0=
 gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987 h1:TU8z2Lh3Bbq77w0t1eG8yRlLcNHzZu3x6mhoH2Mk0c8=
 gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987/go.mod h1:sxc3Uvk/vHcd3tj7/DHVBoR5wvWT/MmRq2pj7HRJnwU=
-gvisor.dev/gvisor v0.0.0-20250205023644-9414b50a5633 h1:2gap+Kh/3F47cO6hAu3idFvsJ0ue6TRcEi2IUkv/F8k=
-gvisor.dev/gvisor v0.0.0-20250205023644-9414b50a5633/go.mod h1:5DMfjtclAbTIjbXqO1qCe2K5GKKxWz2JHvCChuTcJEM=
 k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q=
 k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc=
 k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k=
 k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U=
-k8s.io/client-go v0.32.0 h1:DimtMcnN/JIKZcrSrstiwvvZvLjG0aSxy8PxN8IChp8=
-k8s.io/client-go v0.32.0/go.mod h1:boDWvdM1Drk4NJj/VddSLnx59X3OPgwrOo0vGbtq9+8=
 nhooyr.io/websocket v1.8.10 h1:mv4p+MnGrLDcPlBoWsvPP7XCzTYMXP9F9eIGoKbgx7Q=
 nhooyr.io/websocket v1.8.10/go.mod h1:rN9OFWIUwuxg4fR5tELlYC04bXYowCP9GX47ivo2l+c=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
--- a/gokrazy/tsapp/config.json
+++ b/gokrazy/tsapp/config.json
@@ -27,10 +27,6 @@
            }
        }
    },
-    "Environment": [
-        "GOOS=linux",
-        "GOARCH=amd64"
-    ],
    "KernelPackage": "github.com/tailscale/gokrazy-kernel",
    "FirmwarePackage": "github.com/tailscale/gokrazy-kernel",
    "InternalCompatibilityFlags": {}
--- a/internal/client/tailscale/tailscale.go
+++ b/internal/client/tailscale/tailscale.go
@@ -8,16 +8,9 @@
 package tailscale

 import (
-	"errors"
-	"io"
-	"net/http"
-
 	tsclient "tailscale.com/client/tailscale"
 )

-// maxSize is the maximum read size (10MB) of responses from the server.
-const maxReadSize = 10 << 20
-
 func init() {
 	tsclient.I_Acknowledge_This_API_Is_Unstable = true
 }
@@ -57,27 +50,3 @@ func NewClient(tailnet string, auth AuthMethod) *Client {
 type Client struct {
 	*tsclient.Client
 }
-
-// HandleErrorResponse is an alias to tailscale.com/client/tailscale.
-func HandleErrorResponse(b []byte, resp *http.Response) error {
-	return tsclient.HandleErrorResponse(b, resp)
-}
-
-// SendRequest add the authentication key to the request and sends it. It
-// receives the response and reads up to 10MB of it.
-func SendRequest(c *Client, req *http.Request) ([]byte, *http.Response, error) {
-	resp, err := c.Do(req)
-	if err != nil {
-		return nil, resp, err
-	}
-	defer resp.Body.Close()
-
-	// Read response. Limit the response to 10MB.
-	// This limit is carried over from client/tailscale/tailscale.go.
-	body := io.LimitReader(resp.Body, maxReadSize+1)
-	b, err := io.ReadAll(body)
-	if len(b) > maxReadSize {
-		err = errors.New("API response too large")
-	}
-	return b, resp, err
-}
--- a/internal/client/tailscale/vip_service.go
+++ b/internal/client/tailscale/vip_service.go
@@ -1,103 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/httpm"
-)
-
-// VIPService is a Tailscale VIPService with Tailscale API JSON representation.
-type VIPService struct {
-	// Name is a VIPService name in form svc:<leftmost-label-of-service-DNS-name>.
-	Name tailcfg.ServiceName `json:"name,omitempty"`
-	// Addrs are the IP addresses of the VIP Service. There are two addresses:
-	// the first is IPv4 and the second is IPv6.
-	// When creating a new VIP Service, the IP addresses are optional: if no
-	// addresses are specified then they will be selected. If an IPv4 address is
-	// specified at index 0, then that address will attempt to be used. An IPv6
-	// address can not be specified upon creation.
-	Addrs []string `json:"addrs,omitempty"`
-	// Comment is an optional text string for display in the admin panel.
-	Comment string `json:"comment,omitempty"`
-	// Ports are the ports of a VIPService that will be configured via Tailscale serve config.
-	// If set, any node wishing to advertise this VIPService must have this port configured via Tailscale serve.
-	Ports []string `json:"ports,omitempty"`
-	// Tags are optional ACL tags that will be applied to the VIPService.
-	Tags []string `json:"tags,omitempty"`
-}
-
-// GetVIPService retrieves a VIPService by its name. It returns 404 if the VIPService is not found.
-func (client *Client) GetVIPService(ctx context.Context, name tailcfg.ServiceName) (*VIPService, error) {
-	path := client.BuildTailnetURL("vip-services", name.String())
-	req, err := http.NewRequestWithContext(ctx, httpm.GET, path, nil)
-	if err != nil {
-		return nil, fmt.Errorf("error creating new HTTP request: %w", err)
-	}
-	b, resp, err := SendRequest(client, req)
-	if err != nil {
-		return nil, fmt.Errorf("error making Tailsale API request: %w", err)
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, HandleErrorResponse(b, resp)
-	}
-	svc := &VIPService{}
-	if err := json.Unmarshal(b, svc); err != nil {
-		return nil, err
-	}
-	return svc, nil
-}
-
-// CreateOrUpdateVIPService creates or updates a VIPService by its name. Caller must ensure that, if the
-// VIPService already exists, the VIPService is fetched first to ensure that any auto-allocated IP addresses are not
-// lost during the update. If the VIPService was created without any IP addresses explicitly set (so that they were
-// auto-allocated by Tailscale) any subsequent request to this function that does not set any IP addresses will error.
-func (client *Client) CreateOrUpdateVIPService(ctx context.Context, svc *VIPService) error {
-	data, err := json.Marshal(svc)
-	if err != nil {
-		return err
-	}
-	path := client.BuildTailnetURL("vip-services", svc.Name.String())
-	req, err := http.NewRequestWithContext(ctx, httpm.PUT, path, bytes.NewBuffer(data))
-	if err != nil {
-		return fmt.Errorf("error creating new HTTP request: %w", err)
-	}
-	b, resp, err := SendRequest(client, req)
-	if err != nil {
-		return fmt.Errorf("error making Tailscale API request: %w", err)
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
-	}
-	return nil
-}
-
-// DeleteVIPService deletes a VIPService by its name. It returns an error if the VIPService
-// does not exist or if the deletion fails.
-func (client *Client) DeleteVIPService(ctx context.Context, name tailcfg.ServiceName) error {
-	path := client.BuildTailnetURL("vip-services", name.String())
-	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
-	if err != nil {
-		return fmt.Errorf("error creating new HTTP request: %w", err)
-	}
-	b, resp, err := SendRequest(client, req)
-	if err != nil {
-		return fmt.Errorf("error making Tailscale API request: %w", err)
-	}
-	// If status code was not successful, return the error.
-	if resp.StatusCode != http.StatusOK {
-		return HandleErrorResponse(b, resp)
-	}
-	return nil
-}
--- a/ipn/auditlog/auditlog.go
+++ b/ipn/auditlog/auditlog.go
@@ -1,466 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package auditlog provides a mechanism for logging audit events.
-package auditlog
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"sort"
-	"sync"
-	"time"
-
-	"tailscale.com/ipn"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/rands"
-	"tailscale.com/util/set"
-)
-
-// transaction represents an audit log that has not yet been sent to the control plane.
-type transaction struct {
-	// EventID is the unique identifier for the event being logged.
-	// This is used on the client side only and is not sent to control.
-	EventID string `json:",omitempty"`
-	// Retries is the number of times the logger has attempted to send this log.
-	// This is used on the client side only and is not sent to control.
-	Retries int `json:",omitempty"`
-
-	// Action is the action to be logged. It must correspond to a known action in the control plane.
-	Action tailcfg.ClientAuditAction `json:",omitempty"`
-	// Details is an opaque string specific to the action being logged. Empty strings may not
-	// be valid depending on the action being logged.
-	Details string `json:",omitempty"`
-	// TimeStamp is the time at which the audit log was generated on the node.
-	TimeStamp time.Time `json:",omitzero"`
-}
-
-// Transport provides a means for a client to send audit logs to a consumer (typically the control plane).
-type Transport interface {
-	// SendAuditLog sends an audit log to a consumer of audit logs.
-	// Errors should be checked with [IsRetryableError] for retryability.
-	SendAuditLog(context.Context, tailcfg.AuditLogRequest) error
-}
-
-// LogStore provides a means for a [Logger] to persist logs to disk or memory.
-type LogStore interface {
-	// Save saves the given data to a persistent store. Save will overwrite existing data
-	// for the given key.
-	save(key ipn.ProfileID, txns []*transaction) error
-
-	// Load retrieves the data from a persistent store.  Returns a nil slice and
-	// no error if no data exists for the given key.
-	load(key ipn.ProfileID) ([]*transaction, error)
-}
-
-// Opts contains the configuration options for a [Logger].
-type Opts struct {
-	// RetryLimit is the maximum number of attempts the logger will make to send a log before giving up.
-	RetryLimit int
-	// Store is the persistent store used to save logs to disk. Must be non-nil.
-	Store LogStore
-	// Logf is the logger used to log messages from the audit logger. Must be non-nil.
-	Logf logger.Logf
-}
-
-// IsRetryableError returns true if the given error is retryable
-// See [controlclient.apiResponseError].  Potentially retryable errors implement the Retryable() method.
-func IsRetryableError(err error) bool {
-	var retryable interface{ Retryable() bool }
-	return errors.As(err, &retryable) && retryable.Retryable()
-}
-
-type backoffOpts struct {
-	min, max   time.Duration
-	multiplier float64
-}
-
-// .5, 1, 2, 4, 8, 10, 10, 10, 10, 10...
-var defaultBackoffOpts = backoffOpts{
-	min:        time.Millisecond * 500,
-	max:        10 * time.Second,
-	multiplier: 2,
-}
-
-// Logger provides a queue-based mechanism for submitting audit logs to the control plane - or
-// another suitable consumer. Logs are stored to disk and retried until they are successfully sent,
-// or until they permanently fail.
-//
-// Each individual profile/controlclient tuple should construct and manage a unique [Logger] instance.
-type Logger struct {
-	logf        logger.Logf
-	retryLimit  int                // the maximum number of attempts to send a log before giving up.
-	flusher     chan struct{}      // channel used to signal a flush operation.
-	done        chan struct{}      // closed when the flush worker exits.
-	ctx         context.Context    // canceled when the logger is stopped.
-	ctxCancel   context.CancelFunc // cancels ctx.
-	backoffOpts                    // backoff settings for retry operations.
-
-	// mu protects the fields below.
-	mu        sync.Mutex
-	store     LogStore      // persistent storage for unsent logs.
-	profileID ipn.ProfileID // empty if [Logger.SetProfileID] has not been called.
-	transport Transport     // nil until [Logger.Start] is called.
-}
-
-// NewLogger creates a new [Logger] with the given options.
-func NewLogger(opts Opts) *Logger {
-	ctx, cancel := context.WithCancel(context.Background())
-
-	al := &Logger{
-		retryLimit:  opts.RetryLimit,
-		logf:        logger.WithPrefix(opts.Logf, "auditlog: "),
-		store:       opts.Store,
-		flusher:     make(chan struct{}, 1),
-		done:        make(chan struct{}),
-		ctx:         ctx,
-		ctxCancel:   cancel,
-		backoffOpts: defaultBackoffOpts,
-	}
-	al.logf("created")
-	return al
-}
-
-// FlushAndStop synchronously flushes all pending logs and stops the audit logger.
-// This will block until a final flush operation completes or context is done.
-// If the logger is already stopped, this will return immediately.  All unsent
-// logs will be persisted to the store.
-func (al *Logger) FlushAndStop(ctx context.Context) {
-	al.stop()
-	al.flush(ctx)
-}
-
-// SetProfileID sets the profileID for the logger. This must be called before any logs can be enqueued.
-// The profileID of a logger cannot be changed once set.
-func (al *Logger) SetProfileID(profileID ipn.ProfileID) error {
-	al.mu.Lock()
-	defer al.mu.Unlock()
-	if al.profileID != "" {
-		return errors.New("profileID already set")
-	}
-
-	al.profileID = profileID
-	return nil
-}
-
-// Start starts the audit logger with the given transport.
-// It returns an error if the logger is already started.
-func (al *Logger) Start(t Transport) error {
-	al.mu.Lock()
-	defer al.mu.Unlock()
-
-	if al.transport != nil {
-		return errors.New("already started")
-	}
-
-	al.transport = t
-	pending, err := al.storedCountLocked()
-	if err != nil {
-		al.logf("[unexpected] failed to restore logs: %v", err)
-	}
-	go al.flushWorker()
-	if pending > 0 {
-		al.flushAsync()
-	}
-	return nil
-}
-
-// ErrAuditLogStorageFailure is returned when the logger fails to persist logs to the store.
-var ErrAuditLogStorageFailure = errors.New("audit log storage failure")
-
-// Enqueue queues an audit log to be sent to the control plane (or another suitable consumer/transport).
-// This will return an error if the underlying store fails to save the log or we fail to generate a unique
-// eventID for the log.
-func (al *Logger) Enqueue(action tailcfg.ClientAuditAction, details string) error {
-	txn := &transaction{
-		Action:    action,
-		Details:   details,
-		TimeStamp: time.Now(),
-	}
-	// Generate a suitably random eventID for the transaction.
-	txn.EventID = fmt.Sprint(txn.TimeStamp, rands.HexString(16))
-	return al.enqueue(txn)
-}
-
-// flushAsync requests an asynchronous flush.
-// It is a no-op if a flush is already pending.
-func (al *Logger) flushAsync() {
-	select {
-	case al.flusher <- struct{}{}:
-	default:
-	}
-}
-
-func (al *Logger) flushWorker() {
-	defer close(al.done)
-
-	var retryDelay time.Duration
-	retry := time.NewTimer(0)
-	retry.Stop()
-
-	for {
-		select {
-		case <-al.ctx.Done():
-			return
-		case <-al.flusher:
-			err := al.flush(al.ctx)
-			switch {
-			case errors.Is(err, context.Canceled):
-				// The logger was stopped, no need to retry.
-				return
-			case err != nil:
-				retryDelay = max(al.backoffOpts.min, min(retryDelay*time.Duration(al.backoffOpts.multiplier), al.backoffOpts.max))
-				al.logf("retrying after %v, %v", retryDelay, err)
-				retry.Reset(retryDelay)
-			default:
-				retryDelay = 0
-				retry.Stop()
-			}
-		case <-retry.C:
-			al.flushAsync()
-		}
-	}
-}
-
-// flush attempts to send all pending logs to the control plane.
-// l.mu must not be held.
-func (al *Logger) flush(ctx context.Context) error {
-	al.mu.Lock()
-	pending, err := al.store.load(al.profileID)
-	t := al.transport
-	al.mu.Unlock()
-
-	if err != nil {
-		// This will catch nil profileIDs
-		return fmt.Errorf("failed to restore pending logs: %w", err)
-	}
-	if len(pending) == 0 {
-		return nil
-	}
-	if t == nil {
-		return errors.New("no transport")
-	}
-
-	complete, unsent := al.sendToTransport(ctx, pending, t)
-	al.markTransactionsDone(complete)
-
-	al.mu.Lock()
-	defer al.mu.Unlock()
-	if err = al.appendToStoreLocked(unsent); err != nil {
-		al.logf("[unexpected] failed to persist logs: %v", err)
-	}
-
-	if len(unsent) != 0 {
-		return fmt.Errorf("failed to send %d logs", len(unsent))
-	}
-
-	if len(complete) != 0 {
-		al.logf("complete %d audit log transactions", len(complete))
-	}
-	return nil
-}
-
-// sendToTransport sends all pending logs to the control plane. Returns a pair of slices
-// containing the logs that were successfully sent (or failed permanently) and those that were not.
-//
-// This may require multiple round trips to the control plane and can be a long running transaction.
-func (al *Logger) sendToTransport(ctx context.Context, pending []*transaction, t Transport) (complete []*transaction, unsent []*transaction) {
-	for i, txn := range pending {
-		req := tailcfg.AuditLogRequest{
-			Action:    tailcfg.ClientAuditAction(txn.Action),
-			Details:   txn.Details,
-			Timestamp: txn.TimeStamp,
-		}
-
-		if err := t.SendAuditLog(ctx, req); err != nil {
-			switch {
-			case errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded):
-				// The contex is done.  All further attempts will fail.
-				unsent = append(unsent, pending[i:]...)
-				return complete, unsent
-			case IsRetryableError(err) && txn.Retries+1 < al.retryLimit:
-				// We permit a maximum number of retries for each log. All retriable
-				// errors should be transient and we should be able to send the log eventually, but
-				// we don't want logs to be persisted indefinitely.
-				txn.Retries++
-				unsent = append(unsent, txn)
-			default:
-				complete = append(complete, txn)
-				al.logf("failed permanently: %v", err)
-			}
-		} else {
-			// No error - we're done.
-			complete = append(complete, txn)
-		}
-	}
-
-	return complete, unsent
-}
-
-func (al *Logger) stop() {
-	al.mu.Lock()
-	t := al.transport
-	al.mu.Unlock()
-
-	if t == nil {
-		// No transport means no worker goroutine and done will not be
-		// closed if we cancel the context.
-		return
-	}
-
-	al.ctxCancel()
-	<-al.done
-	al.logf("stopped for profileID: %v", al.profileID)
-}
-
-// appendToStoreLocked persists logs to the store.  This will deduplicate
-// logs so it is safe to call this with the same logs multiple time, to
-// requeue failed transactions for example.
-//
-// l.mu must be held.
-func (al *Logger) appendToStoreLocked(txns []*transaction) error {
-	if len(txns) == 0 {
-		return nil
-	}
-
-	if al.profileID == "" {
-		return errors.New("no logId set")
-	}
-
-	persisted, err := al.store.load(al.profileID)
-	if err != nil {
-		al.logf("[unexpected] append failed to restore logs: %v", err)
-	}
-
-	// The order is important here.  We want the latest transactions first, which will
-	// ensure when we dedup, the new transactions are seen and the older transactions
-	// are discarded.
-	txnsOut := append(txns, persisted...)
-	txnsOut = deduplicateAndSort(txnsOut)
-
-	return al.store.save(al.profileID, txnsOut)
-}
-
-// storedCountLocked returns the number of logs persisted to the store.
-// al.mu must be held.
-func (al *Logger) storedCountLocked() (int, error) {
-	persisted, err := al.store.load(al.profileID)
-	return len(persisted), err
-}
-
-// markTransactionsDone removes logs from the store that are complete (sent or failed permanently).
-// al.mu must not be held.
-func (al *Logger) markTransactionsDone(sent []*transaction) {
-	al.mu.Lock()
-	defer al.mu.Unlock()
-
-	ids := set.Set[string]{}
-	for _, txn := range sent {
-		ids.Add(txn.EventID)
-	}
-
-	persisted, err := al.store.load(al.profileID)
-	if err != nil {
-		al.logf("[unexpected] markTransactionsDone failed to restore logs: %v", err)
-	}
-	var unsent []*transaction
-	for _, txn := range persisted {
-		if !ids.Contains(txn.EventID) {
-			unsent = append(unsent, txn)
-		}
-	}
-	al.store.save(al.profileID, unsent)
-}
-
-// deduplicateAndSort removes duplicate logs from the given slice and sorts them by timestamp.
-// The first log entry in the slice will be retained, subsequent logs with the same EventID will be discarded.
-func deduplicateAndSort(txns []*transaction) []*transaction {
-	seen := set.Set[string]{}
-	deduped := make([]*transaction, 0, len(txns))
-	for _, txn := range txns {
-		if !seen.Contains(txn.EventID) {
-			deduped = append(deduped, txn)
-			seen.Add(txn.EventID)
-		}
-	}
-	// Sort logs by timestamp - oldest to newest. This will put the oldest logs at
-	// the front of the queue.
-	sort.Slice(deduped, func(i, j int) bool {
-		return deduped[i].TimeStamp.Before(deduped[j].TimeStamp)
-	})
-	return deduped
-}
-
-func (al *Logger) enqueue(txn *transaction) error {
-	al.mu.Lock()
-	defer al.mu.Unlock()
-
-	if err := al.appendToStoreLocked([]*transaction{txn}); err != nil {
-		return fmt.Errorf("%w: %w", ErrAuditLogStorageFailure, err)
-	}
-
-	// If a.transport is nil if the logger is stopped.
-	if al.transport != nil {
-		al.flushAsync()
-	}
-
-	return nil
-}
-
-var _ LogStore = (*logStateStore)(nil)
-
-// logStateStore is a concrete implementation of [LogStore]
-// using [ipn.StateStore] as the underlying storage.
-type logStateStore struct {
-	store ipn.StateStore
-}
-
-// NewLogStore creates a new LogStateStore with the given [ipn.StateStore].
-func NewLogStore(store ipn.StateStore) LogStore {
-	return &logStateStore{
-		store: store,
-	}
-}
-
-func (s *logStateStore) generateKey(key ipn.ProfileID) string {
-	return "auditlog-" + string(key)
-}
-
-// Save saves the given logs to an [ipn.StateStore]. This overwrites
-// any existing entries for the given key.
-func (s *logStateStore) save(key ipn.ProfileID, txns []*transaction) error {
-	if key == "" {
-		return errors.New("empty key")
-	}
-
-	data, err := json.Marshal(txns)
-	if err != nil {
-		return err
-	}
-	k := ipn.StateKey(s.generateKey(key))
-	return s.store.WriteState(k, data)
-}
-
-// Load retrieves the logs from an [ipn.StateStore].
-func (s *logStateStore) load(key ipn.ProfileID) ([]*transaction, error) {
-	if key == "" {
-		return nil, errors.New("empty key")
-	}
-
-	k := ipn.StateKey(s.generateKey(key))
-	data, err := s.store.ReadState(k)
-
-	switch {
-	case errors.Is(err, ipn.ErrStateNotExist):
-		return nil, nil
-	case err != nil:
-		return nil, err
-	}
-
-	var txns []*transaction
-	err = json.Unmarshal(data, &txns)
-	return txns, err
-}
--- a/ipn/auditlog/auditlog_test.go
+++ b/ipn/auditlog/auditlog_test.go
@@ -1,481 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package auditlog
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"sync"
-	"testing"
-	"time"
-
-	qt "github.com/frankban/quicktest"
-	"tailscale.com/ipn/store/mem"
-	"tailscale.com/tailcfg"
-	"tailscale.com/tstest"
-)
-
-// loggerForTest creates an auditLogger for you and cleans it up
-// (and ensures no goroutines are leaked) when the test is done.
-func loggerForTest(t *testing.T, opts Opts) *Logger {
-	t.Helper()
-	tstest.ResourceCheck(t)
-
-	if opts.Logf == nil {
-		opts.Logf = t.Logf
-	}
-
-	if opts.Store == nil {
-		t.Fatalf("opts.Store must be set")
-	}
-
-	a := NewLogger(opts)
-
-	t.Cleanup(func() {
-		a.FlushAndStop(context.Background())
-	})
-	return a
-}
-
-func TestNonRetryableErrors(t *testing.T) {
-	errorTests := []struct {
-		desc string
-		err  error
-		want bool
-	}{
-		{"DeadlineExceeded", context.DeadlineExceeded, false},
-		{"Canceled", context.Canceled, false},
-		{"Canceled wrapped", fmt.Errorf("%w: %w", context.Canceled, errors.New("ctx cancelled")), false},
-		{"Random error", errors.New("random error"), false},
-	}
-
-	for _, tt := range errorTests {
-		t.Run(tt.desc, func(t *testing.T) {
-			if IsRetryableError(tt.err) != tt.want {
-				t.Fatalf("retriable: got %v, want %v", !tt.want, tt.want)
-			}
-		})
-	}
-}
-
-// TestEnqueueAndFlush enqueues n logs and flushes them.
-// We expect all logs to be flushed and for no
-// logs to remain in the store once FlushAndStop returns.
-func TestEnqueueAndFlush(t *testing.T) {
-	c := qt.New(t)
-	mockTransport := newMockTransport(nil)
-	al := loggerForTest(t, Opts{
-		RetryLimit: 200,
-		Logf:       t.Logf,
-		Store:      NewLogStore(&mem.Store{}),
-	})
-
-	c.Assert(al.SetProfileID("test"), qt.IsNil)
-	c.Assert(al.Start(mockTransport), qt.IsNil)
-
-	wantSent := 10
-
-	for i := range wantSent {
-		err := al.Enqueue(tailcfg.AuditNodeDisconnect, fmt.Sprintf("log %d", i))
-		c.Assert(err, qt.IsNil)
-	}
-
-	al.FlushAndStop(context.Background())
-
-	al.mu.Lock()
-	defer al.mu.Unlock()
-	gotStored, err := al.storedCountLocked()
-	c.Assert(err, qt.IsNil)
-
-	if wantStored := 0; gotStored != wantStored {
-		t.Fatalf("stored: got %d, want %d", gotStored, wantStored)
-	}
-
-	if gotSent := mockTransport.sentCount(); gotSent != wantSent {
-		t.Fatalf("sent: got %d, want %d", gotSent, wantSent)
-	}
-}
-
-// TestEnqueueAndFlushWithFlushCancel calls FlushAndCancel with a cancelled
-// context.  We expect nothing to be sent and all logs to be stored.
-func TestEnqueueAndFlushWithFlushCancel(t *testing.T) {
-	c := qt.New(t)
-	mockTransport := newMockTransport(&retriableError)
-	al := loggerForTest(t, Opts{
-		RetryLimit: 200,
-		Logf:       t.Logf,
-		Store:      NewLogStore(&mem.Store{}),
-	})
-
-	c.Assert(al.SetProfileID("test"), qt.IsNil)
-	c.Assert(al.Start(mockTransport), qt.IsNil)
-
-	for i := range 10 {
-		err := al.Enqueue(tailcfg.AuditNodeDisconnect, fmt.Sprintf("log %d", i))
-		c.Assert(err, qt.IsNil)
-	}
-
-	// Cancel the context before calling FlushAndStop - nothing should get sent.
-	// This mimics a timeout before flush() has a chance to execute.
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	al.FlushAndStop(ctx)
-
-	al.mu.Lock()
-	defer al.mu.Unlock()
-	gotStored, err := al.storedCountLocked()
-	c.Assert(err, qt.IsNil)
-
-	if wantStored := 10; gotStored != wantStored {
-		t.Fatalf("stored: got %d, want %d", gotStored, wantStored)
-	}
-
-	if gotSent, wantSent := mockTransport.sentCount(), 0; gotSent != wantSent {
-		t.Fatalf("sent: got %d, want %d", gotSent, wantSent)
-	}
-}
-
-// TestDeduplicateAndSort tests that the most recent log is kept when deduplicating logs
-func TestDeduplicateAndSort(t *testing.T) {
-	c := qt.New(t)
-	al := loggerForTest(t, Opts{
-		RetryLimit: 100,
-		Logf:       t.Logf,
-		Store:      NewLogStore(&mem.Store{}),
-	})
-
-	c.Assert(al.SetProfileID("test"), qt.IsNil)
-
-	logs := []*transaction{
-		{EventID: "1", Details: "log 1", TimeStamp: time.Now().Add(-time.Minute * 1), Retries: 1},
-	}
-
-	al.mu.Lock()
-	defer al.mu.Unlock()
-	al.appendToStoreLocked(logs)
-
-	// Update the transaction and re-append it
-	logs[0].Retries = 2
-	al.appendToStoreLocked(logs)
-
-	fromStore, err := al.store.load("test")
-	c.Assert(err, qt.IsNil)
-
-	// We should see only one transaction
-	if wantStored, gotStored := len(logs), len(fromStore); gotStored != wantStored {
-		t.Fatalf("stored: got %d, want %d", gotStored, wantStored)
-	}
-
-	// We should see the latest transaction
-	if wantRetryCount, gotRetryCount := 2, fromStore[0].Retries; gotRetryCount != wantRetryCount {
-		t.Fatalf("reties: got %d, want %d", gotRetryCount, wantRetryCount)
-	}
-}
-
-func TestChangeProfileId(t *testing.T) {
-	c := qt.New(t)
-	al := loggerForTest(t, Opts{
-		RetryLimit: 100,
-		Logf:       t.Logf,
-		Store:      NewLogStore(&mem.Store{}),
-	})
-	c.Assert(al.SetProfileID("test"), qt.IsNil)
-
-	// Changing a profile ID must fail
-	c.Assert(al.SetProfileID("test"), qt.IsNotNil)
-}
-
-// TestSendOnRestore pushes a n logs to the persistent store, and ensures they
-// are sent as soon as Start is called then checks to ensure the sent logs no
-// longer exist in the store.
-func TestSendOnRestore(t *testing.T) {
-	c := qt.New(t)
-	mockTransport := newMockTransport(nil)
-	al := loggerForTest(t, Opts{
-		RetryLimit: 100,
-		Logf:       t.Logf,
-		Store:      NewLogStore(&mem.Store{}),
-	})
-	al.SetProfileID("test")
-
-	wantTotal := 10
-
-	for range 10 {
-		al.Enqueue(tailcfg.AuditNodeDisconnect, "log")
-	}
-
-	c.Assert(al.Start(mockTransport), qt.IsNil)
-
-	al.FlushAndStop(context.Background())
-
-	al.mu.Lock()
-	defer al.mu.Unlock()
-	gotStored, err := al.storedCountLocked()
-	c.Assert(err, qt.IsNil)
-
-	if wantStored := 0; gotStored != wantStored {
-		t.Fatalf("stored: got %d, want %d", gotStored, wantStored)
-	}
-
-	if gotSent, wantSent := mockTransport.sentCount(), wantTotal; gotSent != wantSent {
-		t.Fatalf("sent: got %d, want %d", gotSent, wantSent)
-	}
-}
-
-// TestFailureExhaustion enqueues n logs,  with the transport in a failable state.
-// We then set it to a non-failing state, call FlushAndStop and expect all logs to be sent.
-func TestFailureExhaustion(t *testing.T) {
-	c := qt.New(t)
-	mockTransport := newMockTransport(&retriableError)
-
-	al := loggerForTest(t, Opts{
-		RetryLimit: 1,
-		Logf:       t.Logf,
-		Store:      NewLogStore(&mem.Store{}),
-	})
-
-	c.Assert(al.SetProfileID("test"), qt.IsNil)
-	c.Assert(al.Start(mockTransport), qt.IsNil)
-
-	for range 10 {
-		err := al.Enqueue(tailcfg.AuditNodeDisconnect, "log")
-		c.Assert(err, qt.IsNil)
-	}
-
-	al.FlushAndStop(context.Background())
-	al.mu.Lock()
-	defer al.mu.Unlock()
-	gotStored, err := al.storedCountLocked()
-	c.Assert(err, qt.IsNil)
-
-	if wantStored := 0; gotStored != wantStored {
-		t.Fatalf("stored: got %d, want %d", gotStored, wantStored)
-	}
-
-	if gotSent, wantSent := mockTransport.sentCount(), 0; gotSent != wantSent {
-		t.Fatalf("sent: got %d, want %d", gotSent, wantSent)
-	}
-}
-
-// TestEnqueueAndFailNoRetry enqueues a set of logs, all of which will fail and are not
-// retriable. We then call FlushAndStop and expect all to be unsent.
-func TestEnqueueAndFailNoRetry(t *testing.T) {
-	c := qt.New(t)
-	mockTransport := newMockTransport(&nonRetriableError)
-
-	al := loggerForTest(t, Opts{
-		RetryLimit: 100,
-		Logf:       t.Logf,
-		Store:      NewLogStore(&mem.Store{}),
-	})
-
-	c.Assert(al.SetProfileID("test"), qt.IsNil)
-	c.Assert(al.Start(mockTransport), qt.IsNil)
-
-	for i := range 10 {
-		err := al.Enqueue(tailcfg.AuditNodeDisconnect, fmt.Sprintf("log %d", i))
-		c.Assert(err, qt.IsNil)
-	}
-
-	al.FlushAndStop(context.Background())
-	al.mu.Lock()
-	defer al.mu.Unlock()
-	gotStored, err := al.storedCountLocked()
-	c.Assert(err, qt.IsNil)
-
-	if wantStored := 0; gotStored != wantStored {
-		t.Fatalf("stored: got %d, want %d", gotStored, wantStored)
-	}
-
-	if gotSent, wantSent := mockTransport.sentCount(), 0; gotSent != wantSent {
-		t.Fatalf("sent: got %d, want %d", gotSent, wantSent)
-	}
-}
-
-// TestEnqueueAndRetry enqueues a set of logs, all of which will fail and are retriable.
-// Mid-test, we set the transport to not-fail and expect the queue to flush properly
-// We set the backoff parameters to 0 seconds so retries are immediate.
-func TestEnqueueAndRetry(t *testing.T) {
-	c := qt.New(t)
-	mockTransport := newMockTransport(&retriableError)
-
-	al := loggerForTest(t, Opts{
-		RetryLimit: 100,
-		Logf:       t.Logf,
-		Store:      NewLogStore(&mem.Store{}),
-	})
-
-	al.backoffOpts = backoffOpts{
-		min:        1 * time.Millisecond,
-		max:        4 * time.Millisecond,
-		multiplier: 2.0,
-	}
-
-	c.Assert(al.SetProfileID("test"), qt.IsNil)
-	c.Assert(al.Start(mockTransport), qt.IsNil)
-
-	err := al.Enqueue(tailcfg.AuditNodeDisconnect, fmt.Sprintf("log 1"))
-	c.Assert(err, qt.IsNil)
-
-	// This will wait for at least 2 retries
-	gotRetried, wantRetried := mockTransport.waitForSendAttemptsToReach(3), true
-	if gotRetried != wantRetried {
-		t.Fatalf("retried: got %v, want %v", gotRetried, wantRetried)
-	}
-
-	mockTransport.setErrorCondition(nil)
-
-	al.FlushAndStop(context.Background())
-	al.mu.Lock()
-	defer al.mu.Unlock()
-
-	gotStored, err := al.storedCountLocked()
-	c.Assert(err, qt.IsNil)
-
-	if wantStored := 0; gotStored != wantStored {
-		t.Fatalf("stored: got %d, want %d", gotStored, wantStored)
-	}
-
-	if gotSent, wantSent := mockTransport.sentCount(), 1; gotSent != wantSent {
-		t.Fatalf("sent: got %d, want %d", gotSent, wantSent)
-	}
-}
-
-// TestEnqueueBeforeSetProfileID tests that logs enqueued before SetProfileId are not sent
-func TestEnqueueBeforeSetProfileID(t *testing.T) {
-	c := qt.New(t)
-	al := loggerForTest(t, Opts{
-		RetryLimit: 100,
-		Logf:       t.Logf,
-		Store:      NewLogStore(&mem.Store{}),
-	})
-
-	err := al.Enqueue(tailcfg.AuditNodeDisconnect, "log")
-	c.Assert(err, qt.IsNotNil)
-	al.FlushAndStop(context.Background())
-
-	al.mu.Lock()
-	defer al.mu.Unlock()
-	gotStored, err := al.storedCountLocked()
-	c.Assert(err, qt.IsNotNil)
-
-	if wantStored := 0; gotStored != wantStored {
-		t.Fatalf("stored: got %d, want %d", gotStored, wantStored)
-	}
-}
-
-// TestLogStoring tests that audit logs are persisted sorted by timestamp, oldest to newest
-func TestLogSorting(t *testing.T) {
-	c := qt.New(t)
-	mockStore := NewLogStore(&mem.Store{})
-
-	logs := []*transaction{
-		{EventID: "1", Details: "log 3", TimeStamp: time.Now().Add(-time.Minute * 1)},
-		{EventID: "1", Details: "log 3", TimeStamp: time.Now().Add(-time.Minute * 2)},
-		{EventID: "2", Details: "log 2", TimeStamp: time.Now().Add(-time.Minute * 3)},
-		{EventID: "3", Details: "log 1", TimeStamp: time.Now().Add(-time.Minute * 4)},
-	}
-
-	wantLogs := []transaction{
-		{Details: "log 1"},
-		{Details: "log 2"},
-		{Details: "log 3"},
-	}
-
-	mockStore.save("test", logs)
-
-	gotLogs, err := mockStore.load("test")
-	c.Assert(err, qt.IsNil)
-	gotLogs = deduplicateAndSort(gotLogs)
-
-	for i := range gotLogs {
-		if want, got := wantLogs[i].Details, gotLogs[i].Details; want != got {
-			t.Fatalf("Details: got %v, want %v", got, want)
-		}
-	}
-}
-
-// mock implementations for testing
-
-// newMockTransport returns a mock transport for testing
-// If err is no nil, SendAuditLog will return this error if the send is attempted
-// before the context is cancelled.
-func newMockTransport(err error) *mockAuditLogTransport {
-	return &mockAuditLogTransport{
-		err:      err,
-		attempts: make(chan int, 1),
-	}
-}
-
-type mockAuditLogTransport struct {
-	attempts chan int // channel to notify of send attempts
-
-	mu          sync.Mutex
-	sendAttmpts int   // number of attempts to send logs
-	sendCount   int   // number of logs sent by the transport
-	err         error // error to return when sending logs
-}
-
-// waitForSendAttemptsToReach blocks until the number of send attempts reaches n
-// This should be use only in tests where the transport is expected to retry sending logs
-func (t *mockAuditLogTransport) waitForSendAttemptsToReach(n int) bool {
-	for attempts := range t.attempts {
-		if attempts >= n {
-			return true
-		}
-	}
-	return false
-}
-
-func (t *mockAuditLogTransport) setErrorCondition(err error) {
-	t.mu.Lock()
-	defer t.mu.Unlock()
-	t.err = err
-}
-
-func (t *mockAuditLogTransport) sentCount() int {
-	t.mu.Lock()
-	defer t.mu.Unlock()
-	return t.sendCount
-}
-
-func (t *mockAuditLogTransport) SendAuditLog(ctx context.Context, _ tailcfg.AuditLogRequest) (err error) {
-	t.mu.Lock()
-	t.sendAttmpts += 1
-	defer func() {
-		a := t.sendAttmpts
-		t.mu.Unlock()
-		select {
-		case t.attempts <- a:
-		default:
-		}
-	}()
-
-	select {
-	case <-ctx.Done():
-		return ctx.Err()
-	default:
-	}
-
-	if t.err != nil {
-		return t.err
-	}
-	t.sendCount += 1
-	return nil
-}
-
-var (
-	retriableError    = mockError{errors.New("retriable error")}
-	nonRetriableError = mockError{errors.New("permanent failure error")}
-)
-
-type mockError struct {
-	error
-}
-
-func (e mockError) Retryable() bool {
-	return e == retriableError
-}
--- a/ipn/ipnauth/actor.go
+++ b/ipn/ipnauth/actor.go
@@ -10,11 +10,12 @@ import (

 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
-	"tailscale.com/tailcfg"
 )

 // AuditLogFunc is any function that can be used to log audit actions performed by an [Actor].
-type AuditLogFunc func(action tailcfg.ClientAuditAction, details string) error
+//
+// TODO(nickkhyl,barnstar): define a named string type for the action (in tailcfg?) and use it here.
+type AuditLogFunc func(action, details string)

 // Actor is any actor using the [ipnlocal.LocalBackend].
 //
@@ -44,7 +45,7 @@ type Actor interface {
 	//
 	// If the auditLogger is non-nil, it is used to write details about the action
 	// to the audit log when required by the policy.
-	CheckProfileAccess(profile ipn.LoginProfileView, requestedAccess ProfileAccess, auditLogFn AuditLogFunc) error
+	CheckProfileAccess(profile ipn.LoginProfileView, requestedAccess ProfileAccess, auditLogger AuditLogFunc) error

 	// IsLocalSystem reports whether the actor is the Windows' Local System account.
 	//
--- a/ipn/ipnauth/policy.go
+++ b/ipn/ipnauth/policy.go
@@ -9,7 +9,6 @@ import (

 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
-	"tailscale.com/tailcfg"
 	"tailscale.com/util/syspolicy"
 )

@@ -49,7 +48,7 @@ func (a actorWithPolicyChecks) CheckProfileAccess(profile ipn.LoginProfileView,
 //
 // TODO(nickkhyl): unexport it when we move [ipn.Actor] implementations from [ipnserver]
 // and corp to this package.
-func CheckDisconnectPolicy(actor Actor, profile ipn.LoginProfileView, reason string, auditFn AuditLogFunc) error {
+func CheckDisconnectPolicy(actor Actor, profile ipn.LoginProfileView, reason string, auditLogger AuditLogFunc) error {
 	if alwaysOn, _ := syspolicy.GetBoolean(syspolicy.AlwaysOn, false); !alwaysOn {
 		return nil
 	}
@@ -59,16 +58,15 @@ func CheckDisconnectPolicy(actor Actor, profile ipn.LoginProfileView, reason str
 	if reason == "" {
 		return errors.New("disconnect not allowed: reason required")
 	}
-	if auditFn != nil {
+	if auditLogger != nil {
 		var details string
 		if username, _ := actor.Username(); username != "" { // best-effort; we don't have it on all platforms
 			details = fmt.Sprintf("%q is being disconnected by %q: %v", profile.Name(), username, reason)
 		} else {
 			details = fmt.Sprintf("%q is being disconnected: %v", profile.Name(), reason)
 		}
-		if err := auditFn(tailcfg.AuditNodeDisconnect, details); err != nil {
-			return err
-		}
+		// TODO(nickkhyl,barnstar): use a const for DISCONNECT_NODE.
+		auditLogger("DISCONNECT_NODE", details)
 	}
 	return nil
 }
--- a/ipn/ipnlocal/cert.go
+++ b/ipn/ipnlocal/cert.go
@@ -119,9 +119,6 @@ func (b *LocalBackend) GetCertPEMWithValidity(ctx context.Context, domain string
 	}

 	if pair, err := getCertPEMCached(cs, domain, now); err == nil {
-		if envknob.IsCertShareReadOnlyMode() {
-			return pair, nil
-		}
 		// If we got here, we have a valid unexpired cert.
 		// Check whether we should start an async renewal.
 		shouldRenew, err := b.shouldStartDomainRenewal(cs, domain, now, pair, minValidity)
@@ -137,7 +134,7 @@ func (b *LocalBackend) GetCertPEMWithValidity(ctx context.Context, domain string
 		if minValidity == 0 {
 			logf("starting async renewal")
 			// Start renewal in the background, return current valid cert.
-			b.goTracker.Go(func() { getCertPEM(context.Background(), b, cs, logf, traceACME, domain, now, minValidity) })
+			go b.getCertPEM(context.Background(), cs, logf, traceACME, domain, now, minValidity)
 			return pair, nil
 		}
 		// If the caller requested a specific validity duration, fall through
@@ -145,11 +142,7 @@ func (b *LocalBackend) GetCertPEMWithValidity(ctx context.Context, domain string
 		logf("starting sync renewal")
 	}

-	if envknob.IsCertShareReadOnlyMode() {
-		return nil, fmt.Errorf("retrieving cached TLS certificate failed and cert store is configured in read-only mode, not attempting to issue a new certificate: %w", err)
-	}
-
-	pair, err := getCertPEM(ctx, b, cs, logf, traceACME, domain, now, minValidity)
+	pair, err := b.getCertPEM(ctx, cs, logf, traceACME, domain, now, minValidity)
 	if err != nil {
 		logf("getCertPEM: %v", err)
 		return nil, err
@@ -257,13 +250,15 @@ type certStore interface {
 	// for now. If they're expired, it returns errCertExpired.
 	// If they don't exist, it returns ipn.ErrStateNotExist.
 	Read(domain string, now time.Time) (*TLSCertKeyPair, error)
+	// WriteCert writes the cert for domain.
+	WriteCert(domain string, cert []byte) error
+	// WriteKey writes the key for domain.
+	WriteKey(domain string, key []byte) error
 	// ACMEKey returns the value previously stored via WriteACMEKey.
 	// It is a PEM encoded ECDSA key.
 	ACMEKey() ([]byte, error)
 	// WriteACMEKey stores the provided PEM encoded ECDSA key.
 	WriteACMEKey([]byte) error
-	// WriteTLSCertAndKey writes the cert and key for domain.
-	WriteTLSCertAndKey(domain string, cert, key []byte) error
 }

 var errCertExpired = errors.New("cert expired")
@@ -349,13 +344,6 @@ func (f certFileStore) WriteKey(domain string, key []byte) error {
 	return atomicfile.WriteFile(keyFile(f.dir, domain), key, 0600)
 }

-func (f certFileStore) WriteTLSCertAndKey(domain string, cert, key []byte) error {
-	if err := f.WriteKey(domain, key); err != nil {
-		return err
-	}
-	return f.WriteCert(domain, cert)
-}
-
 // certStateStore implements certStore by storing the cert & key files in an ipn.StateStore.
 type certStateStore struct {
 	ipn.StateStore
@@ -365,29 +353,7 @@ type certStateStore struct {
 	testRoots *x509.CertPool
 }

-// TLSCertKeyReader is an interface implemented by state stores where it makes
-// sense to read the TLS cert and key in a single operation that can be
-// distinguished from generic state value reads. Currently this is only implemented
-// by the kubestore.Store, which, in some cases, need to read cert and key from a
-// non-cached TLS Secret.
-type TLSCertKeyReader interface {
-	ReadTLSCertAndKey(domain string) ([]byte, []byte, error)
-}
-
 func (s certStateStore) Read(domain string, now time.Time) (*TLSCertKeyPair, error) {
-	// If we're using a store that supports atomic reads, use that
-	if kr, ok := s.StateStore.(TLSCertKeyReader); ok {
-		cert, key, err := kr.ReadTLSCertAndKey(domain)
-		if err != nil {
-			return nil, err
-		}
-		if !validCertPEM(domain, key, cert, s.testRoots, now) {
-			return nil, errCertExpired
-		}
-		return &TLSCertKeyPair{CertPEM: cert, KeyPEM: key, Cached: true}, nil
-	}
-
-	// Otherwise fall back to separate reads
 	certPEM, err := s.ReadState(ipn.StateKey(domain + ".crt"))
 	if err != nil {
 		return nil, err
@@ -418,27 +384,6 @@ func (s certStateStore) WriteACMEKey(key []byte) error {
 	return ipn.WriteState(s.StateStore, ipn.StateKey(acmePEMName), key)
 }

-// TLSCertKeyWriter is an interface implemented by state stores that can write the TLS
-// cert and key in a single atomic operation. Currently this is only implemented
-// by the kubestore.StoreKube.
-type TLSCertKeyWriter interface {
-	WriteTLSCertAndKey(domain string, cert, key []byte) error
-}
-
-// WriteTLSCertAndKey writes the TLS cert and key for domain to the current
-// LocalBackend's StateStore.
-func (s certStateStore) WriteTLSCertAndKey(domain string, cert, key []byte) error {
-	// If we're using a store that supports atomic writes, use that.
-	if aw, ok := s.StateStore.(TLSCertKeyWriter); ok {
-		return aw.WriteTLSCertAndKey(domain, cert, key)
-	}
-	// Otherwise fall back to separate writes for cert and key.
-	if err := s.WriteKey(domain, key); err != nil {
-		return err
-	}
-	return s.WriteCert(domain, cert)
-}
-
 // TLSCertKeyPair is a TLS public and private key, and whether they were obtained
 // from cache or freshly obtained.
 type TLSCertKeyPair struct {
@@ -475,9 +420,7 @@ func getCertPEMCached(cs certStore, domain string, now time.Time) (p *TLSCertKey
 	return cs.Read(domain, now)
 }

-// getCertPem checks if a cert needs to be renewed and if so, renews it.
-// It can be overridden in tests.
-var getCertPEM = func(ctx context.Context, b *LocalBackend, cs certStore, logf logger.Logf, traceACME func(any), domain string, now time.Time, minValidity time.Duration) (*TLSCertKeyPair, error) {
+func (b *LocalBackend) getCertPEM(ctx context.Context, cs certStore, logf logger.Logf, traceACME func(any), domain string, now time.Time, minValidity time.Duration) (*TLSCertKeyPair, error) {
 	acmeMu.Lock()
 	defer acmeMu.Unlock()

@@ -502,10 +445,6 @@ var getCertPEM = func(ctx context.Context, b *LocalBackend, cs certStore, logf l
 		return nil, err
 	}

-	if !isDefaultDirectoryURL(ac.DirectoryURL) {
-		logf("acme: using Directory URL %q", ac.DirectoryURL)
-	}
-
 	a, err := ac.GetReg(ctx, "" /* pre-RFC param */)
 	switch {
 	case err == nil:
@@ -607,6 +546,9 @@ var getCertPEM = func(ctx context.Context, b *LocalBackend, cs certStore, logf l
 	if err := encodeECDSAKey(&privPEM, certPrivKey); err != nil {
 		return nil, err
 	}
+	if err := cs.WriteKey(domain, privPEM.Bytes()); err != nil {
+		return nil, err
+	}

 	csr, err := certRequest(certPrivKey, domain, nil)
 	if err != nil {
@@ -628,7 +570,7 @@ var getCertPEM = func(ctx context.Context, b *LocalBackend, cs certStore, logf l
 			return nil, err
 		}
 	}
-	if err := cs.WriteTLSCertAndKey(domain, certPEM.Bytes(), privPEM.Bytes()); err != nil {
+	if err := cs.WriteCert(domain, certPEM.Bytes()); err != nil {
 		return nil, err
 	}
 	b.domainRenewed(domain)
@@ -772,28 +714,7 @@ func validateLeaf(leaf *x509.Certificate, intermediates *x509.CertPool, domain s
 		// binary's baked-in roots (LetsEncrypt). See tailscale/tailscale#14690.
 		return validateLeaf(leaf, intermediates, domain, now, bakedroots.Get())
 	}
-
-	if err == nil {
-		return true
-	}
-
-	// When pointed at a non-prod ACME server, we don't expect to have the CA
-	// in our system or baked-in roots. Verify only throws UnknownAuthorityError
-	// after first checking the leaf cert's expiry, hostnames etc, so we know
-	// that the only reason for an error is to do with constructing a full chain.
-	// Allow this error so that cert caching still works in testing environments.
-	if errors.As(err, &x509.UnknownAuthorityError{}) {
-		acmeURL := envknob.String("TS_DEBUG_ACME_DIRECTORY_URL")
-		if !isDefaultDirectoryURL(acmeURL) {
-			return true
-		}
-	}
-
-	return false
-}
-
-func isDefaultDirectoryURL(u string) bool {
-	return u == "" || u == acme.LetsEncryptURL
+	return err == nil
 }

 // validLookingCertDomain reports whether name looks like a valid domain name that
--- a/ipn/ipnlocal/cert_test.go
+++ b/ipn/ipnlocal/cert_test.go
@@ -6,7 +6,6 @@
 package ipnlocal

 import (
-	"context"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
@@ -15,17 +14,11 @@ import (
 	"embed"
 	"encoding/pem"
 	"math/big"
-	"os"
-	"path/filepath"
 	"testing"
 	"time"

 	"github.com/google/go-cmp/cmp"
-	"tailscale.com/envknob"
 	"tailscale.com/ipn/store/mem"
-	"tailscale.com/tstest"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/must"
 )

 func TestValidLookingCertDomain(t *testing.T) {
@@ -54,10 +47,10 @@ var certTestFS embed.FS
 func TestCertStoreRoundTrip(t *testing.T) {
 	const testDomain = "example.com"

-	// Use fixed verification timestamps so validity doesn't change over time.
-	// If you update the test data below, these may also need to be updated.
+	// Use a fixed verification timestamp so validity doesn't fall off when the
+	// cert expires. If you update the test data below, this may also need to be
+	// updated.
 	testNow := time.Date(2023, time.February, 10, 0, 0, 0, 0, time.UTC)
-	testExpired := time.Date(2026, time.February, 10, 0, 0, 0, 0, time.UTC)

 	// To re-generate a root certificate and domain certificate for testing,
 	// use:
@@ -85,23 +78,21 @@ func TestCertStoreRoundTrip(t *testing.T) {
 	}

 	tests := []struct {
-		name         string
-		store        certStore
-		debugACMEURL bool
+		name  string
+		store certStore
 	}{
-		{"FileStore", certFileStore{dir: t.TempDir(), testRoots: roots}, false},
-		{"FileStore_UnknownCA", certFileStore{dir: t.TempDir()}, true},
-		{"StateStore", certStateStore{StateStore: new(mem.Store), testRoots: roots}, false},
-		{"StateStore_UnknownCA", certStateStore{StateStore: new(mem.Store)}, true},
+		{"FileStore", certFileStore{dir: t.TempDir(), testRoots: roots}},
+		{"StateStore", certStateStore{StateStore: new(mem.Store), testRoots: roots}},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			if test.debugACMEURL {
-				t.Setenv("TS_DEBUG_ACME_DIRECTORY_URL", "https://acme-staging-v02.api.letsencrypt.org/directory")
+			if err := test.store.WriteCert(testDomain, testCert); err != nil {
+				t.Fatalf("WriteCert: unexpected error: %v", err)
 			}
-			if err := test.store.WriteTLSCertAndKey(testDomain, testCert, testKey); err != nil {
-				t.Fatalf("WriteTLSCertAndKey: unexpected error: %v", err)
+			if err := test.store.WriteKey(testDomain, testKey); err != nil {
+				t.Fatalf("WriteKey: unexpected error: %v", err)
 			}
+
 			kp, err := test.store.Read(testDomain, testNow)
 			if err != nil {
 				t.Fatalf("Read: unexpected error: %v", err)
@@ -112,10 +103,6 @@ func TestCertStoreRoundTrip(t *testing.T) {
 			if diff := cmp.Diff(kp.KeyPEM, testKey); diff != "" {
 				t.Errorf("Key (-got, +want):\n%s", diff)
 			}
-			unexpected, err := test.store.Read(testDomain, testExpired)
-			if err != errCertExpired {
-				t.Fatalf("Read: expected expiry error: %v", string(unexpected.CertPEM))
-			}
 		})
 	}
 }
@@ -228,151 +215,3 @@ func TestDebugACMEDirectoryURL(t *testing.T) {
 		})
 	}
 }
-
-func TestGetCertPEMWithValidity(t *testing.T) {
-	const testDomain = "example.com"
-	b := &LocalBackend{
-		store:   &mem.Store{},
-		varRoot: t.TempDir(),
-		ctx:     context.Background(),
-		logf:    t.Logf,
-	}
-	certDir, err := b.certDir()
-	if err != nil {
-		t.Fatalf("certDir error: %v", err)
-	}
-	if _, err := b.getCertStore(); err != nil {
-		t.Fatalf("getCertStore error: %v", err)
-	}
-	testRoot, err := certTestFS.ReadFile("testdata/rootCA.pem")
-	if err != nil {
-		t.Fatal(err)
-	}
-	roots := x509.NewCertPool()
-	if !roots.AppendCertsFromPEM(testRoot) {
-		t.Fatal("Unable to add test CA to the cert pool")
-	}
-	testX509Roots = roots
-	defer func() { testX509Roots = nil }()
-	tests := []struct {
-		name string
-		now  time.Time
-		// storeCerts is true if the test cert and key should be written to store.
-		storeCerts       bool
-		readOnlyMode     bool // TS_READ_ONLY_CERTS env var
-		wantAsyncRenewal bool // async issuance should be started
-		wantIssuance     bool // sync issuance should be started
-		wantErr          bool
-	}{
-		{
-			name:             "valid_no_renewal",
-			now:              time.Date(2023, time.February, 20, 0, 0, 0, 0, time.UTC),
-			storeCerts:       true,
-			wantAsyncRenewal: false,
-			wantIssuance:     false,
-			wantErr:          false,
-		},
-		{
-			name:             "issuance_needed",
-			now:              time.Date(2023, time.February, 20, 0, 0, 0, 0, time.UTC),
-			storeCerts:       false,
-			wantAsyncRenewal: false,
-			wantIssuance:     true,
-			wantErr:          false,
-		},
-		{
-			name:             "renewal_needed",
-			now:              time.Date(2025, time.May, 1, 0, 0, 0, 0, time.UTC),
-			storeCerts:       true,
-			wantAsyncRenewal: true,
-			wantIssuance:     false,
-			wantErr:          false,
-		},
-		{
-			name:             "renewal_needed_read_only_mode",
-			now:              time.Date(2025, time.May, 1, 0, 0, 0, 0, time.UTC),
-			storeCerts:       true,
-			readOnlyMode:     true,
-			wantAsyncRenewal: false,
-			wantIssuance:     false,
-			wantErr:          false,
-		},
-		{
-			name:             "no_certs_read_only_mode",
-			now:              time.Date(2025, time.May, 1, 0, 0, 0, 0, time.UTC),
-			storeCerts:       false,
-			readOnlyMode:     true,
-			wantAsyncRenewal: false,
-			wantIssuance:     false,
-			wantErr:          true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-
-			if tt.readOnlyMode {
-				envknob.Setenv("TS_CERT_SHARE_MODE", "ro")
-			}
-
-			os.RemoveAll(certDir)
-			if tt.storeCerts {
-				os.MkdirAll(certDir, 0755)
-				if err := os.WriteFile(filepath.Join(certDir, "example.com.crt"),
-					must.Get(os.ReadFile("testdata/example.com.pem")), 0644); err != nil {
-					t.Fatal(err)
-				}
-				if err := os.WriteFile(filepath.Join(certDir, "example.com.key"),
-					must.Get(os.ReadFile("testdata/example.com-key.pem")), 0644); err != nil {
-					t.Fatal(err)
-				}
-			}
-
-			b.clock = tstest.NewClock(tstest.ClockOpts{Start: tt.now})
-
-			allDone := make(chan bool, 1)
-			defer b.goTracker.AddDoneCallback(func() {
-				b.mu.Lock()
-				defer b.mu.Unlock()
-				if b.goTracker.RunningGoroutines() > 0 {
-					return
-				}
-				select {
-				case allDone <- true:
-				default:
-				}
-			})()
-
-			// Set to true if get getCertPEM is called. GetCertPEM can be called in a goroutine for async
-			// renewal or in the main goroutine if issuance is required to obtain valid TLS credentials.
-			getCertPemWasCalled := false
-			getCertPEM = func(ctx context.Context, b *LocalBackend, cs certStore, logf logger.Logf, traceACME func(any), domain string, now time.Time, minValidity time.Duration) (*TLSCertKeyPair, error) {
-				getCertPemWasCalled = true
-				return nil, nil
-			}
-			prevGoRoutines := b.goTracker.StartedGoroutines()
-			_, err = b.GetCertPEMWithValidity(context.Background(), testDomain, 0)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("b.GetCertPemWithValidity got err %v, wants error: '%v'", err, tt.wantErr)
-			}
-			// GetCertPEMWithValidity calls getCertPEM in a goroutine if async renewal is needed. That's the
-			// only goroutine it starts, so this can be used to test if async renewal was started.
-			gotAsyncRenewal := b.goTracker.StartedGoroutines()-prevGoRoutines != 0
-			if gotAsyncRenewal {
-				select {
-				case <-time.After(5 * time.Second):
-					t.Fatal("timed out waiting for goroutines to finish")
-				case <-allDone:
-				}
-			}
-			// Verify that async renewal was triggered if expected.
-			if tt.wantAsyncRenewal != gotAsyncRenewal {
-				t.Fatalf("wants getCertPem to be called async: %v, got called %v", tt.wantAsyncRenewal, gotAsyncRenewal)
-			}
-			// Verify that (non-async) issuance was started if expected.
-			gotIssuance := getCertPemWasCalled && !gotAsyncRenewal
-			if tt.wantIssuance != gotIssuance {
-				t.Errorf("wants getCertPem to be called: %v, got called %v", tt.wantIssuance, gotIssuance)
-			}
-		})
-	}
-}
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -57,12 +57,10 @@ import (
 	"tailscale.com/health/healthmsg"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
-	"tailscale.com/ipn/auditlog"
 	"tailscale.com/ipn/conffile"
 	"tailscale.com/ipn/ipnauth"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/policy"
-	memstore "tailscale.com/ipn/store/mem"
 	"tailscale.com/log/sockstatlog"
 	"tailscale.com/logpolicy"
 	"tailscale.com/net/captivedetection"
@@ -444,20 +442,10 @@ type LocalBackend struct {
 	// See tailscale/corp#26146.
 	overrideAlwaysOn bool

-	// reconnectTimer is used to schedule a reconnect by setting [ipn.Prefs.WantRunning]
-	// to true after a delay, or nil if no reconnect is scheduled.
-	reconnectTimer tstime.TimerController
-
 	// shutdownCbs are the callbacks to be called when the backend is shutting down.
 	// Each callback is called exactly once in unspecified order and without b.mu held.
 	// Returned errors are logged but otherwise ignored and do not affect the shutdown process.
 	shutdownCbs set.HandleSet[func() error]
-
-	// auditLogger, if non-nil, manages audit logging for the backend.
-	//
-	// It queues, persists, and sends audit logs
-	// to the control client.  auditLogger has the same lifespan as b.cc.
-	auditLogger *auditlog.Logger
 }

 // HealthTracker returns the health tracker for the backend.
@@ -626,6 +614,19 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 		}
 	}

+	// initialize Taildrive shares from saved state
+	fs, ok := b.sys.DriveForRemote.GetOK()
+	if ok {
+		currentShares := b.pm.prefs.DriveShares()
+		if currentShares.Len() > 0 {
+			var shares []*drive.Share
+			for _, share := range currentShares.All() {
+				shares = append(shares, share.AsStruct())
+			}
+			fs.SetShares(shares)
+		}
+	}
+
 	for name, newFn := range registeredExtensions {
 		ext, err := newFn(logf, sys)
 		if err != nil {
@@ -1069,8 +1070,6 @@ func (b *LocalBackend) Shutdown() {
 		b.captiveCancel()
 	}

-	b.stopReconnectTimerLocked()
-
 	if b.loginFlags&controlclient.LoginEphemeral != 0 {
 		b.mu.Unlock()
 		ctx, cancel := context.WithTimeout(b.ctx, 5*time.Second)
@@ -1687,15 +1686,6 @@ func (b *LocalBackend) SetControlClientStatus(c controlclient.Client, st control
 			b.logf("Failed to save new controlclient state: %v", err)
 		}
 	}
-
-	// Update the audit logger with the current profile ID.
-	if b.auditLogger != nil && prefsChanged {
-		pid := b.pm.CurrentProfile().ID()
-		if err := b.auditLogger.SetProfileID(pid); err != nil {
-			b.logf("Failed to set profile ID in audit logger: %v", err)
-		}
-	}
-
 	// initTKALocked is dependent on CurrentProfile.ID, which is initialized
 	// (for new profiles) on the first call to b.pm.SetPrefs.
 	if err := b.initTKALocked(); err != nil {
@@ -2351,20 +2341,12 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		}); err != nil {
 			b.logf("failed to save UpdatePrefs state: %v", err)
 		}
+		b.setAtomicValuesFromPrefsLocked(pv)
+	} else {
+		b.setAtomicValuesFromPrefsLocked(b.pm.CurrentPrefs())
 	}

-	// Reset the always-on override whenever Start is called.
-	b.resetAlwaysOnOverrideLocked()
-	// And also apply syspolicy settings to the current profile.
-	// This is important in two cases: when opts.UpdatePrefs is not nil,
-	// and when Always Mode is enabled and we need to set WantRunning to true.
-	if newp := b.pm.CurrentPrefs().AsStruct(); applySysPolicy(newp, b.lastSuggestedExitNode, b.overrideAlwaysOn) {
-		setExitNodeID(newp, b.netMap)
-		b.pm.setPrefsNoPermCheck(newp.View())
-	}
 	prefs := b.pm.CurrentPrefs()
-	b.setAtomicValuesFromPrefsLocked(prefs)
-
 	wantRunning := prefs.WantRunning()
 	if wantRunning {
 		if err := b.initMachineKeyLocked(); err != nil {
@@ -2403,27 +2385,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		debugFlags = append([]string{"netstack"}, debugFlags...)
 	}

-	var auditLogShutdown func()
-	// Audit logging is only available if the client has set up a proper persistent
-	// store for the logs in sys.
-	store, ok := b.sys.AuditLogStore.GetOK()
-	if !ok {
-		b.logf("auditlog: [unexpected] no persistent audit log storage configured.  using memory store.")
-		store = auditlog.NewLogStore(&memstore.Store{})
-	}
-
-	al := auditlog.NewLogger(auditlog.Opts{
-		Logf:       b.logf,
-		RetryLimit: 32,
-		Store:      store,
-	})
-	b.auditLogger = al
-	auditLogShutdown = func() {
-		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-		al.FlushAndStop(ctx)
-	}
-
 	// TODO(apenwarr): The only way to change the ServerURL is to
 	// re-run b.Start, because this is the only place we create a
 	// new controlclient. EditPrefs allows you to overwrite ServerURL,
@@ -2449,7 +2410,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		C2NHandler:                 http.HandlerFunc(b.handleC2N),
 		DialPlan:                   &b.dialPlan, // pointer because it can't be copied
 		ControlKnobs:               b.sys.ControlKnobs(),
-		Shutdown:                   auditLogShutdown,

 		// Don't warn about broken Linux IP forwarding when
 		// netstack is being used.
@@ -2484,16 +2444,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	b.logf("Backend: logs: be:%v fe:%v", blid, opts.FrontendLogID)
 	b.sendToLocked(ipn.Notify{Prefs: &prefs}, allClients)

-	// initialize Taildrive shares from saved state
-	if fs, ok := b.sys.DriveForRemote.GetOK(); ok {
-		currentShares := b.pm.CurrentPrefs().DriveShares()
-		var shares []*drive.Share
-		for _, share := range currentShares.All() {
-			shares = append(shares, share.AsStruct())
-		}
-		fs.SetShares(shares)
-	}
-
 	if !loggedOut && (b.hasNodeKeyLocked() || confWantRunning) {
 		// If we know that we're either logged in or meant to be
 		// running, tell the controlclient that it should also assume
@@ -4302,21 +4252,6 @@ func (b *LocalBackend) MaybeClearAppConnector(mp *ipn.MaskedPrefs) error {
 	return err
 }

-var errNoAuditLogger = errors.New("no audit logger configured")
-
-func (b *LocalBackend) getAuditLoggerLocked() ipnauth.AuditLogFunc {
-	logger := b.auditLogger
-	return func(action tailcfg.ClientAuditAction, details string) error {
-		if logger == nil {
-			return errNoAuditLogger
-		}
-		if err := logger.Enqueue(action, details); err != nil {
-			return fmt.Errorf("failed to enqueue audit log %v %q: %w", action, details, err)
-		}
-		return nil
-	}
-}
-
 // EditPrefs applies the changes in mp to the current prefs,
 // acting as the tailscaled itself rather than a specific user.
 func (b *LocalBackend) EditPrefs(mp *ipn.MaskedPrefs) (ipn.PrefsView, error) {
@@ -4342,8 +4277,9 @@ func (b *LocalBackend) EditPrefsAs(mp *ipn.MaskedPrefs, actor ipnauth.Actor) (ip
 	unlock := b.lockAndGetUnlock()
 	defer unlock()
 	if mp.WantRunningSet && !mp.WantRunning && b.pm.CurrentPrefs().WantRunning() {
-		if err := actor.CheckProfileAccess(b.pm.CurrentProfile(), ipnauth.Disconnect, b.getAuditLoggerLocked()); err != nil {
-			b.logf("check profile access failed: %v", err)
+		// TODO(barnstar,nickkhyl): replace loggerFn with the actual audit logger.
+		loggerFn := func(action, details string) { b.logf("[audit]: %s: %s", action, details) }
+		if err := actor.CheckProfileAccess(b.pm.CurrentProfile(), ipnauth.Disconnect, loggerFn); err != nil {
 			return ipn.PrefsView{}, err
 		}

@@ -4353,75 +4289,15 @@ func (b *LocalBackend) EditPrefsAs(mp *ipn.MaskedPrefs, actor ipnauth.Actor) (ip
 		// mode on them until the policy changes, they switch to a different profile, etc.
 		b.overrideAlwaysOn = true

-		if reconnectAfter, _ := syspolicy.GetDuration(syspolicy.ReconnectAfter, 0); reconnectAfter > 0 {
-			b.startReconnectTimerLocked(reconnectAfter)
-		}
+		// TODO(nickkhyl): check the ReconnectAfter policy here. If configured,
+		// start a timer to automatically reconnect after the specified duration.
 	}

 	return b.editPrefsLockedOnEntry(mp, unlock)
 }

-// startReconnectTimerLocked sets a timer to automatically set WantRunning to true
-// after the specified duration.
-func (b *LocalBackend) startReconnectTimerLocked(d time.Duration) {
-	if b.reconnectTimer != nil {
-		// Stop may return false if the timer has already fired,
-		// and the function has been called in its own goroutine,
-		// but lost the race to acquire b.mu. In this case, it'll
-		// end up as a no-op due to a reconnectTimer mismatch
-		// once it manages to acquire the lock. This is fine, and we
-		// don't need to check the return value.
-		b.reconnectTimer.Stop()
-	}
-	profileID := b.pm.CurrentProfile().ID()
-	var reconnectTimer tstime.TimerController
-	reconnectTimer = b.clock.AfterFunc(d, func() {
-		unlock := b.lockAndGetUnlock()
-		defer unlock()
-
-		if b.reconnectTimer != reconnectTimer {
-			// We're either not the most recent timer, or we lost the race when
-			// the timer was stopped. No need to reconnect.
-			return
-		}
-		b.reconnectTimer = nil
-
-		cp := b.pm.CurrentProfile()
-		if cp.ID() != profileID {
-			// The timer fired before the profile changed but we lost the race
-			// and acquired the lock shortly after.
-			// No need to reconnect.
-			return
-		}
-
-		mp := &ipn.MaskedPrefs{WantRunningSet: true, Prefs: ipn.Prefs{WantRunning: true}}
-		if _, err := b.editPrefsLockedOnEntry(mp, unlock); err != nil {
-			b.logf("failed to automatically reconnect as %q after %v: %v", cp.Name(), d, err)
-		} else {
-			b.logf("automatically reconnected as %q after %v", cp.Name(), d)
-		}
-	})
-	b.reconnectTimer = reconnectTimer
-	b.logf("reconnect for %q has been scheduled and will be performed in %v", b.pm.CurrentProfile().Name(), d)
-}
-
 func (b *LocalBackend) resetAlwaysOnOverrideLocked() {
 	b.overrideAlwaysOn = false
-	b.stopReconnectTimerLocked()
-}
-
-func (b *LocalBackend) stopReconnectTimerLocked() {
-	if b.reconnectTimer != nil {
-		// Stop may return false if the timer has already fired,
-		// and the function has been called in its own goroutine,
-		// but lost the race to acquire b.mu.
-		// In this case, it'll end up as a no-op due to a reconnectTimer
-		// mismatch (see [LocalBackend.startReconnectTimerLocked])
-		// once it manages to acquire the lock. This is fine, and we
-		// don't need to check the return value.
-		b.reconnectTimer.Stop()
-		b.reconnectTimer = nil
-	}
 }

 // Warning: b.mu must be held on entry, but it unlocks it on the way out.
@@ -4515,7 +4391,7 @@ func (b *LocalBackend) setPrefsLockedOnEntry(newp *ipn.Prefs, unlock unlockOnce)
 	if oldp.Valid() {
 		newp.Persist = oldp.Persist().AsStruct() // caller isn't allowed to override this
 	}
-	// applySysPolicy returns whether it updated newp,
+	// applySysPolicyToPrefsLocked returns whether it updated newp,
 	// but everything in this function treats b.prefs as completely new
 	// anyway, so its return value can be ignored here.
 	applySysPolicy(newp, b.lastSuggestedExitNode, b.overrideAlwaysOn)
@@ -5927,15 +5803,6 @@ func (b *LocalBackend) requestEngineStatusAndWait() {
 func (b *LocalBackend) setControlClientLocked(cc controlclient.Client) {
 	b.cc = cc
 	b.ccAuto, _ = cc.(*controlclient.Auto)
-	if b.auditLogger != nil {
-		if err := b.auditLogger.SetProfileID(b.pm.CurrentProfile().ID()); err != nil {
-			b.logf("audit logger set profile ID failure: %v", err)
-		}
-
-		if err := b.auditLogger.Start(b.ccAuto); err != nil {
-			b.logf("audit logger start failure: %v", err)
-		}
-	}
 }

 // resetControlClientLocked sets b.cc to nil and returns the old value. If the
@@ -6768,7 +6635,7 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 }

 func (b *LocalBackend) taildropTargetStatus(p tailcfg.NodeView) ipnstate.TaildropTargetStatus {
-	if b.state != ipn.Running {
+	if b.netMap == nil || b.state != ipn.Running {
 		return ipnstate.TaildropTargetIpnStateNotRunning
 	}
 	if b.netMap == nil {
@@ -8281,13 +8148,15 @@ func (b *LocalBackend) vipServiceHash(services []*tailcfg.VIPService) string {
 func (b *LocalBackend) vipServicesFromPrefsLocked(prefs ipn.PrefsView) []*tailcfg.VIPService {
 	// keyed by service name
 	var services map[tailcfg.ServiceName]*tailcfg.VIPService
-	if b.serveConfig.Valid() {
-		for svc, config := range b.serveConfig.Services().All() {
-			mak.Set(&services, svc, &tailcfg.VIPService{
-				Name:  svc,
-				Ports: config.ServicePortRange(),
-			})
-		}
+	if !b.serveConfig.Valid() {
+		return nil
+	}
+
+	for svc, config := range b.serveConfig.Services().All() {
+		mak.Set(&services, svc, &tailcfg.VIPService{
+			Name:  svc,
+			Ports: config.ServicePortRange(),
+		})
 	}

 	for _, s := range prefs.AdvertiseServices().All() {
@@ -8300,14 +8169,7 @@ func (b *LocalBackend) vipServicesFromPrefsLocked(prefs ipn.PrefsView) []*tailcf
 		services[sn].Active = true
 	}

-	servicesList := slicesx.MapValues(services)
-	// [slicesx.MapValues] provides the values in an indeterminate order, but since we'll
-	// be hashing a representation of this list later we want it to be in a consistent
-	// order.
-	slices.SortFunc(servicesList, func(a, b *tailcfg.VIPService) int {
-		return strings.Compare(a.Name.String(), b.Name.String())
-	})
-	return servicesList
+	return slicesx.MapValues(services)
 }

 var (
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -216,11 +216,6 @@ type PeerStatusLite struct {
 }

 // PeerStatus describes a peer node and its current state.
-// WARNING: The fields in PeerStatus are merged by the AddPeer method in the StatusBuilder.
-// When adding a new field to PeerStatus, you must update AddPeer to handle merging
-// the new field. The AddPeer function is responsible for combining multiple updates
-// to the same peer, and any new field that is not merged properly may lead to
-// inconsistencies or lost data in the peer status.
 type PeerStatus struct {
 	ID        tailcfg.StableNodeID
 	PublicKey key.NodePublic
@@ -538,9 +533,6 @@ func (sb *StatusBuilder) AddPeer(peer key.NodePublic, st *PeerStatus) {
 	if v := st.Capabilities; v != nil {
 		e.Capabilities = v
 	}
-	if v := st.TaildropTarget; v != TaildropTargetUnknown {
-		e.TaildropTarget = v
-	}
 	e.Location = st.Location
 }

--- a/ipn/store/awsstore/store_aws.go
+++ b/ipn/store/awsstore/store_aws.go
@@ -10,9 +10,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net/url"
 	"regexp"
-	"strings"

 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
@@ -30,14 +28,6 @@ const (

 var parameterNameRx = regexp.MustCompile(parameterNameRxStr)

-// Option defines a functional option type for configuring awsStore.
-type Option func(*storeOptions)
-
-// storeOptions holds optional settings for creating a new awsStore.
-type storeOptions struct {
-	kmsKey string
-}
-
 // awsSSMClient is an interface allowing us to mock the couple of
 // API calls we are leveraging with the AWSStore provider
 type awsSSMClient interface {
@@ -56,10 +46,6 @@ type awsStore struct {
 	ssmClient awsSSMClient
 	ssmARN    arn.ARN

-	// kmsKey is optional. If empty, the parameter is stored in plaintext.
-	// If non-empty, the parameter is encrypted with this KMS key.
-	kmsKey string
-
 	memory mem.Store
 }

@@ -71,80 +57,30 @@ type awsStore struct {
 // Tailscaled to only only store new state in-memory and
 // restarting Tailscaled can fail until you delete your state
 // from the AWS Parameter Store.
-//
-// If you want to specify an optional KMS key,
-// pass one or more Option objects, e.g. awsstore.WithKeyID("alias/my-key").
-func New(_ logger.Logf, ssmARN string, opts ...Option) (ipn.StateStore, error) {
-	// Apply all options to an empty storeOptions
-	var so storeOptions
-	for _, opt := range opts {
-		opt(&so)
-	}
-
-	return newStore(ssmARN, so, nil)
-}
-
-// WithKeyID sets the KMS key to be used for encryption. It can be
-// a KeyID, an alias ("alias/my-key"), or a full ARN.
-//
-// If kmsKey is empty, the Option is a no-op.
-func WithKeyID(kmsKey string) Option {
-	return func(o *storeOptions) {
-		o.kmsKey = kmsKey
-	}
-}
-
-// ParseARNAndOpts parses an ARN and optional URL-encoded parameters
-// from arg.
-func ParseARNAndOpts(arg string) (ssmARN string, opts []Option, err error) {
-	ssmARN = arg
-
-	// Support optional ?url-encoded-parameters.
-	if s, q, ok := strings.Cut(arg, "?"); ok {
-		ssmARN = s
-		q, err := url.ParseQuery(q)
-		if err != nil {
-			return "", nil, err
-		}
-
-		for k := range q {
-			switch k {
-			default:
-				return "", nil, fmt.Errorf("unknown arn option parameter %q", k)
-			case "kmsKey":
-				// We allow an ARN, a key ID, or an alias name for kmsKeyID.
-				// If it doesn't look like an ARN and doesn't have a '/',
-				// prepend "alias/" for KMS alias references.
-				kmsKey := q.Get(k)
-				if kmsKey != "" &&
-					!strings.Contains(kmsKey, "/") &&
-					!strings.HasPrefix(kmsKey, "arn:") {
-					kmsKey = "alias/" + kmsKey
-				}
-				if kmsKey != "" {
-					opts = append(opts, WithKeyID(kmsKey))
-				}
-			}
-		}
-	}
-	return ssmARN, opts, nil
+func New(_ logger.Logf, ssmARN string) (ipn.StateStore, error) {
+	return newStore(ssmARN, nil)
 }

 // newStore is NewStore, but for tests. If client is non-nil, it's
 // used instead of making one.
-func newStore(ssmARN string, so storeOptions, client awsSSMClient) (ipn.StateStore, error) {
+func newStore(ssmARN string, client awsSSMClient) (ipn.StateStore, error) {
 	s := &awsStore{
 		ssmClient: client,
-		kmsKey:    so.kmsKey,
 	}

 	var err error
+
+	// Parse the ARN
 	if s.ssmARN, err = arn.Parse(ssmARN); err != nil {
 		return nil, fmt.Errorf("unable to parse the ARN correctly: %v", err)
 	}
+
+	// Validate the ARN corresponds to the SSM service
 	if s.ssmARN.Service != "ssm" {
 		return nil, fmt.Errorf("invalid service %q, expected 'ssm'", s.ssmARN.Service)
 	}
+
+	// Validate the ARN corresponds to a parameter store resource
 	if !parameterNameRx.MatchString(s.ssmARN.Resource) {
 		return nil, fmt.Errorf("invalid resource %q, expected to match %v", s.ssmARN.Resource, parameterNameRxStr)
 	}
@@ -160,11 +96,12 @@ func newStore(ssmARN string, so storeOptions, client awsSSMClient) (ipn.StateSto
 		s.ssmClient = ssm.NewFromConfig(cfg)
 	}

-	// Preload existing state, if any
+	// Hydrate cache with the potentially current state
 	if err := s.LoadState(); err != nil {
 		return nil, err
 	}
 	return s, nil
+
 }

 // LoadState attempts to read the state from AWS SSM parameter store key.
@@ -235,21 +172,15 @@ func (s *awsStore) persistState() error {
 	// which is free. However, if it exceeds 4kb it switches the parameter to advanced tiering
 	// doubling the capacity to 8kb per the following docs:
 	// https://aws.amazon.com/about-aws/whats-new/2019/08/aws-systems-manager-parameter-store-announces-intelligent-tiering-to-enable-automatic-parameter-tier-selection/
-	in := &ssm.PutParameterInput{
-		Name:      aws.String(s.ParameterName()),
-		Value:     aws.String(string(bs)),
-		Overwrite: aws.Bool(true),
-		Tier:      ssmTypes.ParameterTierIntelligentTiering,
-		Type:      ssmTypes.ParameterTypeSecureString,
-	}
-
-	// If kmsKey is specified, encrypt with that key
-	// NOTE: this input allows any alias, keyID or ARN
-	// If this isn't specified, AWS will use the default KMS key
-	if s.kmsKey != "" {
-		in.KeyId = aws.String(s.kmsKey)
-	}
-
-	_, err = s.ssmClient.PutParameter(context.TODO(), in)
+	_, err = s.ssmClient.PutParameter(
+		context.TODO(),
+		&ssm.PutParameterInput{
+			Name:      aws.String(s.ParameterName()),
+			Value:     aws.String(string(bs)),
+			Overwrite: aws.Bool(true),
+			Tier:      ssmTypes.ParameterTierIntelligentTiering,
+			Type:      ssmTypes.ParameterTypeSecureString,
+		},
+	)
 	return err
 }
--- a/ipn/store/awsstore/store_aws_stub.go
+++ b/ipn/store/awsstore/store_aws_stub.go
@@ -0,0 +1,18 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !linux || ts_omit_aws
+
+package awsstore
+
+import (
+	"fmt"
+	"runtime"
+
+	"tailscale.com/ipn"
+	"tailscale.com/types/logger"
+)
+
+func New(logger.Logf, string) (ipn.StateStore, error) {
+	return nil, fmt.Errorf("AWS store is not supported on %v", runtime.GOOS)
+}
--- a/ipn/store/awsstore/store_aws_test.go
+++ b/ipn/store/awsstore/store_aws_test.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-//go:build linux && !ts_omit_aws
+//go:build linux

 package awsstore

@@ -65,11 +65,7 @@ func TestNewAWSStore(t *testing.T) {
 		Resource:  "parameter/foo",
 	}

-	opts := storeOptions{
-		kmsKey: "arn:aws:kms:eu-west-1:123456789:key/MyCustomKey",
-	}
-
-	s, err := newStore(storeParameterARN.String(), opts, mc)
+	s, err := newStore(storeParameterARN.String(), mc)
 	if err != nil {
 		t.Fatalf("creating aws store failed: %v", err)
 	}
@@ -77,7 +73,7 @@ func TestNewAWSStore(t *testing.T) {

 	// Build a brand new file store and check that both IDs written
 	// above are still there.
-	s2, err := newStore(storeParameterARN.String(), opts, mc)
+	s2, err := newStore(storeParameterARN.String(), mc)
 	if err != nil {
 		t.Fatalf("creating second aws store failed: %v", err)
 	}
@@ -166,54 +162,3 @@ func testStoreSemantics(t *testing.T, store ipn.StateStore) {
 		}
 	}
 }
-
-func TestParseARNAndOpts(t *testing.T) {
-	tests := []struct {
-		name    string
-		arg     string
-		wantARN string
-		wantKey string
-	}{
-		{
-			name:    "no-key",
-			arg:     "arn:aws:ssm:us-east-1:123456789012:parameter/myTailscaleParam",
-			wantARN: "arn:aws:ssm:us-east-1:123456789012:parameter/myTailscaleParam",
-		},
-		{
-			name:    "custom-key",
-			arg:     "arn:aws:ssm:us-east-1:123456789012:parameter/myTailscaleParam?kmsKey=alias/MyCustomKey",
-			wantARN: "arn:aws:ssm:us-east-1:123456789012:parameter/myTailscaleParam",
-			wantKey: "alias/MyCustomKey",
-		},
-		{
-			name:    "bare-name",
-			arg:     "arn:aws:ssm:us-east-1:123456789012:parameter/myTailscaleParam?kmsKey=Bare",
-			wantARN: "arn:aws:ssm:us-east-1:123456789012:parameter/myTailscaleParam",
-			wantKey: "alias/Bare",
-		},
-		{
-			name:    "arn-arg",
-			arg:     "arn:aws:ssm:us-east-1:123456789012:parameter/myTailscaleParam?kmsKey=arn:foo",
-			wantARN: "arn:aws:ssm:us-east-1:123456789012:parameter/myTailscaleParam",
-			wantKey: "arn:foo",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			arn, opts, err := ParseARNAndOpts(tt.arg)
-			if err != nil {
-				t.Fatalf("New: %v", err)
-			}
-			if arn != tt.wantARN {
-				t.Errorf("ARN = %q; want %q", arn, tt.wantARN)
-			}
-			var got storeOptions
-			for _, opt := range opts {
-				opt(&got)
-			}
-			if got.kmsKey != tt.wantKey {
-				t.Errorf("kmsKey = %q; want %q", got.kmsKey, tt.wantKey)
-			}
-		})
-	}
-}
--- a/ipn/store/kubestore/store_kube.go
+++ b/ipn/store/kubestore/store_kube.go
@@ -18,7 +18,6 @@ import (
 	"tailscale.com/kube/kubeapi"
 	"tailscale.com/kube/kubeclient"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/mak"
 )

 const (
@@ -84,26 +83,10 @@ func (s *Store) ReadState(id ipn.StateKey) ([]byte, error) {

 // WriteState implements the StateStore interface.
 func (s *Store) WriteState(id ipn.StateKey, bs []byte) (err error) {
-	return s.updateStateSecret(map[string][]byte{string(id): bs})
-}
-
-// WriteTLSCertAndKey writes a TLS cert and key to domain.crt, domain.key fields of a Tailscale Kubernetes node's state
-// Secret.
-func (s *Store) WriteTLSCertAndKey(domain string, cert, key []byte) error {
-	return s.updateStateSecret(map[string][]byte{domain + ".crt": cert, domain + ".key": key})
-}
-
-func (s *Store) updateStateSecret(data map[string][]byte) (err error) {
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer func() {
 		if err == nil {
-			for id, bs := range data {
-				// The in-memory store does not distinguish between values read from state Secret on
-				// init and values written to afterwards. Values read from the state
-				// Secret will always be sanitized, so we also need to sanitize values written to store
-				// later, so that the Read logic can just lookup keys in sanitized form.
-				s.memory.WriteState(ipn.StateKey(sanitizeKey(id)), bs)
-			}
+			s.memory.WriteState(ipn.StateKey(sanitizeKey(id)), bs)
 		}
 		if err != nil {
 			if err := s.client.Event(ctx, eventTypeWarning, reasonTailscaleStateUpdateFailed, err.Error()); err != nil {
@@ -116,9 +99,9 @@ func (s *Store) updateStateSecret(data map[string][]byte) (err error) {
 		}
 		cancel()
 	}()
+
 	secret, err := s.client.GetSecret(ctx, s.secretName)
 	if err != nil {
-		// If the Secret does not exist, create it with the required data.
 		if kubeclient.IsNotFoundErr(err) {
 			return s.client.CreateSecret(ctx, &kubeapi.Secret{
 				TypeMeta: kubeapi.TypeMeta{
@@ -128,53 +111,40 @@ func (s *Store) updateStateSecret(data map[string][]byte) (err error) {
 				ObjectMeta: kubeapi.ObjectMeta{
 					Name: s.secretName,
 				},
-				Data: func(m map[string][]byte) map[string][]byte {
-					d := make(map[string][]byte, len(m))
-					for key, val := range m {
-						d[sanitizeKey(key)] = val
-					}
-					return d
-				}(data),
+				Data: map[string][]byte{
+					sanitizeKey(id): bs,
+				},
 			})
 		}
 		return err
 	}
 	if s.canPatch {
-		var m []kubeclient.JSONPatch
-		// If the user has pre-created a Secret with no data, we need to ensure the top level /data field.
-		if len(secret.Data) == 0 {
-			m = []kubeclient.JSONPatch{
+		if len(secret.Data) == 0 { // if user has pre-created a blank Secret
+			m := []kubeclient.JSONPatch{
 				{
-					Op:   "add",
-					Path: "/data",
-					Value: func(m map[string][]byte) map[string][]byte {
-						d := make(map[string][]byte, len(m))
-						for key, val := range m {
-							d[sanitizeKey(key)] = val
-						}
-						return d
-					}(data),
+					Op:    "add",
+					Path:  "/data",
+					Value: map[string][]byte{sanitizeKey(id): bs},
 				},
 			}
-			// If the Secret has data, patch it with the new data.
-		} else {
-			for key, val := range data {
-				m = append(m, kubeclient.JSONPatch{
-					Op:    "add",
-					Path:  "/data/" + sanitizeKey(key),
-					Value: val,
-				})
+			if err := s.client.JSONPatchResource(ctx, s.secretName, kubeclient.TypeSecrets, m); err != nil {
+				return fmt.Errorf("error patching Secret %s with a /data field: %v", s.secretName, err)
 			}
+			return nil
+		}
+		m := []kubeclient.JSONPatch{
+			{
+				Op:    "add",
+				Path:  "/data/" + sanitizeKey(id),
+				Value: bs,
+			},
 		}
 		if err := s.client.JSONPatchResource(ctx, s.secretName, kubeclient.TypeSecrets, m); err != nil {
-			return fmt.Errorf("error patching Secret %s: %w", s.secretName, err)
+			return fmt.Errorf("error patching Secret %s with /data/%s field: %v", s.secretName, sanitizeKey(id), err)
 		}
 		return nil
 	}
-	// No patch permissions, use UPDATE instead.
-	for key, val := range data {
-		mak.Set(&secret.Data, sanitizeKey(key), val)
-	}
+	secret.Data[sanitizeKey(id)] = bs
 	if err := s.client.UpdateSecret(ctx, secret); err != nil {
 		return err
 	}
@@ -202,10 +172,9 @@ func (s *Store) loadState() (err error) {
 	return nil
 }

-// sanitizeKey converts any value that can be converted to a string into a valid Kubernetes Secret key.
-// Valid characters are alphanumeric, -, _, and .
-// https://kubernetes.io/docs/concepts/configuration/secret/#restriction-names-data.
-func sanitizeKey[T ~string](k T) string {
+func sanitizeKey(k ipn.StateKey) string {
+	// The only valid characters in a Kubernetes secret key are alphanumeric, -,
+	// _, and .
 	return strings.Map(func(r rune) rune {
 		if r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' || r == '-' || r == '_' || r == '.' {
 			return r
--- a/ipn/store/kubestore/store_kube_test.go
+++ b/ipn/store/kubestore/store_kube_test.go
@@ -1,183 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package kubestore
-
-import (
-	"context"
-	"strings"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/store/mem"
-	"tailscale.com/kube/kubeapi"
-	"tailscale.com/kube/kubeclient"
-)
-
-func TestUpdateStateSecret(t *testing.T) {
-	tests := []struct {
-		name       string
-		initial    map[string][]byte
-		updates    map[string][]byte
-		wantData   map[string][]byte
-		allowPatch bool
-	}{
-		{
-			name: "basic_update",
-			initial: map[string][]byte{
-				"existing": []byte("old"),
-			},
-			updates: map[string][]byte{
-				"foo": []byte("bar"),
-			},
-			wantData: map[string][]byte{
-				"existing": []byte("old"),
-				"foo":      []byte("bar"),
-			},
-			allowPatch: true,
-		},
-		{
-			name: "update_existing",
-			initial: map[string][]byte{
-				"foo": []byte("old"),
-			},
-			updates: map[string][]byte{
-				"foo": []byte("new"),
-			},
-			wantData: map[string][]byte{
-				"foo": []byte("new"),
-			},
-			allowPatch: true,
-		},
-		{
-			name: "multiple_updates",
-			initial: map[string][]byte{
-				"keep": []byte("keep"),
-			},
-			updates: map[string][]byte{
-				"foo": []byte("bar"),
-				"baz": []byte("qux"),
-			},
-			wantData: map[string][]byte{
-				"keep": []byte("keep"),
-				"foo":  []byte("bar"),
-				"baz":  []byte("qux"),
-			},
-			allowPatch: true,
-		},
-		{
-			name: "create_new_secret",
-			updates: map[string][]byte{
-				"foo": []byte("bar"),
-			},
-			wantData: map[string][]byte{
-				"foo": []byte("bar"),
-			},
-			allowPatch: true,
-		},
-		{
-			name: "patch_denied",
-			initial: map[string][]byte{
-				"foo": []byte("old"),
-			},
-			updates: map[string][]byte{
-				"foo": []byte("new"),
-			},
-			wantData: map[string][]byte{
-				"foo": []byte("new"),
-			},
-			allowPatch: false,
-		},
-		{
-			name: "sanitize_keys",
-			initial: map[string][]byte{
-				"clean-key": []byte("old"),
-			},
-			updates: map[string][]byte{
-				"dirty@key": []byte("new"),
-				"also/bad":  []byte("value"),
-				"good.key":  []byte("keep"),
-			},
-			wantData: map[string][]byte{
-				"clean-key": []byte("old"),
-				"dirty_key": []byte("new"),
-				"also_bad":  []byte("value"),
-				"good.key":  []byte("keep"),
-			},
-			allowPatch: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			secret := tt.initial // track current state
-			client := &kubeclient.FakeClient{
-				GetSecretImpl: func(ctx context.Context, name string) (*kubeapi.Secret, error) {
-					if secret == nil {
-						return nil, &kubeapi.Status{Code: 404}
-					}
-					return &kubeapi.Secret{Data: secret}, nil
-				},
-				CheckSecretPermissionsImpl: func(ctx context.Context, name string) (bool, bool, error) {
-					return tt.allowPatch, true, nil
-				},
-				CreateSecretImpl: func(ctx context.Context, s *kubeapi.Secret) error {
-					secret = s.Data
-					return nil
-				},
-				UpdateSecretImpl: func(ctx context.Context, s *kubeapi.Secret) error {
-					secret = s.Data
-					return nil
-				},
-				JSONPatchResourceImpl: func(ctx context.Context, name, resourceType string, patches []kubeclient.JSONPatch) error {
-					if !tt.allowPatch {
-						return &kubeapi.Status{Reason: "Forbidden"}
-					}
-					if secret == nil {
-						secret = make(map[string][]byte)
-					}
-					for _, p := range patches {
-						if p.Op == "add" && p.Path == "/data" {
-							secret = p.Value.(map[string][]byte)
-						} else if p.Op == "add" && strings.HasPrefix(p.Path, "/data/") {
-							key := strings.TrimPrefix(p.Path, "/data/")
-							secret[key] = p.Value.([]byte)
-						}
-					}
-					return nil
-				},
-			}
-
-			s := &Store{
-				client:     client,
-				canPatch:   tt.allowPatch,
-				secretName: "test-secret",
-				memory:     mem.Store{},
-			}
-
-			err := s.updateStateSecret(tt.updates)
-			if err != nil {
-				t.Errorf("updateStateSecret() error = %v", err)
-				return
-			}
-
-			// Verify secret data
-			if diff := cmp.Diff(secret, tt.wantData); diff != "" {
-				t.Errorf("secret data mismatch (-got +want):\n%s", diff)
-			}
-
-			// Verify memory store was updated
-			for k, v := range tt.updates {
-				got, err := s.memory.ReadState(ipn.StateKey(sanitizeKey(k)))
-				if err != nil {
-					t.Errorf("reading from memory store: %v", err)
-					continue
-				}
-				if !cmp.Equal(got, v) {
-					t.Errorf("memory store key %q = %v, want %v", k, got, v)
-				}
-			}
-		})
-	}
-}
--- a/ipn/store/store_aws.go
+++ b/ipn/store/store_aws.go
@@ -6,9 +6,7 @@
 package store

 import (
-	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/awsstore"
-	"tailscale.com/types/logger"
 )

 func init() {
@@ -16,11 +14,5 @@ func init() {
 }

 func registerAWSStore() {
-	Register("arn:", func(logf logger.Logf, arg string) (ipn.StateStore, error) {
-		ssmARN, opts, err := awsstore.ParseARNAndOpts(arg)
-		if err != nil {
-			return nil, err
-		}
-		return awsstore.New(logf, ssmARN, opts...)
-	})
+	Register("arn:", awsstore.New)
 }
--- a/kube/kubeclient/fake_client.go
+++ b/kube/kubeclient/fake_client.go
@@ -15,9 +15,6 @@ var _ Client = &FakeClient{}
 type FakeClient struct {
 	GetSecretImpl              func(context.Context, string) (*kubeapi.Secret, error)
 	CheckSecretPermissionsImpl func(ctx context.Context, name string) (bool, bool, error)
-	CreateSecretImpl           func(context.Context, *kubeapi.Secret) error
-	UpdateSecretImpl           func(context.Context, *kubeapi.Secret) error
-	JSONPatchResourceImpl      func(context.Context, string, string, []JSONPatch) error
 }

 func (fc *FakeClient) CheckSecretPermissions(ctx context.Context, name string) (bool, bool, error) {
@@ -36,12 +33,8 @@ func (fc *FakeClient) Event(context.Context, string, string, string) error {
 	return nil
 }

-func (fc *FakeClient) JSONPatchResource(ctx context.Context, resource, name string, patches []JSONPatch) error {
-	return fc.JSONPatchResourceImpl(ctx, resource, name, patches)
-}
-func (fc *FakeClient) UpdateSecret(ctx context.Context, secret *kubeapi.Secret) error {
-	return fc.UpdateSecretImpl(ctx, secret)
-}
-func (fc *FakeClient) CreateSecret(ctx context.Context, secret *kubeapi.Secret) error {
-	return fc.CreateSecretImpl(ctx, secret)
+func (fc *FakeClient) JSONPatchResource(context.Context, string, string, []JSONPatch) error {
+	return nil
 }
+func (fc *FakeClient) UpdateSecret(context.Context, *kubeapi.Secret) error { return nil }
+func (fc *FakeClient) CreateSecret(context.Context, *kubeapi.Secret) error { return nil }
--- a/licenses/README.md
+++ b/licenses/README.md
@@ -1,35 +0,0 @@
-# Licenses
-
-This directory contains a list of dependencies, and their licenses, that are included in the Tailscale clients.
-These lists are generated using the [go-licenses] tool to analyze all Go packages in the Tailscale binaries,
-as well as a set of custom output templates that includes any additional non-Go dependencies.
-For example, the clients for macOS and iOS include some additional Swift libraries.
-
-These lists are updated roughly every week, so it is possible to see the dependencies in a given release by looking at the release tag.
-For example, the dependences for the 1.80.0 release of the macOS client can be seen at
-<https://github.com/tailscale/tailscale/blob/v1.80.0/licenses/apple.md>.
-
-[go-licenses]: https://github.com/google/go-licenses
-
-## Other formats
-
-The go-licenses tool can output other formats like CSV, but that wouldn't include the non-Go dependencies.
-We can generate a CSV file if that's really needed by running a regex over the markdown files:
-
-```sh
-cat apple.md | grep "^ -" | sed -E "s/- \[(.*)\]\(.*?\) \(\[(.*)\]\((.*)\)\)/\1,\2,\3/"
-```
-
-## Reviewer instructions
-
-The majority of changes in this directory are from updating dependency versions.
-In that case, only the URL for the license file will change to reflect the new version.
-Occasionally, a dependency is added or removed, or the import path is changed.
-
-New dependencies require the closest review to ensure the license is acceptable.
-Because we generate the license reports **after** dependencies are changed,
-the new dependency would have already gone through one review when it was initially added.
-This is just a secondary review to double-check the license. If in doubt, ask legal.
-
-Always do a normal GitHub code review on the license PR with a brief summary of what changed.
-For example, see #13936 or #14064. Then approve and merge the PR.
--- a/licenses/android.md
+++ b/licenses/android.md
@@ -9,33 +9,34 @@ Client][].  See also the dependencies in the [Tailscale CLI][].


 - [filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519) ([BSD-3-Clause](https://github.com/FiloSottile/edwards25519/blob/v1.1.0/LICENSE))
- - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.36.0/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.29.5/config/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.17.58/credentials/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.16.27/feature/ec2/imds/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.3.31/internal/configsources/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.6.31/internal/endpoints/v2/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.8.2/internal/ini/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.36.0/internal/sync/singleflight/LICENSE))
- - [github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/accept-encoding/v1.12.2/service/internal/accept-encoding/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.12.12/service/internal/presigned-url/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.24.1/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.26.5/config/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.16.16/credentials/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.14.11/feature/ec2/imds/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.2.10/internal/configsources/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.5.10/internal/endpoints/v2/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.7.2/internal/ini/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.24.1/internal/sync/singleflight/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/accept-encoding/v1.10.4/service/internal/accept-encoding/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.10.10/service/internal/presigned-url/LICENSE.txt))
 - [github.com/aws/aws-sdk-go-v2/service/ssm](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.44.7/service/ssm/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.24.14/service/sso/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssooidc) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.28.13/service/ssooidc/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.33.13/service/sts/LICENSE.txt))
- - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.22.2/LICENSE))
- - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.22.2/internal/sync/singleflight/LICENSE))
+ - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.18.7/service/sso/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssooidc) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.21.7/service/ssooidc/LICENSE.txt))
+ - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.26.7/service/sts/LICENSE.txt))
+ - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.19.0/LICENSE))
+ - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.19.0/internal/sync/singleflight/LICENSE))
+ - [github.com/bits-and-blooms/bitset](https://pkg.go.dev/github.com/bits-and-blooms/bitset) ([BSD-3-Clause](https://github.com/bits-and-blooms/bitset/blob/v1.13.0/LICENSE))
 - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/65c67c9f46e6/LICENSE))
 - [github.com/djherbis/times](https://pkg.go.dev/github.com/djherbis/times) ([MIT](https://github.com/djherbis/times/blob/v1.6.0/LICENSE))
 - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.7.0/LICENSE))
- - [github.com/gaissmai/bart](https://pkg.go.dev/github.com/gaissmai/bart) ([MIT](https://github.com/gaissmai/bart/blob/v0.18.0/LICENSE))
+ - [github.com/gaissmai/bart](https://pkg.go.dev/github.com/gaissmai/bart) ([MIT](https://github.com/gaissmai/bart/blob/v0.11.1/LICENSE))
 - [github.com/go-json-experiment/json](https://pkg.go.dev/github.com/go-json-experiment/json) ([BSD-3-Clause](https://github.com/go-json-experiment/json/blob/6a9a0fde9288/LICENSE))
 - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/76236955d466/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
 - [github.com/google/nftables](https://pkg.go.dev/github.com/google/nftables) ([Apache-2.0](https://github.com/google/nftables/blob/5e242ec57806/LICENSE))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/v0.2.0/LICENSE))
- - [github.com/illarion/gonotify/v3](https://pkg.go.dev/github.com/illarion/gonotify/v3) ([MIT](https://github.com/illarion/gonotify/blob/v3.0.2/LICENSE))
+ - [github.com/illarion/gonotify/v2](https://pkg.go.dev/github.com/illarion/gonotify/v2) ([MIT](https://github.com/illarion/gonotify/blob/v2.0.3/LICENSE))
 - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/8c70d406f6d2/LICENSE))
 - [github.com/jellydator/ttlcache/v3](https://pkg.go.dev/github.com/jellydator/ttlcache/v3) ([MIT](https://github.com/jellydator/ttlcache/blob/v3.1.0/LICENSE))
 - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
@@ -64,17 +65,17 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/ae6ca9944745/LICENSE))
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/fdeea329fbba/LICENSE))
 - [go4.org/unsafe/assume-no-moving-gc](https://pkg.go.dev/go4.org/unsafe/assume-no-moving-gc) ([BSD-3-Clause](https://github.com/go4org/unsafe-assume-no-moving-gc/blob/e7c30c78aeb2/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.33.0:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/939b2ce7:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/a8ea4be8:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/7588d65b:LICENSE))
 - [golang.org/x/mobile](https://pkg.go.dev/golang.org/x/mobile) ([BSD-3-Clause](https://cs.opensource.google/go/x/mobile/+/81131f64:LICENSE))
- - [golang.org/x/mod/semver](https://pkg.go.dev/golang.org/x/mod/semver) ([BSD-3-Clause](https://cs.opensource.google/go/x/mod/+/v0.23.0:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.35.0:LICENSE))
- - [golang.org/x/sync](https://pkg.go.dev/golang.org/x/sync) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.11.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.30.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.29.0:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.22.0:LICENSE))
- - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.10.0:LICENSE))
- - [golang.org/x/tools](https://pkg.go.dev/golang.org/x/tools) ([BSD-3-Clause](https://cs.opensource.google/go/x/tools/+/v0.30.0:LICENSE))
- - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/9414b50a5633/LICENSE))
+ - [golang.org/x/mod/semver](https://pkg.go.dev/golang.org/x/mod/semver) ([BSD-3-Clause](https://cs.opensource.google/go/x/mod/+/v0.22.0:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.34.0:LICENSE))
+ - [golang.org/x/sync](https://pkg.go.dev/golang.org/x/sync) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.10.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/1c14dcad:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.28.0:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.21.0:LICENSE))
+ - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.9.0:LICENSE))
+ - [golang.org/x/tools](https://pkg.go.dev/golang.org/x/tools) ([BSD-3-Clause](https://cs.opensource.google/go/x/tools/+/v0.29.0:LICENSE))
+ - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/64c016c92987/LICENSE))
 - [inet.af/netaddr](https://pkg.go.dev/inet.af/netaddr) ([BSD-3-Clause](Unknown))
 - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/HEAD/LICENSE))
--- a/licenses/apple.md
+++ b/licenses/apple.md
@@ -28,19 +28,20 @@ See also the dependencies in the [Tailscale CLI][].
 - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.33.13/service/sts/LICENSE.txt))
 - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.22.2/LICENSE))
 - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.22.2/internal/sync/singleflight/LICENSE))
+ - [github.com/bits-and-blooms/bitset](https://pkg.go.dev/github.com/bits-and-blooms/bitset) ([BSD-3-Clause](https://github.com/bits-and-blooms/bitset/blob/v1.13.0/LICENSE))
 - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/65c67c9f46e6/LICENSE))
 - [github.com/digitalocean/go-smbios/smbios](https://pkg.go.dev/github.com/digitalocean/go-smbios/smbios) ([Apache-2.0](https://github.com/digitalocean/go-smbios/blob/390a4f403a8e/LICENSE.md))
 - [github.com/djherbis/times](https://pkg.go.dev/github.com/djherbis/times) ([MIT](https://github.com/djherbis/times/blob/v1.6.0/LICENSE))
 - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.7.0/LICENSE))
- - [github.com/gaissmai/bart](https://pkg.go.dev/github.com/gaissmai/bart) ([MIT](https://github.com/gaissmai/bart/blob/v0.18.0/LICENSE))
- - [github.com/go-json-experiment/json](https://pkg.go.dev/github.com/go-json-experiment/json) ([BSD-3-Clause](https://github.com/go-json-experiment/json/blob/d3c622f1b874/LICENSE))
+ - [github.com/gaissmai/bart](https://pkg.go.dev/github.com/gaissmai/bart) ([MIT](https://github.com/gaissmai/bart/blob/v0.11.1/LICENSE))
+ - [github.com/go-json-experiment/json](https://pkg.go.dev/github.com/go-json-experiment/json) ([BSD-3-Clause](https://github.com/go-json-experiment/json/blob/6a9a0fde9288/LICENSE))
 - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/76236955d466/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
 - [github.com/google/nftables](https://pkg.go.dev/github.com/google/nftables) ([Apache-2.0](https://github.com/google/nftables/blob/5e242ec57806/LICENSE))
 - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.6.0/LICENSE))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/v0.2.0/LICENSE))
- - [github.com/illarion/gonotify/v3](https://pkg.go.dev/github.com/illarion/gonotify/v3) ([MIT](https://github.com/illarion/gonotify/blob/v3.0.2/LICENSE))
+ - [github.com/illarion/gonotify/v2](https://pkg.go.dev/github.com/illarion/gonotify/v2) ([MIT](https://github.com/illarion/gonotify/blob/v2.0.3/LICENSE))
 - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/15c9b8791914/LICENSE))
 - [github.com/jellydator/ttlcache/v3](https://pkg.go.dev/github.com/jellydator/ttlcache/v3) ([MIT](https://github.com/jellydator/ttlcache/blob/v3.1.0/LICENSE))
 - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
@@ -68,14 +69,14 @@ See also the dependencies in the [Tailscale CLI][].
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/ae6ca9944745/LICENSE))
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/fdeea329fbba/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.35.0:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/939b2ce7:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.35.0:LICENSE))
- - [golang.org/x/sync](https://pkg.go.dev/golang.org/x/sync) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.11.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.30.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.29.0:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.22.0:LICENSE))
- - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.10.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/a8ea4be8:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/7588d65b:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.34.0:LICENSE))
+ - [golang.org/x/sync](https://pkg.go.dev/golang.org/x/sync) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.10.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/1c14dcad:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.28.0:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.21.0:LICENSE))
+ - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.9.0:LICENSE))
 - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/9414b50a5633/LICENSE))
 - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/HEAD/LICENSE))

--- a/licenses/tailscale.md
+++ b/licenses/tailscale.md
@@ -33,6 +33,7 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.33.13/service/sts/LICENSE.txt))
 - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.22.2/LICENSE))
 - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.22.2/internal/sync/singleflight/LICENSE))
+ - [github.com/bits-and-blooms/bitset](https://pkg.go.dev/github.com/bits-and-blooms/bitset) ([BSD-3-Clause](https://github.com/bits-and-blooms/bitset/blob/v1.13.0/LICENSE))
 - [github.com/coder/websocket](https://pkg.go.dev/github.com/coder/websocket) ([ISC](https://github.com/coder/websocket/blob/v1.8.12/LICENSE.txt))
 - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/65c67c9f46e6/LICENSE))
 - [github.com/creack/pty](https://pkg.go.dev/github.com/creack/pty) ([MIT](https://github.com/creack/pty/blob/v1.1.23/LICENSE))
@@ -40,8 +41,8 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/digitalocean/go-smbios/smbios](https://pkg.go.dev/github.com/digitalocean/go-smbios/smbios) ([Apache-2.0](https://github.com/digitalocean/go-smbios/blob/390a4f403a8e/LICENSE.md))
 - [github.com/djherbis/times](https://pkg.go.dev/github.com/djherbis/times) ([MIT](https://github.com/djherbis/times/blob/v1.6.0/LICENSE))
 - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.7.0/LICENSE))
- - [github.com/gaissmai/bart](https://pkg.go.dev/github.com/gaissmai/bart) ([MIT](https://github.com/gaissmai/bart/blob/v0.18.0/LICENSE))
- - [github.com/go-json-experiment/json](https://pkg.go.dev/github.com/go-json-experiment/json) ([BSD-3-Clause](https://github.com/go-json-experiment/json/blob/d3c622f1b874/LICENSE))
+ - [github.com/gaissmai/bart](https://pkg.go.dev/github.com/gaissmai/bart) ([MIT](https://github.com/gaissmai/bart/blob/v0.11.1/LICENSE))
+ - [github.com/go-json-experiment/json](https://pkg.go.dev/github.com/go-json-experiment/json) ([BSD-3-Clause](https://github.com/go-json-experiment/json/blob/6a9a0fde9288/LICENSE))
 - [github.com/go-ole/go-ole](https://pkg.go.dev/github.com/go-ole/go-ole) ([MIT](https://github.com/go-ole/go-ole/blob/v1.3.0/LICENSE))
 - [github.com/godbus/dbus/v5](https://pkg.go.dev/github.com/godbus/dbus/v5) ([BSD-2-Clause](https://github.com/godbus/dbus/blob/76236955d466/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
@@ -51,7 +52,7 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/gorilla/csrf](https://pkg.go.dev/github.com/gorilla/csrf) ([BSD-3-Clause](https://github.com/gorilla/csrf/blob/9dd6af1f6d30/LICENSE))
 - [github.com/gorilla/securecookie](https://pkg.go.dev/github.com/gorilla/securecookie) ([BSD-3-Clause](https://github.com/gorilla/securecookie/blob/v1.1.2/LICENSE))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/v0.2.0/LICENSE))
- - [github.com/illarion/gonotify/v3](https://pkg.go.dev/github.com/illarion/gonotify/v3) ([MIT](https://github.com/illarion/gonotify/blob/v3.0.2/LICENSE))
+ - [github.com/illarion/gonotify/v2](https://pkg.go.dev/github.com/illarion/gonotify/v2) ([MIT](https://github.com/illarion/gonotify/blob/v2.0.3/LICENSE))
 - [github.com/insomniacslk/dhcp](https://pkg.go.dev/github.com/insomniacslk/dhcp) ([BSD-3-Clause](https://github.com/insomniacslk/dhcp/blob/8c70d406f6d2/LICENSE))
 - [github.com/jellydator/ttlcache/v3](https://pkg.go.dev/github.com/jellydator/ttlcache/v3) ([MIT](https://github.com/jellydator/ttlcache/blob/v3.1.0/LICENSE))
 - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
@@ -90,15 +91,15 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/ae6ca9944745/LICENSE))
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/fdeea329fbba/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.35.0:LICENSE))
- - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/939b2ce7:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.35.0:LICENSE))
- - [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) ([BSD-3-Clause](https://cs.opensource.google/go/x/oauth2/+/v0.26.0:LICENSE))
- - [golang.org/x/sync](https://pkg.go.dev/golang.org/x/sync) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.11.0:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.30.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.29.0:LICENSE))
- - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.22.0:LICENSE))
- - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.10.0:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/a8ea4be8:LICENSE))
+ - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/7588d65b:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.34.0:LICENSE))
+ - [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) ([BSD-3-Clause](https://cs.opensource.google/go/x/oauth2/+/v0.25.0:LICENSE))
+ - [golang.org/x/sync](https://pkg.go.dev/golang.org/x/sync) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.10.0:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/1c14dcad:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.28.0:LICENSE))
+ - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.21.0:LICENSE))
+ - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.9.0:LICENSE))
 - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=0fa3db229ce2))
 - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))
 - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/9414b50a5633/LICENSE))
--- a/Show More
+++ b/Show More